From 9c0da90b0bd53d5426bc10b01098711f7cf7ea68 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 11 May 2016 13:51:28 -0700 Subject: [PATCH 001/169] index + TOC --- education/TOC.md | 1 + education/index.md | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 education/TOC.md create mode 100644 education/index.md diff --git a/education/TOC.md b/education/TOC.md new file mode 100644 index 0000000000..364dd264fa --- /dev/null +++ b/education/TOC.md @@ -0,0 +1 @@ +# [Windows 10 for education](index.md) \ No newline at end of file diff --git a/education/index.md b/education/index.md new file mode 100644 index 0000000000..8bfca9f8a3 --- /dev/null +++ b/education/index.md @@ -0,0 +1,20 @@ +--- +title: Windows 10 for Education (Windows 10) +description: Learn about using Windows 10 in schools. +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Windows 10 for Education +Learn about using Windows 10 in schools. + +## In this section + +|Topic |Description | +|------|------------| +| tbd | tbd | + +## Related topics +- [Windows 10 and Windows 10 Mobile](../index.md) \ No newline at end of file From b0ab633a64c5c17e90b3e9c3e57a62e568ed9494 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 11 May 2016 13:54:32 -0700 Subject: [PATCH 002/169] added folder duh --- education/{ => windows}/TOC.md | 0 education/{ => windows}/index.md | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename education/{ => windows}/TOC.md (100%) rename education/{ => windows}/index.md (100%) diff --git a/education/TOC.md b/education/windows/TOC.md similarity index 100% rename from education/TOC.md rename to education/windows/TOC.md diff --git a/education/index.md b/education/windows/index.md similarity index 100% rename from education/index.md rename to education/windows/index.md From 04bf9dff0aed29adeedfa2b5b58b93d8c4e8643d Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Thu, 12 May 2016 06:58:36 -0700 Subject: [PATCH 003/169] fixed link --- education/windows/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/index.md b/education/windows/index.md index 8bfca9f8a3..7d202e116d 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -17,4 +17,4 @@ Learn about using Windows 10 in schools. | tbd | tbd | ## Related topics -- [Windows 10 and Windows 10 Mobile](../index.md) \ No newline at end of file +- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index) \ No newline at end of file From 43083f00e760c6023521f196daebc81c364b4d6a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 12 May 2016 07:37:13 -0700 Subject: [PATCH 004/169] copied 2 edu topics from win10 --- education/windows/TOC.md | 4 +- .../windows/chromebook-migration-guide.md | 962 +++++++++++++ .../windows/deploy-windows-10-in-a-school.md | 1264 +++++++++++++++++ education/windows/index.md | 3 +- 4 files changed, 2231 insertions(+), 2 deletions(-) create mode 100644 education/windows/chromebook-migration-guide.md create mode 100644 education/windows/deploy-windows-10-in-a-school.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 364dd264fa..f02d261fd6 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -1 +1,3 @@ -# [Windows 10 for education](index.md) \ No newline at end of file +# [Windows 10 for education](index.md) +## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) +## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md new file mode 100644 index 0000000000..e56979fdef --- /dev/null +++ b/education/windows/chromebook-migration-guide.md 
@@ -0,0 +1,962 @@ +--- +title: Chromebook migration guide (Windows 10) +description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA +keywords: ["migrate", "automate", "device"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: craigash +--- + +# Chromebook migration guide + + +**Applies to** + +- Windows 10 + +In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. + +## Plan Chromebook migration + + +Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. + +In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. + +## Plan for app migration or replacement + + +App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. 
+ +**Identify the apps currently in use on Chromebook devices** + +Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). + +**Note**   +The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. + +  + +You can divide the apps into the following categories: + +- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio. + +- **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use). + +Record the following information about each app in your app portfolio: + +- App name + +- App type (such as offline app, online app, web app, and so on) + +- App publisher or developer + +- App version currently in use + +- App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) + +Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. + +### + +**Select Google Apps replacements** + +Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. 
If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device. + +Table 1. Google App replacements + +| If you use this Google app on a Chromebook | Use this app on a Windows device | +|--------------------------------------------|--------------------------------------| +| Google Docs | Word 2016 or Word Online | +| Google Sheets | Excel 2016 or Excel Online | +| Google Slides | PowerPoint 2016 or PowerPoint Online | +| Google Apps Gmail | Outlook 2016 or Outlook Web App | +| Google Hangouts | Microsoft Skype for Business | +| Chrome | Microsoft Edge | +| Google Drive | Microsoft OneDrive for Business | + +  + +It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. + +**Find the same or similar apps in the Windows Store** + +In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. + +In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. + +Record the Windows app that replaces the Chromebook app in your app portfolio. 
+ +### + +**Perform app compatibility testing for web apps** + +The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. + +Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. + +## Plan for migration of user and device settings + + +Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. + +However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. + +In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. + +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. 
+ +**Identify Google Admin Console settings to migrate** + +You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. + +![figure 1](images/chromebook-fig1-googleadmin.png) + +Figure 1. Google Admin Console + +Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. + +Table 2. Settings in the Device Management node in the Google Admin Console + + ++++ + + + + + + + + + + + + + + + + + + + + +
SectionSettings
Network

These settings configure the network connections for Chromebook devices and include the following settings categories:

+
    +
  • Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

  • +
  • Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

  • +
  • VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

  • +
  • Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

  • +
Mobile

These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

+
    +
  • Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.

  • +
  • Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.

  • +
  • Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.

  • +
  • Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.

  • +
  • Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.

  • +
Chrome management

These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

+
    +
  • User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

  • +
  • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.

  • +
  • Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

  • +
  • Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.

  • +
  • App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.

  • +
+ +  + +Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. + +Table 3. Settings in the Security node in the Google Admin Console + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SectionSettings

Basic settings

These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.

+

Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.

Password monitoring

This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.

API reference

This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.

Set up single sign-on (SSO)

This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.

Advanced settings

This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.

+ +  + +**Identify locally-configured settings to migrate** + +In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). + +![figure 2](images/fig2-locallyconfig.png) + +Figure 2. Locally-configured settings on Chromebook + +Table 4. Locally-configured settings + +| Section | Settings | +|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Internet connections | These settings configure the Internet connection for the devices, such as Wi-Fi and VPN connections. Record the network connection currently in use and configure the Windows device to use the same network connection settings. | +| Appearances | These settings affect the appearance of the desktop. Record the wallpaper image file that is used. Migrate the image file to the Windows device and configure as the user’s wallpaper to maintain similar user experience. | +| Search | These settings configure which search engine is used to search for content. Record this setting so that you can use as the search engine on the Windows device. 
| +| Advanced sync settings | These settings configure which user settings are synchronized with the Google cloud, such as Apps, Extensions, History, Passwords, Settings, and so on. Record these settings and configure the Windows device with the same settings if you decide to continue to use Google Apps and other cloud services after you migrate to Windows devices. | +| Date and time | These settings configure the time zone and if 24-hour clock time should be used. Record these settings and configure the Windows device to use these settings. | +| Privacy | These settings configure Google Chrome web browser privacy settings (such as prediction service, phishing and malware protection, spelling errors, resource pre-fetch, and so on). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Bluetooth | This setting configures whether or not Bluetooth is enabled on the device. Record this setting and configure the Windows device similarly. | +| Passwords and forms | These settings configure Google Chrome web browser to enable autofill of web forms and to save web passwords. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Smart lock | These settings configure the Chromebook when the user’s Android phone is nearby and unlocked, which eliminates the need to type a password. You don’t need to migrate settings in this section. | +| Web content | These settings configure how the Chrome web browser displays content (such as font size and page zoom). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Languages | These settings configure the language in use for the Chromebook. Record these settings and configure the Windows device to support the same language. 
| +| Downloads | These settings configure the default folder for file download, if the user should be prompted where to save files, and if the Google Drive account should be disconnected. Record these settings and configure the Windows device with similar settings. | +| HTTPS/SSL | These settings configure client-side certificates that are used to authenticate the device. Depending on the services or apps that use these certificates, you may need to export and then migrate these certificates to the Windows device. Contact the service or app provider to determine if you can use the existing certificate or if a new certificate needs to be issued. Record these settings and migrate the certificate to the Windows device or enroll for a new certificate as required by the service or app. | +| Google Cloud Print | These settings configure the printers that are available to the user. Record the list of printers available to the user and configure the Windows device to have the same printers available. Ensure that the user-friendly printer names in Windows are the same as for the Chromebook device. For example, if the Chromebook device has a printer named “Laser Printer in Registrar’s Office”, use that same name in Windows. | +| On startup | These settings configure which web pages are opened when the Chrome web browser starts. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Accessibility | These settings configure the Chromebook ease of use (such as display of large mouse cursor, use of high contrast mode, enablement of the screen magnifier, and so on). Record these settings and configure the Windows device with similar settings. | +| Powerwash | This action removes all user accounts and resets the Chromebook device back to factory settings. You don’t have to migrate any settings in this section. 
| +| Reset settings | This action retains all user accounts, but restores all settings back to their default values. You don’t have to migrate any settings in this section. | + +  + +Determine how many users have similar settings and then consider managing those settings centrally. For example, a large number of users may have many of the same Chrome web browser settings. You can centrally manage these settings in Windows after migration. + +Also, as a part of this planning process, consider settings that may not be currently managed centrally, but should be managed centrally. Record the settings that are currently being locally managed, but you want to manage centrally after the migration. + +**Prioritize settings to migrate** + +After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. + +Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. + +## Plan for email migration + + +Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. + +Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). 
+ +**Identify the list of user mailboxes to migrate** + +In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. + +Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. + +Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](http://go.microsoft.com/fwlink/p/?LinkId=690253). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. + +**Identify companion devices that access Google Apps Gmail** + +In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. + +After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. 
+ +In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690254). + +**Identify the optimal timing for the migration** + +Typically, the best time to perform the migration is between academic years or during semester breaks. Select the time of least activity for your institution. And during that time, the optimal time to perform the migration might be during an evening or over a weekend. + +Ensure that you communicate the time the migration will occur to your users well in advance. Also, ensure that users know how to access their Office 365 email after the migration is complete. Finally, ensure that your users know how to perform the common tasks they performed in Google Apps Gmail in Office 365 and/or Outlook 2016. + +## Plan for cloud storage migration + + +Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. + +In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. + +**Identify cloud storage services currently in use** + +Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. 
For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: + +- Name of the cloud storage service + +- Cloud storage service vendor + +- Associated licensing costs or fees + +- Approximate storage currently in use per user + +Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. + +**Optimize cloud storage services migration plan** + +Now that you know the current cloud storage services configuration, you need to optimize your cloud storage services migration plan for Microsoft OneDrive for Business. Optimization helps ensure that your use only the cloud storage services resources that are necessary for your requirements. + +Consider the following to help optimize your cloud storage services migration plan: + +- **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. + +- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. + +- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. + +Record your optimization changes in your cloud storage services migration plan. 
+ +## Plan for cloud services migration + + +Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. + +In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. + +### + +**Identify cloud services currently in use** + +You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: + +- Cloud service name + +- Cloud service provider + +- Number of users that use the cloud service + +**Select cloud services to migrate** + +One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. + +Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: + +- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. 
For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. + +- **Online apps offer better document compatibility.** Microsoft Office online apps (such as Word Online and Excel Online) provide the highest level of compatibility with Microsoft Office documents. The Office online apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office online app from any device with Internet connectivity. + +- **Reduce licensing costs.** If you pay for Office 365 licenses, then Office 365 apps and cloud storage are included in those licenses. Although you could keep existing cloud services, you probably would pay more to keep those services. + +- **Improve storage capacity and cross-platform features.** Microsoft cloud services provide competitive storage capacity and provide more Windows-centric features than other cloud services providers. While the Microsoft cloud services user experience is highly optimized for Windows devices, Microsoft cloud services are also highly optimized for companion devices (such as iOS or Android devices). + +Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify-cloud-services-inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan-windevice-deploy) section. Also, skip the [Perform cloud services migration](#perform-cloud-services-migration) section later in this guide. + +**Prioritize cloud services** + +After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. 
+ +Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. + +Focus on the migration of higher priority cloud services first and put less effort into the migration of lower priority cloud services. There may be some cloud services that are unnecessary and you can remove them from your list of cloud services to migrate entirely. Record the cloud service migration priority in the list of cloud services you plan to migrate. + +### + +**Select cloud services migration strategy** + +When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. + +Consider the following when you create your cloud services migration strategy: + +- **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses. + +- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. + +- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. 
In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. + +- **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. + +- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. + +- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. + +## Plan for Windows device deployment + + +You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. 
+ +In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. + +### + +**Select a Windows device deployment strategy** + +What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. + +For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: + +- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. + +- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. + +- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. 
+ +- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. + +- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. + + If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. + +Record the combination of Windows device deployment strategies that you selected. + +### + +**Plan for AD DS and Azure AD services** + +The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. + +In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. + +Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). 
If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD. + +Table 5. Select on-premises AD DS, Azure AD, or hybrid + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
If you plan to...On-premises AD DSAzure ADHybrid
Use Office 365XX
Use Intune for managementXX
Use System Center 2012 R2 Configuration Manager for managementXX
Use Group Policy for managementXX
Have devices that are domain-joinedXX
Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joinedXX
+ +  + +### + +**Plan device, user, and app management** + +You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. + +Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. + +Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan. + +Table 6. Device, user, and app management products and technologies + + +++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Desired featureWindows provisioning packagesGroup PolicyConfiguration ManagerIntuneMDTWindows Software Update Services
Deploy operating system imagesXXX
Deploy apps during operating system deploymentXXX
Deploy apps after operating system deploymentXXX
Deploy software updates during operating system deploymentXX
Deploy software updates after operating system deploymentXXXXX
Support devices that are domain-joinedXXXXX
Support devices that are not domain-joinedXXX
Use on-premises resourcesXXXX
Use cloud-based servicesX
+ +  + +You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. + +Record the device, user, and app management products and technologies that you selected. + +### + +**Plan network infrastructure remediation** + +In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices. + +Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary: + +- **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. + + However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. + +- **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. + + If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. 
+ +- **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices. + + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. + +- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. + + However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. + + For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: + + - [Chromebook vs. Windows Notebook Network Traffic Analysis](http://go.microsoft.com/fwlink/p/?LinkId=690255) + + - [Hidden Cost of Chromebook Deployments](http://go.microsoft.com/fwlink/p/?LinkId=690256) + + - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](http://go.microsoft.com/fwlink/p/?LinkId=690257) + +- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. + + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. 
+ +At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. + +## Perform Chromebook migration + + +Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. + +In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. + +You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. + +## Perform network infrastructure remediation + + +The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. + +It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. + +Table 7. Network infrastructure products and technologies and deployment resources + + ++++ + + + + + + + + + + + + + + + + +
Product or technologyResources
DHCP
    +
  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

  • +
  • [DHCP Deployment Guide](http://go.microsoft.com/fwlink/p/?LinkId=734021)

  • +
DNS
    +
  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

  • +
  • [Deploying Domain Name System (DNS)](http://go.microsoft.com/fwlink/p/?LinkId=734022)

  • +
+ +  + +If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. + +## Perform AD DS and Azure AD services deployment or remediation + + +It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. + +In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. + +Table 8. AD DS, Azure AD and deployment resources + + ++++ + + + + + + + + + + + + + + + + +
Product or technologyResources
AD DS
    +
  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

  • +
  • [Active Directory Domain Services Overview](http://go.microsoft.com/fwlink/p/?LinkId=733909)

  • +
Azure AD
    +
  • [Azure Active Directory documentation](http://go.microsoft.com/fwlink/p/?LinkId=690258)

  • +
  • [Manage and support Azure Active Directory Premium](http://go.microsoft.com/fwlink/p/?LinkId=690259)

  • +
  • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](http://go.microsoft.com/fwlink/p/?LinkId=690260)

  • +
+ +  + +If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Prepare device, user, and app management systems + + +In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. + +Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. + +Table 9. Management systems and deployment resources + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Management systemResources
Windows provisioning packages
    +
  • [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=733918)

  • +
  • [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911)

  • +
  • [Step-By-Step: Building Windows 10 Provisioning Packages](http://go.microsoft.com/fwlink/p/?LinkId=690261)

  • +
Group Policy
    +
  • [Core Network Companion Guide: Group Policy Deployment](http://go.microsoft.com/fwlink/p/?LinkId=733915)

  • +
  • [Deploying Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=734024)

  • +
Configuration Manager
    +
  • [Site Administration for System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733914)

  • +
  • [Deploying Clients for System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733919)

  • +
Intune
    +
  • [Set up and manage devices with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=690262)

  • +
  • [Smoother Management Of Office 365 Deployments with Windows Intune](http://go.microsoft.com/fwlink/p/?LinkId=690263)

  • +
  • [System Center 2012 R2 Configuration Manager & Windows Intune](http://go.microsoft.com/fwlink/p/?LinkId=690264)

  • +
MDT
    +
  • [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](http://go.microsoft.com/fwlink/p/?LinkId=690324)

  • +
  • [Step-By-Step: Installing Windows 8.1 From A USB Key](http://go.microsoft.com/fwlink/p/?LinkId=690265)

  • +
+ +  + +If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Perform app migration or replacement + + +In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. + +In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. + +Table 10. Management systems and app deployment resources + + ++++ + + + + + + + + + + + + + + + + + + + + +
Management systemResources
Group Policy
    +
  • [Editing an AppLocker Policy](http://go.microsoft.com/fwlink/p/?LinkId=734025)

  • +
  • [Group Policy Software Deployment Background](http://go.microsoft.com/fwlink/p/?LinkId=734026)

  • +
  • [Assigning and Publishing Software](http://go.microsoft.com/fwlink/p/?LinkId=734027)

  • +
Configuration Manager
    +
  • [How to Deploy Applications in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733917)

  • +
  • [Application Management in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733907)

  • +
Intune
    +
  • [Deploy apps to mobile devices in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733913)

  • +
  • [Manage apps with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733910)

  • +
+ +  + +If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Perform migration of user and device settings + + +In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. + +Perform the user and device setting migration by using the following steps: + +1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune). + +2. From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure device-specific setting for higher priority settings. + +3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure user-specific setting for higher priority settings. + +4. Verify that all higher-priority user and device settings have been configured in your management system. + +If you do no want to migrate any user or device settings from the Chromebook devices to the Windows devices, you can skip this section. + +## Perform email migration + + +In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices. 
+ +Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). + +Alternatively, if you want to migrate to Office 365 from: + +- **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server: + + - [Cutover Exchange Migration and Single Sign-On](http://go.microsoft.com/fwlink/p/?LinkId=690266) + + - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690267) + + - [Step-By-Step: Migrating from Exchange 2007 to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690268) + +- **Another on-premises or cloud-based email service.** Follow the guidance from that vendor. + +## Perform cloud storage migration + + +In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. + +Manually migrate the cloud storage migration by using the following steps: + +1. Install both Google Drive app and OneDrive for Business or OneDrive app on a device. + +2. Sign in as the user in the Google Drive app. + +3. Sign in as the user in the OneDrive for Business or OneDrive app. + +4. Copy the data from the Google Drive storage to the OneDrive for Business or OneDrive storage. + +5. Optionally uninstall the Google Drive app. + +There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. 
For more information about these automated migration tools, contact the vendors. + +## Perform cloud services migration + + +In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. + +Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. + +There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. + +## Perform Windows device deployment + + +In the [Select a Windows device deployment strategy](#select-windows-device-deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan-windevice-deploy) section have already been performed. Now it's time to deploy the actual devices. + +For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices. + +In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. 
For information on how to deploy Windows 10 images to the devices, see the following resources: + +- [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) + +- [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=733918) + +- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](http://go.microsoft.com/fwlink/p/?LinkId=690324) + +- [Step-By-Step: Installing Windows 8.1 From A USB Key](http://go.microsoft.com/fwlink/p/?LinkId=690265) + +- [Operating System Deployment in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733916) + +In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment: + +- Enroll the device with your management system. + +- Ensure that Windows Defender is enabled and configured to receive updates. + +- Ensure that Windows Update is enabled and configured to receive updates. + +- Deploy any apps that you want the user to immediately be able to access when they start the device (such as Word 2016 or Excel 2016). + +After you complete these steps, your management system should take over the day-to-day maintenance tasks for the Windows 10 devices. Verify that the user and device settings migrated correctly as you deploy each batch of Windows 10 devices. Continue this process until you deploy all Windows 10 devices. + +## Related topics + + +[Try it out: Windows 10 deployment (for education)](http://go.microsoft.com/fwlink/p/?LinkId=623254) + +[Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255) + +  + +  + + + + + diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md new file mode 100644 index 0000000000..2c9039447a --- /dev/null +++ b/education/windows/deploy-windows-10-in-a-school.md 
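Review bot: In chromebook-migration-guide.md, the hybrid paragraph under "Plan for AD DS and Azure AD services" says objects are "synchronized with Azure AD (including passwords)" and that synchronization "happens both directions". This is a security-relevant statement and should say exactly what credential material leaves the premises and which changes are written back, or link to the synchronization documentation, so an administrator can assess the exposure before choosing hybrid from Table 5. Also in this hunk: the last column of Table 6 reads "Windows Software Update Services" where the product name is Windows Server Update Services. Two cross-references use section titles that differ from the ones used elsewhere in the same hunk ("Plan for Active Directory services" against "Plan for AD DS and Azure AD services", and "Plan for email migration" against "Plan for Google Apps Gmail to Office 365 migration"). Several wording slips should be fixed before merge: "ensure that your use only", "such Google Apps", "teachers, facility, or students", "Table 8 list", "If you do no want", and the missing space in "(#plan-cloud-services)section". The go.microsoft.com links are all http://; prefer https:// where the target supports it.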
@@ -0,0 +1,1264 @@ +--- +title: Deploy Windows 10 in a school (Windows 10) +description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. +keywords: configure, tools, device, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.pgtyp: edu +ms.sitesec: library +author: craigash +--- + +# Deploy Windows 10 in a school + + +**Applies to** + +- Windows 10 + +This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system. + +## Prepare for school deployment + +Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. Just as with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. + +### Plan a typical school configuration + +As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. 
Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. + +![fig 1](images/deploy-win-10-school-figure1.png) + +*Figure 1. Typical school configuration for this guide* + +Figure 2 shows the classroom configuration this guide uses. + +![fig 2](images/deploy-win-10-school-figure2.png) + +*Figure 2. Typical classroom configuration in a school* + +This school configuration has the following characteristics: +- It contains one or more admin devices. +- It contains two or more classrooms. +- Each classroom contains one teacher device. +- The classrooms connect to each other through multiple subnets. +- All devices in each classroom connect to a single subnet. +- All devices have high-speed, persistent connections to each other and to the Internet. +- All teachers and students have access to Windows Store or Windows Store for Business. +- All devices receive software updates from Intune (or another device management system). +- You install a 64-bit version of Windows 10 on the admin device. +- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. +- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. +- You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. + + **Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. +- The devices use Azure AD in Office 365 Education for identity management. +- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/). 
+- Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices. +- Each device supports a one-student-per-device or multiple-students-per-device scenario. +- The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical. +- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot). +- The devices can be a mixture of different Windows 10 editions, such as Windows 10 Home, Windows 10 Pro, and Windows 10 Education. + +Office 365 Education allows: + +- Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser. +- Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students. +- Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, administration, and faculty. +- Teachers to employ Sway to create interactive educational digital storytelling. +- Students and faculty to use email and calendars, with mailboxes up to 50 GB per user. +- Faculty to use advanced email features like email archiving and legal hold capabilities. +- Faculty to help prevent unauthorized users from accessing documents and email by using Azure Rights Management. +- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center. +- Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business or Skype. 
+- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business. +- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. +- Students and faculty to use Office 365 Video to manage videos. +- Students and faculty to use Yammer to collaborate through private social networking. +- Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). + +For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://products.office.com/en-us/academic). + +## How to configure a school + +Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. + +The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). + +You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments. + +MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. 
You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices. + +LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. + +The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. + +The configuration process requires the following devices: + +- **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device. +- **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. +- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. + +The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3: + +1. Prepare the admin device for use, which includes installing the Windows ADK and MDT. +2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school. +3. 
On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). +4. On the admin device, create and configure a Windows Store for Business portal. +5. On the admin device, prepare for management of the Windows 10 devices after deployment. +6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. +7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration. + +![fig 3](images/deploy-win-10-school-figure3.png) + +*Figure 3. How school configuration works* + +Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide. + +### Summary + +In this section, you looked at the final configuration of your individual classrooms and the school as a whole upon completion of this guide. You also learned the high-level steps you need to perform to deploy the faculty and student devices in your school. + +## Prepare the admin device + +Now, you’re ready to prepare the admin device for use in the school. This process includes installing the Windows ADK, installing the MDT, and creating the MDT deployment share. + +### Install the Windows ADK + +The first step in preparing the admin device is to install the Windows ADK. The Windows ADK contains the deployment tools that MDT uses, including the Windows Preinstallation Environment (Windows PE), the Windows User State Migration Tool (USMT), and Deployment Image Servicing and Management. 
+ +When you install the Windows ADK on the admin device, select the following features: + +- Deployment tools +- Windows Preinstallation Environment (Windows PE) +- User State Migration Tool (USMT) + +For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK). + +### Install MDT + +Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment and is a free tool available directly from Microsoft. + +You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. + +**Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. + +For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT). + +Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices. + +### Create a deployment share + +MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media). + +For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare). 
+ +### Summary + +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process. + +## Create and configure Office 365 + +Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business. + +As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](http://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx). + +### Select the appropriate Office 365 Education license plan + +Complete the following steps to select the appropriate Office 365 Education license plan for your school: + +
    +
  1. Determine the number of faculty members and students who will use the classroom.
    Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan. +
  2. +
  3. Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
  4. +
    +*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans* +
    + +++++ + + + + + + + + + + + + +
    PlanAdvantagesDisadvantages
    Standard
    • Less expensive than Office 365 ProPlus
    • Can be run from any device
    • No installation necessary
    • Must have an Internet connection to use it
    • Does not support all the features found in Office 365 ProPlus
    Office ProPlus
    • Only requires an Internet connection every 30 days (for activation)
    • Supports full set of Office features
    • Requires installation
    • Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
    +
    +The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device. +
    +
  5. Determine whether students or faculty need Azure Rights Management.
    You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx).
  6. +
  7. Record the Office 365 Education license plans needed for the classroom in Table 2.

    + +*Table 2. Office 365 Education license plans needed for the classroom* +
    + ++++ + + + + + + + + + + + + +
    QuantityPlan
    Office 365 Education for students
    Office 365 Education for faculty
    Azure Rights Management for students
    Azure Rights Management for faculty
    +
    +You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide.
+ +### Create a new Office 365 Education subscription + +To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. + +**Note**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains). + +#### To create a new Office 365 subscription + +1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. + + **Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following: + - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**. + - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**. + +2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. +3. Click the hyperlink in the email in your school email account. +4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. + +### Add domains and subdomains + +Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. 
For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. + +#### To add additional domains and subdomains + +1. In the Office 365 admin center, in the list view, click **DOMAINS**. +2. In the details pane, above the list of domains, on the menu bar, click **Add domain**. +3. In the Add a New Domain in Office 365 Wizard, on the **Verify domain wizard** page, click **Let’s get started**. +4. On the **Verify domain** wizard page, in the **Enter a domain you already own** box, type your domain name, and then click **Next**. +5. Sign in to your domain name management provider (for example, Network Solutions or GoDaddy), and then complete the steps for your provider. +6. Repeat these steps for each domain and subdomain you want faculty and students to use for your institution. + +### Configure automatic tenant join + +To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. + +**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. + +Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. 
For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: + +- If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. +- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. + +You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. + +**Note**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. + +All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). + +*Table 3. Windows PowerShell commands to enable or disable Automatic Tenant Join* + + +| Action | Windows PowerShell command | +|------- |----------------------------| +| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`| +| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`| +

+**Note**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. + +### Disable automatic licensing + +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. + +**Note**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. + +Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). + +*Table 4. Windows PowerShell commands to enable or disable automatic licensing* + +| Action | Windows PowerShell command| +| -------| --------------------------| +| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`| +|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`| +

+### Enable Azure AD Premium + +When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. + +Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). + +The Azure AD Premium features that are not in Azure AD Basic include: + +- Allow designated users to manage group membership +- Dynamic group membership based on user metadata +- Multifactor authentication (MFA) +- Identify cloud apps that your users run +- Automatic enrollment in a mobile device management (MDM) system (such as Intune) +- Self-service recovery of BitLocker +- Add local administrator accounts to Windows 10 devices +- Azure AD Connect health monitoring +- Extended reporting capabilities + +You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. + +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. 
+ +For more information about: + +- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). +- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3). + +### Summary +You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. + +## Select an Office 365 user account–creation method + + +Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: + +- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. +- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. + +### Method 1: Automatic synchronization between AD DS and Azure AD + +In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. + +**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396). 
+ +![fig 4](images/deploy-win-10-school-figure4.png) + +*Figure 4. Automatic synchronization between AD DS and Azure AD* + +For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide. + +### Method 2: Bulk import into Azure AD from a .csv file + +In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. + +![fig 5](images/deploy-win-10-school-figure5.png) + +*Figure 5. Bulk import into Azure AD from other sources* + +To implement this method, perform the following steps: + +1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires. +2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section. + +### Summary + +In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts. + +## Integrate on-premises AD DS with Azure AD + +You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. 
+ +**Note**  If your institution does not have an on-premises AD DS domain, you can skip this section. + +### Select synchronization model + +Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect. + +You can deploy the Azure AD Connect tool by using one of the following methods: + +- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. + + ![fig 6](images/deploy-win-10-school-figure6.png) + + *Figure 6. Azure AD Connect on premises* + +- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. + + ![fig 7](images/deploy-win-10-school-figure7.png) + + *Figure 7. Azure AD Connect in Azure* + +This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx). + +### Deploy Azure AD Connect on premises + +In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution. + +#### To deploy AD DS and Azure AD synchronization + +1. 
Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/). +2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account. +3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). +4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features). + +Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. + +### Verify synchronization + +Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console. + +#### To verify AD DS and Azure AD synchronization + +1. Open https://portal.office.com in your web browser. +2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365. +3. In the list view, expand **USERS**, and then click **Active Users**. +4. In the details pane, view the list of users. The list of users should mirror the users in AD DS. +5. In the list view, click **GROUPS**. +6. In the details pane, view the list of security groups. The list of users should mirror the security groups in AD DS. +7. 
In the details pane, double-click one of the security groups. +8. The list of security group members should mirror the group membership for the corresponding security group in AD DS. +9. Close the browser. + +Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. + +### Summary + +In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly. + +## Bulk-import user and group accounts into AD DS + +You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. + +**Note**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. + +### Select the bulk import method + +Several methods are available to bulk-import user accounts into AD DS domains. Table 5 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS. + +*Table 5. AD DS bulk-import account methods* + +|Method | Description and reason to select this method | +|-------| ---------------------------------------------| +|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. 
For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).| +|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| +

+### Create a source file that contains the user and group accounts + +After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. + +*Table 6. Source file format for each bulk import method* + +| Method | Source file format | +|--------| -------------------| +|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).| +| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. 
For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| +

+### Import the user accounts into AD DS + +With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. + +**Note**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. + +For more information about how to import user accounts into AD DS by using: + +- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). +- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx). +- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). + +### Summary + +In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. 
+ +## Bulk-import user accounts into Office 365 + +You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires. + +### Create user accounts in Office 365 + +Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. + +You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). + +The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. + +For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). + +**Note**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. + +The email accounts are assigned temporary passwords upon creation. 
You must communicate these temporary passwords to your users before they can sign in to Office 365. + +### Create Office 365 security groups + +Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. + +**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. + +For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). + +You can add and remove users from security groups at any time. + +**Note**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect. + +### Create email distribution groups + +Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student. + +You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. 
+ +**Note**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. + +For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). + +### Summary + +Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. + +## Assign user licenses for Azure AD Premium + +Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost. + +You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users. + +For more information about: + +- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). +- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts). 
+ +## Create and configure a Windows Store for Business portal + +Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following: + +- Find and acquire Windows Store apps. +- Manage apps, app licenses, and updates. +- Distribute apps to your users. + +For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview). + +The following section shows you how to create a Windows Store for Business portal and configure it for your school. + +### Create and configure your Windows Store for Business portal + +To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator. + +#### To create and configure a Windows Store for Business portal + +1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar. +2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.

**Note**  If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. +4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept** +5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**. + +After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal. + +*Table 7. Menu selections to configure Windows Store for Business settings* + +| Menu selection | What you can do in this menu | +|---------------| -------------------| +|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).| +|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).| +|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. 
LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).| +|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).| +|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).| +|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).| +|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).| +

+### Find, acquire, and distribute apps in the portal + +Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business. + +**Note**  Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business. + +You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users. + +For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business). + +### Summary + +At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users. + +## Plan for deployment + +You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. + +### Select the operating systems + +Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. 
In the case of: + +- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. +- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. + +Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: + +- **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home. +- **Windows 10 Pro**. Use this operating system to: + - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro. + - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration. +- **Windows 10 Education**. Use this operating system to: + - Upgrade institution-owned devices to Windows 10 Education. + - Deploy new instances of Windows 10 Education so that new devices have a known configuration. + +**Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home. + +One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. + +**Note**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. 
+ +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. + +### Select an image approach + +A key operating system image decision is whether to use a “thin” or “thick” image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed. + +The advantage to a thin image is that the final deployment configuration is dynamic, and you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment. + +The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image. + +### Select a method to initiate deployment + +The MDT deployment process is highly automated, requiring minimal information to deploy or upgrade Windows 10, but you must manually initiate the MDT deployment process. To do so, use the method listed in Table 8 that best meets the needs of your institution. + +*Table 8. Methods to initiate MDT deployment* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
MethodDescription and reason to select this method
Windows Deployment ServicesThis method:

+
    +
  • Uses diskless booting to initiate MDT deployment.
  • +
  • Works only with devices that support PXE boot.
  • +
  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
  • +
  • Deploys images more slowly than when using local media.
  • +
  • Requires that you deploy a Windows Deployment Services server.
  • +
+ +Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.
Bootable mediaThis method:

+
    +
  • Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
  • +
  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
  • +
  • Deploys images more slowly than when using local media.
  • +
  • Requires no additional infrastructure.
  • +
+ +Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.
MDT deployment mediaThis method:

+
    +
  • Initiates MDT deployment by booting from a local USB hard disk.
  • +
  • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
  • +
  • Deploys images more quickly than network-based methods do.
  • +
  • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
  • +
+ +Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk.
+ +### Summary + +At the end of this section, you should know the Windows 10 editions and processor architecture that you want to deploy (and will import later in the process). You also determined whether you want to use thin or thick images. Finally, you selected the method for initiating your LTI deployment. Now, you can prepare for Windows 10 deployment. + +## Prepare for deployment + +To deploy Windows 10 to devices, using the LTI deployment method in MDT. In this section, you prepare your MDT environment and Windows Deployment Services for Windows 10 deployment. + +### Configure the MDT deployment share + +The first step in preparation for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 9 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 9. + +*Table 9. Tasks to configure the MDT deployment share* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskDescription
1. Import operating systemsImport the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench).
2. Import device drivesDevice drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

+ +Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). + +
3. Create MDT applications for Windows Store appsCreate an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.

+ +Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.

+ +If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.

+ +In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:

+
    +
  • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10).
  • +
  • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
  • +
+ + +
4. Create MDT applications for Windows desktop apps +You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

+ +To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).

+ +If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

+ +**Note**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

+ +For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). + +
5. Create task sequences. +You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will: +

+
  • Deploy Windows 10 Education 64-bit to devices.
  • +
  • Deploy Windows 10 Education 32-bit to devices.
  • +
  • Upgrade existing devices to Windows 10 Education 64-bit.
  • +
  • Upgrade existing devices to Windows 10 Education 32-bit.
  • +
+ +Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). + +
6. Update the deployment share. +Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

+ +For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench).
+ +### Configure Window Deployment Services for MDT + +You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers. + +#### To configure Windows Deployment Services for MDT + +1. Set up and configure Windows Deployment Services.

Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources: + + - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) + - The Windows Deployment Services Help file, included in Windows Deployment Services + - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx) + +2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). + +### Summary + +Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. + +## Prepare for device management + +Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. + +### Select the management method + +If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases. + +For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution. + +*Table 10. School management methods* + + ++++ + + + + + + + + + + + + + + + + + + + +
MethodDescription
Group Policy +Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you: +
    +
  • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
  • +
  • Want more granular control of device and user settings.
  • +
  • Have an existing AD DS infrastructure.
  • +
  • Typically manage on-premises devices.
  • +
  • Can manage a required setting only by using Group Policy.
  • +
+ +The advantages of this method include: +
    +
  • No cost beyond the AD DS infrastructure.
  • +
  • A larger number of settings (compared to Intune).
  • +
+The disadvantages of this method are: +
    +
  • Can only manage domain-joined (institution-owned devices).
  • +
  • Requires an AD DS infrastructure (if the institution does not have AD DS already).
  • +
  • Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess).
  • +
+
IntuneIntune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD. +Select this method when you: +
    +
  • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
  • +
  • Don’t require the level of granular control over device and user settings (compared to Group Policy).
  • +
  • Don’t have an existing AD DS infrastructure.
  • +
  • Need to manage devices regardless of where they are (on or off premises).
  • +
  • Can manage a required setting only by using Intune.
  • +
+ +The advantages of this method are: +
    +
  • You can manage institution-owned and personal devices.
  • +
  • It doesn’t require that devices be domain joined.
  • +
  • It doesn’t require any on-premises infrastructure.
  • +
  • It can manage devices regardless of their location (on or off premises).
  • + +
+The disadvantages of this method are: +
    +
  • Carries an additional cost for subscription.
  • +
  • Doesn’t have a granular level control over device and user settings (compared to Group Policy).
  • +
+ +

+ +### Select Microsoft-recommended settings + +Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. + +*Table 11. Recommended settings for educational institutions* + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RecommendationDescription
Use of Microsoft accountsYou want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

+**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

+**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

+**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. +
Restrict local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).

+**Intune**. Not available. +
Restrict the local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).

+**Intune**. Not available. +
Manage the built-in administrator account created during device deploymentWhen you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

+**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).

+**Intune**. Not available. +
Control Windows Store accessYou can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.

+**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).

+**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. +
Use of Remote Desktop connections to devicesRemote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

+**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

+**Intune**. Not available. +
Use of cameraA device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

+**Group Policy**. Not available.

+**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. +
Use of audio recordingAudio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

+**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).

+**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. +
Use of screen captureScreen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

+**Group Policy**. Not available.

+**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. +
Use of location servicesProviding a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

+**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.

+**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. +
Changing wallpaperDisplaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.

+**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.

+**Intune**. Not available. +

+ +### Configure settings by using Group Policy + +Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. + +For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx). + +#### To configure Group Policy settings + +1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx). +2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx). +3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx). + +### Configure settings by using Intune + +Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. + +For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/). + +#### To configure Intune settings + +1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune). +2. 
Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646962.aspx). +3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/en-us/library/dn646984.aspx). +4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646959.aspx). + +### Deploy apps by using Intune + +You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution. + +For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/). + +### Summary + +In this section, you prepared your institution for device management. You determined whether you want to use Group Policy or Intune to manage your devices. You identified the configuration settings that you want to use to manage your users and devices. Finally, you configured the Group Policy and Intune settings in Group Policy and Intune, respectively. + +## Deploy Windows 10 to devices + +You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. 
This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10. + +### Prepare for deployment + +Prior to deployment of Windows 10, ensure that you complete the tasks listed in Table 12. Most of these tasks are already complete, but use this step to make sure. + +*Table 12. Deployment preparation checklist* + +|Task | | +| ---| --- | +| |The target devices have sufficient system resources to run Windows 10. | +| | Identify the necessary devices drivers, and import them to the MDT deployment share.| +| | Create an MDT application for each Windows Store and Windows desktop app.| +| | Notify the students and faculty about the deployment.| +

+### Perform the deployment + +Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. + +**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx). + +In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. + +#### To deploy Windows 10 + +1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. +2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Running%20the%20Deployment%20Wizard). + +### Set up printers + +After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. + +**Note**  If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. 
+ +#### To set up printers + +1. Review the printer manufacturer’s instructions for installing the printer drivers. +2. On the admin device, download the printer drivers. +3. Copy the printer drivers to a USB drive. +4. On a device, use the same account you used to set up Windows 10 in the [Perform the deployment](#perform-the-deployment) section to sign in to the device. +5. Insert the USB drive in the device. +6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive. +7. Verify that the printer drivers were installed correctly by printing a test page. +8. Complete steps 1–8 for each printer. + +### Verify deployment + +As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following: + +- The device can connect to the Internet and view the appropriate web content in Microsoft Edge. +- Windows Update is active and current with software updates. +- Windows Defender is active and current with malware signatures. +- The SmartScreen Filter is active. +- All Windows Store apps are properly installed and updated. +- All Windows desktop apps are properly installed and updated. +- Printers are properly configured. + +When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. + +### Summary + +You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use. 
+ +## Maintain Windows devices and Office 365 + +After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: + +- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. +- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. +- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration. + +Table 13 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. + +*Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them* + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Task and resourcesMonthlyNew semester or academic yearAs required
Verify that Windows Update is active and current with operating system and software updates.

+For more information about completing this task when you have: +
    +
  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
  • +
  • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
  • +
  • Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx?f=255&MSPPError=-2147217396).
  • +
  • Neither Intune, Group Policy, or WSUS, see [Update Windows 10](http://windows.microsoft.com/en-id/windows-10/update-windows-10)
  • +
+
XXX
Verify that Windows Defender is active and current with malware signatures.

+For more information about completing this task, see [Turn Windows Defender on or off](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03).
XXX
Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

+For more information about completing this task, see [How do I find and remove a virus?](http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus) +
XXX
Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

+For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing).
XX
Refresh the operating system and apps on devices.

+For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. + +
XX
Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

+For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. + +
XX
Install new or update existing Windows Store apps that are used in the curriculum.

+Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.

+You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. + +
XX
Remove unnecessary user accounts (and corresponding licenses) from Office 365.

+For more information about how to: +
    +
  • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e?ui=en-US&rs=en-US&ad=US).
  • +
  • Unassign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
  • +
+ +
XX
Add new accounts (and corresponding licenses) to Office 365.

+For more information about how to: +
    +
  • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
  • +
  • Assign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
  • +
+
XX
Create or modify security groups and manage group membership in Office 365.

+For more information about how to: +
    +
  • Create or modify security groups, see [View, create, and delete Groups in the Office 365 admin center](https://support.office.com/en-us/article/View-create-and-delete-groups-in-the-Office-365-admin-center-a6360120-2fc4-46af-b105-6a04dc5461c7).
  • +
  • Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
  • +
+ +
XX
Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

+For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange). + +
XX
Install new student devices

+Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. + +
X
+

+### Summary + +Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified. + +##Related resources +

    +
  • [Try it out: Windows 10 deployment (for educational institutions)](http://go.microsoft.com/fwlink/p/?LinkId=623254)
  • +
  • [Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255)
  • +
  • [Chromebook migration guide](http://go.microsoft.com/fwlink/p/?LinkId=623249)
  • +
+ diff --git a/education/windows/index.md b/education/windows/index.md index 7d202e116d..0ef9f4d787 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -14,7 +14,8 @@ Learn about using Windows 10 in schools. |Topic |Description | |------|------------| -| tbd | tbd | +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | +| [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | ## Related topics - [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index) \ No newline at end of file From 876cc3f8b2363b7340fff2cddd29f02d7f6fd6a7 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 12 May 2016 08:01:24 -0700 Subject: [PATCH 005/169] video test --- education/windows/TOC.md | 1 + education/windows/video-test.md | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 education/windows/video-test.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index f02d261fd6..ed1484d8f8 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -1,3 +1,4 @@ # [Windows 10 for education](index.md) +## [video test](video-test.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file diff --git a/education/windows/video-test.md b/education/windows/video-test.md new file mode 100644 index 0000000000..f9801a49d8 --- /dev/null +++ b/education/windows/video-test.md 
@@ -0,0 +1,17 @@ +--- +title: video test +description: In this topic I will embed a channel 9 video. +keywords: ["migrate", "automate", "device"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Video test + +Does this work? + + + +Did that work? From 3364685604942f82fe43808e5815945bb0d77b17 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 12 May 2016 08:03:38 -0700 Subject: [PATCH 006/169] copied image --- .../images/chromebook-fig1-googleadmin.png | Bin 0 -> 94575 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 education/windows/images/chromebook-fig1-googleadmin.png 
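Review bot: In education/windows/deploy-windows-10-in-a-school.md, the three links under "Related resources" use plain http://go.microsoft.com/fwlink/ URLs; change them to https:// so the redirect is not requested in cleartext. In the same hunk, "##Related resources" is missing the space after the hashes that "### Summary" has, so it may not render as a heading. The support.office.com links also carry "?ui=en-US&rs=en-US&ad=US" query strings that look droppable; check that the links resolve without them before trimming.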
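Review bot: education/windows/index.md still ends with "\ No newline at end of file" after the "Related topics" link; add the trailing newline while the file is being edited, so that a later append does not show that last line as modified. The same marker appears on the last line of education/windows/TOC.md in this series.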
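Review bot: education/windows/video-test.md is a scratch page ("Does this work?" / "Did that work?"), and the same commit lists it in education/windows/TOC.md as the first entry, ahead of the two real topics; keep it out of the TOC until it has real content. The front matter keywords ["migrate", "automate", "device"] do not describe a video test and look copied from another topic, so they should be replaced or removed.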
diff --git a/education/windows/images/chromebook-fig1-googleadmin.png b/education/windows/images/chromebook-fig1-googleadmin.png new file mode 100644 index 0000000000000000000000000000000000000000..b3d42e5ff24d6e09ebefe8b8122e852bd1676a76 GIT binary patch literal 94575
zLs(eRV*}83&6M=?x`d3hjOVw8B->gPMbUn+H5JE_;xZ6Ow=%aDOK8)zaSb;V6Qb+tc&&@SekM zy=vLqp;hEm9X1iT0nq;ct&k<10+BfR5n^M1qeR>_NYGaZ(TXyVlZ$FPX(!3c1sIoK z#htzoA`>vMKUM#e?b{@RMEm*xJI%*#0Z*T<&V;=H^bVUk~zTwGjqe0<#8OLJ@9 zPF8dj92D&Ai1%`qmb8a~In@%_cmxE2EZA{L>FG`He?CMg^gOZ?5oND9>u}|Fcawld zgqjlr0s_iUt$r}HV<^ez|P1g08AgHSC0g@PqXke!5oTg)v zsRo?QVMU_#N|jaA9*_}?jE()V`pC)YD=GlA69^)~Tsi&;PsdWC9A;llAs{E8_vRL8 zfeREQy`LqVCjS2`6SF6Y-g@*_PdCk}LdKq)5k=x+&Q(u`B=zbx&E-LvsGju}*(^+|P~g$+KHx&jY4kI3tbWOA z9-KkaPf(G3cK_^KFC5;Fm6*wDKv~oy9^KzJ;F%@Z>HGdB{q{zC#zL&200>cY_3!WQ z2zY(k>*`L*WYYm6?>8{yaUJ$KLqg7`GCh3-P%(H~TmNJI`xSE}5@J)qvMv`(I~N!4 zQv*btY;5>^PM-*9-)@Tpa}XO^KIRzzh$a$@62PK8^AdbMBy~kb?m9HH&|K!uNDLnV zDo{?sQPB@YP38@@LnpP zF>PdQS?B2Nd`BAuN;G(c(0E4w-+59!2Dh756x}g za=Y<}RGW-M{Px~iW>)N$>k+DlScbF9Z>OW_s7zi@V6L$8Gjsr8S9-BjcK}>(OHICl z4rIR!PiU*!11JfH^uLjpFSj_Fs;IC})BoeH8XFr|^=(9y9D%_wiG;_qi&2LmO5Z2+ zOna1%{0t0lr%QF?2N{Cz+m5}8axzl)mzT;^=s*+=?R{#Le5mb(nIJ%ERi0I@waI7k z>>WBaR&)@&0}$!&yZIko#Kc%$-U9F2;X4CovU<}NSO{W05Yh{i#q?Ed2==n&X_>5_ zL}^1n%Q$D-5&c~8jjG9yWtQ-p;EMbZ(A~Xrf8XYECMPNB-<6(}6*VqJDW5Hzh0HfcDVIe@Mb(?kPQ&xO z{(#1;-8ppwmpN%);N~UpY+wL~n)TIk;Uq)8iHh{dE1AEkdX(#%EBn|$aUcZs5WRr;?Q?3>xEvX7chlwU z(F|bNXBUOV_zW056LGqZj5AWv0jyC3ht;B8{}ddK01GSYl{4t4WVtBp31jCg3pH~I zFcVbR2&4UlSqHiSEq|i*LDFgBQ(UW7dd(j<<7yIBoKEk}+{7@=j$GKuu4DtBj)Rn= zBUU5}M+)J>Ko$YQQNFOX{;4e21km!S??AD(^$S`^*Fj_;BcMr|nc#~&0(Kr&_d^Q2 z;p>C%W6$pH?0m(K8a`THSRzqQ*N4b#>+;GHY6faT0=zzl*)||LM(+a1P{BI<83_$i znNu0;@hAR@7#TT!F#fO4v{@-K2qxNcjWg3x;j5x!viz;6?HD)%t-}oUhC5d4W{l6r zI+xy8@8Yw5{WO~rJGO~86HE)mLKpY~2AbG1;bM&UsCX(Ss!vELdf5Ghc6g|$!^-NL zjvwr6px1Rfy8L`=zKqFe)|rhWC5*5e1w%fXd{^og`4Bx?t3^T9@-q+G##y=3-byo* z1MuX2Bam=#2y5v!sD0nUWXE8__F{bAj%Te<-Epdh9+&{^c*k*ZE;f%<(`dJvAw!Ix z&FYr$y=ZoJ&_bHE@DT)Z_8Ir~j>(XK&H_OxgK^rO>A`XsUn8J}pjkJ3Kf(hy@+hff zZf5aI)O4HsXD%yzRG+_in9y>DZy}v8w7i zO2cc0)O_}bNSK5n7XLI6 zSWN&1Ahg~A$kc3jVsv=d4yMl0;frfwO-ZUb#l*;n$d0m%)xT~KphH$~T$jj${IK0} z?RTw81O)?W8C$W!BZ$v9%x9`2BwVPyoZp~K0T*=_IgZf| 
zD>T>csk)Fp6DVe?z+ays5Yw0(Zmy>;C`edPV~r;Tzbtia@`7yp0U^ykFqG27#aq9B z`9ylSs;;Wps6`o^!k&`b2i*%A`RYMtl+ODZ5&7ow?;ml<8mrB>AjxpF-eibM*%)~7 zD3Dn*Bn9f;0W36ht`dd=4k=8Zs9o7IqwO^!1;xad|2wOszA^~+c6#WxkJRAPk=Bfs23V= zs~q0pg%yE;iISiLgTZ~A2&yz@@Fs}W>T;$NQj|srb|_2;*G=yl z&?e~tuC%{g7XdDbU+oG5I!Y0a9CZyIfI2k9{MTS-JPQag{$c3wkXTSVCE7G+BfCwS zQ65?}{cV$m-^gkWP`fGsebL7UH<$L^_9M4B*EcsnBOJVe ztKt;#>FV;*? zRzm^D-xs$D$`rN}Zk2?g(uS)Iu=~3$=#TVk9Gy3WP-)o=AzR~IR{G@@FU!0>LEnt3y^|_6 zAz^oCC!7P9jW5T%u(6WxLQuz~v+W#Ko5swy3-1#pq*gkFf*S}rW|wGFS6O*9LP7jQ z0Cz{|2N&Ju@4mx%;t1`4cwRPiAM(eYw$?UF88;d~X>2I7Ed(H$Ja7a3lboDnA6}(0 zy?m81K3+F=-W=Q-som=@RNTnr<&{6OZg%!qlj^BSSumKUrUwvJm))B#o8xOb zMvILpw?Jhcg0GSVe@F-5Ou$(sS)%vg=Ir!zvsZnXLI#B}{J)<*SeOd!6Xu7K2bCLz z9t0N>Ml_1|0)-ui=tke85P+G*smPMlN9u)9s6i8)pB@Wyy56pBv|6WUZ}eHOH2w(7 zNgfJQ10eLEUQNk*DF9g${vQnOAB6TF1LwLF;d=*K4>@$Ffss=x)B5ThxqNJb31WVzJI^hGf12S zRZ5T|{bZ9SzDzvu=4TyVpVkoFzk`%;A^_8Ev)7`hBIXXC zgA**2T6^W<^&lsm8kWOMFu0#?ql0N{vKZ6Su2=t zFI7-P`66=fqzwBKuKlwn1GY{*h_TgXScy|-oe<@7AR-u3EtaNH{vDqx8~C>pjF>G4 zg|g(zV_3(hf2(~$G1Wo*f0tdtNd#5JNfP7uq}dimRQG`Q`vi^&+rq@g9J7%Fv2!Yc zWW=EIvZd1QHf6-k$da}naQbQ;BxkwHXK}EG+bEA=(Jy~AAv8h4y8LDHr0oNh^(T6NTZYY9z zE~Au|R7|d1Ihu#qD+}FXxE?1*!q62fF|w3`2qw< z0gLH$W`#a9>U?vE2~AeQ4l_DiM?qllY+5g-JWP?mv)Mg6Vy{2NpGulK8-j7w`#Dlf zP*A`)OooHqQehk$0*elXnr%_5EPLS?3!%Rc<%sS+LxG)xLi|EPsYpBrUz_wmG(Lr4 z(-lzQ1Guwy+2QRC#6ZJ{KlaG&{>MoTI4pe}39{_;?Aa7_R)-3q(kbcv+imW@iy1m4 zC}s7i4H~giep!lfykwer>mHI$^20#mKJe}u$P7{xP&_YY3J*#tycL0(%$+0Uu@$}FMt>fz-$ItDt1-fCJM zT00Mxo6C5OpV@=;Jzo2Eq_Jk~ab`*+2cp?XV%ZPpkJ(c9RkRurZ>DpXsiPa72_3kr ztpfSZ-cAEz|K6k>MF?4q=?|8J80ZuQ#iW(1y*@6jJj^59Bw;R$9F>-b`l$SR;>k2? 
zq{dfZ!N>ai%G5E6Ki&JZCL%DpkjSlJGeWFNyN2vq%2?NxTg+#Qol!DB6F-&wVVf#jAtAIjbC4F3L@7bOvI zx@i$5=MJVA8)pnK*~2p0_o*=Fb{DSc^^joW`GdC;CHX{xqf3W}8TEj8RYii5Fw|^K z5QQCh-*URcxS!>=o=<_wAMfa7+0fblYmCUkon_>_-!fc9-Dto3+&Aq5@hh~89`{KDI-Gs7>MlxNg)vZC2xr~(=b2eip z?L|_Kk!A(eS66J2iPzenUMyT)!CnaNku-Sbdh$;u2)SOOO>_lfgM=zTB&2&2zvu5e zxQC?omH=WjFwM`2{l8sh*X*7BuCG7lHBi9cS?Y>RP1tzWGQ@a!i&9fFGqbW3OO)fK z$n!oId}pGlCq#{OwsV7eWv=m(Dp!b-!Z?ksv6Sq^!LLnX)zsZ~!4aWIKYVoL9@wCE z>AFUObCq4pqC|bD8meCTe%1*o8MH1^fgh}kw7_WjrQ-Ae6_&|NAjg5OJtaCS6z8t6 z(3`F$Wz0GB9Fclc9OGsRLU*3sp20tOY)whM>xnNSOSTw2!AVAs?yax9i!f`N(UPh} z^V4|>56N8mJfuob9L_Bn?w4{TRBr{A>l3p1cQT|`HLrJ(8gFqA=m8JLlUMUm;9{bM!x0e2<&Q=fDX22qf0=DmaHU42_I_=o8jI_1s^Zom}pyagl3KN zIOKkXE;|N683)LXT8-cN&@EGBDK!`X&Ep75yqSkf6f?;$$7NB~HD8GrqUlf{ivlv1 zuF#Ugu~fbMnG@utC1NhZn0)0jpkJxjc6ubu!;n2o97}GX=Ob9M+hrt0r)Y2mtla3qpkyx*->f`{dyGE=oxn z1x!Vhq!n^v|9xdJuh)Ex_*3xTju<$wwAF6Wpt_3|>4c74hDtcVhd)HfjMLFg9o?$h z^HBakozz4A7-9v_SVvJ>vpMxg+fw+U5^m!Kls~qk$YGiL@a(*g3RZ;&%W;U?&^fND zZ{2GY41`EU=e(`0`mgcbGYFU-P}y>F-X>2!>JFn3DN_jk8u#ecWH6A^NAdcmMm-ZO zz)X#TU|?Z7Z-7Qz>!G&s&E&~hqPN&pM$=V3x?wew0p|idDq^R3F@9s5MAne}PGNVD z#)PMLXwMo#7~SB_W%5w0DMqFVK)t7eyV`$S)$UHPj@K_Me3htQQ-3{lP5p)qfseL(47SrmXM!meGhin5} z=o&)&a@emLt4y;sDtky#>7l?Z&&W9oB-l8 zVUmpH#i=PN)s;oy4G|Lc#}d#Tv+YR3 zF`puhrPdi|^8~Xm-6ZVagwR5~d~@KQ#`x{L4Y#)e49M+zS8~PsC5R-}ncy`@W_@xw zOHn7?;$9t={D7^gURF*{V<(ady|DQ?2Ezfz-c}D)RvQ}!?kDtk5s@bWIjxK_!9~WA3?=15~FN7 z46yfF*ZZEQac2RS$CGHJpOqU>j?SEh8oo}-9g8TI=j8Gk${>e!HwO40bn3_;qu_W6 ziuj4q)sWfpJq(P0^7f<3wG@9PNuM%Q*Z%jmNMZ`+QSj)^Sqi>3Gi z$t;{;#c}fls#tW=6xL615FfsL1xtM4{sIkXoenY_$B(ulvAB!E-D0179vYz)5l}^$ z{S5vV!C2e_VNOn^Z>}ntrCnVBV7#-xFD)$%_&)U7si>$qySgSPCf+?f0QsC2%gY{~ zo^a~4jEoBw4FFcclWC)`zZHz7tHov|ObNKARcm6YHKnEDHd<>Y&NzY4;GoOY&;Xb) zGBT2$oyJ*2=frva?d`+5@5ac;Okdwe%EG3m31G0K@oaH@b@g<6pM#lM-^OM< zgs9?gF<`9sm5GU*yzlhUe!G*<^R#AbEB1`n1yBf7+(r|`46b;RwQ5X(AiDyeolWYk zSKj`@S^!`n0Z&3|qKek{08S1%zSGyI8(_Qu*j1{ua4g32^*SKo{^R-1=HZ|!fVCqd zM_1R^%ScP}>KkL=VYwc~b=F+z(^{SY&@wzF>L+MjSu}pKFS2A`LMc2#*-_%t_2SB2 
zPt67fYTmW$uDj9>?eO$qPO)CYjJN!GbEj%l2qLM|4t*?g0n;b|X5K;pk}HAfBK&SO zZa$g8&y9cQ99`BuPUw;4|J1dhE!fsvZ1iqP?p#Ayq7qvAcouIkpd7kZ13!Byl;Br;jIAXfj~eV;0Tg1I}0QkKEAxz zva{s!yLx?h2+Pd;n})nl{{Co)hKA-W4gUjh9I;ud4Gyw!B1Fe8@7NeX+A*}^0*}$t zaoDbpk|hEdS-&6)OLu+i_IB>rkH*ENr7dAG+v{84;P5xlOu1-jrPr2Qy_W@X2vNH9E47<2$$_joy0pWsX%InXru)+qAb2052By*qb=KE?-3~I>+FTC~ zurheOTMvA00x;TNuW9>#BHxhkdo7ajPyjPRu%GJ;2jqVI`00qaLydq@B)4x1q7?jC%lzXMSJ zBWP~ibnxL}adC0y7sNduD#|O|_)pi`kclqg^qd0%Yinz_5q|mIpDvAnbPN6X-n-$E zd+Ct^c}*-de_jkNJ`PUhU9`V2EX`vD03_ zS8SE}?WA7Ak3Z*1;w3^{N~*DjZ)I%`6<#GM_-^V&fOF)XKf{nHurCZMaP$h^~;u7{f8^J=4{3C&ggXiHGO?4NibapDc2nTWL(NZ6*4BD2?RJKOuxs6s)8Nu<$gOLRnQiY|9Q+QkEOIYRki;7`Z z-Vc^tzF!DKXRgqJ1hq2RdrpH_rh^9 z;R-sK`@D7FaHHL14>sA13!NRM(IZ5?6;2Y^YUztk=8lY4Ym%v zAF&t@oRmsp6VYvMrOh9tX7kmM_h%84*`uRm$BL8@7DGxbRw#>))Hk@zu}agX>G|~1 zKE3R}zVfMltA{aHxwiqot6zhUF zsyZu6r$2-;CDapl=hKed9>kOozJr%AByBqGoimpT4F)n_yx$;mzj+S7a|VzZ09f>a z5%kLPcX$2Y{6j)uYIW<*I=td)8g}@)e~*(%_Jgxm>>@F76Jt3!9naFz=ger4ax@CI z1%VNdSEaRFfB-gftd#K9_6A({7orSxe>V+@@U5;rjRfm03=i3=mbFl+&udK3_g*${ za2@bN8{FPHL{polJk#PvhMWwlwsT2Vm$V}{&&x!2n{FQ!FouRCSF7Z0%^UAjU)nKv z1Jaq}CbZy#BPev#k>@HtuI8S!Pl9Y&iq{4EMhBbG54X3yLLup+OMSu8Bjq?+oqW^v z?f9tO#{HI<7zDxcG_3J(>;+PH@cSd1bbx2nCpfsir!d#-M6Qukt-yDTWN|Aie0jz@ zgp1=6A=UdE+zw;cmz&q7s=$U5Cpyz6e`%+U2^Mg%+4xT63ABp?qi~&eNQ(&bL^n6 zbHF{uf%@X=Y$P*})7{Mj5Uks!UJ5&OK4~|9K}Rna+sWSm&<%4uy)yVJTz z!ep;|x!vgJ<`(TEZ$H%If4oZ^h2d^-mz9k~M2u`Nw)e4IW@8F(^LA07QeaYsQ_8qn zs{3P!`P)y`K(ElmBse&@e2R8>R@ovKwRdrST}WLjTnvggG(23K2!)KDpC1hmOI`x$ zIb2Vo8QIo++;4*WZ(z{9el7bD(WfI-0ox0l$;KF#N<}qOEM#g!Lx{`J$DrOffB(nc z-sw10IY_n0Bs2ZDYx!9P3kzJWz`T7AWF&-NA?o0$-vdpIpFa|$=_-6O-8!~2Z-z!h zyrT&eNumv~%eE5{2I34RUm|pKq;XPH+1VSQ{xV&^?V|rZ33})<$HNPd0fM3xe=7(o zvuYuSC1hrbydkdhw{w8d_#x5`;r~#ofQ6>CB4K*eAcjx;dF??QK4a5?d^d-Mb6ydA zD@|_=qWN=~4an=BdbFGIPw==@D3lM2a>@&Z+Un1zfbNZ9BewxnsmaCTO^ExctlRb8 zd9AIx~(f85E z%dmwnVs|SXP6{iID4unto~S1crJe=~ylOKXglgrS?UGiI; zg*k>^-`c_;SI+|}wgCqjCW;Wi{EI>+Cc09%GZ)npBrb01w|JQuI9#k`Mh?jQcf5Ef#>dSye=x6H 
ziH0~+v(Q`%nSMhKqQE80R&kcCzm;>RG;=ulY5&J`9%&_ntw0Uwv7m7$E1K>!`0Ez+ zNEuO=J!Z=KK7PTyj8$E;GEv$}plhe5h|IKuu;j*Nua}*iTBpl6zmC!>-#%th4YIjg zF}otb#Tyuq=x~(J*4WpiB&C1^qJCrWU4DK&f+<>~MTYUg-`AAJ0OMqH zhFs8jBSl*34D9u+v&=7#=K&LqL!2q|A}j-VPd)y+8|e-hxgaEqlk9WCsfJsbd9!-a z$ezAZ6z2`}e6X(JXHUSZ#vXen#2Jpf!x3J3iCu)dL8PEG_NOM=6)_Y#mXE2asqZ@k zYYs6wwtaez4!h-Lh*KmBMC>rlc}z_#jf+qAB_Xlp2Xs%aS-XD~5y7>1EVripm=9|K_J(D=W^ zED=Kbn~?yux4&5~<19#9gjJ2v32EF*$nezwC=MXIG8aHUCl**fG*o(LJn0^1Njkp6 z1Vor%B{At?p$>9$M|=LZb;86Fh@2_=DWy!hnEw>MUuuTqso)fEM&hq`XF(#2#%Ssc zW9)*-9?2tqRMf2rdlKkhA)-8*Xu7o+{2V*<6#A+o+qo`_sWHjPB;ZO?jiO>qusX}j zV~I6?`z-_dUuSSU2jcH}wylZsH-|*|@lyCn%j$f-$eIhUAp2O^e@L__zH8 zLIYEv{a);88vQIgzL0F6U7 zNky(_DfK65*Kcg-EgkKZV-d%;dby66fkc5J`rjevwgK~jS?3gOw+`y>3uA6YBVF3# zFRmG)_c)pSdb{q*)tP4ulsT1q#=`#r>^EYG?46y06z{8-3bzhVv=w0{somIkh#f0xU75{1J8UI>!4 zcm}eKBX{$d#{i6D-rfF>g}ji_$axLiqr})A2DaE5EyDkKhmT7~S5dH$<6bmTu#G(D z8y>4>e`_i%Wt%Elsqz}A^5Rz(g0-*XM*cgs!1eY2b7cYj?Z0aY?tizyzHESi=e(}& z_wU`^B{M~U4R)0+6EK37c7uH=cxPo%xweP`D^SELmnCW zimIx6!$(yVLAtw3TDn1zkWT4Fy1PNTL8QC8yFt3UySuyLO#OZ1e{s$k=kBbl?Z7?O z+H0*j=R2SG39u4P?W0GFPK}RqvazvoGyaZN>%o3;eO)K|RWFE8rnj(Q zo&?Wn1WQX-mqbzQ-{ZmiGd@1fGGLh+y;bPpOIQ4e_TOCce}C5hKTK9Ut_g<9goulL z0p#}rC~&awfdK)F^jNsq=n`2oKsgZ%_%b(Q=;*NmD0?hpi;rFb0liPiQDAlitWn~> z?;`lZ-&ruhaH@YDs9?h@v~Fk6o&#fj-#zEke1ua{n5RxG%ZkHS3P06+#-4T^?-Lyn z^Me!oH(l13r;&xlC)nHD0hmM9nvs;*cBVvKS6BC><>B~vsWCsT(Pn43(qM#+mKN|u z&L?_z^XASr9uN*wQ^sWSDjIXyI63t%wrL-3P8{s)mTE0DwPhkkI9Ajf9pK;)%hzUYC3-jWq=gDpN(0;^IDVb6m5v)eeBAxD3dMNdY=dtTi>G#Hy-| zV4H5VRFq`)cZv`&F9^IoTrjY(Ai%+KxGuT??7z|Rc~NMKs=$Z{q_??E89J7ZKEbv2 zODYnoE^4lieUZ5!sf4q!AyQ5@)%|`iMnS^Vl%}?>IN3}^#aZwBl*>u0rkpAc7MdAo zlD~pU$WvZ&hjv>Q1wR&nDG+?Q&F!m$!_9k> z>CVn>;Qt8pM&`41RtE~1z&@dLuGro+X;Nut_%6kY6UX)L{KHpd1+Wf-bFL0+fs{<7 z=if<1-(30m_4Kl3rLM0>$Hugs7frWPaac_q_qG)G_xD@3*#QSeglYfi$Y#2WjF~&+ zQOUszjh0?rS*59>$x_cr#{Av?uHONDVqyZ*&eY5dIA2+1$n-8J*{-Gt!1atnjQ^4cpv!(|hWGxnW@67+Z(@AKw7%_^^{p4#FG}bR?od&MEF6i|y 
zTFEaEHx(Y7@h?0Bizd5cE6UqX2Z5xmQSI4x^@T1;si`xD%w}dsDo3}Ej|S%4$&$hn zve5-tzpE;&W!T&{b?0vqw$%w!jjf7=*AIDq}7$5`mddrQb4*RX} zigOWir>@mm%(|-it#tVZh_6?45yq(H6DDQ^W0ji;Bb_rHzEP-xL(aHG`A5N|=SwE;595@8gn_@vyM8 z8xCprE6@SFgIUGQA&`bmnbZu85wwY&q>%{ zT~t)m+?`T?j#fq6OZRG#-3?y# z^(J4-2(WffG+kIPUC@LY^i_Z*h1lkmJUF~z3~ z&(jmrrps6^ujTW;yIK;Nd%es*C+5(rCz|Fk_w=d|&j&Ss6nSj$t0f;RC1RDP2d00v zE~5uLp7{k6+;3CsQlBI+N|;a?R^ZaVC>y0Tn`rOkRINGiv&g*DgOO_%P4w%A6zwa` zJ0bTL-GT_neG)r)RjtCqol&Y6-UWN*_Vm=|JGs=G+6yhu`gjio4Y&36$iyDl9?yVc z=;^+#jYuDtW|ACfyP~6W&exVc6IZ9Pg#ERb#ol zRln7&GfRL9{ZXc+p#j`Fv60@ou5kY4WH9^k@bKhQ=7X{(b%%K%Pf+&vXeC$_fq{@s zs(av42wJGb$oubM4QMlZF&5_i4^C?1Il&^&%?ZEj6XY0M1(YIICDSVlVOlCOx}EUj z?GOm+w)0by654e#%#GGKww}5Q->Q4w3$C#hPCX{K1Ra!_sk#V%`9dU+QCiwso*yW5 zxi~i$nEV@{U-h}Qr9>;6q6d}H46Txlw@MCekut}8I8-jy4QtW+>o9UmsV;bYQa?3$ev8U7SCDf55GFwM z`ZTMXJow)Eof%usu^!kf^D43$O7Ji$d6*7ZQwOrF zZ1r5^^&ZN5f43^1i0pXWhh3=LFkf@AIFQx%8}6cp6s9lg7@!O7{qN$C;L&Qeg^{PBbk4#xus6R;v> zVdZt5?}m)|l^9!FS2wvl)`s?7V_9u=i+TXK_{2Uw0U)^7YxC3vl*y6J`N+bw61M`lOvZ~(B=ATdiMIIjE3Bi@xC@n!#Q^SafU87)Q zi>3lyiLc=Ukf4B$+S7aZ)5!dItmKfeP&fpH%-mJ1q#!@P?x-l#NnFKW(Mg^l5qeo1 zR}8Q;i+t(bHB5nu8CRt+CsfmE;Y>nWK>@y4M#Cp5weHptKFQy+xV^oDgKty`6E4baA0t=?VhZah=`Syh@q09yu2+x z{~KjGosD%UjST^#`Gv1v`FE387L6XG;^O4x)o_up`j&xWL`O$=mTLuFnho9Xk18vm zB8mOn!MG7MRKf&8=2{GW1z8mpRYhS127ATt>guYhiP6atE@2_?cZo4E_Mm+OVzWTi zF*(VMjf#VajxNO1-Ho=x7;aR(wY3G{r9qwMgf*U|&tKbo8XEbC7S&+b*ly;eDhtzB z>mrM#Qf%$*w>LGLwZDFa7{TTPJo8U7U5o9+9AsN^x(~>Tqra-mpc#GMY@yg(%Avb_ zRhS&j6Brm6 z+4M5{u8&*0rTbkMdbH0=eieR(D>?y<};jNiX36+aS4qCcjx`YI0aDQ^|e20c%Z*Ho0WX{qdPWmo8Y z8pXPN^S-Z*$(&gp#OzkB$?P0zL67on!q~iD;%~W_?&I@#xJ+$wvTinc^bE$LXopE* zhPz#2c-bIwT5y%UzR%`6ujs1PsGQ%6d~BPWeK{{Fb}^nBflu<7VW4V|f9h!FRc($8 zf47t1zuBsXQNBbmM^$0jtm^euZI5+jQZpXX^#(5yoMn=vRH=jmrI29G)=;9K-o7UW zOAkSl<{Byw(XV| z$J+~SwXKjCJ$d{r77vruZly((m4WY&X{=4xK~gPyE66ZBOW7{X&ejtbFDeW+X<1`| z&DVjOf8Pw)Y8^KWo$)NvC>of+6#o<-S!s-;3R1S6I({=97fLaxyJ>7MCOS+~GDI_5 zwyh+tW!LqZhR-VQqgBv5M%$KFA`wJJjq6eDID$SZ_N2)w`Hy12o$QdDfdT0V67A=0 
zJH%vhF$e_z*nfPy3`7HQhy#n&Krsz0XHNrj^wD-cd{>f(eVwpT-0}1(bu~(d|Ie!q zlb^A;5MokN{!)mpf8sZ5M8rim1Tt)k2YV!oQMt(L!%G9To_!G{r_X3pebHCv z*Rp$eqnI-@b6xQ#RrFednIuH}?V6e&0~R7!s(7;9RIL|=C$Ay)k_r5#Q-@4t<}D%O z5>-jba!-}CM{W?HV40>8FAaxYJO5u(t4ZE@#WQ3IwV6>RCMgp=-Ozy zFokGz?$jR?eVMB)r>57G7AC?LHYnDuW3Ug1jjJeC1r7T57reGhhx~e0ot9HvOmQsCnBxy)MHk_EHT2jCxwS^E zC-V0<=ri4DU$UO}9D^hr?<uT)^SdNh3)##)#3NxJKaH?U@0JY9m!mY%lJR#?w#;gybRG6X4TA2{kb$XdOsq2JWn%#_@h9&v5NG>|iT z5BO^rWn`TD9dQ_&a-Wj&n&t9ZG&I58^v@iADNCS4Dk`ryXI=65MPY7zxf%ou52wCy zbGUo>GgEV;zU4Kw%5HqVrY-@>jqA6b?ZMZPm+--t3LBHxZ2XCu*OY5wB3NdhwFnp0 z?@9pu2S}2b892NcriO+>>G4`&+!qT!5&5;f7ZEl7;3w70!oY~k(wh(v@J;WP(g%m5 zWeGZT+@h+LT8|eFP0b=5(2B_Gsj9MVu_v5+kAUx!aDl6x4TwHQrludMsMZ_bb^rMQ zV-wt8y8f=^y>!#-pl2)`yu^p7-VfBsYH;ju1ZZ{eagkuT3G4ew@utAGc_B$r<7m$rta99vS`eqC)X_v_r9}%XUvt<2!OY^RxorwNlyChWg}D^Q{_sBrfr8kqcJ$ zXZvBv4xBUxDpsl{btJ6=7}wb(jq0WsGxX)qP1mC z_~np>8{RJqAtx%!AHNdwhWbf zUl^3c95F>0uBD0&b`1YJ6i5M@_wOhI=*_=l6TTv259>Gc@Ziw!FMU&UkOIWkk?{Vh z>65x7_z#<6dO~bphXt2-BI2=}i~<9S6cn<4rPpX2WmnZaX?#z_6Ps4rakHgb>CNw? 
z%*fBOvNUzwr-Q>@`Ze+WL?LlgArf;+mYX|WZwPNMzC>6^D4x<8C*2EN1VZ%S0ff&E zg3EXAX8J9%jmt(VdVEorE>eYc#=RxSZVTMh?3HHQ$Fre?^cM~FGje9noj0L|5_8dWzFgB6gRod{dzWY`QQp02 ziv`KbEjsos_hcJYY~gy#8BJD~DD_tos7`b2OVmOvd~DQ3yF{o|y3!19v^|U1#NYVG zUbL^%4-6*#ma|<^ib&6kKem?ap|9;CIHfrum{JWXvG6OuVdBk7OioB7I61;9EW|FP zoGHL2ua447O18JuB6=!nML}7_1V+|IORy$|XqTO^fLqxlGdF}OXJ@ET@?;zi~-Hr)Q z?iLjn=Dr%9w>tpF-cdI*M^{qQdIk9El^lc{gmbf{$|G8Nd{RbCzsuwtU?~_)%%_V}*a^|{Bia%*!l&i&%~(RWce_VIkw32DAcJOQ~3yOvMXw_f&P3v=+_x_q~DuFdImq`jYv@9^ux=d zA_wUkSe)!Qc&e<*du|?yxJebr!e1hMB4xDEXb=eG^QZ|54$j3#B@JYdUQQJCsLHAn zmNduLO&cz3N%*0Uz9nFH|A`0hL5F^_#fL+NnC2sU+&){R+{Dz>l>Cx@Qb?#*;-|_& ztmu~e{ahpe-A(**;v}8tK@~-l~qtHcIOH zk@lZ>E3Vj9PPlZ9J}vL6>X2c73ov{}u0GkA8wY7QpIEvNlQ3*o?oVP(M1c@H{qP zX2CPI;h3?|XG}<}Rg^7a@o{`8s2Bjdiw+7t(YxvwhY8nbhY4-9Llv6rarZIG3PMw# z?Gmru#Iyy8HO;9r;L9T-#uP|Mdf#r{Ex)Wni2jsA#^JBr?m(baea@~S?kHt?_wHR= zthZD$=hpf@$nbVuTNlK&lr%`*jl55Zss_ zi<||?EsU+FLXUkGjZMgfl$r@~$5q^E_d_=>PdpR`J7owAo%wV13+yEAK>(0nI!n`Q zGD^@Rn4cWw7~^49?JpJ)BGsDP3KxDbCT zE-U*aF8uoS>q(6+RG-wa4@EUK_DB&(;K5FQ^NUw+axBj%_+SsPv_1t8>(<;1VtbH) zz~b%>pQsY9d5v9Ei2`%jxUEIB)ST*H7Ve3zBIRa;0@L<9#j za|lcC^e}veU;0O0-Zs#-12Jcnh18^^Sq(Xm*4`Y22<_pvg ziDT2w@XRdUy1{w-sjj$B<7>=`s|{J}B}D}-Awl@9Sus5hWUiLPiAIKlGXy3UM`av2 z&Ie~Tx{c0nT<4F5RN*nN3`ivy4G+IY>M|L}`d*%l>^uw2SgI)MGN#^Cm9)8A>!ALA z3*l`|OSkJP#~f}R=5+PVS;uJPaM08&bzAuLLaW_&{fusLaAU%59zF5rtNWAv)W`4~ z7W#tFT9ZRs{{xd&W5bBQT^LI?rLn0o!P592r?F|ox6+R04ss)t_%juX2)QuS$o28X zc@-7LC(AsIH;0roR1LVu=VyL!ry&jZkRil4Y-a5N*1=YSRWeOtA0nl7YLS{tg>zN! 
z3TYNC;q+53Ltt+|_z{>20*Y=EGg>VMp3aizz19z}2CVs!j|b7syM>w8*LO)=?*%`= z!DW6-ckhs@{mv;96KzF>Bu1^P0NKPC7u{O;QFE-S&Ad|?4?Fn~d$i^%%kPj(znX~1*VV1FxEJp)4kblZ>FH=kXz7M%2dPpRhfx{s4t4sxV^0h^yZ60Z=+Z};+zY|T!Gsv1n3L}0_tfpuBIL;Cte_l= zNbD1B$uPLi{;Ygl(B$~>X{#gtcj-5Q&9&m&*Km5s&l)r16!sLYT1hp>w#(B@U5R+X zOBspxeiZt4Ob*e}1Ia|h#MabrB-R>}!>e2fXBW48f&;j-iVVqqLQ5^Kw;yJFInnz1 z`-Jp=wO@pP1R7}7{yU(kk^id*>-~!YI)zap|5p`)qOAH)0DeS$_1|t3=%oEWyLfN@ z-lczk`#T-{`{aWL@@D^iq6YK?a1V((A0OM}>|H^BjP69w-OwIuCDHQq1FQM{-5y&;uIeI9hR+toS{eRU-Qrp zVF<|BHBPxsvhlBwaSko3XlY47v88?j2tw28dho$asb-`7(&Azg zAaWNNZ{z?mw#70?Q4aSwj~pMD7cxRZt&Z+clbPbm zvNB9e%&hp4dK+6EW8>@N#uF7~#iaLVpCp^s}RKU2v&YL^BV!_(|!Sb$02j*CUe z$k13U){PBGSm+oTnm#U_;9JP%D;*#2IX#~B07Fc0fAQTe%X4zb6~>=mZckp+m3em# z9u6x<7?7ccxbCgb4313;f_vB~Ko zB2zdT5+qQC^PLHRD+Y3s8uO)o>>9U|ryDgjb>Im=;C3maBnb%G3SVY-frZ~m>T`2& zaBxL&V`I+%eXG~dX|lu0)%7(#F7D%1sfStB&~8&|Dxl`KJ}unPYc!FDm;8O(kJ%d< zU4T^Ol75u@J4k+*I$7D;${rjHVSv(BxnbuJDs~1(~*hPGbz~J!Os)}|6P)Lu>y!Yw2-^@>ayv#jda}CMg_GU48 zzFKJke4Y;@&f9YafB-Z9*&&Vc1NA*SWM6V$sz09;e2Db;f!W9L`d9YBovt}Ny zkEVYeB`*4sT1H%*unZ_Cum-21fW`TCcLNS543FtMHfe6w<92PUnW-ta&^?y0~5!V>^u}%{`KUd|;&Ltqk?YN5gUL?m7(K{rvh&d$aX%iXJ2g z@bS!cJsdBg{O!-PA;)2!j#pLJUT6S;Nvj{-4?X?mIJD}j#r)S=@7q0XLJTn>s5#9{ zRORJEWL{B^S^3h&CmQ_tu^d#tS;N4_7p}V#<_Kvq;$0)Jto+yE-wqE5)jn;x?e%^d zbOrB=+CVgmk`?dcE=jQh%+B8jtLd>33f>AVvjxAUJV2sYx({a%7^5L!y6B44G`FxY z;2f|E!!=;<%!8v8`&6 zfX62pf=PXJh==&3oRY|Aw{NRu`Nco?a0aw7VrugJaCYQ#{JFe@6Tmbm*1o;R`TrC03N{G9|ssfZV_i^Yhz=>CFaJ; zAJ|ZT3Pbw)?QCQG4^qHq1&;7ZV?#Q4aq(k;7vIuu(xCraa1=;=J`?_jJt+OHNy>;L z{J%rfVSTtb^(TvItzz)7c$|o)eyopPS}OC$=|5b2#CR+SNq+G-E8}ZDzzO+v^+?X< z9T4#MyBQYS-n7=Ci-!Ud;*wk2TR^oXASkS;I0Ghq+4iz>5f+}z%rYAlXHF>ru|jet zYOdC_&zVLb8^~CpFruZ!T_Gk~QG8@@6hXCEwU&;8qE;k3C^YzFfA8pUUsPsq_-T0{hhqw(n!_@K#@lCh4=ITjXf zLkQ}{-TsM*%9ix>;$j{$meA&1r}1&?mp^~3Y%T_3=`S8@t7^s}j`mt>N_dHg%BzY( z+7#s#tZ2MDI%XoN>Z{Gq^ihxi0Y-t;n!rcc86@WX5cCrk>Y*TS{S0l~L!pJXA2a>z z*;Y9`ytKpvwoR3lHek8C%gx-tqPI8!wqseFS-p9AnLXlc7IXYtJM#?<7w+yL0G;YP zlN9_*NJx-Rnvb9FnUnS 
zC5RHKDdS!PVkdlj_zA^1QI|)U0peKxry0Hff4tetFA%>Ty{)se0&rX zE*75RDh|ifG(fHLhW^m9I65mYqikex@~6em&z~dX=g&VNTb-W16lCO>EZ;ZGadgw) z%(5_Yu+Rp51DJtQL_jY@{@e1L$*HL?DP=fcpd5$Tm|3r{5VCS|+8{wlPN9kM8iP{E zr)4dZHYzz88D%*+98ksqpq-b&voE{0G__a@+E-BU`SojKyWoawUx{6U;KANqLof@e zso|RJ9~=nxbZg1X>Jl;&rKdl6dw*gok^qYrrqBNV0m!kYrY_{D;gzR;E=d5&xHx8Py!;G;e#Y`N0R2MU2029E!5SY z0LgIZ%^L_TK8Q>LD0FqK>xI?5Ei+w{#NP?y3o{PeA(4rVssLz6%*xINaGW)ACn7O1 zm@EE{${*hYknaR&#)>OZRH#&Gfowtag*shElk!cH5HWj;mL`j^TF})v(^yyw*PoXXXjheKE6M#1qJ({=?=0W{UyYsQlW?s_xFj( zEAsNb6)RM(JwEd1zZMXel#qa~1jFTDHj1rCnMl+W(L-0#MPi_4oIH!mzS4i^+Y_v zg@J+4`8?CbnjZGb1rhD0*~yuHyq&q8 zPpvzu!$!8M8CWi(N)n*$a$%_iIY%u1V)<>nuw z>`wcrSiO=9v!oOhJ)Pa0T#ZQ=SJe(>sYyx9wPl^MXgD|~rlzj#`<<#5tzB6&CXgb} z@cP5QOER?g5#drMBc2v-@E)+ z0j(h-DoKu{lbGYC2iIECR8Iu0n5(6)gJuTHqb8%@O0BBSq<(N=5)%h2rP75aY3YWe z=OFHFAjvh-;nWKA9sy4_$E}#T(cQG)FGQLnV?^JbR=wW%Q4A8o<)H^>I+rx}BU4k! z@y`BP*&lh2ainNPd8&){s2EY*Eyq%=5l!}z3M1=ldd&JGjwm?Z)qrqNK5kPo*lR|HPEy&EYadq`d z@_e{kTlMVBBDMYu7hBMN2Zz3raCF#ukk;#x2Ftp6OWIszL_+8`5HWsHoS-QhHkE|*T+l25v?trm;p!$R_^l)T;cdU-OxY2I+F}Uq@-cexk*{@ z#kiIb?RYZS1OX)_?i-A$$-$_PGQ&7MU3%*a3BlhQ$cITN8L%L8yCx??vZP^)va&XJ z%QMx;W#z2nZx1&L-r+D>MYhR$yx?;8PWeBIj3Fb%dy|93yTVy;M6$oX9J<5Qvhbpx z+x`%9QD^2@om85RlGX*J#yO=%RKz>bK0?Z!hT(DbdenKmxc7FVc{};dkS2OGt!;36 zJ0yAVOIO%fhv9OF3c^fFQ$Rd0k-v@UdoS@qMwU(AdLC36T; zlO-aqymPL)iNyklZ;SGWNc{}@hmj6)x$Mj+??`H zQ61*?j24%X6wu|I2kDaKu~|{5kO+KoZ@$$B0AeCdC9-j_w#PsWtsohhJmH!p`(2Y5 zVG*#Uoy2jEi52eduE7cjtB_+fkvrYIn$h%^Dfi2Y0?c8MlFY(ZyQ-$nut=dAT2nzX z?qq{tDQ1bZ)`GZobubgT^_%rO3kz&!ULEGm+c_2yn!9OLi{!BtzBbTHT}Sug7x5xP z0x$|dxeM9ypl~4ld?->~8L7Ec@9I3B?{ej2maAuj zK302Ddd(GMMg|D|kcB)k{h$drT#)ZImn#j}urjnMIw{5}uIi^tRD~%NVeMG8Ae+>{ z_!aHWib##sl#$WK3}23rdbFdS~_vW)YJ^KdrP&CiB|CEDC^vX|B4jFqSO zI-fd-$CsDe8Xu2pSBAfhoSvR8)>?Q7E3)YgD~ZhS20uSzdO|`%Y6nQu#l7tSf`8Hv zuOWU5WqMjS-z>X~R@cq4!+vsvU?>Crc5r_F>IMtfX1J8|NsJ^*Jk0`{I<|XzdqaK0 
zZdX$?)^J7NG;hp|gRXwbICo?~+O(qz)EoeKzg@Ypv4M#Ats@A_NNTn8H0etLW;S0}4!9s*R&h7L&bln)ivr!Py8NS?xTm)2psutwRYlwWw)U%|SgZ~J&yeSN`X>|gW6WtG1Vor0aVuyD_5LOF~fSxv^T zvQMllRZceIrm&%NxF#91K>`3B^Fa$Nve$XLAk9)}*T5mTBpv<+GLt>!mO_RXRjI4Z z$L{U;SHy9^H>1(DGz|EKP5i4YV0Eo6u-h+NZwu7WG$f+C;mC&k6t-QA$4mmLQ(xI& z4!q>6t7|JC=YDN(2ig-)y|;&2I;6>gzb=^+Y33~Pb@&vmW7SV6jpg2c)}uj490Diz zp4n?XU*1j~8oHgN8$UXuI5>Eqt~n2dpQ$c6y^UYWf?mK!?u+GAfTyPwzM-_7>HyK| zj~@ad{<@uX*()2HsE48E47P2r2t}f!?C(9Rwvtp@os3pgD7b={v^39WER4EML;O%!CN>7a zjiAx)Zq(I=?LI!Zdzp*LxnRIP8$FT7CxaIKiDH-)qf1&VD>5^UZGM7DxQ$MUFK3ET z(wV8qbca+6^#?sJhB}k`lM#a&)N|h(w1Zh={p-jFe-od2F<3!jfK&dhH(S;?v7H5Y zkqs~~Xte95Izio6k)S*V;68=Ik5y@hx6YL&6)r$Qf|jQuyxQOG z#Mk1YE_85~eq|(bZPy``$jI2QbdeuFl9T%-g$_am2L<`O{%AAwA^3xlcQ}46J62#X zzfWe;{79Ao@QgP-F)Zy$P}dCSOLlk}3~}e>z#@dM&$MAg)~2PSrthGa+9Wn2I`iH@ zG&l|*^0VNj0W02;w|RWY7u+90LffyVH`>}jG=&@SVV7XVmwoRK+uOZNeWrncht-Y~ zF!^Kfo&^tY-inrF?}zZ*9PD>2`!CwB&7F7g_#&v0{W`tIDHP^GYIstTnzPZ#VJGB> zXbe+j1%SbN@uU?sd&U^z+B4So;-zwW=;`Rl$;eZ94&)8K;ik#v2Ows{ZFn9rV1##& z8lm{FEH9Vv2?A~SOzNNf{DIi7ag*(Q3?O8fLM2K{ILM00EPL)(r|f^5i{2*#K~X9~ zwT2(b`WnWDN=mA#IGaBWIhKmx8^8Vd@grMX5)!8FcRZYE7NNe@ECjws#(o<1Cwxa_ z=76fNlQ+^zNLg8RRZ)&#SYcsdN$G_Y6v&%i1Ea9e6e&20PoK7>5KV#lOH>Hy8>W^2 zpo~)d#R%rCk>NMMFJ-R8U0+{U3Y@?dZCfT{F3SUR*!a1%_+)TuLfY=zdloJ(|6DFo z(x^<5xbQ0hDOpESQsyWq{s8zMWL(@NgISD3M5aG$0)j$FyuDJUT}|rQU&%E-&AfHr z-mnQPk_6;%0qSuG8(~a{#_5r)zCj<)J(ENMAwPfL4OPV&J+j9@L|-2t0k_dyl_3SE zySpT*^8Y~lB6J0xLYN$641$qFoB=o?)LBRy427m|n0$mEKS54+sFy{3+VE7Hoi!@! 
z*LslI_tXj$`4-UgIm2;1jrS8Qw=g2qyzU|qYlJ*WF(f|V(@0H-; z4KigjL=r*0C)Ky=QtZM6TTE00R7t1#Pix*kC7)v>BEGP)jB9IMX+y#?>vdIiydoqh zV>=WXyz%MyGQXK|gzRa9|-gO(ZD(5?fr&RBR`x+5eA3+{EEx zk+xIR>)f22-??0XB=~?8DxwUnPEALb&gN=)$_=YX4KEy~A|er}_mPMJ$&Z?3ep0N}!^-&G?{=4q9u#(i`ts)XwjvXKd zdH=wA?;My@sCOnzWy!)}R;Vu~L&W#QfB&v7!8@zUhaR+7BA}_gqVpj@Ks7kPRb5#_ zqsSc3F36NlF8t^$uOVtWMrMxS*EBCDL*YKY#ZmGhPVyPBSm9Z*N%oerGt+e=VQLXE zTRtl;pgSs4$h~CBnqsjvRCQi^XET_EotTt8x46iEGin=XT&0ky*WBRXm6A+6^>w4t z%q?j7cFPj-#BSU#smoU-w)&<>Z}P?8ZZK?^z)TD}+#J4I_u#Nn2H(`Pa@bO7q zJCvG|u6XCodb&0$@m$@`0jTN>^rrj-jicInW?em45W0@85{yovcaI-Q5+_()-~49q z+*22T`1H#8$16+H=RORxWNn?*%c_!m5ntzQgZoXyPw8JLcYX4IShEFzzEdwQGg8Du z!EjmI?lygPbz)MfL^1BA=p-(Ors@hqiuAk#os90D=1%N5di+YHBAdK4-zN4FW47u? zLrh+r;xMXR^W*qSaYOIv&vA4HcFq)43AYM87+0&l{%G~xRgT>z#4yez=gx1KIHlgP z$=4d&82g#>%Wq>GB#|WWS8(!Iaus`HA1w4#7WfYf<-@g&!3dyfDcL*R5Skzb!X+mq zr6FGATP3c9vCb|Xp)_pN??T3+|(Rz4momq(P+s*iuz%FeLq9ojUt_C z&kOdh!n@ZjIU-s_nG7hJ#wo^W)%wpuA`1(t`#!}t;;$0?X{x6dwrX9 zadyTd3{S+!yk15DjmYpe_ACFlmv8q1hs)aO>6i;xq&C}F-nqFH4|*qq9TZF~sXu+b z-#701y=cIQhGwoi@%5wh^X61VhnoW{JcX(31}ur?N3;h zcu##P;VEf8(r6VEq2m~!5A?$_uBTa{Q3{?Y_er^4ug=PDS5q$JWM`vco=;XnOA&`L zeJw&v9w~NgR4`@zyfT$r{-rB)$9_PeEJB@_{|W+m^6g7;~RdPA9H5+q7~kUh4* z48bUwH&9YyLFtDEhU^rh=&^7^`+SrP%TK0~7WLrbykZZ=hBPkb#>_ISx@HfmmOB6L z*^F5`0SyOn?U6sTgI*eAG!X_LX}G;W?wRQQ`?mm$p~EbQUV{gYBixvXr~(Q4*0c)W zzrTlsj7a(=5ZlRbOhMjv&>;}@?D^W3Iw=6IZy6O6S6qukKes3e7u(;*FXDB;TmIOu zfhn*ZM* zo|3)zo{Kb*%=1lFJbB8WU*$##S+STtyPj<*D}TNbieDmlWayA_v{9Dqb7gaLGmQY&=>=nq>PM1rvyZUP1uElC zVOrW}A~w@+S}3Sgbi85m2C~W+OR5lHp$HEXDgtLyp_CNJ*A8+G_4IluI&1B0PkA8D zh({V_t)N^G();6;=d$K^#6s$IADM_5y*^ozd+F&hRZ|ClHWlhpL@|r1KZ}cjz9)B} ztB$_a+JF(e{q^?+%%Gt`zU6O*aTVG$X@NWNt$;@3A7zvn8miTKlm2=H>0MWeg;DRx zV*2LqmaErg&;$uHrtN%Z-_wl);Tq)TLUw)Brj(Le(mwE*1rQL6iim#!bt69EYP*=I z0XBPx8?p)_{5QA_Nm}_7#dm zU*4CXPf}9!budI60ma3%nnrO&cckxD5>+w#5)G}C>2i~AL@YLPJYq-Zg;+j2@EYO#;rt1S z@3wOHH6Mn(<1Fljd*Do%6rsnwGA0_*M3F%Q4M9{AvCy~I6(DjQWw|o~c^DW~meSMa 
z8g1-azLA9tlPC6Ju*zT;>Tf%zcD{yDiuzwC1}xB1i27NjzlAJ`F9y?D1lUxSmFw#p z+aR=GQf={&rG^Vd^iHGevFultaZjT^4+Izkfje@1-U%lGG{uAbxd zS5!(axBE$8F(@iJ@X_A>zG`T#!{6$tgCma6&o0PFZF+iIzJV<6l_KvYkSf&p$jeEk zutr${1-JWFB>yEvpo2c?FJwoY%&T`hZVY{^>#de+Zy;9Zs<^GZGA-?<2;Ok}LHPlL zQvQHpPA&k)-F?Aj)}GuvTK&8#f;z27dWaz;G@zT4^Y-Ugb7J5JM}M~DW9{PXgmepi zMm!i0jms+{`6*DDDMv1MFZ4O^z~=}l8BUIw%Ulu_=?oEMKFsdG1O)}0q+kGa`G3gz zkE??^V1@YT#eYcWgPD19S(#^jQ8s}YRH=Y02fL&#=>n}i+(i~=xyk@G-)%fA-cjqBjE%+R8$ye;d-rr!B{jJ! zj6<_h`3W~Mz4xV-$fqpKVk{^w9qI4eq9B7of&_K7J>I-7u@|j&TLzm>gR*{2uq5IURT(os z7hJ@5>(l^HJ^UZy%D*<(|7ND5U6@Z1sKriOGsUeh<=gS8yr<`vQYxwUGBeW-1}sDE zL7Q`k|C$vFms6j1tqZpD394IegDnEMUz838S`(;-(G*BW`~rHf%2{BTD)09zZ}|0( zOQeNvf)D0{z-b%s6gFKew)zNaT23#(*KQ0C#9C1mNI}bFQ>DJ5X>yd|+4KAI#rp{j z&ZOtG0h{--;dcrWgS(X&yRgqf9`%vpzxWxKkuaW+VCmzTxI60JbOsAJ~&LB zcw{(l8_?{&7%5F$-g>xJ6frw)8w}Au@?Tv_DX%;(>V5-Xm415eNxjrUe6AnAFi4y@ zoD=>o_56)q>c!{kQO+pmWsj2e?%lwB^971W>MhX$-`qQsl;`}4QYpVSKE-Y+KKf_t z3ee}`#vvvK^tWbo2z0e8-Bke}B(#MTWc5SR}aAwVifgul3q z^pRAW(bAsqPMlxMO`!R9xR>ZM#A5jQ3uSus*vRG{6f&D=$~-*_@3Xn*nwTfiP~(Qe zPUhpdND+*Y3mK!3+$R@pyEJmz7k}q@+SuN~PcEUshpV5x+(gh4Thezi;9_3VZ=`^! zh|$;QyfKq*ydzQ<7hZ0Xo>*1(!bvSYPqr)_z#HB8`Y-j4Q<0)|g;WkknjZ(kYoEy%{ zb1@O)kUEvW?;?q7?7S~rutTt65gyH8qO$zld_P1%4paGlBpDCxCiUPL_rqy???_S! 
zjoH&`SI){y-d**|@TB5M9!@S*u<|Zht7*7Q@W+c=;2AoBzl&?9R-$)q0^K zQK_f8gIT&;6pw1k^3$^ToQCw^6w`$rEe<(3hE?sAitR1nobS%YHFQ6dX6yIWQJ$=Z z`0o;3+aC0PF?Nu7dB%HX=EpIEjceYvX zFUE0wt65_mSvr!x$#psd*zq;?u@!xt+KKWA9j;}pc7v?8o)XuNmiD%*dm!ER$@5mS zKX}fKeYspG{yIy1oYBOq!Ln|-Dd8I`F5a|mw8bG+OZV7a;K{C4jip5Oo$@Q}vY%JQ z69jk`SY7MzrIG&aPgzxYg8T8ea({9z9|vNBOuUyIt`20BPA82zssaWNpN_oM@Ih0q z?pyLdT(X0`wxv51JDyi8)0^j)es10i{kG|@t^8(V0D&hR^)V8mi*=^mXWP_s!O~n?hUklvY1_>{k$sU&|_$~W_#h*RzBE8P%~}n$z5iuP-=9YJF?%xfc6c` zaI6>)4yqMyq6PJ-i6y;k+Hu0wddbw%6nNj6LTcu{v$yQF2IT1D;d=4)>}T&*kM*{5 zzWcjF!A#Wq!+60ejNsF~vkY0$IMn!_D1(I4l+UdGxD0>*&Dc0mS(8>iQF)XWyH!D@ zeuXa6 zLeq5R!_4zs6JyWO0aKRY{AOM$W>~4V9tK-WYX!03BihuSwU81cUkl~l0&Nz)@;3MpicF1 z%Xl0$um-FHblKGE+jIm58XMl8dWGb=vJ#cD+)jq)JNTVXA#`kUt#9TBgglTebsQpG z(r>vYWY1Rx;I^l)Gv@gh*0WmelRE^vs8oTQ6R>l95Y`#C*0$h8o2kIYO)U@V4(FL5 zv=U5X?oJ%@-|GDI>UUraZTnRRcBaAAkoq>(nMBD{#YF7mK~pD2 zZ$m-?qtHf80?+}WAoMCA*QL@>oXJCVQY4(491==NA8+e0nlj1{i!kKlk)F9A@`)SV zqh1mF=f|@B=sI1}GAEf-5Zh`<-7{@hc)L}B04w~b@hI@Cb<&;fpOj>*&u!4KN?bov zKBR-#3P-6Fgo%_$viBwTd8!|qNqM5W+`kX}e6oavYJd_Qwnk?$S%DL+x@q^38;jvD zP<_`OfaE^^0EQ5l-V9JUSJM}#px}zd64y+5=xHA65VZ4v-%cGUe0@zQ>4*oR*P#Gc zUtjON*uz7@q&0ifdZNdsU^9sVg>U4rCUiA z^@1^`e8sP<{Hvt30G(p;9&?sk#^p^<#GCsLXH2M&V6XSR8N7bhsj65G zziDrnq~zQ?I^IkPpy>lZ=)QjkN90I%x8Ja?zg((ZFNw_0``4I0YWof06WiO)jIm8w z1Cc~&5s|VG;lI5l2nN)s_2VswHsL?N4&W9D2vua=^Sa`Q1;hF^u`z$Y$~Yh>Stm3M zYaDvR;MG9rSP*}4);ZQa25fzCXyEmi<)WXMz@Q_054`?DuK!%k-=Bg9eg$~_{Sgp{ zDh0N*ySoP=>OeAK4%b0Zij3G3XmQ(?8z_0rm`C2zL7Fh9$|OoTz2KAf!Up%mj*WY7 zRt^o(Br|>4PN}>ebzPdPzXOVITOYVmWaf$xds&I!zaP|<`S72&oth7nr&y}q%|{dZ z!`zYcP6q{6)Lo+g5eWz2Hr1DxvH;&80FDEUoG7WNe0hwFjmhH7y}Y18B%PfBE91vp z(co;ayT$suyOWHJ*H`aM+3d6=_ru=>ufE>kVu1Mh(fK1{R3=jOm`YC8L_xvM!NI}8 z!U9MSvXum!uA*l3F9pB4x^kmtrKWzBlIq3+hzu)dz9?iwQ~>hXvuy-G2(P_V69D^3 zN=j1A>L@7KeF)ulZ(Dm-p-q$kKulOz>*abYPkntuLuf7li|Fq74yf<}R;LQ2s5A`= z3uj?&Zih?s?v1sI?C*VlKgUZak}~ffjM{ep>Jf}e=njNDK0m<$q3Op3UnUPeB}!!r z2qq>b%3ymO&qa?JO9Mq?kSq5mB;_yd-t9mfC1AEeEtlzskpU1gK$dn?ru9a#m&d)+ 
Date: Thu, 12 May 2016 08:12:33 -0700 Subject: [PATCH 007/169] tweaks --- education/windows/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/education/windows/index.md b/education/windows/index.md index 0ef9f4d787..f83388aa42 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -8,7 +8,9 @@ author: jdeckerMS --- # Windows 10 for Education -Learn about using Windows 10 in schools. +[Windows 10 Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things. + +[Find out how to get Windows 10 Education for your school.](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools) ## In this section From 1242eb8e175968275481c327145217d0cc603067 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 12 May 2016 08:22:36 -0700 Subject: [PATCH 008/169] add topic, delete video test --- education/windows/TOC.md | 2 +- education/windows/index.md | 1 + .../windows/use-set-up-school-pcs-app.md | 19 +++++++++++++++++++ education/windows/video-test.md | 17 ----------------- 4 files changed, 21 insertions(+), 18 deletions(-) create mode 100644 education/windows/use-set-up-school-pcs-app.md delete mode 100644 education/windows/video-test.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index ed1484d8f8..2b8b527b24 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -1,4 +1,4 @@ # [Windows 10 for education](index.md) -## [video test](video-test.md) +## [Use Set up School PCs app](use-set-up-school-pcs-app.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file diff --git a/education/windows/index.md b/education/windows/index.md index f83388aa42..4e759a8208 100644 --- a/education/windows/index.md
+++ b/education/windows/index.md @@ -16,6 +16,7 @@ author: jdeckerMS |Topic |Description | |------|------------| +|[Use Set up School PCs app](use-set-up-school-pcs-app.md) | Learn how to use the Set up School PCs app to quickly configure new Windows 10 PCs for students. | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md new file mode 100644 index 0000000000..3db61d70bb --- /dev/null +++ b/education/windows/use-set-up-school-pcs-app.md @@ -0,0 +1,19 @@ +--- +title: Use Set up School PCs app +description: Learn how the Set up School PCs app works and how to use it. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Use Set up School PCs app +**Applies to:** + +- Windows 10 + + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +placeholder diff --git a/education/windows/video-test.md b/education/windows/video-test.md deleted file mode 100644 index f9801a49d8..0000000000 --- a/education/windows/video-test.md +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -title: video test -description: In this topic I will embed a channel 9 video. -keywords: ["migrate", "automate", "device"] -ms.prod: W10 -ms.mktglfcycl: plan -ms.sitesec: library -author: jdeckerMS ---- - -# Video test - -Does this work? - - - -Did that work? From 839509922298e5a5db1994ae7ffb98ff4bddb41d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 12 May 2016 08:27:27 -0700 Subject: [PATCH 009/169] copied art --- .../images/deploy-win-10-school-figure1.png | Bin 0 -> 46486 bytes .../images/deploy-win-10-school-figure2.png | Bin 0 -> 61301 bytes .../images/deploy-win-10-school-figure3.png | Bin 0 -> 131013 bytes .../images/deploy-win-10-school-figure4.png | Bin 0 -> 18525 bytes .../images/deploy-win-10-school-figure5.png | Bin 0 -> 9897 bytes .../images/deploy-win-10-school-figure6.png | Bin 0 -> 18525 bytes .../images/deploy-win-10-school-figure7.png | Bin 0 -> 80870 bytes .../windows/images/fig2-locallyconfig.png | Bin 0 -> 86495 bytes 8 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 education/windows/images/deploy-win-10-school-figure1.png create mode 100644 education/windows/images/deploy-win-10-school-figure2.png create mode 100644 education/windows/images/deploy-win-10-school-figure3.png create mode 100644 education/windows/images/deploy-win-10-school-figure4.png create mode 100644 education/windows/images/deploy-win-10-school-figure5.png create mode 100644 education/windows/images/deploy-win-10-school-figure6.png create mode 100644 education/windows/images/deploy-win-10-school-figure7.png create mode 100644 education/windows/images/fig2-locallyconfig.png 
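Review bot: In the PATCH 007 hunk for `education/windows/index.md`, both added links hard-code the `en-us` locale, and the second depends on a `default.aspx?tabshow=schools` query string to land on the right tab. Links of that shape tend to break or mis-route when the marketing site is reorganised, so prefer a locale-neutral, stable URL if one exists, and check both targets before merging. The added copy also drops the one plain sentence that told readers what the section is for ("Learn about using Windows 10 in schools."); consider keeping it after the new lead.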
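Review bot: The new `use-set-up-school-pcs-app.md` in PATCH 008 has the single word `placeholder` as its body, yet the same commit puts it first in `TOC.md` and adds an `index.md` row that promises "Learn how to use the Set up School PCs app to quickly configure new Windows 10 PCs for students." Hold the TOC and index entries until the topic has content, or word the row so readers do not expect instructions. The added table row starts `|[Use` without the space after the pipe that the two neighbouring rows have. The pre-release notice in the new file talks about apps calling an API from SDK Preview Build 14295 and Windows Store ingestion, which reads like a developer notice on an IT deployment topic; confirm it is the intended one.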
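Review bot: In the PATCH 009 file list, `deploy-win-10-school-figure4.png` and `deploy-win-10-school-figure6.png` are both listed as `Bin 0 -> 18525 bytes`, which suggests the same image was copied twice under two names. Confirm the two figures really differ, and if they do not, reference one file from both places instead of adding a duplicate binary. The commit message "copied art" does not say where the images were copied from; naming the source topic would make the history easier to follow.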
diff --git a/education/windows/images/deploy-win-10-school-figure1.png b/education/windows/images/deploy-win-10-school-figure1.png new file mode 100644 index 0000000000000000000000000000000000000000..66113dcce1147b8a802aff95612240772dc17f27 GIT binary patch literal 46486
zza<5**=^pt(_zXhiQYxFvdHasn8Y=t$mI^m%UA;_wJC3o6_5%8eDW=c3#1y?>LgX3 zbH4ylCCa`>l@SOJveKWjiyzX0#YGI6uzPoZma9ke6w4SwmZk_mf##k)BK#f|!$`ZiI1<5{Kn@1vh5K%MGgyAAvWVv1Jl zD|B6QWq15xzXYa}y0*``kPSImuZx?pe7Xp(eh3{Kb z7qXvDpB)w4e6B&-GG)Yuf&Ec@lrVq8y{VvUl8)(QUYWB7_lcCFoI%S%)R00eop+ky zt*7*)sW3VGOMq1$J{MJvwqeAu8F*d;`yb;Ao*r!27(e13Bfa&JZ!qE0e?-W(ij8G# zn57xg3FH(t3z1;`eE6S#yx0-uUT)@SZqDtq1Wp z-SFW+wycc>=q~a^9z2n{fB(LPMUE9cZWqBxj+>l<+;n5~bT-piUt^*Ch7?1&P}e{~ zf55M)DWiY56kYe8e*XdELd@@sfq?s_e+_jHK36h8Kemn4+42YdKY;^|idP9bHz%7+ z+ozPZePcVBX&%c+bf^39M@b91W3w<lZFK_w%W|jxfE*j2+Ngskc^qE6~P5-l|BbZwN7)J)FB=vQ- z>FCg{p!_46u7!fo>Y0x3YmB9pWjo*}F zvDup;pQakgtm5J=pzs3!2qIrjTTp&o&G^+=jH6VCHa#4K=6==13f5kWuIRw8FI*|e z$uoZdIwyxD;x1h8#wV@h7N?OjOFldLN^rbZ|A2mXy!48;^S(X!E*J*hDY^UyS|$ zqZCU-$}oqhDERELL^q-ZzeY{@w9LC?RD-(N*Ehn&3;r zk`Flxaig|oO>Krhmzr+|g%dihyy)b8={UDQ#%%Cq?Bbl*LW9QN=|!M;SLLS}{iP!C z8)dfQ9g3O*2!5_oU7qK~qal4$Il!M4V||B}F_2kI%jl@CoqCGy@} z->2&$$^b#d9P>XK-RH~XrYtunFM00R;re6$aj%#9WjQ=OA@#=cS`%Qv!912j+E}4y z+~Z|=ciTvYQovDyyJ!C`!#7x5yQ+=^2`N?ky3vDBORHB9aKBVZUG0PVt!TsEKm`>= z7@ZXKzj&4#v;GtYEVm5G^^fxplkjsI=6Zd8erI+f;@dZwO4LH+PWsP1(A`w&F!1WT z_hljVE$ABE!a@V>4_$#v;#b-Aqn~8AbS~3v{rhbwNky0QkO9m5I-xiIa1-sA%Y|O5 zqR6gKa<@Jrj!?A9J_QgS!3r-=njQbkN=WIhP5A7Mqw{CYGjE8xqL8iMjZ5a+x0F*PVvEUS4b;z)epW#sW1k7bz5AwctN zNsdrEf)bS6rMv=q8;omjVt~X43S2PJc+h0l1~cu9fw4v|Iz`Ct0l+DGrN&A$oV1L0 zRfb}m6p$%x1z1@dl-C?6H3hansk=bBK#+E0EuK|tZVZ;~DX7eSI&{?#J_B7^9Awg{ zgANF)_Cexml*(aJo-59fmXh+v>t_d?c*b2;Bz}Pe7xv2f1z!qQ`%_@=q7F*H`gwY| z_8r!LUkZ3UDl4b^<-OKRa`2-)AMWsDd#-m#G_hENJaQ^|875s$!LAv}aR{crjpAAj*nYUZ&CEHw9@S%_h~uVEBSU3Q~9&UjQ6g*Uon`BWRcQ3CRg#wAj zG5sPlhH#a){EP#4=K{a&lKMn8FZjY;3a1D?^E=RZJN9YHLLflH&Sqtlzjb=mx_ zfc0Qpo)So%fBYPvcg@DUKOm^P<2VZGcDoHK=YW!LUVfg+kBw4LSL6^Dy?aIZDpsR?<#ogAsIcatUwVnAA8wK8qrY z({PwkU*1K1=0@*C&TA`D54hnmRmsxH6V-8w@Jq#@GNZp|zqPJU_h1q!6(djAzfLW+E3^Lw6EEnUK1oaepSymWo#3*QYYh3y10{e%gKGNO1#06|abnvi<@pv{+ zHM19Ro6SBISpD$e^M4fQ5BU4S){7~aEGWu2)=w8g*xaDP0T=qlB_^JLeIp_N#ywbpHrthaB+rBr`*E2=$% 
zj>!I&^!V$W_t8@I+1XO@vNV52hoB;#`juF9{3jV1w&}MyW~%p29K^+uNjvAnWx(t} zSx~kn-DPBitqM2_be0kTDt`ii3WWYQ|DB+2w{NTcr`Zg*mkQ`w&VPUbfXuhv{%^|o zJad4GL*_+@m25ClG*fAt81`juXjj+IZzO1{UIgFeaz{iGSC7^nw)E8On@ETvQ2piY zZj6KKFe?Inq0p0?T*+Yl96zKT%b6*Id;@?<L=?-ctDSV~*EMDuX_re7nsk|LM%Wo#9Y`L^AQ*FFNAR-*3uL7yw$Zh@^`~a^uFhF7%CGG21rffmv{xa(JWDTJl@y(m91t?GAWfs&BC~}c-FnCb^2+KDo zuyN>8!!1ELTEy_P1Avjj9tGvC01{zGMhyNu(Q8DPvb!b4f=5hFPR=_k8{7>E!)Lb* zUC)PZgy><8InSsDCMK|tG<_E!2?P7RAGYh-d17>9qNy+U4-TLJeURs4joxnG^>>g^Fk(+LJhE-2W? z9c~XBwm;%*x{t-ckf$BqeDWGC-bSHt@swut>b@y!h2G8!e{yW>AtZsKZk_kn2XwOY zr4Nt=&vT8GdbE*v+dVi9OH{9`78+SzEpn%CMbQ1y@K|n`++G<(R3NtGqu2@YGY#=y z$F6ut2Rx%v%Z^*R{XteH{wx>cKGU#?(~0Tl=gV|nkLLulG7J8?9jZ%#t)SNJq@>sV zvNlWE?Z$k`onJMdh)?V<*C|C;bhCQLY)A=A5q22JlP?7O0Bt;RL2_81v zQ+O|xbmx~PhE4RT^gdTEAH9I}bS(i|e>8 ze2E|Jr~WiEYTITKydI($pyv=^#0qc8xhL_g_P~^8vN2us>_9e0fd};zBSPlw`ka-+ z$>4FE-{(zY=cE2y*nJqkUshErsaGJMBwBT%e(NNuTNWI~Ffqa9BVb>Ev`051;bzWg!i!nwZu@gQxqo^B`!{RJW04lwU8&c@`5 zYiFyh)>#7nbU)z}fo)VlD>4H6b==u0j?2n7dpkSgUhP$?3S$4KZ-w7I8T_PH7<|R_ z?XkCvDjl5g&d%T%7a|9MR9nFsMk61My}r6y05y?8rdh`VlzQPrYSPdq zqTj*9fhtPdQ$BjRlzwm0;ERT=HYo=&;4eaZj>9A zoCx`MsR}hN<9psY&J89dMpDbq13n9%Ed5*^3T3`G{t0(g^70(dSjP1ht(4%Il5>0D!7SG5v~6Rpg*z_ENgaZEcp@!Po2l{Eds5)T6}DG8%1U0s2->J^eX^ zh=i5WA%BnlB#SR;pFe;8UT6C8W?xSaU1;%dxn$`ADwj6@-=#bI`5qU(^6_MC+o|xF z`*2JX*cp8OvSIqPK5;uSJ;NB(7r&kB3H%E!7 z{GP9J@T0s6b5O&D+}8CRx1=7-(zvbrLkC-5*4^_H_0iTUM33B_+PcGso2)e6;Pau0 z+;ZN`jd|Cvb6R-0g~c?m!v-~2U9;Vghm2g<^EHXoLa0M_wk|A>^`j?8(5rusYK69a zH>}aa?QXMf9Ew)XJxsPYWvO$QTI#-A$ZBYvQ<#68ttoFWV?4_@OzcyGt?gEScDc~^ zvZh0cO&*_}bOTnQ@^C?T{EExKKyU zA=UY11PQy5LL-DwMvpqg0D{CXg996c6Pb&hOtSMw^6(4oG3`Q1&|d9(lMp41$lUh+ zdxq%NPyK*V>WsWOTTb0OG%^x*7xD-?Hi`QBr1;%xw&(-R;rMJcotUoQSlYw!e%fBm z)9rdHXpHNW))|lL`BxgeEX0fLN}eW)IjED9oy@Jh*c~#5$(!2wH4O~1-x@tEdS+uU z1^UTxZo3KI*p5GQJ|aW zXA7K;2#p*gFr%VN{Ie_&6$@kZkf%+V`T91ngk6E7qJXGrg#`0_S@u7RE}z(xpavLu z3%D^V!#tenrM8ni;Nh&s#@ZX^-?uO}!F9Q>=IbRMwc>X}*>se~MD3MeupfQP(|dR7 
zdZ2wlVOhd@&EB623i^?K`La6A)b`U4%x5vs<6a+EI|%0akfg2{xO{C-6n^ru4_1Ar zUv&rV9gF!>C5Fq@csi*yw+&6+*D2*b!%sL6RT-XL)FjbJPE|K$*RJ!f!_#)d)6?4x zwkbuQ5j3eQoWMG|02kvPy$2ua_6LfESsA|_$HIG-g<{qngoK1Z))_8yc#D$w;y^%G zaDA&qo0TI2$+}yzlQ2Z|esH^Sx9N}uTc$_LwD8Vi+Y=k%krmIKLd^o}d{xD}+66J; z?}GDVq6&pW!tZl_8Rm$?W)|b$lFlD+o4>OYYlFMij#vB+&1(n7e-Yt*4?hT-ytsRN zd+FFF9EF+tBsN^?a~X+!B1EoeDi^36W)AJAoD_OXY~v{AYv$(4))x9-d7rKNZ9gR5 zXou((PrZAOtDX*DyI7s@_nnGT<437d{_PF&GEzOUh3H~J+i%Py(sfeo!dY1e^QZgi zw}R@O80oTR`1s-4TH>r5`L|s3bIE6NsJX5)MaOTIP0zif8OkJ&I2?Xu zu@}l|r4~>9s#N=6f@RpHYs$0mbbZRBSD|%V#O#)AI6C211?e^4mGBm%$j87GJ8O4g zA~q?>iIQ@?voyS)?3y!`I`Vy!_w4vtjvlA%<@1FqcIuhPygD8lP4~RB%l*x>tKoy! z`Wm?>6~%Mx_`^c$RCUe4-xIOB(>0|ju_4o5t=X~IgkL=oD%&nEndMXcmI{On3*V>4 zYBMtn&VDCi`7UED^VqqyL8S+0K@c~<2Kjunli|*>ImgUT^!n)Gw81=cHD5K`20K3$ zuE|d&-$ol{Zk%sl8m1Uq~y-_IO1#HG;bOiYtpBwk1dD0rq40qk%@{Pb03uM(4FqZ`iG|i^p~l4BRip^! zFyc%1TRjJayoWL+z1nSRm#-g%U!w2%SjP38G|xTjh503Lxz6SCCtJ*YtqIC;W}o6) zckpj`u-mmY)Qw5^tx!%?QyKfvcvcdRU_Fz8rNo@l9T{Tv>(k)5UU=EcLW0IISLA#WeEMobzBs@=_3q5Jo!vB{VXFF}`uCL>d!dpmP7> zg(tbRJJPaW(DZ>^ZI@BT!Zsab=K9|wjx7k?kt+)HJE8_GUA8F&E72!QT52pd%vmR2G(`hWcn@Zh zJQRm93+m{9xnj#uWDpP6mCTh%%IU?(nY`tmxRQ}}jdzlBRo(5n4#lORVw=l~qGY9a ze{##uzAe45z~XpaOiS}-Zu7dQA@;4Oydnz1tHt!VCc+$jB#Qm$gvGE%^7UYt7{9N2 zKaHNak%kikb%mYKbBgP(LuLP_aA+LwZJ9$r!v#y z+eh`Pw%ab$X_^UVSKo=vPSQQwOdm?CWj^Vg`b}6ELib%>Z@$9^W7tY5o|j6ZM_Z4l z=cH;dT6@KIv2lL^ohGzJ^vN^*yTiv^f_I1GKR@EEu)u{_o)Fg)p`GIL23fS?=EtMT z!up=xw}d2Qa*+7``g>ii$r=mXxp(ywcZaZl3jE?B4@4 z%;bkvK!J_)UhwFpTMP$ZbXBtAc?GcL_!?pw<0-^3Vo`I7Y37MvA66gX>%G+BdW1tK z7UQzp%=aODQhO!6Tsb1IqaEu)2dhEiHcorg>@T9L5e#^iW9a0Sj@EV(Ma~=_|1K}c zg9^9tv#e*&BW+nthuZ5q(O5G1PI}kdy8oMG1cF0SrWG>}gv@hrs|0IGM7k*3;6QKc zctzP~I4~5?I)rN(%8ksbslZLg<;~QAm~1uJ3=Nh5!b{MGJw+8297`pZtdbJd!;b0} zt^vwCiOUGV?9$WV|9J`a&GCq9SnTZ)?5$YVob9w{5vK4<{O9oZ(t>G0%b4z?E|x?k z>yB+B+&ULFXeQlXbq7|N@7^H++=J6VjH;gf_-0UXlfwWYrq9n%8X-NzTXBCQ-4Q^P z@Ir8C?77r^e`O>m3wn0H0&{0DZZg%>+=r4G045Q|ox=41idPDoRy*Emw+aS2Z65K9 
zRW?7=d;jH*9FWk`B1CxL&1H8)DplEwx`4YxoyW$;1{g-3!Lh_$0fAM39M&1@efIr% zT(q|c$Y3GVnBNJ1MyqpSnu1kQ0G?m# zxwin-J$jegQKNu!mBswjgAA^Y(NGY8}ce@-k!o5`=|_a+G*^v}0J#Ew$#T*(R`7QgB`@yXg(ORGyQ$q|@G;4pXUsgX*GdINW)?n4hm z5QRGuKlkS-$0^`49zZ29DRX`dyaASvfpDT#(d@@te0Pie<>Uq?DmhH*@velU*MVW1 zhy4|Iq;j>H2estP=Sq;J2zt!a<51iKt9O($Wi~DEM|6KMD}(e6*fneCKRNWPcfmCZ zY9`qNu@61A(Kivr&D*J1{Bqlr2m+9s%mpc!fjsyX7pfSg$VMS;X_;Rh4xjHSkr-AT zKtzf@!O!xz_gQ&v26Szmo*lIYUwi#d8PK93wnPpOH@EQeSCYslh}2{OYl1f`t2Bmd zo0~+BvE){_e*w8Io1-)OK?oc=s`slE9!mp#?9(03_(wsAkfRZJyK$Zi7A#E<%)H|T$i(OG$z)SF#y z_}K9NJ*&95ssA~YiQXi>rT9J?FA3Q;_9lX?3+vqXs|KlKRpmy&?(QxKYG72uVGt!? zJSJ^8iSjj*?3QSP$w!lzaK&Q=6mj?AtPn3R0IGDh9T|uus}I2cpSOL!=L=$lh%8ux zouppOjtd`iI*sOip_I73Ds9ZQ9MT3Ben1}<1+r%Sq7Zm&+v{LU)7zIpBjRe+(i;3h zx3tRF%VT@0Cj2#%nXwqmA8`C?&3SU2GE6BHs#6i<;WC*OX^?a-raTKOa$1~QW4nDj z0{fb;_Zg@K2jmvh@us~%Feo%|UFDZCZkg~CO6HX5AFWrewVU*O%>ikX%9Ypf-1>?N zIH34^xB9!~w=q+LA7GG!;zqy$xbTW_maK%eo}L~U*g@6pqzRzN#m&Wz*uj$?%N+BZrB33ThukM>r zbCFlMKK|*wRziLCOzodH0O4HBcTpq0RF+dX)&eFJoCx8&HBkwYML6CM!}OYbq(al-p=97y zRFQFi)D--2TjPACotyxF1^+q}amH<(NYw?HXkNew1S_l=xaZn;=5@mJ*FQsdc3QHV zYHD03tDwa2(E7$pF>n$BURz741)Jm6*EbwZ+FF4dSIbJn1H7x+)E1q)FokyJv*q8< z=AO;aTIR=>jwQB7pi3`jT`2oF`*$UJ%DTv$9+P1sD*g zIf2x1W=8yoiIJHe!=6+&EQhJM7(a_aYUQJuzD?U60MHg+2J?W8O~G$hI97q|9>{^* zkKVZC)8QeU;Mn#axRj*6=8>!Dy-owqd#cm%bQ!OXJP{t5Do`^$%#{7n7K-as8Kf-p z7klB*5$jw;VO}1n$eS1)1k(eeBN}e{zqo?&sxfr!Bpkh$&v%pHz6XKTefhWML;8vo!34AM6AkI%mgGyb>v6$;(q%}aFh^$^nn$3I5=kOA1i^jvwZn0 z*cARA9eR(V`J4oo2ImB8G0VTrcHWJ9d4inKz(^QC52)uun-WBOj1mhPwvba%$TkyS z9a#ljtscnjFvQ!py#v#JpB=I3B4G&FSy@^6{1(Ia)4Q8FuF8(lWte85p%LKs5naz; zS=HmEB_at8Q^4n~R(NZ2WbTnnI_1;z5#agN^JG@d7_h@~&UF`#}G zo8{^4d>qjhGAfThvaBEfG#Wv=I?%g{6)2q(JTYmwdn9aRdZQ8#Xo`_7~$n zYTY&*sn!l&o#F6OmR+lJ>2y+7b>!L;Q%a@hty8&WqbDm0q?ez^;9iEaeGI1Cqc*mE zu&FGq4!~(AAf&AIYr85i3WkB;+8OHw$Ev`gHv=4La4h5vW|Y@nDxR#V5KxpkhKGoX z40u3w+0;Drz5@9zU^1l71P-&fU^gu@hazU(*RL>lJi%8K#3$3$UW6tz(@d>e+m~uw zP=4dQvCqW3?Fbeg@>x^S3x%1- 
zHjC?1cx`2oX74I0cjP?)f3{dGf8$?T!|=*DaEWP%x-(FF^NY^972AiwPT2_p z{%yNC|21)KLRJsEwwdL$QHi{C?@qUZH&F{6M}qeCpNkZ2uMM5@;Z#pRL{<+#JuWU;s43!gFNi= z|8YDipYHm_Os$eRUs1bqfH6+?FHe5y(>_|rz+0l7xulp}V)MnVr=W>vh@r^AUAI!9j(;ns;pee5Upv&rpc! zgG!@irx?hKozfTx-ed*9IWC0OavgBq@!BaZU3n57=;8)o^N^vFxc7AId4PVId9VV{ zOux+XFr;Nf9_)k4OPK+4hKFMFZ?^`dt*u$FnuGfeU9YD!VFD_1gS-is7jF~c3*ezQ zWHdKawExLzMEfN^3ZG!r9jpdGDU4SGwMqi^cPMeWWqXQw6On@fz)8OhtPrT|NdwK_ zqZ@Fl0f4q#tg>MxX~n5KfI3u-;D5aoEE2LV`*>yy=ho* z38Yt|P~8h7ZfPuk~#d>Cl-C>!qd-*M%$-3HzO z@>$p zT;Bn9dIBemIv0#&9-pePAFamZa{)TMb_z(znMyV4O!0?NqF<*$%3`me68uY2z=-G}^O z(#$hRbKy9C+-^fLpZLn}|;_@E=6RqehL&_n`rj+my^#l*OL&q!CytT1#n|-AYIo zaC(vQ$kLLIwKh`M@eIY`Ks=}0iUi*clo~Z0;7sUGIc7z5Jw16X{H&rPWgZPyA~@Rc z%H!J3AmQKV$iBki5A$DTCrH4Q#JI^UP(g-}SA+2Qi=DD;Dgjro6t3X-IMd4^SuBA{ zaI@6n zWj|emZApyfX&_=t6LM2zc;>X)p9KuHhso@N1L!J4L2k$tYfI6GkB_z{`Bf|rO}*d5 z$ES+9$ibC|V`ZQG&WA=BHxXN*y0=@d+===)HSkDotAYaHB3|(tUS8fukij~R4=u~% zxg&3>jz&aat5^=z9)N#lor>DR-BMFrG9lgu|KG3k*~K+c6W3lT%-Q3Hyh*v+2ZhrG z_~c+5v-38N8-!nHbCj^ZXQ(4yib3|x)RAPyZ;(}tDfc#T}rqa?i~ zP28^@2({p1FnYk;u>9LCabeHp?I)T+6TgT8TbjuY)Y z6#n>KKPun|%DC!&INNO#Wo??07|L@SQ366%WhFK7MU(alc<1BeV~DR2$)ds>{GaRU z441rJkSe21_ZlPwOdL*EeE|ORRShSM2J0GdcDJ^(>zJs8vg5Yy5P2-WkqTJ78gR|)XBHgivl#*#YJNzplyugSAoTLsp6NJZVa!2KDZtu5 zoO8RLyaq`xElSgCz=if^6o7{I+g9=h;{c`24ROg@&p=Z85(w54hif0MVSm(b4PM)- zt%WMT&&f`XpNZ_pbqU0V*R}Q#kFkoP=12$iPZKF zT=P?^6#(yC-+bDLPWPB`wRsx8ffvM?mLX+cYcjYZeDmIrA3@s=DYP*gB={Q-`uIO} z8I1WIOdqKEZ41He^+uk3SF4v7sg@A^^|H8>_eaVu_#o#@{PwvY$TaIsT7H6K_W?zJ zjuk3u{1sk!#Ni(;5Zuc@!8fdocJ_|?qH82Eg-!)?y5M)&URM8?G_@2uH}$9#caiQ` z%_#C(4rK?At}n5OI055`qJH&}XOe1qN0R+S)@YqX!&2nq#T?d#DbG}zpKDh3zhgts zW*tQTAFX|NRL+0gHyI7Imxf518rqYhE>Y1%8Y+rXT1q8NnzW@MG}P6PByDL)MM^Za zmx_k8hm^|my7=Aq{XFM9=RWs&&f}k)6W{B5eaGkXe!t$Y!5Mb-q=8O3zaSy-py_C$ z1JmCxz*r;KBg&{Xr5xjVq1FGqz%0^rbtlQ$72hg+b1oa#Cwu+=NyAV=9830~@+Y#o zGM*q!R4KUaT2Y(%&L{CWowcQQipe0E*IqSj=WtRMe#(c_pu-_U-&4KYu8kf<+mz_2 zNX@CtQ#zl+&Z7A5tu1EzQv~%Y4!SVPUO#wk)ck<3OK0M*z&`ihl6lP7Q&UqPkBqdp 
zx63JZcXz{SSI%Z(3{v%GRet%#j@iZUkTU~b=|^7nk4fX)9dgg1dGcPtihE<_*jec5 zz&ku=sMiY7ibX5TuuMru5v6@b`VMtNI%wPoPcDp!F?seJ9{odbzGzIRXb_UG0sx5q zUW`NDsx@eb2Wf)$c<(ZnCwR`=T>tTLY`0xcxi!_9ZP1`qwvJ%~M+1RyzOFWpruk^Q~JyyX=b&265~uhC6Z8HKv47E7bKc^7t=TwKfz`Y=qB?j!gyNrkhgs`{DcFH%m9ZXrKM@DaC&(6utl z4+n3^X7+yiBn6Kt?_W!y1tGhYc~%szkKNJyNkMyYqR5Hk3d1k~i5A{9v{5tF5RZc8 z+xKIk_oW{=P$$Owy}{{Kp8E&Zc_tUkIUstz0Y%K`H>xT;5wa1*xJ0{btKJ4<_`##- zWoYppWYfegq#P64K0y=rOq1f4ud*91%^}t_rP8_o<7IcO@&%m(;g-s>$@Lad{Zsh(bd zlOhm)R5Z~2?as%0aJW;~6rN-(o;1XtHDeKPJT^Y{%5zK>j4kJ%jvyx&$s3yL z-rQG({VmJn)ymA^8$iUE)gaY6;K=b~I^+N#Nb@zsS;IY+?}iEY7ZL6CQr@LECg(~) z)Kx3U9DJ_V&}r1LYasJhzB_!W3ch_}$QiX%a@%#ti9#!xtYvOWiE*fiv+L^?5PEv$ z_;Fx;pMgjQFQ$sm>QCsk5u;OW$0d8=?N4f^tMhY?k2_!3 zve8zd*a2D{Vyk8nPrFl*`4$J|#wqoMp?BG%{?TtT-*iK9^9vd39~&BWp-KbBen0=x z^K-8}z!y7nG{U6#>M(S?;^)fW>Sp!i_!3x;_(w6m+HBd1FTF^pck3MR@PRQYR=zg z4N1KzzvZjI;$&!kC!+BjY5Z#r3pjq1H?Jfd zQ-9X4pI5eLwYqSiEXAu9<;L>8UY=7!nKWv`yZUO=?JGGnBKr-cX#}RQF23=P;85W( z;2hgAVy3gTG-tlnH=OFWS*VLbi$OyT!Mqz+d@%lVxhJYf6+45jxca>>+@*GINlufi z6RR3%I1uRAQuCr2V^aZ3t2d{It`Avra&HdXLMxN?`|8!J?a$BuCX`S2EzVoPua5Sx zfdQNAwuL0R6I8p#3|$u=R8^sI|8khg)ZFm0MXY`E$PC-Bn_e-O!g(UKTBN2tHRb2x zv+BYvOT((#9^OMBl75&Ulo)4A9r`+*zDS7X?wS79?l|yIb%?12!ec>Thfr+p(hW$0~c~5oM{@^^f(d;gPRvt7Htz2#Y~De-1xop`NkK!P?-?H zI1w(4-a4lGPz1{391z%))4D$7Goq|ZYAQ}4-V+ldsQApOUx_j0I^>hkaF^fBcGKZ$ zKJA;tnT_%djtTO+U-y0TFVZ(Ih3(&5NC?!*BCf5;^xsvIsf*aF_E+=f<>oSUh;dl? 
z^R>rdwo(-tYkZBnh5tZYQ7eT6VRhv^p~RfMV^IXQZWf42YwZ@bF*+c`uAz_I7k zB~e?x${F1T^pqbZCIu&p6OMW>CPvTjrm#O*0BT87=vRm1(Rh~Aqg=swTm=7FAPSHy z`5l^AJ`8jg*vRt=f<}V+wb50<1dYx_&&nxf=FUWaN5$Zx1uv(|dSf%=y?Z*5_VL4O z51DaIo^_LWY0Knw^nSWVvDj{&Y%pGyk!-(x%B>%kP_uvB6%&zxU6a+P)oyQ`SLpJk zomt?QWWMLkGX>FU= zePLZQJ>&-$6VWFWd`QPb!z1rF0B!-N+mxK-II<$f<=#{JUSO7G-b%8oVa3Adh?Wrz zohHKEmlUaPv#_!CERMJ*^f^{UCd=nKjBd2Ewam4$*mrGGSXA`6vg7Wz z+25XpcXOO4m^amjdwg9}?6ltf_folWX)YCfo4yg_&?9R#WfDadjwM*!xbWlKGibKL zU5XvP`H1l9<}?bNOk|`!|ELNUNb0=OupZh-ipehi?n^{&CHnawP0A02lRfp}-I(m} zHT>WA^tb!iDcYD)cDez=qg}~0~c$O=$74Hnziov#Iv`8 z#j%WoWhk(e2{#4L&dj)SNQK#i#M)XUwx>(9oCNVW8ioWl{pV-5M2fX2Ix0XESLOQn zN=f12`0%>(FESMN6Yl>$wJnU}!Tn`|kFmZBV~G+B#JVw#K;?CklOt$5_sYkJUrfkR zLjyUoZ3r+#l}w0w4vNY?i`~hGQ`TQ@(;?KQ%R+202v!4E=c=?beLk5}B{QbftjYLS+AhWdeniz+5 z!$$OJw17qx+mptGZx8P>rV?lTe8THE4)u$X>~0y1`lQrt*r5?8g!5!Ic>*iX^z!mu z410MtoY$B>S?;lzQA-oI_h_U;f8LfJ6xM94nY;!-ro_{DDl~NxWxYL`fzso+t8U735qn zt?20L>gwy8bhdD6=Y(sItej6(fNsB$$WGTKhxjnX8~q_fIDhTo*m7vHCOuJUQnHTv zI&%GhQ4E37b2O6M|2l514D>;8%N#n+b582m`ct}04x|y%KS@3{1{2d-=mrTTCO{*| z+qRMeS4?nG>`99ot3RC(YPJ>|>nLh1gHSAxBIK2j^S+^HJUS-8p2%m^&sum}LR!ih zHY}%~=pc@=b9KwMOCJ;NE7--)T@*g(ORULw_C9?%kJx!Kl%P}hewG~;Ib+T2)#>4R zM5(o%fl@IiNkO!n*9M0)nxBfJzhNd>r_~BBaK#f@3Bsph;^Kywi^+MG?Hk=rd9VI# zFfFB_p<&%`cyp6Ha!9zexz5z9sh$91;Wo0gDjX|j-bV{WVz1S5-rfYLMY1?r&CJx$ zbIoJechf^z`@VNr}er5KN%T!IWt)Waz5vG`}-p{u} zSsD2t{*xgITn);k?IIcI%Ek=B_RkG|Ick!^6WftJ=G8P%$#+GQ`$(w9d#nk$C9g0= zhKdgvFUY_OCBs+)jgISz*Cyh}YMCWzrp{ksZqV@{p@W=|v;iN=gM^0eoarO}MM`@$iIrF`t&CHzalVYMZ*;VS+Hs0pgIm6^a?^tp*-l z0&MqBLpOO8@L1qB&!tI!&v&&W+2^>Mii_6ft++no!(ff&q(HWr;4muMXXgPY7Klmd z49=LVg5~u*JNs70Tj`1xceqgzepFQYr|v!7N=QkeBhk=!vA=K=4?DXnlZdWz=?e4p zm6)(9>a&u<;?s|~34=79z3H*b%R0mn8Ky1_8_B~*CW@=z3<_Zzn^)=)1yXX%8UyeH zYP_Y+>l!klAe}IBV631`PdTNmTjidwauB2|KET%Z;|Jgy`;{!a(9plogzf@H*KN*P zTA{Tx;n2EZH=^KfZ*9Guc^$ZTbQ6wr!Edw6=u9cX6)rG{`lnS-KjQR#Q8e~phe@em zs5d^AdItst{F#B==Qh_)ok&Ai3z4(Fk`hI2I|M~|XA5KC!Z)9Zj)lEuD3hXxx 
zwH&i*EW3xt=^?oZ_A3Hm@86FMSer=5#pskj#dmLw5aS8cw4MCIfE37_zrX(kOtLUC z%kS@}FXZ!1!9m|{204KbvzzTCfY<-8hi?*M96gShopdl4 zzp&xzA3pL#6F*`AaLr;^&!3WVnh!tf{_|@z3Ejm=Xc*U+Obh>Qe^am zPa08t6+&~6_Vdbe2)ZTHD! z4kl!ds2IQXqYyCK&A9ywJ4_77bj#pJR8AREe=cp(x2dUy_YJhea{ELq)&0!5NZ5ED zKPK=|P)2i|=4LvVb{|tQ1*XP=!b1MVZ%lP_93n}bXBS{5X$QN8Uq7Zl7du%GC#q`bdKzy<4V-eSQ5KKEzEfXyo zb0<1cbS3<_qM{-c*HpBRaz|Gw$TL2N@09hY8l~ z6=$u$CB^OsECHc0WH&LEGEJ%GO3+{1r0P8ki_A7Y7|k|$+VJ+wepk*!Fdqj&yTP|Z zHT&b(i4jVDKQfE;WqPAi$}K^+QNwyO9cK(DK*>DlvHBC|iRvR&d!+k?E%HBqJx&YT zDMch;L4!*U>ebPyb{)mjqb_!F z$DeP}Yj?wJW-WPs$K?D;<)hZWXSFQ8sTz;-4axP8w?;I4xSEl0^NmFyFay|f^o~;q zT9gw~Fru#29`9jmqo2k;S&I%z%(TR1w&kC>xj8b=@5FsU)#5IPx$0T_mxme;eG1y$ zQvQgVr|YN+R&-Z91+L#atk9Y%JiY&q^q$z8G|~#OU*VJr8~$vQ;ye_4oU2{#H_40J zy}xD|H=9;-Pg_(o!vOS5_lE0^l|ctKo6^$K zNG_FTeF2s+8375L$=kqtIZnZOBM;q5M2lvoIW_2_BMNOoTFqLq(yx40+<2f@l6U0Wd$R+_;HS7 zSDvMNMh-~akb~3K)*@x?mNmWKsOS2sf^0!bQ4zYSS1dHk%gbE~3YfqF6nu9u2f+BpWRHeFeVC%hg0;E%Aa;%OFAK_=X3@y5o_Y2zjQiK(cZ22%1rl7y z3Hzx2Tt4#mONd5pu|z@u=6m?u=)C+t)p?~yIgInb7Asp^^Nebr#k{e|c_LEt!{*D_ z_^Ojscn7z!%fM*Tj+o{zGY%`OnasYvAT5A1i+D!^^Vu%n9|+5sv(j6f{lX-mbBZ%| zH?BzPJ?vWxWI*-s8ZJRdLG&L`RT#kYuh_LCjQXqor9e^|-RJR-bq40&%r@1Ewmy0WIE zr1Y!87Y<1L?1-R~k^>pivURLk&Y_?Ao4OxXsaH5Bzume5zJYT9P!D;p@UiTo9UZ*=2A@v|z_c@__vMx2Ha6=SXU18)9wpIz7>3^ul!ym0 zY(1m(0WGV{(xy97XgFF63d)6qB9pJH9KH0Kc#AHY2yAkDt)Ph&@;l4Ce-#2iXSD~{ z9W^THFFzNibo@zm5%Va)k#px&5DEK6!0zRmffy~c*RCTik6Th~+$ATc&F*P-{o?CRO zr#Cf%&P+)sXTP$rzG>^D;sQ~Z=(~P9%$;vH(F$_@^ZNbOgAeQk#SS{on1M#`b4cl4 zn4*iIJW2QH0l+$Kj^U}N&l4(dT#UT|AOc)OCk08H1?%q33DTzSn!m&;L%v)=j%cSY z$h2sYK$sC-{EhtvbLVn|mN*ss`r{7*1An9Y>2|=`SJy?1baKVcmsz~W!vehG_gL;&SKT;R+)VilQp-Rr z#`u&3tW5M-6THod&FF>64t=2W)A1a-kg^QvMPli-l;0*h^@7gh#Ml;@?hwJvGzdFe zWF1vZ#5St?Q z$Z0j{CzBTlD%bvfyV%YpN~sNW9P89jO%hk{6nrO+*L-XrnD;P`E<}@T2HOnY4>1!H zc4U}*7!VWm31nU-zlSd+i&!%ct_*YMd>}>Xd?#6}@(KWu*74)Q`&DDr92~N0CAS!> zf#yM^^(@x~Mpa6FrOAaO{r`R>>h8Y)SnK}<03)&f@JgweQoe?AQC(cE)Y*qwY@<7F 
z=khi-5KHneGzK2y%y15QCSF|Wwc#%itXsWm+Z?&X3l+4$A7?ED@!K}cd>bY%ZJFkay+cV%^T;-SVWhwEEf z5+iwUTcDs5Hc34s4Q3-|%X?maA8*ex6=5tVGp01}J!mbfZ(moHwv3@wO&5(Y!47jB;qM$yJ$dc>pRp$9t0%0!owkuG^7xD5Q&e)tkHyTfuPZ!EsIHbS_ar>1OEO41d8om!f=E3-8N#|H4 z#VaYpAk0RUd8Evbz3FJ;?-0?iQ+GFe zgn9fC7#$2h`{1D#A@Q}Nn#GoFVaOD1&nBZLDeSRisa7ia0UyBX^yEZxkmnmCAFN^v zA9%puxO@6kjxusdgEpzEMl9rWU5!|H$TgRp1Q5gw92$I7@2OLHj?KLDmY>PPwQEx* zc#V-1(oA1J_%3Z73JQ&Gn!7EJfBiV)v!7OgdmL6*7yR|IbY!jh;N& zcq@`8_xL;B>$aD_LAHfW4U`v-ZS|PZP4&F~jZGTBDHi;i@%g&8XFwm&DisAne~s$9=Hu!f+im6F>4>--YwM#(HIs^-9@w9MR$MQ^H8`6Dn#H z&REtsR~j+T{P01ftEBC#Rq>)A!L;l;!`jDFJJ0Cpef@;gc#{6eD5W{`wa$xr`f(>o z85tS1f`-f?M0TO~g3F_AZG^rery~c(GkOHM%2mTJ00`7xsQTl4KyKUr+>`BZ49V)Z zR}~^}Y|o}-WY8?WDORlcC#bXV(Ef8GWW6|9z~w{rgzWthER0QXmVmYzp;QR=baI*{ zi?|%9THD$x1FbA9zK)C(78Kkzfz;HRyh|Ud=m=pc2>G{7Pr3$I*uc~b!GUU9^zp7wZ-w_4A$U)$0?6qG99f-acJu- zrcR>MUciBlS)}C`tVoBuO#5vO;cNM3Jm+PR-Qc+Q$rvz<=_D{K!|HLd8CmmB7i4Jv zFs3-;`ZS2MaoP2BuIRHYi6OnOU`j0`y>WJuLT|B*>yA-* zOYn3+hES6|(J#}H&HagmvWm#o(5pg|PcynVk-q@jIhBXf#Bqj_thBmaz110*wd7Hs zv7EHLInA5hzMUx+w*e2%|KVTr-#;i}^Nojo-!SNHJG%NJ6w;NTD@;NTD~&=BC@;4xdA zn7|A0POoGo;L1kGx4;7=3voqpIJn9v%o`(Q@EG0xg|-tM98TxMKlom|LQ^=neT?y(kE5q|~NIPr8 zyERENhwd6_``X9swOYj#zD8_C4KpQYzJyQF0$rG0P2Yo?$&Ad8^&Nx`A2?RRz7TG0 zZboM@`*Eyb=ypA>4Pko=(VU?z3senP*HG_M$rz{7Sv%ifq&+y_H-M<9T2R*dUUaD= zI^nRtI2GL83?L*CF!ZaF-q=LfH)!n}ZS##~RQ!|$$2~>+tvm1WN%+th{$~yYPRaYb zyxjbOXeI?Ex$8{ny}1TD@YJov%Wy2gg6p-Rq$hOa<16@&P_W1axH&m#c*b~L*~bz2 ze?u)HB3Fdyfr&e)yae3etYV16hs$mr6OA9Rlox87a6AkDis^vP$;haYYjg68@G!;a z7p-ft zzV`vBW_>(u_I5GhL|g;lYywbldkVb5*|on)1>N1I@Vc-<=c8QbE)IE5_80d=ybiX~ zEwXK=>$2*#f)wzo2^+l5%dl>*&!y9%8teMj2NTRT7u(LxT)n}gUv+j5k3@a%mL_g3 zrG+joj|kFPu`1g7V1oWV zp&llYug==t?RA^_-QDHt%?B}leo|7?^tL{Rc~m0nKig82rlYM!_E|YOl55|T%s!D3 zS4pR9mcQxGh1+xp-_#FEO(iFBl-Z{!)vJ*UN*&{0uigD+)<@Dp6;Y`jlq#5a^%TL* z!&53s*L1o>n>W`fT2CdF7ImSOCy~$NE0)LiiOETN$&vJ?ba^3BExkxwyeba=FYx9V z_CEHMk77S9QD=o!nScLW{5mY{xZOkYv6G|Ix^?`gPmijRc@5u(BjZ}1B=TSqa>f*)XCl0d@Plkrs-yS%n>>Gpo+dXZLmy(s?A 
zCMF9A_Pegf-#M}s8q*HE@8-XrqUz})^%lOVz(WnkS&kE*D=R8f(_*mif1L6nPN9mdM7vvYVlu+ObEj~SfFEO5d}N296D0-y#+qy;iMf;g4V@L!mWB==<(KW)6AphkOKguQ~S)yiQk_{5h`i|aJOOtP> zBb8sY#k(dp%niL2lYqPd5=tgQ)+`|<; zWJ{Z!6le$;bFiq0rQT|E#Xr79&eHXHBjGF-)c#HZ?s~q!bU`}ler|^rxVlbhrE35dipKvII)^^`t zZEOW>pjr4&kZ()lt^0>C>N|e$93u}2w;IT+edAMR?>8!xil*T-^On$~0V^nrG>{uJ zG+Fi~(fbO9$x}65c5fpK2k_&ixKm69UDiLi^hC^D>jX6)Qw=s66t7@E5#>BtMGg7; zY>`R@hXncz+I-?^@ZG(J<0%i#rA$0e2#c5aWNmDUK{wzx>OdlK+_*m9f9M(!Bu`BH zk}zv(9v(!;5s)~VPi;@}BI%L|z6wfZ;otymY2BS(U|995RqVs3-(J|0IOew(U2OR; z)5-KjKUvXFLa+^%&36t9x(psC#sP73tw)dWWpndrzMK92;TuUNN*PM~J@Z>Y zH<^Ns%QO;WL4l3OD8?7bVB>sUT}>v<6zarRv$+3hY$^Fs14$_Z-IbYSFp{>10)laU zZ!Tz#+{rM1&CXT}kNScqC#@!`g{7sXd8d+6=kz$D22%)bGkb>}6g?_!)Otk=fWdr=n{rUqI|cpPQLq zDU?qQ85215KS3xcwlU|Cx$(hOcCsjVxM+5F-Xs`sYQw5(YO!f)*j$*Oaf7Yb3RQD@ zBPzAnJ%h{lR=RhztAcQ;aQ4xDMx%z$NNrr4?_Yf+tFrhmL+go3XiEIllh2zKmY&w+ zy1ewkjj5T%-OPT-ZFiQz>E>EfTU+qmm2-V*pC3-R*leMyd;&++Ho3w5rh~;8*4jlV z{=(af-`_K6?brGsb{^F%LjYS~U-@UYwl4gRC@U))u@HoAIXIoz{k>o|^ERTD52^}r zJCQV+j&8%BK9jjqk#5P;zI=rO+8n+E}Te-qA0&-Q2fNc&Cf*$d&IoGOlXUEv_;J^?aTe8<<9> z+v}W9_fpOq?m*OrA$oerVr_loBI5UthE#K82cr?^PtijUv5M`IC4*A8RGo%WL=EO{ z@iU^iEe{O&q_#)18k~NI)eI!e^9=l0wZysUEtnOL3uX3<_9C+azXgeCxA)Pd{O9VL zn$U_xqyoXoDw=(Lu?Z8%#J$$3lwoPMb>)f-k_W$}`=i5Yh@NMbV8^w^dJlMKwMAfN z)Jz;@mT-;=gu6HPU3@EDGD|aAcv|;=obJEZJSpa6$>uz16;)Ll$<}DH;Lo4{CKdUE zl|F)EYHeu*YU9WXD2)I3G;`j=H3wx)gA2gug*M7k3XLx=^eHqre#~^bG`Vhq6*Y#YMGOEXfE^&y6hdGQZ0Tk_H?TDQ{6R2g4!kB5n_yi zHp!#!u@~^yLOlLw;t`oJJUV}KDhdh;Ua2ccHLfwzZUC|PHMNXXIPBtF-c17B9fj(B zDJg8HrOPrtOBJlCsbO+X6>_oOtS~C$8dT@v)7>5DWIj1pAok87SxQJ#HKp1}m`f#Z z(0)NI>eGz1Woc`>(Ckqau^FP89-HMYnFY&&gwuDUyf(yzKMii4qsLLJUkY zhU<3i`z*)vz4;>8H6Sri&!I#b78YVzMy2GqM`lU56?hNkX9!!j^~nGZ``vuI`b>6z_q)1U_7VD#4%CiB0_cx!XbL=d-Lae zi$q%hB@=S!#Kj~D`hN4LlZ_1NYNci0k@Q|JcdM6>T$~Ml?$i9ewJysi5L{2uEe4}3 z*ady_PA7t|989YCs-oYP?^?y;I3yJE@|NH{{Y%Dd=|_#z&=6W{d)=qIolMJSR5U?n z%lNah#E{)HhlX{wWNNg*lRsrFKAgDouV}4ehG$a(C!v3_BlKFmduB=7H40x=Nk-zz 
z^BSy%F}mA}C^JRgHJK=-c<~Lxczh{KD)TJZiIDluYHt)(>=RxMB7z7qQJb5Zd*)V8Kx1R^DM z&V6b0I^S!)JU-qSz7}QT8XF)HF^{-I#xNi70D!^PcCX_D=Dn^=j7Fr{&deH(q-kX4 zBiAz?mn&zIafj^_t6O=Np&8T&$sp&sdIu9Qa=gYP&=L*Yws}@oR?owg4-tt1ab?$ji$EvmcjI*snRNR*O3Q zXO($BcJoZIM&z)0cz6^QpF4L+X>M+AS=ruQ04kNJkHYu97cUj3{)EY1w=Pu^=aPr{_OU-b;wcpba?`qyI?u@pUrAi3b$6@E zLclsM;Ld4nQ?)@{Wy|Y&^X3Q{waw(Wk^s3S7dgk|qcexgBeRH_-QC?OCgp5t-m0(9 z1osjSEvXEe8o7HkH8hk``OrTYikEi?Y7AIe0rjCB4VfQ7<5j(D=}cD+jQaP-prG-u zUyVA0bD&!0!^t1E^&1@X)-RnBN3tY??Thl2(mZDl*Nb|OuWD;f$JYn{goOoCU`0d) z-#aX|!)px`-e2kh6+Er)1CCIaP5K@QXBFzeaxEN&I7S zPES=Eok9XeYC9MG3n{ANSais+=bk%&V*154U9LwN^E~fvF7Y!GndvqPXX})MoR{bsut{^<)YoId zbRLYxiSyHDwq{smZ1>g;at7$ieYeqt*EkYOIiZ%jpxabS<|=NXCTeH{@z@Td=CsBc_jTQ=9Pi(df1tdL51bv3V^GdT(2)p2PVJh*1ctNi2N1zM`(vfr9FSXYTu%l(}j{X=U$HvCCR9j~Y z9ZcZa9N-(4nO7R?@YV8I9vtA zKV8I&vCcWaxcCn!1%0VP&V}-Vh3RHHT74W+Xz`chQ!d++EHfYHzDA+N_{z}|%%c9) zAw#gPLn>#g>!xkGSldiBZG%*NddjYM)2_(Sz7vwS8iUJ8Hrw*>l*3DNdirSrh-aR08StIaO6^c1S3g zI5aFgs#Mt66CxsxtvNX+$pt5P_zKr(y47k6InuUsgK_VEeiE^n29(yu#s<(QQ&x7D zgQfb53!n;;Xg)>shkw^zfQNfYXK>1ixvq8_$~8WIA6VC?!RnKHFkHiW*>029DDE;S7Df)hfwyOh}Agum_N7>&Qv8(YB*Hc zVLxdV`czsXjwPM02)9Y>`T+fu4q(PWqH5d>sU}$JyFHAI4`+}!fhj(LH2;Pk|1qjk z_mxrb>3#kEUkVGOV<=Zj6{ydMu}7iJ|Lq=tn|%r+A;P>X5if{H<{%!~@Uy79ooIjE zTv5F_)L_K(ia@dazue32hT_@F4zA*ix5T4&QRcv36}-_5RgMY~9uvE-#I-}>ZH>OO zql%&w`NTBW#qxb%;FGo$73=LHR7_FvLJ-b*F5pHijR|3)eQT5 zRO_hdro<&h?XexVG=ZgPGl6dC4QJbp>rJNG<-2@3Me$s^NZxAoLqvx-^IqRmcrv-L zBR}k?;d@N0w|*g&xZ_O!Ws193;O<^3KzaJCTJau@xL4x#uHhMC{1CZS6OBLJCKxk9 zat-ET_Ki!(DJnJ}wWv+m8sOj+~&D|q!zG!W7Hz5#_+~BVgAa$@SiN%oX zYiLSEm@;gw$tBNbq2G{NqVEtyl;vxhiScMXC)LDcQhsS$gYfjIYRX(X%$_S6E!ton z!#3;+%krs22e!#|dxLs9C3>JH%L2BaRI29T;~;B31SS*J+SiMG)X!wqXMf&U;FV7-HZ{1@N&*TZGGzJ+Eg2;di4 zu+1!3y~On>{^K);-y>;&K9C$D?@HqCcE*qXk~K41UnnX9syn{W+0M_{^cWf^feKc; zPecVnlN?R7P6{Qj=P-9rt8q0Y?5LhpRRJjXEdaG#uYr~h$G&yStD$@Tt|)YqQZ{En zf^#|)>ycDkO6M&t>rPI6J+a07&C&61^_A8K6<#+??WKn~_vO-thvY31~+&hi+|s zs=FN~4!n;al#~>QT$ou>XrT6O(o?V6h!Ym^s;CO-=j$Rm;PVPVEM07c#X>01LqiYI 
z(E;fF=v-< z_};Dc#Z9Vfb!M)ufmUw%J-Mc(xw*2Ehl7KI6MA>B-03K9M707TF4D}pd89fMtau5} z7JW?Gi^v;CkaFXavylnsVurhUe|EUmkDq$V1stOK$Ok7US5hl90x7<>wiZA=ht*zO zC8Z$Yb_C%5Fn@l3c=&>Zn26u%XsyA+15`1YyKmtK>rl9G~)`9@=QHgH{HW;92k9U;wX`=-oqH@&V8Ha#w7 zmBX`P7rFbpl0q6{R|W%;vUsE8-Dcw6#_uN>S~$Y7r!(~#3818}kc@Q;g3~=5hb^g~ zhojbGh=4>@M{)a~EfckzjmpmkD|hrkcea}Z0=?jU5zyskY-@Brz-C_mmi$uT&YgUB zXt^CPbqU88mqVB>6<={)UTZ}KMW?$C>3%u&@`HP9_|X?eYcAKANb3k`@1jLFH_>lc zXJfY*#8Xe=X+Q(>ek5}?Mz%?r@f#j|*Hr_ISP~S<-G3FzhcmOR!%dA^Vo&<5rX#v1tnZ&{UjH9uRTsHX-iz<*egcwnM+lTI~xp|{C~PpwWjha zE;>qJ?@#7kZ!;tKNWri4VDo6zc-9OVjX;&sg=z#ueZl3v|GmbbBM9X8k*V9rK?PWe z%``xx#vNUu0gNNl10Ugl-QBX$G4AB#<#n%K0+AGJA_g4u=bJZshv)KOvGC@uOhEIM zQu52&;AE5e?b0I(FRF2O3vfMsZf>^j^0D8Y1}QebIb z1Aa9S688P-FZaTE^2ZO&-Cs;}tk7MP^K=ogr0eT14s&FAv%y#V4JKUo7ho-JC`5QN zXYf2f?u``?JI_Yao|{Q^7r=IADgl{|i;pi|tPqz`kNAW5eJQBGHAC3rsKH6;F?Veg zpk{zeYs)xeMT7^8^oN91!qhW_fvKoVG8U5#_e1&{L#cY*_J2;j2L&dxI_$z^&C{x9Jh32x*reghq#4Xn&x(;7|lP$0}*{N7(^ z1MIUhDk=jCP_sdk>pLLAGNVc!0VNmoPEUYPfW6o$+2tXvIpL;#ezkOBLhO05Io2(o z@F^IJgxj7vsQIbQbZXg`1^{S&HMtcir7OHt{9y3q++=PSae?jX3W&~Jlhej+74oU` z*ksQpr>C=1&v$o;d4jR2(g7d`X8SzU=k{u9cJ>MsEig;M49rH-`0eyn#{k2Mb6jZS zTBwJtFV(N1e9O1nK~y5t6D39>MJq74dGwg+F($%`Uici2Xq-VyYwM!Y;t3xgw3D;< zm&iidy^i+&F@=wjAw56+hx<8PPPewVXI1nfN?!%xbZ<>21R#INA$=hwxLHymkxE&a zB~}#$T0yB+!y|?eNqZIxDIL=70Eq+i;}55Rri5c7C&Pe3`Ivyfuz+&#+o3TL+R_BC z>yAlN%f=8%rP1h?*KNDhDzM9eZ~}gl^eFkJuBE_9)O2laP*2Y%#gzQ-iSK<%Znb{q z_%wT;ZqHpF6B9@YT26F_6UkG6tG!XGn`dSQB!+L&w_qO5beX`oW1v1ONR7{x=m*|A zlxS7106Z8)CHhd`YySKIqZ3t?5}U%te~?XOZ-7HC;Fr7_QV~JHZwn|QP~Sa|*3jo- z8XFs@kdb2Jf4s?_gzhLR%0^Lgu(5Ss zGB4DtvZu()m+Q5#Iwh{I7i%(G{HlF--x*h>Bbf5+U89OFn^R&=OUo@_-_KolE(|vG zrv_MlR&PyyQR593R8rTZs`~ltbKDJ;ymFYtGXkQ7gaqG<1Mv-RSw+R+m>gMt+c|-s zjk0VOV8&9mm16S%dcL!>!=ut#EtRM8D^(MI-7yGk&zLg()7`);{esWF<%B8 z!`yrWm;t^*32JVK*}b~m&F?$El$C)x)HL^I9ng0m1gT0U^^=3e+7{MHZ3? 
zj6LU}$;l~Xz(JRim9u6gm5@<5*qd(x6>%^m5(wkxg%t5k3X$Y75DJo{Bw#dug5a0v z*C_=#X9f2+gn(^kYI>JQ4KE*)u+;$P=Y-&8+o7JqWtU5oE z@f!PslOH;FUgQnhjTLbw)wAUxc&K>U~x@dG@-kzL` zp3}70P!VyxiKDRy%FR7_5xg(zzEs&FlbffQD4+^Xar^YodE<2iUspMjX%|vbdKYeh zgq$3PumK7Gx3^qehc763O@E#30$g-b2Fs)})bqQa0k(haWQxHjwO7E@8os9bE2IEK zsBOFI!1821OFY5|4c>mDEfSJHKgvZNR=PTaacd$Y;jTmm#`Z7|`*ZtamkoYQO>G(6 z2FBQc3;<9Cq8;$t`)8^>o@^L^QlIeh{_fkVj3Bo*$-Wu@qr`Hxw!dmE4~@|fakv~t zskPup_2;HP;Jp71Y_?^EPLuYR$pTj6;Oo|VgzRg%Yjm^kq%ekqAFWWVgKFKm1DDYm zgexmZ7@k*Hh_>$TJ&&M=ky^3NrjbcreQJ2x!=aA8jzuhhhn!8WO2ym@qzl!^UXRfh zuXB5h-=GKxiclnVD+;ZQ;=Ldfd}QPu31T1XTqECQ8|TK8n3U5qf&VwxAIl_pCMBpP zCD=B2X>ba4&{aJvdCc4Csshkr|RHh$p(&MmAlsl9x(qz5Z3fgQt8u#Ab zV%y@X!_lF>lQuB3tyW(<;l#_I~Ej1p%nB zWGyx|*!xsYuES14gIcpepumhJZw$h7t{eUu&dbv**AGBW7tgy&UKgzrp{klmVzWLOCKidr)(l92;OH>S*_ThL5J*3tLu zW;dBkl*ZBtYa%mduCEYyKl-lf`qDc3f&jVd z(NiK>8cbX-+MLh1xWU(UJzWoo$Yu{fvcUb+0_&ljTDbknSF;}mp&-Xix zO^i)A2JC|3GO$@vEQ{m(t_Gi6=J55hp4$n;5tv0)YP@TsC+Dul?cG-|bzN^}Ju<9n zM^V2X%`h=5?aue^&hu$tcqfjzsUY>1p{_=Yy@LHI^DbgWrN;AJI&ZX*5V0#ZpfE^f zo@HI;8at~X*yaS(hDnk4oMj2&tz@CI+T$#lgiLTiPtV>H5C=PkE1sXo_UFz9^FeML zE{cxMF9zi1IbUcQbwH#0533QH9;fGjDpd3{qUw;E+m-Zi4;RW)%`nR(4ZEs9Y|wzo zNtATXRwKOB`c@_JmreF>7Yi*J#&>pL7DrF}zmEivCs1&RsU>s&LkH-LpG!>zvQ^)U z!g>{5U48u)vp>@uLauwWr$_7ZNu7A7gu`#%pDoK}%=7}@y9g-Z?eXvONQjk{sLxHb zp!(a-#HWOY9wrs5P=ocdH#Q|lq0WbhPj-FYtp7$D+1K2GjG0kAefm`37R^g9&@6BP zN=^2Vdw`$c0S2d#IbTu@8DK8&Ob`Ax| z1z0NpR*2dkWJa7&e5;NsFhbwnaNKL*;1rzd+;*XadIJDRM>57k&yZJKEH85vnfX&z zAV>5Miu^0%Y$z-Lo*5yh4oG?B=H?S>!6GpuGm-`AP|`Ail+@Vw(JKkmUk&d3Vj%UosE z;U2zV?TR1tpT`xE^rwrOXXQkq(btnvA8!;T_%U>uWzl%}Q@sAC?7|l}UV>-fIPJVk zI-t!nO&HM%oOd9QpN(N3>8dx4?MQa3iq(bIlLZ9=&90&%sud922a^yu9Uqzow_F14 zWhesZaT2=G9vJTcV7$oCriDB_XudhsKwXTSf&j^O!G+_iTW8`x3e~`=!bckTB48X| zYW)oMHcm6AS{Xq(WXZ08KmA%c0yS;C+Tuoz%OVaYeQaAU3#c_Z*EJds(ER|N1=qk` z{69EuMO4+W{&E#~A>4iGN>7 zzYn@}vGQ+6_)l*D-&eni9wRQ3DlW7uiTC*Iee7;zA2r=bi1REe_}s(y-+e)iR=UPJ z!N2AfOP``dxQ_lM%m4T90BT~oum`PDLj>8YH*ajAPJDR!S2VHBbjR4lDmpr>vDqoi zU!z{eGWOH&_mv=`@bU5W? 
z&40mGOt7lL8>ZCG|oK^LUMLWStR09L;%l6(&RB zB>gn&oBE%2A&G~`1sob8F$fM}1ax>747Jzm@d!rnk+HM4629vvYARwQ!kWxn{Z67j@O&1!5*D?gn}%ho6OF(s9`n4l3Sq3p`k zp_GCzfh6~vCty=mPIh}wM<}k0&5HuMW@xLnvXa7eqFiJ1{M{Zi{tSn;MWl3w#)Oow zYe@nF=46E$#sNL;70gN+eQ1A#Fnnc4V*r(AFEJih0?pz5kvQ66?9yQHV08y^oz3U6 zsz-+AD~65*B1L30UBqqcot&Q8<8>4XWbE6>XtG2#y*j(DHYL(qH*)5|7|aR8UC5A3 zz01jYMU2T|mk+CIEh^dXXz?`p;xO@PS>0I64K}%2H@Uu8yG+FI*RL&m69nRAAW1?e z_lmLu<1=?^D_6>2$jZL{Dq!<|^Y?|bv;E>x76HPrcs8~b#tY{i^`@IIJA>wRVTpag zej5BwyB`%N;Qr2`4!n>$dntjo#S-_gv5>d~&!Vpf;H@wjF+BuAJUl#jCD71Kn5hEs zM6eV6k8>&X+gzZ#x+UP2f{49a8$8lWb3bl$kVgSa(6hxmv5wt>yy$&@2Xpki0vae#3{C-Q1HEnFak~4-rmBST3MkC0Z^eZ3`FmFG zT=|;1^MxZdh0}ClJ)F=$@0s|-Yc-!Ki=(3A)P=`vb&kT7nqKtwmYLosRC;TO8j%Ff z*Lm`vsUeutq+GOQM<&HrSDvYuaroFrl>iS11mpCF&{)Q90Y^6N*)E_by#3F?unrdq z*BfBM1$!47Is5d|-Q}6SfT*5|c}&+~vpt1>WK+$L3YWB~`r`Z#p(Mh3jwrX)IDHGo z$-<|&IC{6AQ8SfJ7Kc3_51yOOJ-1gl+g}uA7Q6(Z0bZ8IEbkLkJs}T2c^ezHfmA++ zZ23m5F3M|c5MW45O1s^fU?SmPTWIkDlGxy9j%yHvPzbZ_P=ba~)t?-+69pti&Y86> zbq^+tM&{=;g7<>U1tb87j@?+kGnr5y~lg> z?X4Mz?~EdZbVMXQ0V)$4E1Pn<(3JgZ58z8Y$}yMZZ)ckYX?Pq!oa7>v+hN6|=?=r3 z|5^B^+E@AF1W^i2p~*iav=mg)xW)SYQT~B(Go_Viy2i%N#?(i@0==CrVl~C$+yqx} zk3wE=FPt{*>33y)>XTV)Sr+J1m%OXWWnjF1A8{dJ(5ir82Z&D8LaX!7uPkZ>jJPEJ zBtS(J{tPTLt%tU)EF~=_FNMLY+Y?D4^p+R_sGqdl0)ix4ps|A;0t+|;gG9f7=ga^t zt}jiHZcXe@r}bzN$~y_UlcTJX*Ib_lD#DKIn6^{2b~ReO(JJUppN3*kuG1lHvdLwK zQ1;8_9s>^_$en3IFw$gRo3ovhlM}%1C2=w_?HQ;!SMV`Ui~%DB+%<7h47L=ND&T-n z1&Gl?bzPmPjg<#LI`PGtZm-qj;^Im;nZ?xi=vcG7rC3xMsCv9_E>we@Z+^TU{#f1? 
diff --git a/education/windows/images/deploy-win-10-school-figure3.png b/education/windows/images/deploy-win-10-school-figure3.png new file mode 100644 index 0000000000000000000000000000000000000000..1b39b5cc14258539da1a9d4b199d7ec60db6053b GIT binary patch literal 131013
zPXJK%Xa$^q?`BgpphozuXV{*VPygFh|3ll`F8jx3XVJp@#OKxx7;&<_U&&3Wri8b{ zsK#a!DQ`q8qh1(mvuR)ywzks^3+NaaHC0ulW0T#~)4%K% zAd-^KIo&3IP~R@O-9IQQqF~XQ)GvWF5%EkyVoC}e@GEugSAq_amY71moW=LpFPT@+fy>o@s)+al*VNKj%*5sn zCp{m8V)iQ#g-Z1(h+jR7F2R*(FlDPHzvr12@q`f1;sA2Fdn6IIH9W7L+|?Y`pa{OX9F zvuXpKC?-NWB7*Ec>)?by5qIhh2dfE z)o?z6*IBcMg>l zL2Y+T`Zt3zHx=^cX_z}{I5J_84FsCEy7E^$foDsD65y9vpYWzY2-G9jm5Qm~#WDFL zK091o(tl!%U2K(l8rs?a8{K6tLebSJEf&$1>mEPc#2jJTzj_iPRjglVAc=bL{3rO7B z*f8QR?A?n|V_$&0dzoB9w~cX7;7T2ekAJgK7zK9ZJ5o}ped55i1R;cgW48k;>aW|S z(!D&`Z7_k^*=u{b0q9G2OSzs$<0(x~esY*0H8r45s7RQaF>jF!L#=CQ(9~)4KAD%e zQjI)|JN*JZBB70HshZQNI3CperPN`_=ZM4aY-DhHH1}3`{6cf&2QV8-G;A?TV#%s~ zdoy445oD8zh=|n7ui-?nq}6V3Z$WYkOv>`qNX*v5NvRBvMl9bcpk^HlZ){BDE;UBu z4siuuUtgh~w74Do1;g|1ZohW*2ZlIuv32qN{eQD+EAn#f^~|7*H>wALfq?bXR6OLVaoLA_Mc4GRryuQ?DUl*m+L~4ei&q@JMUea<|{Z8kD>6 z@jg50*FnYRnPgL6jpje09Z%@MfUZXO_2~Kg+vgY;|4%Q?;5w}b?&r+vy`B#3FL zN_ML4Kd+5Czo+VKA=U4~}PUlaUyYoK(brMtK+p( z(hE94H>jh75=W2ZKA(kYlL|r9prHV1<+_Ykf-Xd07-}65XE@l{+bGzkG<=F_Z_f|t z)be8gq%*s_ET#R^bB4&>6_naQP@c7^@cdK0CooiqF76#sTfI*FyC(NJe^O|(u%ZXl z0Its3vU+7zMI3&5`79Ee&RZV!Uw9`76E>T{Zc^$lm&-hM#E4i^>=bz(HAbT&RpynA zadqAqV!ysvk`nrqi7HX2jetzo?w=j$58B4~H>M))U`Zu^lc-Y6oN8`Z<|P1|1l47E zO8M*Ckgt?@(+b>;G+b^LgX#&WP%QnlPz?Ub4Kiym2{l0Vx|a<{uKRL8`ihC(FN za9v-G*KAEqDU*ioeMRLHeMJMdg5U(2n@?kDQf=-3tu+&;{p=l~?qPS!dArKQ{tEX4(eqW^zn3Brf#GAZb)1E_BZ~Z6oIUn8b z<0NVlGlEH>OeS>J*gs{Qu}we)K7{o@jf$mdmx%Ca0`1^9*zY+J&KpS5^(>ot`D|tn zjfeK-0V(?loLZ`FWmx>A|YU;xD-f#`o>}AkLH@JyZrnR8|om4Oo z@IGF=J3Y0VuO1s6U2XDk1cg*yhvf#_xr)CC7=O*oo9~gsOCu050zj^b3M1bC<%yn- z7LS0SHHO6M)2Ba6DZ7-sY`oN5!K@f)NcJ!+jBIT4qoK4(Lm;8m+L^pOYd={nB_m_o z@0p(Qdl$03hoTjosA#nokL_I>Az}JNxeHe&THy zzzxt0XEktyo2MX$o_us9jTGYaZ&Q5n9t%WJ|2g+ow%}*Bpf4&{k~a#=iqj18u!nF( z<>d$W7i>>=Q81Z0Y*<5AZ|_8ki;th0lQVt{%g>6v*6M2YSm{NT zz`(#jEoF)bo4t%gM*9pyj}RG<(}7+L{QeBRtLUmdHjCYZYk;VRdRvY z`f@5;G>~RU9*4f-ZBYs;@P5E=qe6($#|<9$#_Em{pnK{_@}U7@K4yNRL#^d>89{l& z1%h&tO$ErgkN|b0?#N9WY_-~6*<7iOGB^MM0pVx}EBgdq;H-HDeqpqwYhr?(hewO6 
zMSA8s0*kt>tu1|E_mS6lignp5rI50l$@P%57_nI8LZgI6IXj|b3 z!hnk$+N0y~EE`X1epo$WTq|xU^H(dX#>sOCG&bVg=~jg_j`0ZLXIpK0!n z&)V3FW){iA%uP-J7_!b!1?*q0{;#aV9yjBfA zvndGsyp6OiX=sgCJ9+xeOQ@=_m^lTUei7}3XYYgyg9XlWj)ak{boiYNwz`}{VFvKf z-|6V%wDaPXYdB*vyELyX!9ve4Z^{+S>8*^OwYp93a__)w6R`PGS z0qQTu?yS2x9pgG2IV9Mis*g=At*v}IS?c9V^72GAC*1DV)@4;ytW68$_CW<@>FI>L zv2;r56bW)*-3tl#TC?lG%uGGpF><&L7U&-JcOnKIrgtVuYl?N-=vzdIGD~1GMa^aE zuRndVU`$Z}tTzL9N3(ylV%O>VZug_@1}GzNcVv9b?xm(m58x*KrpfeDm+>$!lJkyX z)=fMM0vR3|)=y#PVR^rhN`d$#Nif**#|j9KjOk2k=|B@i@Y!Y!kwBLlWFoW)DqylQ zGKbalr-KPzEDmrr#+@R<1|GCvWQXYJH2RLOHrKJNti#S%>eYiaM({la1ymY1NqjAC zHhnxO@dF*yN=7E2Bl(hKz!pGcu=Lvo=cztL!D4i)H(Su%#mQ+>P4&<1$uU>E{Lm0n zA`1)4@j^|mO6ASnoy891^=PXX+`XXYweLx&R<4P^)^6vx;Y8NruqGHpVS98)%yowL zEj@j(t@ta7ZlhUf{@3mxxGG)tc#4SUXWuFp(cGF}<)O`xnFcu;!PIXbSn-+hkP~Ta zGU*U|v>0FkNl8f=DojLBFvh~dqO2;pld5v|KIFPJ_&JRBU3Zt>|8P@rC1z!)V18(3Dx5JUmKogP&W)S5lG*x4OLMMa&i zwbr{v8MS|5Wn-%@Dv~PK1V>ZDmB945JCT$EZI&uxs4#5(0@kPa{I6Hr$|Zg-ub+>d z+7Zaqk6{)jbG$#_YDt@|ySF-J;{oX@$7P{Lv>y4lL z5#d1SbfKrB>4C$ed~aTSrU79jpM;PQ%p>RK=IXMBM@De4vH7dpyycz`1`L~rqo-QM zazxIWn?b6fCskHjnh_WIi-v>*)If?3c68f(44KH|Ka|;L>(dyiG}*y-I@h=@ngMe1 z@>5LgtgJg%58EU|ejps+=(uPo8_1Ny4~g9t^6+SM`l!1Is(WfypqLjks?@k@@$C5- z{r2S&MR^7-#HHCcJ3jtY0r~O@oW(~`)9E5hG|Qa|tm-ahqb${<{plas6OC&ecl$9Gt3JUMOmX<=q$Vq#)p z`82XtqBQmYVX?8X`P>{H9u8^=hN=*=0!=0h=3F61vc`8tAeke(4Oka7Dn-%oAIP{02W^aK&V{KcTZ~ubv+dKS{LhMk8^Z6uY zqwh-?TGHAoh`-%t>-~G-8_)lSq8Lwn_uA@#BTY#b_Vv6u)MD)%U#d3@g}iJj*aeFJ z8Lg}YX;cIZvJbd@e}2!BMd`U};L>6uqN1UKlmacbe3Qf4qMdUhO+2{#b_!7jY*yUw zw|FdbEX@9&L5f1LI7KZ;8JwRpFf-RT)tf*40ZS7|`904;>KE)DQwyRDdDD) zPlT25Jv((+skbt;XB8@9P8u>ZGoQ#2DAZ)iFtujl;NZw-P$<{De0Wx)mW?A4YAmQc zUb|a2$0(_-J@4ucZf*h7JZru!{R4gdIbb?=K~ZfML@4RxfBgnc*sAB zVXUdbnys&T?ISKK<`P9BzCpS{5fSm2b=6-Dx9~~5BNm)H?Zd|nx%7HMg=#c&ji3RY z3OjBkgF;h<2XZ4|bFr0rO)k7Z<{vNgSl^cG3zO}Yv0=~2cLA9zi@vzh31^;~n{C+^ zEqNP5MTMjY>%}Fnn@O@r#qVNgGiQ;)%vT(jP?#M4W(cGDq3JT~8%8=UvRdv0ShB3> zWQ%v^QmZ^?ic)_rVIn*WKD>T3eSxMqAfc8~L#Haxb;U9cz27bmkGMbOs{;x>>&>t( 
z&fRiaf{!OyN5z7n417B7o`&PGrYziT{alwEdbd^rGI|K0h3~oE)4#4vC%r~^`rRq9 zh-v$q{Oow3;33n|p0B9=dC8&7lw9;(a}YO5P(e>e&4@N>ZeDYNB9SRd=1&wdBNdnx zQknhwUYVq=R?$KX$6CcyQ?A9~a^m`NeA87_u2lCu7(E65;>BH@t+zjcs!WI5fx5Ib zT>Joupc{jHA_?#3O$R2DgM)*;@$6Q=r`vX)JBFyol z&Y@^d*$F*30NfY`y-W`;ndUpgDFp0B|E?ZjRo(d?dc+ghyxmjht$B%eZhdcyt>d)}iF5|_UP#!u2{aNk>C!!s zRGvYeGE!$kA~0qurKRbZB3%I0uBQyYNVgn6M^FTkL=cqPkleU4!Q$dZyoA)3uhMEz zdw%!bv!l1S<82y-T84(oPN7}#ri<7V5z{$x%AnyYlsSA7xEJ5*M4$oHr63Qy9U}MR z9$WwM5n14Te+cI}C^<<3r!f{b&?Bb>mP8-2F#b$u zJLrNORN)c>IkDu@^Q!kqd#)4vqfU|hgsDL?cWmPzIO(S1ZSSdN?f)s)&{c=k;CG-x z@eN2x^Yh>L$7XR8v$}?*IOtMEGQt7!bQS5SDYa^XeDI|HZ<)co{8hae^;r5H{T9E+ z90NMdDMMIvJdaU*>Fv+LFf0B>J8qqCNrLr1%GhyT@8=_}pn@WQZ42b7vCVPV`!fnQ~vl#mO5fKs5+CVYC zw|ELiQq`vqcpYcA}A`5W}@t*1<$d~t7k-ZAH zq|8=sk)f5UJEZ=hGSx`&TLpRpg_gN-E>kJ>i!SDZerq*vxRfE)tXf#fMHC@9RG+E@ zE*43yC!Qk_+hq|m;*IU6M)32W5c~d~$XIqRa0rB8DnJGwXe(lbzi+kzJI3o)=8+$! z$uy)xKHP@S4TH*qREY94-pK}v8_!dLP6s08QKzf#dSR|MyaH6E(B*#K*k)&8{qReG zGy}PZvb821wq^#Yr#b3}&~J`xkO;|A7|7uBo&{oGa0@kL;@q;_&07#6uC5{;p;C%s z7T+e!gMkM}r72k&oE^E$5br6N9cSG3dFf~47oTHY5-QH8ZRu&xwvjaUiA)~F%lO45 zWh7+e)1JE!iYU*~Y#~_*2{lOd@oFbauo8`L za48#>RPfUll*Z@EuP`m5fQ%5PHT;eHyoeNNi=Ygr} zqm)`{B%SQ;vgx$$F_aL)_0xGjtVnd6ITDh^GSTYxghV_C&RZPkoEG6^z^1ml7C;9) zKkj~;nj1}A5M`NxdGvE1B%Fjgb`$^t$Gg;)Ut;ENPz|kO_+Gj87hN+Rk;q3K=2!J% z@Xrt$pWShWT4xEw5Y-S#q}BiI%oC9h`R)}JZdlV7GG3ttO>|ImBY%y5FPe-5z^{|{ z2100P5(fWFN^VkDs#wfzFk#<56}LTlUMO$@aw$)B&r8*bpZ~u#O`|IVngdbofTm*?_Xl0Q&q^(BDha z9!|i=%Gmu%oe24G3rxHG%QQ_!1R?Xv@!{RfpQ*&GGMa z3w|gOM-&VSF%kE=SZq{OW+SPrV}9F3UfzEuXNEqgsdbyx5u+2ii1=p-a8Xe~L(M+@ zL?ku3I+#U;q{ThEZx0P%@6o67lTo9sKPmbLOHp7(oaV0t!g2BOh_Zkv)1~?H@)9hm zqfkJA>#))?j~ocaL}30AMi>!$7wqoyChYEs8_!;(E(c7uZ{`O;f#M*?@NmUfl)GMZ z{kPAwTWMq$YqnNGBPxp2F;rZAB#>4-3i3H4#}^ zTO;KQ8yuF|4w!DcF#d)~$(bPx222s3+h@;y7J6v$-yG`J%oh7NSI(g&ONn`wqJima z^V+n=2w!Z?4_vN{iCcktCui?w1nWD(A<&C4p3$Zh9YP zHbOfjDxv*^p-*;pcA#<$TC&PVcIk|Sj;^9o-Q=P$ozq`(O}J1`$mgKHXfN^sR)Y1I zVRyFU(2nf{2W%sS5b0o`t^1Mym)H>2W5eX|8seV3rI(JQVhWuL 
z|M^fJ$JAQchly3AzD^2xkKWTY@D?yw*AwnM^K*-sjPl|9fG)0JvCfq~exUcQbjq47i_e@?w{Uia0aSs(0&V4WG7XIx zP+r`=xfOy2rDQPW%tBPn6}7jqnA6cA0BV)bHtjZ!Rqb)#p^*rlAL_m%8yp-40xK(z zLE>FlM5NC)S)ksEFCQyIN%YIHZjCC>@bUWLo8=DoLYh`*I$6sNDxkUdn&dGqVdQTn zeZWJ}RHRV&(@V_8SEZXA8vySE)#|c*r(LLCjfp5T9>FCg^?Q4L(azFsysP`SvDa?D zw;){TdfK{&GkuNl9zvnDM0Fs)Ho+2nY$oO}-kL zvVX@DTu#B3p@I^QKe8q8fpn|-=AcnaDa3iep(>!UPElo zbP?#2Wj3==Q=8-a@?tex@(!iS$I!wT2L5ES{EQC+1%gQ_-C^@qFp~)#AxWAtyca{o z*GBB&XSFUlxp z`xnjOr`TKZm9ER4ZsrLN4~Mb6*w#|t_rLW>LC}qfMwa}1?!HH4AOqodY5)7FJ?tc+nZvAsrEU=BMI(1rdJvtkf-0xc-XFLHKe{ z(A(Kb%EfgHjDZmJcjvH>o1tpWUBb@IbME)DgPFug=sqQFcmr7)eURU5`YaIsLa*;{ zIVjzsh5wyoToWgGwaGk#r_@{URY!5+a(6U+rj(H1y&|Bk4R`!H021&vs=0Apkw%E+f41gwxu+TW+y_@IO*4BH-;;ybYw@p4!^`k?{ZLWj1A$d+O zo=-=rCMx?^p;9-Q3pGaHPF3ytj}LvcTXvet1R8hk3X1C9B40;n5=^2Wre1_HP)Ra7^Qptd- z+NX;{hEEXs@$NV?IkBJnRQ2R^O4;a^*pKFXhlJ)x1?7Mt+(hLgWvqsd*2h8pi^Apm z>Bc*g`}_Ox@$qs@Ow84mcW3ty5++)g*v668n_V^dSzCTGOV8O=&VIL0M=zTsLm`K@0z#xy74 z>awq-HB$A|6v?$Ar?zT`Im8YRl4Tg9O$A3)u#2y*!?6C|P+ttjd;)}4%}js8a9$I` zLTqn@9KP;X2J{MiFBA~VR~g-u9Dn?9!&naEnjJo=VyX@2pNG}AUWIJQg}rxxP9Z6* zPx1lD5wNMI))B9Ewzh4y&ks>}${zcXK!R8-HT?&(*hY4>_ zVS-8Nh(4TKmh|_cpdFO0^4BWbPq;@)<(|;HgIA`6J{4qs9%GFzh0&q6_`cn=$-h!2^YN55HEgtP6+P~4O5slT zmHA9UE?KGwOT4aksL20Z)~~kV6H&VVG@*=me0(bWSoV6QqT<5`};!(bY) zdsu?q_peo)c*w6|eb&}AQ7Lh-n45hzwyCM<`SCVg;Lz!KVY;Cq37^duxI7>b>zDcl z6;`Z3YKHaOL%2HVFVrSVugL@6wRN0*ZxfptcLZ^+E)R4bV>c%${Py1bE{)};;_&uW zYrQdSY;=W6tzT#SxngnIP(Hd^!-ludGOL^{-gU%|4#`E@`?j0T>t?TjvO!o#?ciBz zW@x`3SuDQlFT8@`6FsY> zq(#+h?9CcepE)hBbXn<}0-%)I+FBqp3+W%RnuTuLPsga&-W)Wrvho6`5OFZ|D#q=} zGN0?w-gNOS0iPh`>}`QyQ%qQD|yvvr9`$ZxSFKsa$s1+1Z?SD@!bVL#EZe z|LlT-oDFXqFdOd36~%$G`3&~WEMxj&wKLWU*|>QPP6CRb8!YS_-8RR(_42wp)vJ`g zBRhO(hvq4qznD@>!;}M6 z2$9#+)Kph5%+H@;@mevyGGI-X!T4*&@)!32wo1AfYOwV9eZBR22%R_zDz5q!ji1NU z@JG7O%Qf}&5(g;j@?O2<`Bk)+(!K;vi)Qz8dPWnlzghy>k^DU}ts$+&CO&R%qtIi7 zZQF(xXDhsabF5Gv*V&Q28=&-&5RsgCEFGUwT{A%iUj)CEYG+zPLjzRDu8t~Oopt5` zBBUhjK!rCHx-o#@XTl99w*LcnGIngzKN#T%UAvQ^C!?d#sin(85{8O5Cq&7J6GpaE 
z5P5Ul_f$|2`DA&luOsek$`tDo?54}h%jdzCNDHO`g1Uag85hh27!dL356|1-R&C!| z=u(j8*Pv?ojgGh{CU(zZy2S6LscC69FfF$6#{s&?Ej2Ygom!30$JB-^)r6q%a<_?Q zVX>d-_kypt0tTny;b9dO72u;pfn7kv|*mg7<%~%Fh)X3du-BwQy z^D&Y@YQ1+rm;*#8=?_$}aPV@q)xfpA*b&u_o!#Rh5deIAH#UpR$W{_CX=BtnP}x!} z1Y~q(qiM;jD^4n4aHS)FU;2)WKj9AN^5qM{CoJd<4#`+y0P#AFWD3cl2X{!AK0O?k zx3#rROiV$CRDC5;79a3AG6|8CJ2$?=8<3iN{DC$m-t%0Nx)+9@P|V1XFL(&|2*;e{8HMV59tC+=P61B_ zJjoEmR^-K+h7wFGtSuV^V&7u)PeZgef#}1e9zL0Uc|GadL)=g&?S(JiuaW68*5ZdxXYCW)q;gLNt?_w0#Uiuw z->eAS;UKF@3PcKw{zsSF+=8;ncU}j3lNZ?C*yI*lsu)@%u#S%wXG23nfWHg<2jo%$ z0s=xtk33vl^7G7IU^cY$a@zdh11{7S=K zBuva$N)b@TfxQthw*kUqTT?^HY>3%UKfomwb}BF(N+RtGva~5A`!T^$2?TMOz7JoO zhqr*2B`i)ApyQ?Sv^K=qQ!_K3r}H@_B||jhPV*a!B;|#L+@4!Mw*JRNYa#+&T*Y6k zJ+SSe`gv3QbI1rzy-9-l*3Qm@Udxw)@g$8Zt-3UEe<*)plHcRzi%ZKCr$hICuRwi# z@8RK6@{Un!WJ6X>%;P?7zFI8v)7!a=S-pjn6bt<1XrYqvkH5Z{Y;VKgo)*Zr&4f2u z%`%Q_@N3)r*zVz)pr(>df3P}Kg{VVA^rzR_@9!QYR}e&~skz-xGXx+NMZcE1yNxz_ zLSyPT8?9!4b%#K$MT>X!%VnH3Xb%vspSy#)Bb7)G1#yG;S2lP@efw7QcWxD0m*20= z;n`C|W1h0zc|BW9FPZ}6sZG-=5Snyd#m7_FZv zcsjM6-CZvak5J#oDY@GlbHD70d26Y+Zx!y_aT&p(&hNbuB{r;}pk5zWUq!ba&d-^2 zTkcvpn205Sstl~CJyns5I554VqoU!O`q;m|s>_ zmQyMK#H_&88z8*4dn%;16x&UTh4l6<(gYiulcVDauyq5@)WgFA4lZ~FutL1NnhOiw zjA~&6TlU=aI8x%``HdrSadBY4*xB9{^0*+Upa>SvDFQ+*Iyx&0%Y&=^oW%k(-;aiy zn~{+bDTm03gTsS^Qc`lGBmcr8BWp7`WkBK5l>AelkPro&3JI##+V3IY(W`CYlLQ|f zIEig_bwPjN?0i-J`j{CNg&HY2JvKHrHFY%G4qkpbI_am4PF^jo?crYUv9PYDmp3;y z42Aq&ljhX3ghBm#C(?icX3qw(3$S(}1LxgHDkp$w5Q9a42;tuhE|Z>aqc;y7Un-cC z-CN$ABqk{xu4%_ZZ0`v;^5{vNcUJl1t&Bz z!bna1BRt%QHQD=v-Rep!0x9?dm7{mSO&sv)Q=W;5HfjhUYJ)|dQd(O03DPrC5?m8U z6Jruol~e>=E{sh~^5*!u4J*rZT0M79bTE>&L0e{T1|i|$(U6p+rQnDk+-Aj#u(-Lw z!NCEl0q6k#C7k948FK?-*~%PgJ}WE=ioEG!)%8=B=6uTY>qB7LFUZaP`IY=~y*pAy z`s(U>pIuYi+gn|IZqeMkWE1#sqsTy{GaNdVg+IjO5(4rzC_jGu$WBks$%)fl z@d<=r5ONLylw&}@#qU*+pMPn3I8r=keqkZ%bvvC zFWP2A(@EEl9HdrjE;x8u*9PqZwyOIXTui@0^NyoZ27))oQEKJ7q06J}%*^)x;%LCE z)V~>8l`KjIZq`uWKU(zwxU&V$lb)mVXgD^u>I?xd&UfPC;xkiI(y5#>%6viJzx#&! 
z69%{j$uRYf1y<45Rn%YYN;HB?&qzRI@gv9kyOS(>UiT+kkSnF_GpcJrBK4^KXQ{jhERS_=Mu8Avg+zd zd)L5?K>1^0U)XVF;|(O2>5RAz+=!I74Js1pB$5(6z$cc#r1wI>0Mb)ZQ&Q@3yrj|d zK8nP6pmA{20<8tRn`?g*QFa+hvUDG_^+fL1VIL6hkW;86gP!M<1MUPvOj=DMNlpEA zFm$HyO)GW`TP*XUphU*iha!Aj_b|l!uA-`PpCKTX_qB!a8NmmP+_bh4b0PYXs%T5&?fh70F1iPn8W3+0!{w;|>g)3>{Wv@< zY$1*&vRZEny1{zEcc76%6) zjL(i-MMNPI^7V!%MM{@NLq$!vdbaR|lRqTL`}0SVJ?l(EIwCGk*-&xu^ zq}cXr8s9B1i^4_bF(^KsSLO<}%DM^;CrdntgotQpZb^J<%DzDMdq_$emz(8c{%OkkxOecUxM=_8_&=!yu-l~z z`T5$17ip-($2WpfCMJeP%x(n zEDl71j-sDFeF9v7mXuV19I*@v3UB(z@5y^_Uk8WEm>9*kzMlYxENg44YikSiL(er9 zAaSIMl@&A_1g&0HHz&utyZzgaIoUaCZaUfe@$vC5xJ=@rqH6;>4Zqa=P`g1uS&)c< zjSWMvNHVkUle*U8L<~ly%N{V_KR-RMws>^!UJ^>1@GnM!Dp#b;KaE1VwZ9&KZYU{r zi;)a3fv}8%f`Wid&qUWfo3ZwhXay@$927}VSY!+6uJS^g2-nApv*vTmN=8PY;k^h8 zJM+2)EkiJLClHtw$feF4J@#*_s;cz%^#m=oXlQCm=E;M(0F;}W+8R)#H#asj1$|P0 zfLKO$#Nt>pe&_fbs7^pZ2aiVlJvjK>gMZ$3Sv&#{uq~j#3Fj!DKUJosy$4`!;*Q$$ zlmmDC_VzCz#9wMqP*UpFXO%!E2DesOc6OIBGua10z{deux$?ohQ)+7Jp7|mKCp2MV%=&frUclU{l5>Z;D5K`bGZgY#bNr*K<89uqyEZL4tHlqoX74LkXCWz)hh=i;iz>f>b>#-Nt%Uo@u1vLY4iOLIPd_ zMK8X86$#4QB~~-34>JaEa7^LsJD5UIAV>ckA&}>J2zrZtp3dG{+){S08QCUXV;my< zU-G7wZV#Ek>Sqqs!Z~^^PK{GZPoE_6)(Y>RSLUkIP!Rj659u*VaWOFmEZV%sd#{}8 z)YkKEehI-DIm_H^$e_94w;dg&FGGibIcLH@H6vN&*sQ<&YfPW6HBs@w&fKc;;W1(e zCS*;Qu^gx4Qqx-hyjl&P2T~!p=AmHgsmVeJ$$&9uL{m6oG;925{ZO>^!iH+y7JukT zQ`TK2s;iro5^@Hgi6#aifychMK)Q?b;edR?0gQ$KtXQm!1Rw;G^A|B@L34{C9^C9~bu)9jphvqe$;) z>1f0eD*p}s`8S{T2ef>3{@s0}8?kI46NqDaJN`&>ybsYRf!P%N)1ekNgh3)~js>k3 z1kj%Jq$GDBVq;CVwzTBc(Uyb>cw=m4cDmZ0DUt=EKFrQHdTkgIRy9Hc(H-5~z^MKs zEQ~C60NC9_LqpljMy4hwKXQ{I0kSAa-r1QQl3P%Ki-SXek6&9fV`@eb26%Xo8WAkg zd58#v0fHYteiJ3LS#FB|Erw}5SMi@FmLBJA<_9J)NT8v?L!6wP#Kd~btaHf8$-#uj zA3SHd|L4b#ACjm)zvP1KNFW*r#E%S6<1ngJhx|6;q$ML0`PB#S4@@=R;L%(ij5xWu zxhW~%K!TuaRz!@}I-ne{9?lC(^QfEo!3=x7(fbwxLC?5e;Iv=sV6}Z_o}gsQtM(E= z4)`rS>RDYYy>Iq(M+^l9dEx^-d#FEFU;FsP>HNg`(qpKBzt4SH9iy>K%kFS_(YIZJ z77YYWmQVYb`LZV^C4s92?^onb;w8AZmIW^+6z0WmHB$nHI?#bYhW=S1L&o-vAr*CX zIL-ZkqmhB6numv{WvyH$r?wubs=>soK#F$ut9EI)HW1 
z#@d>IH4qG2MMX5}vU+m~VwvgOL8F`JAR7h{dKoJ1=Hq0b7zN@O2B0src(A3*_A^UU zV`*w>Y5geXTHy#4SIW~b93-`jLI zvz5-Uz)tBT?Papg9{%*MMjE{o-?h=-(2A`J!~%a;WbT z^s$H}=+jgF&yNRcj>=)E0>i#7Bx8LuowAgFS@nr=zHw{|iH!t689emVXsf8+e1GGn zCTPMFTbF}?SKTP!FRGgHOLFq{u6BSlmV(h+ixu`B9;)Lat5k2h-RaD^GM?jLF&H{& zreRnoOa1GlqT(NFy~+7;LAe!8vd&Wt7Imc;rMX+=(7guR%ahL%QL6jzII>vbk`Is} zf8|Y}AkfT{uD(#CT=esvTP=#nC{`@HvLBpm_*3LG8Z0iVESl@5*wPzfhDLO;m9xg( zs^8QoVs@c6k6q*qE{4ZOn4&J?DJk1W;3)k|GRkrM>{jGfo^$jbApji$A(btFs+_X< z$8XZ#HYcjC#EkbNB7)y>>x=f16QpZ(wOt}QBOoB)ew7mK(7NFkzNiA5yXgxI^fpS$ zKf-#FUPXvI&fcd5YIl=LoB45<2Sw|l(YGx$gNfZ&NZ58}h)i4jFaAbu*OtUM1sX1g zZgP-R-(u%xDtm=?mF10VXOEEVj6Yx+!3p;mNy|*2*NAyF0OBDqx}a}F5xxERHD-J( z21!f!uiGq-B5k+LEk(d4jUK|#^m?L|YUTaHq>C~vWJyntOBz@&8Rl>yva&}>P-8{f zY!L2?&x;AIkJm4CpW{dTN~?wz1XyTO|EwLUSP?+{S$ndh_Z~r<>7%W;Qjlh zTC2p({%&9}Q#mVUHTm~m=)+8{RehNb-)3Kz5%G{&M?lEF0L&6Z7}rUI0z((YujJFj z_~$kbGpdqh%yBPaqdc8?K7+(mX9Ot!!DdzQLs%1-=9-d2M2Nwxt+V+RHbi(N=TSQE zN{SC-3VCzE*gEl#s;&U#j)tY>0Z<47U0JKyXxnW<^eJ|iaW1ro$tXYdR>4{&+6>l^ zUm_UI$8#h+JUszPJ~%$EkTZ^l{2hEw^*oyWBI}H%u1L`m8t#lhkGJz?zAZ=3PW6@) zZg9t^u{x>gQl=kx5+>wC5hCC7uyS1Ig@i~XG6LSaKrVAY4wocWgAo6G)h%>DQtfm( ziMyhdp5zP8l)7eVT}S+C1B%d=pwpQy^=U_1>K6YR>;z@wwYrYSwo|UBeEzL3??cb; z&&i{5jA`}OJo4Ky=pxjWB@k0-!kgu$RD`VlK~G8SE}Qzv2r6-1*%>mdNr!ocAbF0} z(Dxz;mB+$eyQmo|gkOHK-_3%^iYv&^FMll2o2sq0!)lEPQ5GZ64^Ge^o!&cJQ)31Y z4D)+75$X;dN_13HbdkN6fWzjvjqmIr;V(LoYl1B9*0B4xlex>NaL`yQN6sd?h%>9d z{FqQ#&3p5^nU`h@e9K7r@t%x`jf2ox>)g;h>S{;J*n`j)xPQBd)=>cA zM7-Hr^!=Y}^&okdW=6^&bk7x!{Y-@A{rc@w?;~&>q{R_Pm446pIw(;EjYU!jWS$p| zvsL-+&)(e%-MB2K-&xw7G@f!HC`5p^{&ux@LZxJ0s zY}o|uUP}5jR~P}M_;fi1D-IFA{K1FDA9CP*YbaB{X@Njtcih4YOXn-{^e^K^|O^#&G6R9R3^yi$uGo6BwiJmZ#c`KmGY@|fINGQ~o#*!DKNXGqLJ*cwR`Nv#d zI=2@!lb2zp&5E}X{epPX4&xqb|0=1P)~}Cd++4kyqlZv3=9~}1=;pNbFy`bsv4muW z`agtEKtU1OZa>g_zSJ4Eio@-gR}qUX_uzD=1a`LIe~kQ5DOZK!$0Q&?EhA7n91;n^PaE%`EJHMrpM@v2|n!*qGXADBGCGI@U-H$x53&@PaHv(87E2x zRv`MyIm{zXlA>6_q($w*1U@ZhP^wlX1JOg%r(Ik`1=s*$YfwFj-+k+pXND5^8UrBq 
z_iC1-u6%sWPk8S|3IUZHPpk4!p_Gh2nX@Nkk7*>+=}lgvc?>+G#;gDomXwwrqQY~l zsI8^=8e=lATB^wb`qIJ>p|G&2gA4SHisC>HIHe7K_cIc9_BfIsZ*dtxx|&E}7i(^8 zF;M^{nVsj&&an~p#6Tx1sch-LPsZy-9}!@qq9lb8AP6xkX4_=h_V|tItqmOk3)UPu zzX5>P2vp4X7u!tQ4QBuj0pKh4J{PCmQlshg8+G|MW_u^!Fp?nG(-n~SS*G0xyn?!K zEr0TUQiUBy6W9jYWLjqhREs@I`Ht5+jsmLJFepIK7^aH)eHW>gQ1^Upjuq5 z;!*w<39{$pG-X+LCwm@B4^cyY(qj%WssVRi z96Lbsu)=$3;}2XuK|zAJ^GcVDDH$_Tr2X3#!wAcZp)h!L8|}9eSGG^#tbG<$dhiDn zzA|}AYYU9j$FyoQ*Bq-=dX5uHxoUY;#=li6x4@;jf3r;bm6eC5QM1+(uu?R7Z7tVA zmy0K{ZO4N9*Q1jY6Rt;dzY-Hcz^?~<vXwOaLyMOYz-k*y3 zqdw0@6wwk~s{ByC+6ldV-|yk&#fGfZ=(r88*MB##Q2XXwLcx6(i`mHg81i=_fG7iI z86X^a5-0Y4umaR7z}ywEdYOj+`LsgakfaDdn)58$2!2|mR1hJ)31XX(mifuQn&t13 zk*(U0rt7><8RcVVBcaNDJ`>qBkS3^2aCLR5xwP{2K8(mJE$&ItzRY1DaQU7L)$>c% zR+hX1`;lRenftd+bpo$ynoymBi7A=n&Jl^j;pK^QeIf4GZH1 z_wZm9=sz%!f={Ujn5FIQE99v`1Q{wKVyDh_JBHjqYrRmY7|40FK_M22Xli*Q9m;o7 zxGJydl7I8VN388l|4Y*e?dxuODO>)i`dw73kHjp>KhMcsMBKW!#l```=B8Kwif<5=9=EtL1gTVS7{m8v@y|KK>5~ z*3l;V8iWwoP-$qsxrXWoewSnmWMqkdTIZI{lCLoz?^;}J{u)c!@*693*lV}`wG6u7 z0X+1;aF}cHa4=nbA82@}N5SvBS*Y-FmM9t|>d=suGLtbzZutbG8WFHi&CeRvsq ziUXRzyF2$%)o^r0+IT?1o}8ShW@v74PNuPTI(?G7nTOAJ8Xg=`lZXtawHh1FKqHWD zpZ?)_BzQhW)_yrs>UNFtH~c2u*><06vzZGk!3xV)#?Q}gejGQo?3q((b0!-4P=_f}V}T&ke2dtDsYa(=kgkkPFHbJCt+Dhi z%*68LX3-Ah2yodhQ73T`I#|c6ehXX*(s^?mF2sD;9RJQWrkyyzu(ClRM_e+`ajC&U zbtcVZ9ysi2ZEQ+u(qdyVefKeRx#aoJv2w;6tmj!%^2Nx0jhjo$%I@%0ijtjQT*Q1K zNA5-l?n1<*1WQiK=F~x}N9kwU0^MQBl9oRzv-1wSn8Oy)KO+(R@f!_~jWdN>7lDH(hupaw&+fi=%kR9*iQlz@hQzTy2Z~)gyGW?{L5^*Fs^PIPx3%H2A3o@HN#iAe^lo+ zT3(`-uWg8d!U)g4+mayOC--aY!Bm+}p?`Dp<5Hv3eLKpVZ?Xl00|TT8*)^UK+Kh>k zdEi-leNkSYjT(A2k-iI1_O+K#c&!llq$tO9#JYIoq)(e-50$CA| zqzxJ{j`^DR3nXCUt_>`h(;{vt%V$6 zGVkvX0gy}^Kj+4wIR{91oK-DWE&cp>bIS0ZknnM{MB{j|_HeP@?j=NN#F(KyM#ppF ze7)jqlp%Wcq#!q+s%&1+XMIY5T?Vk-nI`jeYGqFpiC@TW9}O0x&~YLDN|zx+{2xl= z5HCK{0$m(9H9#R=+}3kC1?rZcPFEMmQ^yS$w|ZWC=9GZ%9T3d`B?fl~@awx-A$iul zHcPm;IWygonog|RF$*2+1hzrW+I@%ZC{pmV7l-LKL!m!EmZz{&^j=u4n+eUjhxHoX 
zpZ60Z1~!1$en8S)zy*&N)4C)#J=F7{5`2F7xB+zk-t;zrWz0Ja^9v*iiV64qPUlcI$HKMro*=PS4O!Ss2vMLS zv!WOlvI_qIBRtoTU;%*&8vd?ihVkLZn!|Ov4ga%mQ%tho8P_D!YTCb%rCU4*C*HSm zoz{o`_;bvocwXJT2`(lt@s$SGYt1_i@x-+S(}yybLBePhc>gxko`27YT2u5e5C-F( z??$r+Z#ZH7T^R`V5YWnJxBVdKco)O>ZxgAGxZ9uk>fzdLXOkKy#^e6e_w;UneGPD~ zig_dzsR}vc-$JQaO3_P`7CeJ1=Ggeu6N>rDo9$J!^25mP@j{>Pv^n%U88WZ09(L7J z^18*`Embu{-@N>VSVIYPBN*7&9ENxHR#Rr1`7!{&ilvfyKnpv~JM1rC<>@b%a&>e} zVKbBM4Z}|5v>^aYc(tiami%94c4he{0d(OL;Jy!@GV4<0%Ck>liu)@f>NGl`#C|)4I1+M`a^f$z3-z>`^qu#aw9zC zgoDm!m2RuqQ>7Z}U#&G?i&BoNtK{2`oFzww6pnCY9jM=4q==UDWIY*VgmG@>OHHYz zcRAw0FCQLVFMA|uC)5E0X*iERRugi+7!IR5%)i!H&0gw~p(DsZ<EEm?XmdGU{c~LA zRPg-`hn6qhQr#9x3OaGS_w*n9$$X7!-`j`l!}gb()KZc0DzWe~o#vO1?#U*N$;MCb z`vuFDW|b7DRh~>$wz)TIxv9IE0Z|Vkl*vS>{SJ^mp#us^CYAGf&4T9Mh}a5Ai|wYf zg-U!8ByLD0GOB?4U=7&{+QBnt+}Z%@=YW0%v*WL|Q(;XYm(@sMz`9|=V91wM`Vs2- zvEZH!3g(6gQ5jv~J@U)3ZHV3Lk$N(oEB9z>5OvC!;wty(Wekdp*V%-#Xzj8BsS!GU z{;nQl44s_>=7=7tjJ6%2VH4_pMiA8SfYqCjS(j8z&e)&45dWWRNzv%yBe;k4y-L+pRZ;JGx>%)wSK+*(0_<1AjXO75lU-eyUA;GW;;nVV#P4hC^^#T} zIQr-3PjvpMs;1+gE4xTEOEJ7GWlBp-O~^xIflTie<*H!{LRM<2`midm$bvKq?9$_n#z% z>3%SIjDG!R%`#KEV*Iag+F-Z-l)tLWnDyxOxGYk8-b@<3d!m&u>Uha>4BiSX;q%pQ z<%&hfC@9NKCQ_Z(P^Q%$AQ}UkPPL~?0aj)mZ1A+w=EK*`+@sf`2pjboK>_POp)C^= z(@Xc+xQUHf-y6xB+PkLJx>X*g;qTkYK9n=){=%m6X6n)UTyz4iS+!zzmlJnA);syieU!#tibHCua;IC<60+M-Yp^SaZ2*1j9gJDm=- zP{Pdi#MPx-B;jeb|Bvib=%iTb|S`mtO)}Bk)2`JnMywnzJGoL}KOQ|;S9L6LE(+6rOhi%pe zkAhuRtt7s6{#GoSn3$|q{xcMToM4cqqkR-FNo8i1r??NqeX#=nCzXtO(r+ z)C{3aAD2`d&*K8!y}VxUHltNDvga3YZ**{Zl9F(56-xJaF=vF7izKuOsBCH`Dk@_~ zgXngKbXHf6+bgqny_I&lut13Uz$xF9HvSIWgX@cptaub&#caW+Ka^r_|86oot>peSdkn)k zc#lx5Do2{~642@A=au;tAT)u#csQKK^-GMiy*>36J4dQ?dx^#+Kd0-)>kCLuZOf5}et3A`w4Rd(Mg3%Y(3-Ovc{0yw_hVL;dvDSY)Hv*u~{8$8Ot%t}MfRJn9Pf!}_9>9X(;Y+7aY8g~}X z5|#fs0x)F)haZxF%zdym{a~1A_Wk9K50|}u@k}Y7%U%b33wMz3-8#IWX9LKdYj!&s zO63|gXE!u56oUKqj78e-0Px?Rnc0*3Bk4lK@7`6~9IE)pXK)CLv#-pGKi&(6si*HfAqOrUw}4BcUQRa9znIR;Ll zQr&W)4>$=Rz9>W);!lE5sybMnkT78Uv;~1MYtaK*UtPW;KMq<#BpLxOn9l)hrd44g 
z_zwBaXJg~7!^=aE3Z2NP;kbKaQzYFth%Pe;KC4&shmYbB9hQL{dBzqqEnuUP^jaLM zAKf9SMmauYK*@+g#Crug;yJ8dxTtX)nAex!jRQg+%r4fo@U#!cTyw83`->+()@sj_Z&fbE|tR{xDTjH=$a+&c4P$HG8R;B6p~wxa#^Xb+d!E$I1C^*%qRF_Mo|WP1XMapc#rm#YyV4I&S%Dbr$`te;*fOt@d>t?A zdwaCSEaKR1ZmYlBZWve3x*S~`F`4Y@g{Bg)J2xNHsOuR%I3#GJ*=07#aJ~`_DwoJR z+*PcPX6JZa?fD+gFhp&#vatc~q1t{Odg+qc{peDao<{?J*HiArH`gcgjHS|u7|Yp< zhqJT2&ua9f=H%nVB`dKF@vI8sAJa{;QweQOM~HBSfa`5wUk!7vfpqjC24plT559Ov z#;eh+C{w1?eEGUmSIKYmhcC;HdT|5xxy**%lA3hH6x9+gx3o!B0h~&jBh^JqC=877 zRPEle=3sg2qN0pkt#$3?QV~iyqs;W{rs>w1?YF9-G26|IBK$$$rUd5Zk#Lh33tT1@ zH1lffp4inoOFYtnY3#bzt25+qg!p%9xx|JEM@L7XH<1R(TDP#tW=p4x3;S2eg)1ESJygi#@m~lz7&85S|R2C z-P+os*R1*SpyufoDQ?7!Crb9KwbjSBuNswzcdAtDHuf1Yvnrn?2w;uCsJW^GhB8`} zKYzC!mq?|kG6HFEfY3>`M4j~47cjJgZD3aGqIAiA{Uiqhya9khVsm&5`@R3xIaV!! zc36L^uW{q9j#o!G6E_+Ia62MCSCXJR?~eONg`}SiRqcF(0W?f(A4k7Hz%I@I(dF^9 z|ILKFybmz0uaBdO%&7$+4!*yYCzZdO8N}njRp;r4!H&GhKUB~+`#yWdkbfj2yTIiB z7;8GlwC;D5>U_LXotxV;#BbDz`f|0eB&d}qp40i}3E}`g-`6WGpwg{2#mFJ`i9Zdb zg8X#(Em!Z;%lYfzD2|i&ux`ZN*HYy%YV*ETXPSyi8j%Z17>#%%;YJ0jU)Kpr*z1qm z;4~M6v33a^&A%(sw1nmrF;klw>*DqG@v~C0D+lb_yBeG0DglX6F;V(@^VgNzSP}$Z zt}Y-Lw(dadn3+*M$Jugh0AliWNhSV*&hzgXh zdW?6D5&G{D1oDQUy`O6{c}n|RtcRxS_i(YPmROKkm-1vhH@0RwopM10P5%bMofP+U zdDl*TyT|o9=Py7uhcieK@$0vA4HR3|1KbE-$;GngJo{5m=nHM>&{l zmeWInRHCG4G&>e9|BMoORzrb-g8Y8@#UdC!Q_?0=;{f+bA72i#r#lG)X}Yo&f##k) zU~KgJS|V6&`)o)ObnDX2q;p|8JIT2K#-2U=4NpgfHap`&p1daBK() zq3L!U5Aqu;Bvl-P&e?8unL}q@5Jhn);3{3|k50hh$qsQgU)3eY0LnwyMc8PcHuTWS z`uhIBi(dwKJ0Zlr2#AOlt7YlJBx~GdI*WDO7eBy01v{mM(+Bl37Djlc%MaH;??%Mu z{8vtx4kJ{v-qPh_il*cgkQ7N>=&%ZH-uGM&M4qj_$4xFY0|Tq5ct4q_`5hZul=`E9 zytV7lzan3s`4#NXnwIv|l$kwk+0CQ_GM*O>REm2H&ky0ldN%}Hy-w$wXZ!lzq@LTX zxg+hg|2@1k2Z(v?;VeMc8+Q`*F4VrXpo%HLJlx7jNp*Af0KVu6Io=QpC;RxZRA@1p%?uTv_bSz{t@C>? 
zI7UkValUM?c!v=&@|$mf-uX}J0rm$gp~3s_n!fo4pnCBBKRE+3pq}1b4t%>DPoQjH z8Nw$_P}uu?z_zOL9nRnHh9bP7M!OFBa_9t z_^tOJjQ!XPg8WreV_sOo#D#rJSU6_lCbq6kDIo_QQi6xX(tpf9vXo}sviU5VS002jvh!aK!<_uicxZxl>IBu>>V`p3ky%GM4lN< zAPItfLgJAzcMD^qGdF&zP5U!Ni%C;W5}EWRts$L3SXk(%iLVMIc`G;UgHM(GGjU8f zABP7_1-*QHeMA0n_QSgyJn9Q3`Ri?b$kRabvs|AuQ4#F=LtH|WC!L(B@^NP-ReDYXseDl)psG zCoZ)A`i#Qm;2@ZYz&=6&kxs=hu5kfYJr~(I8Y2H zv7jM%Cy(Mc*&8comI|V-{j{7q#n|hdQ3@IfX+wAf=4wZEx~>$>O{wOJMj>QG91rFX z6PzPuoV_hImbcIRnBQJz3(e#4s~Pe>o21%`RTgk;;Wgg9_mqZtBqO?3YWSm}alc3Q z;aYcuf6}fk;oEcY=%O5WN{FGp8|(}vD;3BRSs_Ie@o`d6z(GJ55Tj0$@h~aa{|_XP z{?Bu3rVR-mY4&(vW6SXa#e0L`1r`ECbou=owe)7`Gb zh-BGs_C-aiqkgr$3*1-4*1~%$Dl_{ekn~OetLg z6B9ZTVxTwwPy)>7x(8yf|3%Vy2U6MpZ~P{q5D6hOGg;Z$WM_qB%id&VkH_93n+Qcn zvNy>JA!LtZgk%%P_IvmJ`J+FcJaW#t@6Y`n*Y&zAh!Onuk9y5|rP`3brS^%Flj%u1 z7^B}mPQ}K;!n%4Dl9GwAc30K)Z$#KvH>fK{D!6SN?LG=8R3n!V7ZR#tbh83eoR^+M zrgka(e?-!l|IKSiT)n3LfrmtqnUR^(u;!y`sUD;)Bq}JGNA81w5YD{GJc~Yv3%h<5 zGl;HhG;o)nB$VwDLKmX_Ne^(yd;2r>U@~EPLQ$&SXx@_;mCOc9UUd_*V4`9xwIa)h zD=Q?9%owt7#9ddw)@Iffb1cmG>$SJ24p24$(yAS&!bp7W@(vua;P3q?+N#5T;ljrx zE`A~H=^39bb_El2PX7oxoNK$gW?gX{^it(I>^_HErLgV<%;lWE(1QoN!^?gBFo^&8 z;fdnkpV12o>AJeNy5gU)&h58!S#yVkhu?Q_@PXD&Iwiy`JJBiCap~u4*GE9fO>On_mSvCOGXneu(*&g7$=QWN&(y!76N6@S}&dvP$sGS4P=X0ag)o% zQ(CAjz})zXBud;5D`>HHwK6TO@8(VD=lsgvB41{G(4P!j#T_?v2npkfZ3~u6O!#eo zewI`JX?t);EduE45x5T%Kj2HVf~}7|*|ztc;`S(R2sEhS7;m2qW^1eBA7kaR+QJNF-p_tN{y`FEa)U;c^=9;RwS%3CnqHH6*qtdx`*m(gOf{><>C?_$a$e|JA~OMZao z>sXR8)(g^heBerXolxtjlFipM+P}F^Q1F=@F7m%H zL)F*xgrfzBA?isUJ;rf4E=w!@At51Pwt>GvU7Q2H1ST^2HGnsBG2ab;vbP6oq6cOt zZn-<>Hum7l^gipjhJzD+j&sA)+gn)VwkunygUCzh5d>LTzh&I!Wl=mXrvk8&8--1mYYmV~iA_LBMTn=#N}}|B7;0w|vwU^dUoKv` zUmeJY-OlA`r2}5w-=w`G~ilhRC!STIXE}~`&Bx3o@3veSGKz&OUy@`Eg1}P zbFi>f)Y6iSrR{#uRA!~f_z*+N=gB9*c+4u;bN+M&o^WB8sfH#)T{b9|Q$QVhK$Ew6g z43TyT3XDX!GN$E$dG-zt#x1^U%WF1PPC1E*Fvx-W&Embs6$EIS=xx;a9enRMoGgOl z)_gEfj_!nSfM2@D+*DVamE-HDU?2o>D z^dU6jzT~&=Jl1Ci(~n;1*mLeQ4zge)C%$wyJ&yJYEGfFUTh~J&udxXXzeCpVSfda+ 
z1z0#k4*h?U5I!Pv_oft)(t93${?Xa~{?1OO2lo_9hU}+X{2=&QJ1!9L-`jJIRzKDc zy!})iKlPaNP~uxw>K2atE8i!Td1Dk9O)0|iK0xyq@@mqaEK-KOuXoucxGj(#))4lywCDkE^|Q>3T+9B$YQ z<%Ra0&PCtEdQxfGPswi!7d@VeK6?tJ-NDL!mCL9@)JHDy-F%s4g$_Gz?wKXvm+#`H zSag~`z}z`JeCg)GwzT^1Yje}V&aO}YpTAU$V-r+7z^@?q7*XW&zpqRP3ZAqV$b=7D zLt_}uE}$zivaq~nyhnVUB0~;$S*>pVPFx{ z*$5L83#!?Ji-)J;QTPoelHd0p;s$Z2E91B8XjZ)SgXK%I|Bu$Pck>K7Qk<##Tjj9% z1+=d*;g1Tc)Z~OV`d@$kC_N!jOg!WL{Jb1Q(3>;O`nl>!_n!@nw6{Zq*&qtl*9{NR z&kACX*pl}&!?NCFot>QpW%AuS>R1tqTM~+u11sD5pFh3pxKc!+a$O@Tk}6id+1wrBrrAg8NIFyZaKRhPbTm1$iGAH9m6PD(^(0VHdGdRHEo~YWC{y5wG*&G4J}uI#2CYcaXusC) z2abG{k3BYcO*=?)xp3-@ z2{Bx1TpXSL0L{(N&@MF->GjS*iF2*tWH8+eVE(5vS+UJIS*w=Q;&1ks0*ckmO;mM(?p?CMtOxnzWg>u>cwp9*Ng{k&Xdx!I+X7k?q1VKE7MBVAr&MRu}yN`5vm zF=~X5vL8YUN+SzJ11@~KT4^}`i6Q3(0SI(PyZRIt(f*UJQG_k~1pFW6Jb$wW zznrtpD!M6~kX8uQYy7?#e$OGJH}CKLUMo<-UxHlE9bZr7GTvHS9<6)Apszpekp$QDO+auv zp;|z~SnW7k%t+=)AM$c*Dmgpl(7nC^rdj2_xCgToEO*cqoP8A zPO&lBh%UhJV~SP7`yN-Qb+nW}qmAq{LyTEKaAm;u9^&c`YLaFn(aKLCWiR9E{{ zj-AXHCP^bJ{V?6&nzMLy^&up40-g?zEni<>qntqfohMo8>Gk%hmISD?skJ;koVF4dkcl>9>*w*-aK&!Gl4vd*PKn2T8>hIsyD!fIbe_+}@R%F=NFNjJ~=bZ&! zhN9L_@M#*()pjKotSxoNGlaC9A5N<&sVm*C))RyGBxp#tTxSN>Sa8^1^dTxx;NUUW zF)6x0&%|#x_V?i6Tr!~W1CGqug^!EIum{TDE*8i6@5F=Vp@~9|ZQ@=ta$4Get*@a* zVm>X;)IA9o!8C5z;C3(4ha6FsTUua{_dP%RcoST#m9U($eOgijz6?g++LG~4oh*#_ z6rvLud)@K0YJJ~+OFR!$*1O9qqd7ACRWgXvBPs>RqlT<3sPt zYdL^VNVqDr)g1bCa`OBHZ48N{*Pe!1OhU{k^aJC)UnK@J$IAjPp;1iy@EzV0xmXG_ z3tpf@t{%v;297bTp1Ge37Z496{hIKEb zN=C`HZEP~c;f_{S9cYz!dh?7V*r?UNJ#3pr*%SShBfF!c10FcnLceMjs_kdyl5(+k zQv-a_KAp!n;QYYH491C0Gj&7eJk81~Vty;iilTDaa`MJNuY-$uj0D`yZdzJN%FOT_ zKgH>&oQoZ@J_9S<69ze*5oMdAqDJ%{ZbhNfd9C7-WpA?^C}<>=N+)Dw6a!#P zk0VDtc(7wX{z+g@l^uEu(gih1-uDhbB@OjE=iGlM5WT9F^H8%~IuyVhAQm37?I*+Q zT-@3^_u^**Zl8yU@k7^GOc)RvF@2+IvSKf!`Lh|VY{ zn342zP=N`Af49`i*ZRXU<3|6Jg8(-Pvn z?lEUeW`pph4|SPqC|9@_K-UbEI5Qg`94u*84zY9a?fg4v`Br}Y+DZTM-O|;_C>uT> z@_+Ru9SNqiuK-=#64c%@ccEb?j_k1JBgXod{-taTYDu~X@a}=^=V=#?*jB^O%O6TpDVS*z6~6;pQJ!>sdPb7#{FD$(zP!J? 
zqZkP?3k4|kph3_n(vlPN(<@aXt?c}Y+S#10t!1X^K;=O*wtMXwsGQ%9@7w%<+SjN| z@b>{_Y?z5|<>dG6sISghI_xX^c0^chCI8-w%2<%MB`83n2A2hsX?b*sosv?NQQ0%L zy}%m^PU^k~ED?4vsT$U-gg$f#ny>f%n*9`Kp>_dA^S3kH`) zO+-`y(<6TrSAaiEhww3A*9|0GmJ4?~XljLT3?zNU9*pttkz@Bjfw0DKu6 z(;6F#{>Qc&i*6I(i6Rqi5=sWJj!ceVZG?1Y;@se1Kl2Yj9x1@*10zp0$5 zx>?i~OBji+H#awdR}x|%&VBvh4=_{;{gd+C=jG)W69aL&f3r8R+_YOB4Xq!@!NtV~ zpK&Xs%7bDD8es3>|15MnoR90*E^eMPD<(1?p8x{{%C(c@lM`T!9v{~?HtsV6K~4oy zk`d{SP$dX}IcR348~2E+`!oC5 z2(z!nUarD$-}Ln8Xmw0$YYu$1ww6k_Ns#hXR1A*{Yb3sgC8(0M)7wD}P4fPNM_gft zpPp{8v`{oOOQmi{xqaIrDD)w`4D${zXgV#(vzd|}5iS+Df4>hH%6Ai>fyh-?NHA{; zvHv$n{Td2_Yj~$X1^IMpO8bMl6mu#bYj3an^|7NHXT@02oqIg|Pfg6sw&&^I!fpKx zC3+Qad$x8PhAEt!oKVre_*{!V+;#SFWl+?B`;IZubTaO>1v&H^*24Plc{2M!i4FfG zBhf38r>w!hAmDf0VSe|A>uU}f93?3@c!P1Ag{0KF8v6vZIU=!T-Dm!~? zVSzqH0s0`>Cz$`eeT$XZzXBBmIGXqS%?q{uRn~I3|JrG?+vA6VWYM7oHqo7l+1Z@Q zO4L-;R~hdSMH;DvdK`UAh={<2S;lozHX)IRUQmH}da9E!5l1tb?iNA|nM5+DQ%duL5pQoC>-lI<)PY#ZLJTN3Io1AvAZ_f>0rJ!z^YIdVTAiQ9DRKChc z)L!|j6|G63=LxxmxWN9CLa+Z2BqM}Dg1u#a%p7ZKt|iao^{J+s;z&<)X!P z^(jRs#@6Q^8-DFox^~)lUi5$=B!oe2q$_-hi^06-me7D_xy=ub5TZ99K30${i~Y50 zBA|D(TYg)*W-Zs6yDI3&+rcsG}NK_e966b`l{&E3de^bL{;SvdA$1BaVT{Qux1R<{vupeB_de#A?oI(Q-+rP zY2xdJ>8uAkX@(v*rI$AwC{TZ0BTNIf1KWIy<~^hMUrk{B{|0K`*y<6Aj4RqRBIwU~ zjV}(~34eD6W(5D^l8Y~w=Y9-Br(rKrQVdy;FHr+;*i>|`AgE`>3D|Fk$x)uR|C!q- zu)X$k{E5C5=2yEwhMZ}&4&dFA?CP@V&biI@(y!^r!AeN1TJ!7lU`}J<(uqicG_7}p zPYXvtoOUUvkzI6`q1XQHE}hjc#&a*V<}NyeP6N7zehIC|}pa-FQz!H7oL0@oO{7u5n8NcbA!&U`sDr#8eU$j*JBPVbE;^ys2pWEkguk zTP&%pZ@%uD_M7jfJnX0YX!hg1s3V#yUmMnSQ-5)q-}^yxm~I&;GV=1B-9j%~K9&#Y zJHIy1If;?LEhd*MfdosfLBIQ0Ob50UgX2_EFd4P)MhM(O?^t=*A58ZasaVHd2^`@P zonb;gapcjMpFJJr_9-$q3wnZPTc*?dsc-`s3|QaCcXPS)LXe18|J`eyTIJxb+LlDf zDStBG{_>3&3vDaG>sjt{nEZ@@eV97&vH2N2dw10ImgkAxzD(eiB?H9e{haHODZ0l0 zzSaaA2~TZT8S@JMnjjVucjKdvF5Y92(In`~^%eV2V+R=r@nTzYA|lc6`-PCV?ufM_ z!#$*pG%|}LJ+K1d5w17yQ^sX2Ld)|5BU)ct?sGs_1`KO+jKw6ktB=l-i9_t z;H`_5F~wey`ZdJ0v7BX1z+yH+3|6a$aC8Cd&c5*OBxBh?QCg9 
zRu3KJV=M%xJO|=;A#Fwkz9k16$#eZ)F`du|e935wO24=eRUF1BJQAN0^kfa3PUT~% zmyS}RqU}Yg-a^3ahnRumW9Q>t`Co6U=tJ&HWkQ@-@GG`jZ3v6}c1?7T?Y73)YW}-e zQBe^I#&JQ1tcG-vLe*go>!-xvY$k-Wcb-wU>>V_;f3zp3P74#^8&#}qafi3E3d})2 zm!6W(qH|J!Az1z3CPF<%(CuIqXh7DDig49f^_o16KNb@(<4JxqTu)`5ClKX{F)k!a z+m5@HGQcsLqwokuO(`p(Vn%Q@n69=7kM&1l#u!^GSwfWPvDArOPuc+t=6qX3QGdx%f6e51;FYwAz z`B!R&LL>XlAN80O*Wl5vvd!LqcU6Pixl)D=EB6F!+>cDPTz(wMX_2N_I~h&8nE*Di zcs#N9FNpG{3+_WwY>Xuwst81}{PeZj!qVxc+ur+8J*^^p6ul>)r>pyxgQT&saaLQ$ z^#$}q;3ungAr|`!fW~VS9`(@mH+HSF;XW!G=KC$haW4!9y5PhSn8B!ml_7@pG!-`U zbG^M_Ot-$K^p`>B0u*6wZLg+B=)-Lfhb$`Lb6!8GHef{U27Y0?waOJNQ3c5Hg?xit zWkLc%!uy1(u=zy6rBjWGjec+kJy2OnDav}`ePL7mDWyK?UpY*~OcHB1A&*saqw7cn zX>n^Jp+db#GovA~0~|q*bu7UMd`)FZov!ADB?Q)osRlh#+8A$XQO;QlfW8>))>m(1m+l zx45{dh=rM%nUS>^6fFSbXJ#(U%d6w%94kZ~zfc?`M;ee4S-4v)uCC^Qen=`)v(O19 zf7R9F5bzNy2J!*rJS|GrDOv1~D znd|&9`=f6;CJXgp_0!=uLjW;?Cx*hMU|;ZZfvaddVYwuAL>;d?{gO8&F>P?^SDtAL zPR2J4FTTgWZp zkv7f2y)oB2sg-Z%kyD_p)$eBY<8oQ;x^=2%HHd8cw+QKmfRg_rm3eRISeoja&UDoy z@z56CpE+F93U9x3zJXq?`@eRgjEoF;idxn`gRv*P%4b_3dSzN$43gE%I6!p>0eghO zP)a~9^j6>DU-I(Tv>VqY&8xO8%HK0dzcjLP8Hr@A*2GYr_x$-ax6={dap7erX(N2+ z4&q5RuQR6&oi^u0-QwZj9k=3M-6Ovx-!bA0A3~+dCbG%dq`2t=V)MF9_6_$zMq2KF zHM|mQGuq*IN3|GKk1BQM<@z1Bt418QGjBP(XKsFNOKk1^8Yw!xzNt6AcDC*-+nnir zE>h@8m4Ghwx;42{qA%u!=lncn?7YX-59^(GcN!Ghb>kj9ecIXSRqQx0*lglxtDuN5 z{afQaWSy@)sm7d%vd~r^CKz+x=zMySBu1Sp#dveU0^2L@5C7=7)M-cP_R&?vE9zP` z?nl&^4ZGaa43>2X3D?@F^>z58Y;O-J@YB1pFbI_9MSQ;|!-E*DP?evDXJUFXchn+4 zyGSvAt3nf$&k%MR*+~r9&84{wna=yebl~C-@|E=TwIF{kU z({JaDvGAutzFoscaT1w864|y;VnluZ{P5O41Gf0Od$~s$RP5~j!Mu}IyGB2l z_8!me$SiY`1?YH#Ap4O9 zUkREz-eWLoFjPG*u$sk$QPp&%B@r>POZd#J-4XwgNh(XIMWe}U_LaQQa$y_fax~Vw z^Ql+=x0no)+OAv8@%2J`k>!HQhM#MAqoQL-d=R)_VqbCb32$pHYehN*J`f{2`h8l? 
zPJ+4{P2c?5=5o&&Js>08eOOmVTg5xv?%CrVq~Xt!)AQH%hC^H%mwnFl^KX+br$YjR zS^Pbm-kF=?5^TAyEK3U4^`056e4|Cw&fnQ8?G!NS>~FOfznxIJ{4PS%aJ07JsJH0x zqUM~cyR!GVyX|R|XKI*t@i3_qrPuuOhGeh6{c0|SnTvj|VCi@GTnD>0jP-8m6f!4e z2baUN&1J`-(&jOh&h_L{!gWWDkJj~eRxlq~!M~a@O+D^739w=fyOLW+s`FHJ}tN{vKp%`|xzH@7_HJPfPU1G4?@CmS!lCkW?@7JG{eMDarLz(Ho_1J0mGq_O)QY`+H>EWyy8V zU5(966rmFxG5Y3b#|NNX7I?3gqcoA6ZOibpu*}i$R{P}1DfyABeMy$qta1NR-&d1X zFm7?N^0BTrTjlkSH5;`8l2a#_gS|e(57AvSZvA=}Q)tvj^>HU;tX|;R@6h{0UX0Ff0`BQtDJ^j;kzCDe-TxgNX{33!eN(qa zujp%1a$~@^84sV1=D4$7R{`?~i2_w*s+<;G5cVA`ur2<;r?`xb?07FAvh12-5LdeR zv+?9lF#3Cg<*sPpd#cXH%}jDR-00s2MK+wM+#P@6)N0FOmKL_qMMzlDH#anRT-G^) zMxrWpzQF^kHt<}ywFljoGcUtBXfTc9e|j5sSa_Xyd*6;7l%7`?I$v3SBxkiHxL<6` zO+tgO)==fr7qo1S;Z0t>IqXy4Utlw)(=3CYAArhFLj3cErA_0zLY(j9-_^f7&}#bx z{9cJSiu}BmT{5U<7zlYy)rjnIK66CWEbVPUeSzI}EeCgw>S7n8t+29cLLJSg>-XR5 zJpVNy8H&*Vr)O%tV|rOA?($?ff8IkF89-|JQ`?Q-qweyfcLQflDE}SA?wGG|F;BSG z6#HJJP?Lq0l);r3jTQZ;Q;W8*o-dt$I{&$AgHcMidZ-udcELHV!eO^?{5Vms(b)NO znKbFo1Fg@OFIq;q$q}z6W!t)jt8`y{*Z5&kF-k{fDuy$C*j}l`{ALMp8s&;<3gM?5t#O~UYRP7pDUmW{=ujsTjdZjGDs*YA^ z_+MojFKL`oZN*r7s;b_^9wC>IP>$(segF6h))5O5EO)j z4#|h}iM#eeg#2T-Y}V;9Y^~VOkK@LVIjX9iv9_Kbyt_Qb7w53mM?6<7J{K2mFS;{f zmOWO-Gr>)E{&8{qqfzxiIT|7rrCb*ahf>f>pm-xO?YW~%wT8-RAY1k4Qub-OubT^- z51FH!`gCH8pTsjVnI>&A?7d-?mltLkE zGwIa#acB>8ceB59>eIrQNbf}>yV2F8>%wkx-)Eu{mZov+^u-jN$4u&3^Uh^5^+%6N zqq_b2JDcRme(uec(gL=xm7M7j5)~;zcTkh81OdM%;2!0xt7cwL+md0d0m#dUQ&jLxk?dyE zmE&46jyENQg2PlKYyZ}~P#fXfbyMekG&aL*H(Z&O$q2TU1sL70AE*C4+A^Bn#V z=%22ONQPv)r9gc9S~A3I+DKprsp)xgZf#Xt2h;Y&vzz{I3Fu>CF$or>jhy7OpLEOE znJiz)eDS_%zN*)-v?qn#bfUzdioPA$bey(UIq&iQ{HEZ*U@&7i*a`QSB03I1BV1Ba z5*SGftfb4UX&VT%j*!Y^>XuD?mI2UCrtT@XjQP!07Q*1_x07Y=$8Vu5+W2C>ug1yA zDILRNJ(zw|RH0SRy%6H_xY{GOj6qRB%JsHQFyQKbn8tI=w3Q_5yAQS8YP`j8F-v6z zf7+9E+re2lJtq@lXLTziipN49aQgSSCq1Y1p)?-j-J_L3!hLu*v)8`mxk! 
zH`6Or#i&+@cjE;Uq4!?rlTJxVf1L7mKmME7;LbE8U&=~yQt}hoBw`Yhv*Jqyx}Y+_ zc{@8NCp#xD;@cn)sw(i8pnu>)@(u`fd_kOm`Uom{IA%3g1_8sLEBA-Ok%;w56gUk1OC6jjAEh@Pz zMsi?`O&DwpPuKI~t$N(DgVk=ZbCUN7xARK4a0;*IRE!b)cA;2hg;Il% z{tI{H#N;#tLwTJ1z<|rZ-SNbMtlEB*fs&GPM(IC4;8JNB2W`p6>)a%h-?=I1jaAQz~mMI>@?_0KwB=H!MCpy6<|HLC^Dy(I?l z`9!8S`?;%yjedsQCFlRcfdAiH7>L3C{h#<7TFSkUj$2Tm4P1`g$S2G8r{uZmSy?}O zdkX>Q;CqKuDpL_r64$$Y|9wukvh#5l%Bw8 zUG;8Fk%`0qs`%V@X-UuP>J&OPCglKNzp~WA>@EXCRDXZ*$}QG|t!biREcmC^nNUH* z9IX<4uV#r@Q~^6vgvsrzrW|#|#NXamn6nJ5tUJ>-&7q;8ThrA$K)$8eE#BMT&nVUf z;c|UUyoQpFju${ff0m=igyh=~VsRE~K+_8hxO&qnt?s&jMJi` zJedk|Vwvqgl4KWKo@<^sD1Tq56>b*-ac9a3Z`j6geSg>%KbQ3c0R=@$M1GUSYJXNUP6RnLyr#cI14Nh<4PuP(@zD5F*=aN9j<&7(Z6KvZOHn7WEptzXSgq zT4LNlVPF2iY6B?euBd7TMn-5KYK&PJyQVC=J_L&aEv*~!$`hi=Abt+cfsv8;DZ6l4 z!E52@Zc~({#dL9MWHA~`dM^`39er}vr3H)Ux6nE5qH$5Kyt-baI6H{iNG;DVx4smv z&|*JnbU+|((A^UEsXxz4sf*Ifs&KwV)+qR7qesqC2>E8#978?# z=Zn4N{?Rd!eYhuozWAH>zqN`{Y_S64YacIXVu|AovF+#CSbvh50JTnRhga#o$L4bR z6FKdkf%l?ooA!H)b`CNi8Qz6%g`(g2#V4M4H(&zcnz2c9 zu*mwnGxEvh)wvDa8t|Z>srd)3YQ3h5?p&p8av_hU{r+ZX%neVJUQd$^4O_lR;v<3Z zeQp(lz(H&Vf_;7>%>I1Yx3Fk00l6Q()`TW(GjO7`V|-a8b82l(>D((vcJFu%LtFx~ zBy@`7_nWImwfXmF$H?oPS*(cH(H7WWm`fD83I|8NJPdewevdNL1b;5*Ozi7}qJo+s zC9*yH`D60J$D!i=BxPor+~PhadOZR&Z@a_KSsW8*y14M;UT?UV|Ldld5c4>`ilabb z^BLIc2)azTDzmg-F_)Ruoxv?HF#gUze|%vbH2-_BSU1^rK?H-@Q-tR8Airw(TV`7A zwh?Y&ilVu)qh6EmoVyf)OWkW2f0|dxB;RGmdTSp~SK7xOPhE5>Rp<|?4FuYF^Dph< zJUy$j8MN-*Gw?z@WbL4o*8R8Nx%b<~AN`b{udVKecmVp00(M$PQ(_t^&t-B>{N%fd zX@0Kiw=9)0(eF-dxA>JXKIS3*%IJ)2jiJ4F_fLUz_xoU`kkZ|SN>j&E+X92RaB z^;i6wH*>-{(Lz2%$P*ysu~ixgnH#qvg(X5LmTfmyIwfyX`+V2wH+f!!#FC>+ldxea zL^%;x%t+6=ax-B-e6I~;o+neddZ8sBc!R2?m%DM$LcTmBdtSa*t@GbYlBwXb*ijn} zX{su{J@4vB`3k-BzB^RTBe{QgQRKFGaA9Vt)$DZ%X$fGS1v6)FJo|WWZ?FDG`F^+6%fxKWsufNmMXertup(Gyhgb@`C?Ug zZLL3`e@$AdP!W1`4Cy}X1hK@%VMipnpHOi^mPOG^Gcq)#lo0y4EKK7LGoiR2DrP!| zHC|lK=CqLJ2U!rCI``^4*~C+KkTF-tyibE&DOULHHJ{XC0Ral8iKnq^d{~Bg5N3n= z+QMeReLd~5^F+%u&-tr@a_aJsXtSiGO%=syPcj=i=4ZjsDXhf|$$T6w#*X1Hu_>6u 
zi8shxy%0U^=Hf+oasETDzNXU*QKEc5%J+SC@@>SY+`O+}?DqzwP%v$3wjA*1G?f(P z%`?rhG1DH~^8@hHdT{NXNksA%zSbQTKEVinUIyZYUQU(eWlqA}uE8G)jP-WKorw%x zj20neGD@iZjAXN9oc2X|6B3rn46xTN9JD`Ht&LP=2J#HNZS+P#((_LvgOaM&1hqVY zApy&6b1xa2jWzC46HD!P^;Fru91Qt6sdSFi8yzpys|F1nMpA2GS)TpAbK<`Je$%Om z3|J^&WT@+X8Cq6W7H~@#DsJvr&1DGf8nHO6o-aDz>s}^e)g=ggb$xKoI2M`%2u+cB}@pH6ikXIjvMi+OQ zQY%^p7h_boGBusU-C65I6hemP_UFjO%}aawTKl(ms_svQ>itpr9eh!k1~+E}M&E^3+5_ z8cpYB{^lIz!p6xDucV{yhH+o{MVONba)voK2|seS{r9eB(bTDENULjhba8BJy4LkV zhlc^|USo@t!#YY8L+#=k(;bKody`-d3)im|FO?495wp^tNJ&WOv^`UMJ&NJAe{*$l zbKa}|Ezr$C&{(a>jD~)jM8M@~>r(>J#^X6Za8(9@yK;1+xY>6_;5w}!cRKy=X5d*f zmp->gssT^T;`{ig1}*+r_!LLQCcSPe-+j@bn@8)-~(;o70NUc8F+p~Z(Cp476=wOTS(0>5AxOOc5VpZd3 znU$5*CJcoc85mxr*S~R_e(*}c`N5qwJ8gA!byz>paW18yymKUeiX2sa>^=UT?0?w7 zb@gBkhv@W-oSa`(R%Ogzi9>(F!2sIykQ*dE$_k@82Jp|nb8;H9s5C59r@?!C9fbQt ziz(&^YId7>T~ML@NPiM34JeRijdEIgdPye2@h&dc6r#Xap67?|YnibW!wk!qv+*IN z4btox!Uq=UqG^rr%|BMHV z!fBD-w_5>l2U8s;(`$Oj6Y=a}NIQc5q-?IT;x)hnkCO5pqRPj9T+79GB|wXWnm!?I zZJJ_gn1dO!Ww|?6M_U^(9T14C&ZG+=>#zVIpZ*_;u-oe^S2HZX-Cu=&Ib;?~gRbc+ z95#aeslt@__>W?{>4O*;7=l7W8#~^6w3JpTK8_W;OUCcvvh%e$+p+WXbhv$fJA}*P zO*MDT#FX-%KYvw31v7~Ybz>hk=vj!-HbKj@|<$))wqMeK{>IgS989q`08GgaiYOk)e?<+XU<+z z;dF!4DQK!*HHHG|Bo%Ha>>r|excDK^yO>e2;W*=&(HydTW^!5un?Nn@(fZ!eMSE%p zR_vTpN93MLxYs_ii>P)o_Z30!@=A`ljV7n5S*#nVH&$gE<};8VtgtY@)%8Z-aSWjSjGc45?dl60wISy3Urlk}ep#;q?y1zT_ z6EaR$^vI9vuD2Z*zvc0A7pHX0m_K`V%Wq=6VT7iyKJE8Gyp^WO%F;Yd%TB7%@7MPq zNAsa&;4LTDYElikoM8mqtdsO9{ME(2M*swxXQERBv}t!{2@o+YOEpWDj|r*#v@(9_ zQxfs|WIm-G+gz4rD~H@@CdKBz)-U5W9R?@w)7sv#oc;CET=fz;#9HDrq_Klc= z#q41wa8sCl{K^$EXOC!c5FHdx@5Yn~Bv}7YsOcK$!yc8H)bRNwd&Tqa%DFU!7h%=L zH@HlO(|el(kF|rtuFfLqQ!8hW-!76qe$CLGSdqxNT>Y4JCQfthV2LX|Ou zJC$2HCupc|*qQmVMttEg?}DN*sLLc#(X<#bUWNUG@QPLe}3E3)RN@+=#{gc^(My|m0Gb;v2KjY z%Le0-5Oo=sYF%>apC3j^FD;!o?;#LGLKY(n$&G(!iXU-o$&OggS3*x?w%#%HAm%+t z1h}VkW*^ng-n!mI@V0e0hUx`%E5B2b5-XX1SPMK75g3uu0LZ~ z4iiGwW_vDA`~$s-w{^6wh2qGp8md;>qSw#w=dDNIVP6w$-s)pW!$3wHMi?ya(y|4u 
z)w--uN~(Ay7wf{q;l{NTg$+Q<{^>dAA@gYn%n8E)cb|Vte>Hy39eN1*VX&StcmA1i zTd21bCY>lt(XW`RH^B*f#f|p4aOYNx@L6%rd}Sk&kaeSpJ8FH(lO6JxReGT0; zLt(2^jNgc_CHr?)Em&As-v_l)9_Eaf*hQ8s6ur#8R6$ehQ*V|&$D+KwkB%@l%P8@2 ztId6YNE)2r$djHo2z_hC$64t|ZCcIj%FDn;-Jo$U^H@16aCFV5bZnJR&b{2o$P{5V zF@%aHOhTlhcZcfM26Lfdu!d~S=|4Qz_W16brsHGP zJ!0eE?fB;(YPCaQ6DeQsrK&7c!HLC7*3$neS$v9GZW{am8f|3fUcI4@=~qvH;qr(dX6;g z?|HH#7lj49>4XO_O{Sku>g|j5dblU)?H(I>VnuXf53yX8*@@>i#w+Ub9~`DgAADtP zN*sH%JC?0O#u{mwgfyByL)GKOWi;|m^88k?KhrIIr^v=eu;S}rUe7pRMTHt;J5kl; zAI|;6T$#t|b)H224mA&NAmkMl%e*e#$|srd0&k@M#u!^14UF|5cNAL2LWkPGjjQ!7}=8t1x@!P>+}R<(Chb5>KG>Hu=U zhX@43Er5G4;Wh0G9B}j6+LpYgEq5fV-SYeOD@o$-_B{;ljnkigl^sFqD)Q4#zHB;k zHn+qfHTK`n?2oq&(%o-F`S>6pBxgE=9z@`P9ry{n;70=|uc|g?g>PgpBJX_%93u)G zT}La-mBJRi&eooQK1?+qZV=cnuiYv&4<4gRaIz>m9Cea+%gt5YDa}{CjWmm^;8gkW z;e(rt%K%5OT@pwF*-dU2x%dra*xlYfw6|qt!T|K!Qu{CMRJNkAIy7q9f>FH|j#8-ZKlG=!WkiPpSGQ0AJSD0B7`Cf#Bh*;&DJD zK*0$8hcliSD5|fkBDy7eS70O8J8n1up$(#PfWpB@5Cn${j2ky>$+E{cWN0IGi=lZ; z)}g^fSPFveU{UG_=uI(1Geocdl`x4hmZ1e6ojObt8XFp(CR6!e2MAs1DdtuHlFE9j zA{TN1BqgCHlyY;cv!=ZdfFhFh1QA$A4&?X-=JGsQ9hV<(v*7V6>YN!hWB z?Vm#U0tbQNPkjx}yH%lS9ZU!zcxEUFv5eA!g4fx@DypggFwr85=zL>QsmTxx;slVD zL;Q`Ysq^u&7f#-F2Msj9NjlmHDq&We(L5FKcNaIES)?|3F5C0Q+=IUTfKrA$ori}< z3E6-*d`_DO_c_gnXdw9!s`uii3pQ?UHR^~0z2>Hz9J8fg5f)^HAK+{A$8q~Y7X+%Y z&B5{&kkM^!ZWd`bHNXnK9*mF)GeleTrwF2F*uhbX$DQpz>g8%@E~tZ``ycnrNZH~L z9Env{a|QXiwT^fqnToFKOPz4+<#qTAHX?(-G)>?CBBtt6p&2Qpoj<;zW8o8(>R6>2NzI|+B6=H5kdI#+FD>h_fb@ewfysUpy;2OTUKn`~?th_o$G7N!z|Q+_ zb@#`67()0_Vfu%V3O9ib3Q=Oe+$HFJb?TE5Odmw;_Y}UI%v5g*G6Mg4gdp2yIQ;TR z-)|zr9IXNi$QvS%WyrtNFq|z%8Qi|tzLF~J^1K#Aay<#p7NP7%Y73L4T_2P%A07bk z@KgIA7M;2VUZ(=xV(;(5Fnwf;@6mr+pjo>IJ{^#6<(-!JrB*5~LcoA60||oJZfVX#jZWS_%c7Su>R7Gfpv@sS>Y7sPW;H_cV(N z*5pI~E3s=1B#30d4Rmm+XU>)Q^5x4XvI*am8I-<6ju&V|#>5;U`)yeXgPpDBbyYNY z-Fk?%>#_d}2|TdvF>xs0-Gy#&eSLk$&$a^HMm|uY7pFulByUD{9{AODpuoAK$!jbQCs~Xh%+vEp6 z*C=%V6h&A z{}X%ozcLX2TlD`E!UI3@-O~d7#V-i&=g_OO2 zg_{I_RKSl;z(K^FG=!77S-k4+55?YAI?#Ld 
zR{MgEDH!=W?8R!W_#)ANAN_y-wEftyoUbD3aFlkb8i{GBKL^omYFtGf;n||9^XwI8 zI1-b5qYnD1OTT(*{1>ys2mq_X&wJ$4-YQCo;QpR_5rBBvTE9gmyuKasV3{5d6BAj5 zW`>Q1?dH|WcM~z->@c_OLjGyn^DF+>P^Sb<(hxFgv6Rz0x{15)-|8`ye*QNWP>-hiu=jC-?p?o3^nn8-*@Ieh~f&3Uj z&mJ^oF@o<7szwU_I5WqqwQAOcbw&N9vFz072p=4}XZBd4gty#x91?saUU9zra>5^^ zks^;kkD2I>H@7C^8;LZEp!TOo1tPRl+el3gaRMr~4}ykJ%OOwQetw#v*8lAmW8_>7 z3VX@7=xPrIXVa`cE^+u?koQI1iVoK|d$5nH62rV5_b(RwX`A*cFK0E~jDQp@=oB0t z<850LQi=Us>7J(Etfnza!}OqmfwL*D&c|t05bGmx*v0=MRrXH*b$#^uW&Y<}+|2pz zAs)MW5TrvcS%sNj6pNO+(&7ldP8LP*l-U%>9U~s=bfjKhzdbXmuV?ProTbBa5#a&P zz~?|LzGRWzakBkB^b%9hAPM2gy|NuV>bv>F5Zf1B_6z=^$INK@%EAUL3Zy8nidD8_ z?RZxq5>LqmZ~KuJ_jkb=r4IogaNIP7_!O@u2iX>TSA>q6vJ=MJ&2^tVsXgIc;}3?} zuK0t3mOmNG!S`a(9FE;_OR!nFRFS+bq}|vL4@TOFv_9-Gh4el1{Z!{3-Tnn_(X);# zXTRSW9{=wyzs<#_d;d%A_q>rF^K8fIUD9|bt~A!egU!`OUK_cFyTt2947X5qXuLy@ zjw`4jB*^Gpg%&f!v<3`x` zC=cHy4EDWv=ymsrKq~;DR|{LpBJWdzRm&&kN1kWK?&)0-Bm9Po|;n$shA8 z;w$mbeVTuszq9=6q1#LkD-?lnK@EHyQy^uTO2rw2E`rPk<|jC7p)!D?qjPSK;?}pL zd?pmHPr2Je&)1H$L*{FVaJS9<5k6^OBl0UE@(F@b(===R_5=`^em>Pd!t=Y*4b<7U z9FUx)5AXgzZ;t<$hur^uGf~WxbM{-QKGrf>*yt|#bfyQllE&# z(UEdt>qigu|K4DfBf!%XQ3~JLS45b|4rpK@40150FgWC;=pVaD1;;8O2xXs^=}$+8 zABMX462r9pE5UqI-adOE>cS1f61)%Snf|CQ4FMTOH($V;r03R^h6q0V8liv^rii}7 zhzkRxKW}2}CdMviunE688a-qX@xeie&?UGP+@C$CZ1Xq!kvhV3;GY{XPkY3Kbk|lm5RgSDC4$Ci<=wim zOiS`NzF6frn;4jdQHj<9Jj2bw&42ziD!A1ihNfcox2>U9lp#+!`%RHPvMiNHGf{~; zh7V?^yk?&tcbw@8axGs)80L zNBIen8d+Cb`wToH27InyTArAjYs$*X8eJ&3k#rDm1Q!e>PfM&)!xV} zKy_=O`FFk{5%y|;z-X!wS<-L7lkV<5hsy<_Ds}yZ|5c45l_5CP(Nd(G79(K&)SR(0 zG5HHb8aO)H^wPof4U|oQE2%sY1CbU8(mdANKmE4{9*)&^&5?&3)ga&m%l!B9Btuyp^M=Ya zE-tR)fcbxZqkhsCI1vBbZkSuhDEJWQ;Q7i75fbk#Be7(Lp+#Ids_C#FTA{h6#QO5T zicX$+k*BY{eHn%&!Jj_mwD9nkwH9Z$Lrt}Z1hBD0)(#?a?X$(s>Gl$G7?Q4_L*LyY{{c#$9$ix3% zsa}*i2gyIS0yb6ZnEm`+pE}cTh*_2GVg&{+W7{_`=UTOk=wTqFYPB;5%|_Ozk{S0U zQ)Iv@w8#^bZWZtn(?BD}w2(F?DoWxxQ?=$~NY86MMpOOV^Vpul^1yTiWG~SZU|$91- zE}Bs-C@ADH@NY9jG>BSAi+>v01l=2VMOqj1 zGZi}ryjdwu%=r5aOD`OE^}#Xtns)#AI2=5o3TAXF+1pl_50{ON0af#>tIJ}l!o0r9 
zT2N3B`UQoB3E`?d(CL8tubv7MPInwM-+=H22Oq~A++|IZzrP=ezZNqBQ(>aG7#}ac zG!35Cd*3ZBffnb7{xmc+uii(C-skudN zyoVWJRH-hT!WaEH4zze^sHo|hl@KqcL`UGbs+>-j2dpPJdxEGFIx{d7ELJN{QKrp6 z?vz6s!sfB?)h9@!q9Xv>Orcg~o?bD9>ZY6v5}b>$i`CTCjs2Ne1Yy^=Z#3_J*jh#s zcbCCAU6qcYlIIBi_H2DLU(WO7nMsuU9L^Kk$MjKMpML$yl1Y@ZVR~@r{dcCPrw3+M zfblndlKtt^C)hd%9oOma_3y*re1%mTMtlc*dqEbHY*bWVRjaJH5}~y;JTwg58Q|Bv zdgY&;ZK{JsM;N>etCWaE8|DTOcL}AEot<57w0i_R=Gy@NylEA$JjEo?08BYpUXJ+* zMR|Ea;o)*pucNx({O(N<6%!j%q9X5SvJ4L@OE$Rp%VjEDf+ znI6D3W)c)Y)cFbbkws%alSz~*Ziij2xj7MwF2S?c=T2KKA}`x34>pnTDWIs3`xG84 zMI)2I6&mu%*8W|AL$5TTxZqX>?PH;46?`Lkg+2h*@&u|id^Tt!swybJ1uC2R6(A=D z$-MF9ru+N*tt6ZllMSxccP8@bScM%Rn|C+hDE zFL0n^O~P%is3o^uR$dMf^4F2H3F!%3=6IuJnb6x-$;R%m;sR4YtTP@yUQV0284!%B z@&%WW5s?x(L+bhTt<*`}R*HW%#>l&``I4ePKeDMMv8 zc+llmi%AYVSZ{4_uVuaj_XTXE0RS;&WgDt>#Vkw3;S6!ztbom{ur@Ugwq@l4mG?iW zfVq;g3LV91Y6@#srrE!Lb@aj&iUzn*TwEyBk9R#eku0GhA^krSLuj=g88EXjB)>_` zd+-U?sh5XO^^;a#!51R~17-$>Wak9~Cnu-toqZi8`2{ajAWYpdHZHa7_%~2wG}rcB zc5(f9cF5$vJ_x-K$wi`HYV`GViZD|HB@TBGy~57ko~V8QeE$RK_3z+AfM!1CgFKc- z4b){l%zdjK)kCu|?p$fQx1gzFm70UYB8UsXK?n=J)VaF6K9V&CL;207z^=cFj4b%{ z$@%Hi@Q8@@&Gme<*~pln@89uOoi7=4!0i>7@4^BV0JGIVL?CCH)oc#dpy4kgdi%AC zWmBF%J>1^`tw?oEji`MONjQ!B%(q2lMClq4IeHbCEnbS zkdP4MXzXv20H2Ibk$#!b%KGv;A8l=8GVya@ z8%Iya0{aqF0nZNhpG?NFQv?>URM@WvK!9c zo~BAXyu2h}5oW^@a_y63mk{{Us@mDPsz#_@qoFyyvbB}mfA2Cahls>u7-neq=+S@v z0?Cgu-|~brkZO*!@?3fU-m2?OTl)_uH+Khm=6_R*hP)?&iC;k15EK;DTZTqxT%(7q z=s4Ah+~F_ncwy0YvAi6T@%^rUvB#bCcQ`e#kG4u(ju$Xdthym8x;0pA2EA90B|IDm zIcoNg9oM}N67#?hEqlXTnj^^MbwaOBc+SHz>v3HV)-BW(?hJ7k#k}tI`5|E*o{tqm zcQiG-Aq@bCSXD9m(G39llW!PVird8BG_y?uRS!|mBrO(|SIpqOI^!i-1kOF)Bc zlR(7~^-F zJ)wzyxxBJc{5W;#b>70csXsk)8?frIJ|IjAWPf=FoHR%g&^VC-^8&oQ!1rseC<5Z2T21D`tQ&_&$1Kw*1;k} zFyOfQ=@Yop!TkUdEBICw<(gn(1ULAT@?*aMt=35}D$a>%1M3h-0iTq+ySodeM3^uV z!WnOh4oqa)7#v@>s7F=a<@vRbz-L6~TKcqoGV;xRhKv|vE61^X8~g_mtB(cd6dWfx zZoRa(32E@>p{VFeiNj*!Qy+p^51h1ry;liD-Ks|pyhvyyPi&65ZD~1kSdG@aOufKkCc^^1X5Jt^S##sxz|I-qPU(Om1KS({bFKhXYtlI*(-@& 
ztPc5nX1rMtmLMVf7I+d$Nqzk<9$l=iariR6xl zxQ@V|ovq^j<8q3M(Q)W=!e*#rth@3qC<48(Le9DR=uy>`t#?t z8`q$WKfYHBoZx9GW28LlY+d$KuX9bE}ur-Qj*(D_o(+tA7eY!gSf59ue5xypDCK`GqyE4 zoxYZ~GnR}Re+J6G=QA~O@A7wJUJfv zxGSIXYilzz1I#etITv(AXh@nl*n?os$%NPqeo@g$X0l7%?`)W>yPtC^-p8Xm%!RJD z39Xvu=C;s*i3=Y-0d@6i_z#L=ed;T}{)k1bGgUJy$9-gU@$e8mZ#bilen3O5_apQv zl7TYV8k@sINuwauwf9UWdVtW~4?~ao!Nq|BcxmwL8E|v0(dUDIo7&oeG)^l|^H=nj z40`z^umw**DI|5T@Wi36#4GFKT^}>VD=TOsDRgxsn@vA5Y0x*99*|% zir&Qq1vH2lC^TeE?>rIRetTH~ttNk9`nK_HSA=&wN;x-|`PkKgCtO(*23hGQ+~Le* z2_eZ$P;HrTerKR@7mD^bmjKnU!GMuQK|uj)bf^jRj%i$RM0Lm9RJgkw)YBss_?#%# zRuXXQ`LtIwj*c=It;P%epCfgtIX1F58*GT*y}y+1OQULd*U^{f#x;1#S)Tnmk%i4k z2|2OJ%3S?{f2hI)6NggH`e=i-0f!2%IAu(dT2l;4nO=e5Ozur5ksfKn*hmyqqr-%- zQ>fuNV=1)Wi$$GHt9nTki~9l7f)LArfTCfNt|;|frU-!KKKB=Xr0#uLSzaF18v)2| zOc)tMhAOV#)AI7F8X&fIb$N*Vj0JxyOp>myf*&ze9>4y);nKd;YLhirS}sdimM3~J z2AL!K49v|P92{)y!S`34>wFd}EQ=AoWa~Sk*xwVpc%M#;G&?rD_PGs~q-n>mNELM+ zfrvw4lHMQx$iH{#6~@J)OkR6RjSdWimQk&y{*VMQP84J%DMDVW&}4@Qxf0*1&u58A zDxB+9LJ40cI*}Ty;pZ0@9ju@Hv$lPun4QI^lJ!~%WxDc(Pnm>!hBe&cR|bi5^MRoa zqavDFp;0x8XpL3eqnKFvVo#9jq9g6@>kBp)3v!BfcKTgxkHkqEI>Lq4dsSOVSeOPM zp~#uVBSFihpsAhUB$hV3eo_t3%*>LSn(E{24e!Ad4tw%^m_A=l?zQtwFKP}LUXvw8 z>*%`unO|)TU447vH9G}3fM69nz^=$#NSQWhU`|A>w65;b6^(4NS0~QNY6lF6 zFg}WE(kH%26tVc302&jl3B+48b2(qzuML>1aVC^3U46%0psl33x*Brz;bB5{_eYen zQUf^RXwqxi5#L%~TK6}nbXEN0mxSDI|0o)ZYMm#ukbw>5DTPvo8B&>zr^&{O>*1xXy#qfq>)x~a&F+ewdO@-h^{SNSTwb$%zPmTQj`B>Fa@o_vq<52hF zUaS5L53CQ)%Ejhp>GvMhce9ti#m$70%TLl$TZ_@FG5rn)>rA2;y+Wpvs)NG~oO6kvpikG}K{^9w&a4w6dqM|~gqJs)L!glG))3Y7Rqtd!E!PgXE$;*coO2@yorw& z21|VKYo(S>)T399V@}07QB#qgBsnEfjXa^{@Q?qC@sp*=ekYYk{nNp6@)E8T90os> zz7yk6VR1p6g(ZA>;hcH7Ik`M9ueS+d+gLrxT&a?v{nCn&Jd#(ci%P2NDN-R0-Q?*j z)6j)mlL{bGw~@cNU4#P|GAB2R$dhY;!9WcFu2Lq}x#3(UNfw#L5+Ov62LFG6+k8-0 zx7UZH|J~mZr-!sZvl!LEyFZApEzDf#Tr_x)olySp1k2aPGl<{_LKvS?&5m`J3jA!< zgDc^&xJye)AFC+nUxbqvrdFo4J{@7f_;^6%@m&&kZEZTO7}#*R%#nBQD9i20pFuE& zK(^hHBEqY?@$f{*Y1ZgJEA-UjHa9z@b7D}KxQSxM9>MTk*%%CYNDK#oS`E*WfoM)5 
zk8{&cYCbLZ=gTbt9*UC+nrMYgJL*7odfoEtRFkp~boFe*vzS5(bL04Mrh;(ao}Csu z)8u@`tfl>pFn2i(Ic~*R!1J>-dvzg>xN?V+Bg|AQZeqn#C?(;}xen483k^~W_G>UD z3{v7IfsdjbVo`K41&kpm<%X{5wH>i^?$d$eU*3)_ZFt)g6mN^E;i1vxYHLZMjnbVg zrPnr$v~s5qIOl!8qlDIYtFH7n!#^4sHn?!H7UCCQWuAsXY~bCO1?OSC!7`hNXFI&# z`HZE1uN@;~!{k-W=|sk)_eyaVn2fQdwH@n_Oo~9_j)uUGwc4DykV46*%gQ}~y_#eC zspSXIy1K+-ea_g=mrfZox*`MFf7N!nFlIU5kiSV?G~m;t%&nFtCa62T0qQ~M+8#SP ztZZoTUru|VnZV*$D~LSvVYxOPb~yNOHFw+hP>uR={)7O>b{Acu`_=Fj4Z^tBpuCGc)4qWZT@oISY)UT6mUC9J|IfE@hZdVtvO? z23KOOvE?b1X)GWueV}x)y-~1zZq3WLo`l;l$$}#plw8(9iqRIBkcy6{X#zZ9`n05F zQ^74P>Czy3$LhygB#fEONZf~eEtG*Y$^sKb6pvycO)}9>de1~o({!rF=HWv^_yu0~fj;FD zYL0hTDJ`O5gcVVP{sIL#llXbk(iiRUS2+nB^QXu zv^j6j5kQOh`peY-s2W9b1E;@?EpuydKfxlIcsP6&AS)P+Vi9!!jn>s#J29jo)c5xs znUUsiU})A87t0roe|U>(Ct5V?)pmr;^O%vNN6e9N(>q|}FcpndhRhLvvTH5yt20tf zljqGOj|VMEnYDeKllaVDEt2SI;Jq6GZR-+e)UkuPTT&p1d zLQ7Y?L-EV9HS>8TDPS2Bd+*rh-z~ML2)xBYqP_TpuZ=QPPMb?TUBFMu;Qj?qLkK{w znODP2h8#s7z*s<8w|_bcnlst8C)hdz6m|PH<_0`mUEh{>CzO3WJoHPT64~}jvPkAP zTHM;xzHpa=BCE2J0ZGOyntxcCnWqVL^l>R2VS$0mZ@|d^ z0D`lYCybQn3}y5CQe5opRH!Az>JKfW+Nsf6dU_tXOCE0zjtUilIB|An8r6K!B6{d` zl&7w6`!yF?1Sc`0U|zy+h-B-~Qkg^DPft|x!~V;?fNKe3=N?5uMLjXGs^)d{J61Hl z!EdgJCCB{0k?EV)!n;51YixV_V|o#4&-Q;z?<7a>tZ(rz^|*BHY;-YL{J~Y+))=aT zdQW~}gT4?#%@yS5ab8Ah!)GhapRNf>I$h4_+A8?)zJ?j_6yUH^Gx_`rYU`GBS2DlK z{3MZG8`duL{!&EQ)uVc;=FInQlmwcOYLfRPrA~j>Ui0n zUEUVdTe1{h{lcVvs@6m^kCa$YZC6xoe)+%8Sh8O5FK}zA>dUrh zqqA24`V8*#Ft#OSdf(0$*BoDqMm#zB!kOloht^dj?i>to#j9rsTivJRCkzgPwjx~# zMQ%&4tIJ|?YJUVv*7MOg zZQZ6wR4aI@9t83r5FsZ0g^yVvk<+JYC@ppQK_~ma=QJTy+vxmAw=Y`u&=b_dpAu!n zqS*AUHo-kyrK&}OnbQA%i`_i=8Ns1yZ&MzC|9rMq^T`(K|DM9&--61~+>ak)P_yYi ziz_?N#%@y$R$QVcZ#X(w>cWbs3~VGkiqDw^1$nZOUsYb7?Xq%S97=lmD+y$NpN9QZ zHFbP_4~WsSi|Ib|$D8MAK6F1|Q&WK}&#fq)ghu@7Bnk^iGGP>*p7Xry{D1u2wll70&Gi2mWt$o<<0}{p+2EuO*-x zD?9iE%Ec8=Dc0x@`%!xeVou1Vxj9MGmNZ~#;1YCxeWO032SV2YX3MPg z_0@=>XJO{f9Sg_bZDO^<8F@F!;_*Oq$R)w6-;ak+Yk9K%(#+KaYs!bmBaDu2%}P)= z@wLTWX}#I27~I|0{d{G9uwt@fit)tPWW`CaS`>^xDF?D!huj`gwi#dkY|9o!T;JTR 
zaC1e`ou+Q0K!$?5s9KxWd-GI^fY)cgtS=UBCLUo}M9$irrX_jKP7#N4Ms9i50p$ah z(S}7^)=DpS@6A+?j`a0)_r14ajv@lu^4Pt)Q1Tw~``thKuTM_ZEY;6(7syBaJ%eUR zWB)epWa!`kF5a-B&0Mr{n)C!oiCu4>OSs0(o1QplddvfzL|j3M661D@ezjJ;jr3zW zZMz8#Z#soI+9pP9CtQTBt;*0>XiAqu&kV_6S$TOg-RaMw*P>1szs^A^C)upeCfG-j zkm~Ac?i#32%LbhZ@V=s~IYXK>pPvuJiP=UFeR7eSyZa_&4qHA#u}aW%1E^{Gbo617 zG1l_#-BW7#PaR*Sheg6|u)v5xiU=r9kE`@$fI}q-#1##c4WYt;G3RvY)yeLOHwXlB z@M}xG{^#2Wo;V%)_jxrnnVB4{(Q8r-PUGJcxYKAU$wQMBmAT>pe*q^Zds|0tg{j!Rc~3N?7kxA2b>V~ciPXB2AJpzrP$fn*w{S@Z#E?h4(5L2nKiZq z*-Vp4HaxNiIy!cFA7>U8Hg=u?Je+A9W5Re!PJV!f#4r~B)W)6n43he}yylMB?ZKoz zmN4{9z^g^^XldvD?Pl;Vc+ohXrD@mp#QMoF_}mueUeg5_t!MSAi!|$5P312=Zr_IHGQ^|yfx_0Vg&Op0!Wa{&CR?5NSvT5Agl%tq5RiXIDVWf z-|3)e@0x~|&#_6RbqxXl_r9A$R+nRc_%R8flz|@I25mbe-)ndz1~e0+195jw2G)A7{3Msi%wJG9;lp4J05sV15d{6i8~Q0;8{V?f7*|+ zy8f_Y-a1Ab=2c3rAZZ&lk7DK3_5&$DvEqF-NhK1gkeXq3;>H;&Py4x@(ZlJdp zM%JGW6o3L7Qo%C}0Vg@;mzIjaVmmKyZTDHJWmmeOSxciiPOt9i-Me?;(4sH0#3qY^ zTtQPop~-rM3So?SV5K)O1(Ja3no<`R20ncO%k>$Og=LXPP+D%dxdASOcn;LuEI!A= z(z5zRaa({=-1@(~qMK;+XTCi$?URVFI5vNvX=}_|;~ck0!0}iX+SrZe5jI%3F#SNJ zu~fU(d0Ey*e4bfhU<0%dunYgK?Lf736Kr6GF0}SV5$A`?=i7b1t>)R8?0|(UrYAQZfmh2y=^ztSK3?{)@khuUu)etv!K& zz-RxvOqsqJ0}nV&T$?s1VX!v4?f~yL_p=h5M16k#ZC#t{?CAW-eB)-ZeN9e9MQ!aP z+8}7BPoih|kbCvmqYXxpK~M_B3H$WtGvRZ{LLQa`^MnIY4LLouK?qy6|LFXAuQdXm z4)oxt4-_1K4nfoJ`&BL~AtsJb#f4_74Ie(-dw=zjSQO5*7*a#W$NdBS{j5LTxdYh& zdt=UxS`L+}^S+~BgHNsOfWl_@7~Xlkroy8 z@U*|Kty^AE;l3AjsRX5#CSU?%Og{bm2%+#oVj?^!dIgXcIJ87C0p{xIwgJ`wAh~+1 ztBY2H<|3c=*Me7Df0xP)1nSH987^LgFLgjTC_^cC zVnulADSc#D)Fs9I@xxf|H-fav8!gFlpD*{{Mw+9uu-#UNrpW4n!1>}!a7 z&{(7OUXrHiV?n`)Cg!Sg55UEiov&l#-$>V%bgH!tKhP{TX@VKXQAS^!z|8Jym{PWq zm4$)=aJ~UV*t+-}^{q1*wO5iagD%wy=3zk8F=K3rA(0)95p$mSezezcblm<{c^Clo zp0>KQh-Et{zCu*{O6*hFU#jretxu&o9=Zqhn!KTOEciHBZT}F;9*79xFrezfG@N-D z2cYZg>np%0<NlAp=Z+p);+iI_u#MP?w^UUEB%VLzK~H(L3TgCxw^iw=`dPb zm6Kx$%Y1wY?{!}Tpy6Sq{lijAHE6^$F&Phgbx|!Hef3H~_aq~E(`V>DJ64C+*B=g9 zWdOzJiUgV<4s|sg3!@=H{*@M&IHxndwa4bWuBo6o>Pd|311-bBJH`-A`U_`5yPzX% 
zXKmU)wK2WPb;KH74ah}B#Z5*ERirG)JED~|neU;Q3xJ~5b1S#O2C{GOA11IdIq3(` zLT=y)AGV>0-~andxTxMgk((F0|M1~M1q%zGyQiW|WQrIzNGZmh!Y;yL*VQfe!gCQS zAX^2ckyc^|r!uhpBb^Hby09R23crSooLQ6DJJcKzIHJYmBnU8MG915s4L zyz8X8*vx`qbR{peV)|{5hlaL&nDjaRdTzi+!N2T?#gg^@lLo zOh3uq!DeWAXBzfM=)s$f@~Y1-u-*_}aASF93ZMMjAy_ z$X29zg>Vx}$Ibw?r7FAjBX!Wn7M`J{Ws{VP)+HMvtg1dmj*RqRLJWb9I@N24w_mu6Y|^JK__{s z<2Dx_eXNSr)gvTJ^1E7Pd=!Y8+1abSym^jxD5W0aic(xzY3|R8g}`s$A|fKP zWjAwjpFH;UHPfbR5`eLB*THQ?_g|tJfhIB%(sAE|1D^JwzP>~ylvp~Ot`3U2l9Zo; zK`(nh`mnwp95OR6J;&#$5y=`$_;AkTPgDcyM6&DS=*sx=Dl0wU6vN}GF2ti3#G-O+ zPzvQ}(aN$45VRu?RGQsrXxRL=O{7>eBrNV7J5LaDEXH5lb6nW^^XqO&$nI|L8_B)B zz3XjRJol0;2o)k~w$|3xwzl#LO3{{W*46cp(Sc)dg2fR0VRC9xJj#r)8DqI~?>aYY zG?24!Aev1D!?XC>deAh8UyydgYhWxRC2K@5^o6HXz2yRo-O7bR1%U89k`rYX#?j{l zs0jn?q1H?|=iS|1ce}CCp5OWR&UdW=nVIux&fE6kLm0vSvQ}zLGlSSSIJn¥Gmf z4xVbNn8`_HAQ=Mdnh(AX*b9W1pl{v;A91&>^}!?ykSq{FOc+DDfA{td4KcBXe6R;_ zBNQD@6mv5A6^}sR1>p3tq+*8&1W3fe?ME4~w=@$BBJAM0rC-fJ&NeVYQ`94lEvdt0Eya1+ACouz+q4*vSp+ly*@3esy(GCBdh{*AceS!W1%^oFMxi0`AO;TKst zFi`)ozh4H}e+(=NoTT8lLUgMFP10n&jsCd+AIcuyX6v!Aa@g@OiqTY44 zpuC49tTAFvL$jYm?I#d~W!Bf1=CuiR01|yvdvG(#1f}3rXV`Fzf0N!e7Ka}RUE@g` zo>GPx{PfgX)Gtmvrz5TK_^SAXQTj7qUSYkTij55vj>>UBv*4VY1Y(?@cr4xT`tkbs zLcf?;e{F9gyK&Rmj^LaIcm_1SKv;ky56ZsGo_4;r-DmZ;*#E3}0?3L8reKesiqcf*LHX&e9Z?rvy%xt#5px85QQY?DF7R#ko*=k<$bkE(0U0{Q7L(Elx zI2iQ;Dd#IMZ>Fscq}#&6!Twqo)ch2IlV9LRtnHCS5y=9ky`n70ZbQ-l;H(@+I#Gje zXsmDk`mf(3cx_1XwYAN#TsWXRc|qS!?wST!9SE|;lP>A%py#6mpE@%YGLy+!4^`MO z0$!3YzqCR{JDhYy89Kj@>Ge!&1J0BLg>C_0$>Lkz*xurei^d z8W8W-iuGa5LQLQxqJV$wcBLJox(%~=1^8Gf$-UCKoqiKHfHwLYCEsZ5=(rTpCF^Ko zGwzknPN5w4E3LJJ@9_XcOPKcE(WX+RcpDsWu~GIUI$pjpLUIneO1rJf$2ML+lAr0PS`N0L6kOz7;-#Va#riKk)oq+9Fh351;t+neH|% zX%q=HApG$0vOq9F;@7}W`$zvKJ!LVqc8$*#%)KP8d>NZ|L2}0`y^S*Kp!gs5y=11Z)4*O3Z73Jx_qYxJoq zW+i-*{j0d%;o_||T1n1b8j~WXo9cysbDdgnkn_41SE_d_% ziw?VUQsjOU8rsGy?S|=>cS=f1wZF_v0eYsuOx72p`08Y_zG@N*bBvh@#l~E)cd4HjS^1N!5srP9i{oz}FUtlaDj^&`Y+#pd_la2fE3XT<;>Ap1M5EQGFvJBs&%$a6Xc=m?s=Y 
zW!#ze&8Zcg4e1^pHqg@>80x#i6(7gP8<#N1YbY4_m3)JfUj5{YZ)Goh@Xzy@e(Rp% zgZkrn-nf3!u%sYxpT7k5{bVI3={JlBB|2*IoM%U3b7rBgrsKM=N)>9M5T=+NhZ?H5 z6pgbdus%b?07`6Pkx`0+ZoH)>0B>Kln6{d0sdB~c#oXyeQy=rouzS&JXo7s5_p-V3 zvZwI+!I|D0FOptqvY%3OI2rJKY^jnDlC%FK;I(yh&;W{XQ2EVN7xGZ9Y8w{m(FW0T z9b_{38^O!ppOf{jpH#Zice>MRnyUCaE~fDQO#*6kaxZHKjkTW@TWkuS@xFQn(Q}bj z4mASHf`P~+NNtwF6-At7ViG@Y{qnj3`q7k>Q-ukVQQ33V`8*+obfn`O-r`XznQ(JM zISt8dH%y;b4bOV5ikesv3$KImL{FHpOxXw$<_DQXcHNVkeeS19+x@Q7Af7Kg-g%0| zmDq>mD98QvlA)(OM{4q#tIHYic))`%-;F{7kQP$~NhdEf#8NW*Xqay^lC}j^~mH1d0Vl8059Y=W!47M;YH@pna zZ4{B(UF5~&d@|#yrmyvmx09R^PJC22XS6mY>B(C5*C7E!PenyV_XqvZQ3F^)ytK}B zNs7!|P-MKWj-n$Sj-Nk+I<>k5d<1}v&^N_jy9_Ffr!*6BCnHyzi7`ANen$hBt{})7 zjmzr3BlPK7c;Os2=My$3H}^Q$8svm!UI_QytFXY3-ge?^6KGGrMXBb(_v#zD82p`u zGW0-(t*PXAnjGz!;9A2Xl1vM%l0v3fl?gVakoVZ8kh7cTX}!{f`MVEY07!y({H|T$ zi;F_L+1=)x9O0(mIfFAjt$F7~Ob%!%c)|k%2T9I&G{p8eBg3;iqq3QRuf=9DhTLWX z3Pcli^_UI+Mcl}uebqIsqM~BPL|#x1`n0wZR9kf+OSQx696n{pt|3Z2{*6|PV^{nO zPMV@c#(#fYj$aQ|%sw``X^zX{;fjZ^&KmtH?wu_*XU^yPyR1oa;3@a}_z2{*LgiI6?5#=t#99rN5YuT zcL*Sx*h_)obw&c?3lhH8U+8~oQ1+m&FH7yx-TIiyMGj&bIJBDdO`vhoxo`!>6HYik z9=Oz-iR7lIhItHTyJa?a^Ut$~yR++E4mXvGeW{oY>#%Y8f(V0}_5~1(5=xu`8ST;n z{$8LrG__{-VhPE?Bu#pz=kQSD>I@xu=vO_Zz(8++2<aW$WAP%Us!O(`frnLWYWJ$EoC!@pmy{UGpi|Spg>;v&1xA#1_1sIV%zAPaDf%|c&%voCRh>}xwZCTw;-`0>gFVaTh%3J!I z$NF}8e^xsKBW>-qq1_D#{npu(lv5~H~cs&;fhQmlBQc>k{C$OmISkZ=4*3G`|8Y7 zWcnlZTDTTqE`S8#33;;; zM|zt!sFvhfHFO0101+Q(49|gziPPW-n)=08=P2Ul-&V>%Jz6Q&v-}jGF5y#(#<_ep zWrP+PkgkKU738=Dd(?MU?c2UN|0b?%KdaXei&!u2nxhGA!VC@FokEzWvG4mqsld;8 z?Rh{_=pD^F@h6nybQI1hfXEMDVjT`_&bXMLhT{Y#X&g>NEo)cfy-4vWd~feMn8g74 z@+xcQ?O$r-DY3;t2zh9Q9Z>b+h-==Oj;p)RfCC!BVD6TDW>Ld~a9=*n;Y4Q6TpX%3 zoO3a_QIPV! 
zct&+k$%-k2;aK^RnBs+Yq;wH~muc_nJh36n8qjsHvP)cLM119LI6Pc3vVNk!X1ei; zA!0)l@qEicYJ4>CY!TwMgQU-k%FvUyZ^;D7cbQ0E6)WDUCR5S-t3Dy4FMRl^G>Q!> zNc{G4{^=tbugU4HOE_))qdeRsnaZfm0j||3K|c5#YF3@(_xR#m;HmQ*45ZGeu&Gyf9b+h)piJ_TvHzH$nxMU- zR_lK(`(P4AAgr-J)}-3js1;&SVI_1?Q|B4L&)QdJNh2)u;}DWjO3W47PP)3zhRC6m zwNR~}^S`e7aB9&9_hd%hFV&!T``r5V7HV}ar8yvmxC7}xFd5koQfoYAo4}8INZj~c z7c5x_Y_k%(;oHy142%!F?MI!{K-prW{XvdGIoyWX5|VL&COv zR$aL-Hx3_f+3&4Tu6)!=;lkaZyZ@g`L*4mvr!&P zZ9c0lwhlw|)lRJx;pyHj&B=$xA(c}`qKCVmyhUs$w)cNvY21YQzwD*Y-S5as=#x$L z=)kTQ3v(qc-)|046b$7&TP}KO^u%E*wXikg@z^33nb6#4A_s>Zy%)OHn$22}@ku)& z9pnh7&nABQFYf=^-d%`fe_B%NQc@b-dUK72n8Vk0F_Kvq{Ukxs)c+JmQvJ?vH`?BMGn)`<916BuH_3qu0)6YD+NARq6QX=ht5Qvtu2xA0-QE|I;=oOpq z;`k?oz9}Kkb-Y7e_mOw>bYG~$v#qp+x`tE=guufGM=QzG2im6)h~m`_qob*DtV*SQ zJtqYMu{$OE*!SoHLxaKY)a5NZsjV=786CevY5Tc+GEphU-+g=i@g2fNWBa(rM1R+f zzU1o{Z`x7S>kpq}h%|0h71J@$Si)M+k>z|9Xn_GVe#(mnC`t#e8Nxb}cX4m>iigbJ8s6dhNp=Ct*_326`?LG+`&FlX6|FW3 zJ&Z=Y1#=jX9z7)uN0aN)wm08LAMUpHSvdVZojzLOV0k}kyC~y`OTc@oyyb#kU;6eB z*(F*3T$mzvxE4y35muYl2qmcufN`k+Hzi|MzZPKfj+{0p+9dgFU7bys5r3mucNB>7 z$!SlgB3pc;AH{GX#WI6vtyk)zU1>;As=nAX(M8}!0PtTw|V zcM}=JI9a81rSrnwjKi%uk4~@2)g3FTeUrHW<#!yN9MT-mIX*@49}Jaa_>VR-3b3$s zrMn*OX#COJ%AjMEn&hZj8EZHi>FD4!@}1-t&8V?|<~fXCL9-&RpGF|Q76+IZGb$hu z#zcQVVcUN7qnlf@Z2Qwj{0HM77$Q|R=KyB8RYCFSpv%4O?+eTiy?_EkxIH^|o z5m_w0^-x&_1zcC~s6A?5Rb*`E$NK-f`mHm%Z+2Qu@!zc{qs5!$Tf7|KrL(8`47_{3 z*NJD}BZTPkVqafXxu4F$_56!Z$Emzsq5EPR+hHdjjn+*Zh&*JWr=$iR&RbI%`y>Gf2zFgxRLiCvVIT10zd-;J9Ia+Ju z8KWZ#+N41-RMUL*`&p({HUz8pe}A*xKYhaZ3ZXKwaPFs}cfTh;;_G}7p=_dH!@hzJ zDO)V|==G$);rW`v+<>bxUbhe5W<9o4$d`co_Le;T;@Ip*fcneUJ1{u8#rZ~tGdbFA3;Kb2e*XTr$R zhzBluX`B72{!+=>Cv67lZD%c)kcLK(1wFOCh1*_ltinkf_}TfZ6)ddDj=8VCKU$Q^ z_xR+$xlZO$-+x|s#QlA_@8LAze${;WjRE=_O_aD8*=mo)EF5pc1mRubi0*q`>6U?N zn*kQR^rv%d{i3!;s}jX4Ya8XhBpX_1I-2k19{Kux6+Rpwzz;pCX0i4-n-X8>S>kOq z*>8Vga!yZr_*KZuQ%=W(Fc_abKWuaTMiNn)da(_6^jhDg^xV8 zGrAo`e{Uz$s~2{?FZHV!|7hQDH1?;)d%ei7=J06rX-j$KexBCTOW|#?Z~u8@-!-?g zgxB=n8+DTmR+IimjU97`OF5x@zED=4nj*d4-$U1jPYS5IHhMc-W+x@k8F?qDXjBo 
diff --git a/education/windows/images/deploy-win-10-school-figure4.png b/education/windows/images/deploy-win-10-school-figure4.png new file mode 100644 index 0000000000000000000000000000000000000000..09552a448a0b36bcca641eb5dedf09114b02f691 GIT binary patch literal 18525
diff --git a/education/windows/images/deploy-win-10-school-figure6.png b/education/windows/images/deploy-win-10-school-figure6.png new file mode 100644 index 0000000000000000000000000000000000000000..09552a448a0b36bcca641eb5dedf09114b02f691 GIT binary patch literal 18525
zY96OL_1YoK^wob7K0e{h#Q+w``*YvX-4}15P8>Y_#HitsHR6a@fpj&n?=T3L%Pi%2 zNOE9*Ja@BHT<9N8_U`8MgA3W)EC~o$LHBey`$&?{~j0IkG5wsqrjxhbRW%C zjz~$wr-sl;2HJrK<{_f_g}Lxome9BKj@Y`Bxv5Nb$!%sgA=cyBWuhW zfZMJS>2DzY|9koT&yl!qO75as=iLm+3lM$R1aLl<1_-lW25V*oI1^oNb**&=fpCmi ze()`Plun_3h7dqAa0;jZn)5fV2mKBA0l4dVP@sQ?1bj+nEY)su*}N@#4JY(kSrjAK z0(g-BBtlv$1U#T(016B|aEQR=;sX_?U;jT9l&MOAJ2?6-mEEtv`N@SY=uYrR{-nh* z7WAjAf_@uoTKmkQP{?Z1cA+6a;Svynsl8A=sK8}7eRXGQ1! z1oIiqulOihEM{-duR!qd*=O2%3uHghdWfdRO1kAizQ1|Bm z9;VOJPzd?Pl9b%FLQZH}-Qw@Jw&&+KrK`tKnl~fk;)bOehqiGKM{}XWqo$!K(&I~_ zTW@Ea^nPz86lRu{^g;pea6cbNc>9izzx+1ObB(ZIL`+hD-e^+U$}S<*Bv-4beNus` zRBIz$9XcIle8h-Jo#90xH^?kK!BZ7qn9{y*M_aKN?+t8|p~3ul8nk^P*e?lUWSK0L z3E*=?3PkJot}Gnr1eBn@#v9Sg~Pw49aTDa+P$XL` zTca#;1wi7iygJ@JWsy85vC1aAsf)c>)b((0&5xNbNp(`im}A7WI5%4R3>JR>K&Y} zFFi*b!|#4*XuIo3Li6X>^N705`t%7T=bI6w(&{=H*aIZ*F;);u22I4+svykioyQ5U{te@V>6&%^{sGgd>@Qs?S>P42YC1cP7+QGs4n2EXUJ0G}nXSG?lL zm9o51Ar6s%3su^1a%RmTeShO2jXyw8D84LC9{ z)~NnG78eG*Cp8n+w@phr;#oi{-wF}^KdvvJ!sg}CEm!+L>*blUX!TZRe>@{!uY8m;EbA@1X8_xR)eMvuK5^Mvl#hY{O!KD#q;-W z>2sacX=a-HbzGm@r2F2?4nC9qW))xRrFD_vAK0F2+5Y!DJ!xOhvr1Fj>e4dDNF{-* z&lGMgthW9&E&G|p@;xbcL@SeauWSkK7`I)YS_gl4~&&kt{&SyCveP>RzYr5&Cq_-zsF6DU4Js~3eN`0MVV1?aZ zU?_0=G*A4h|MOr=(BdeAqfeG{7zvw8So5FB@O#7a=8kRE=IPezo4JJ^m}VTibUGu= z;no%JCn2fgQ`DIPbM1Zs=VWSszlaKc%DPtN?CT|GXPiBJTex-2jAzdS_ucw!u_(-E zW=YTd+Pg$k?RvkDpSH>Ty3-r8O%JbHw&h;b zp=Kl3`lzs*W-}(lSeM0wTBh3Ft@`l#${p6F;3RUoJ8n&kp3S7BGQ(pVzhzvHF!{Qi zBUtg?`E3)Q%-tP&Ye}vB?1L)CpZ7V3n(gk?+Q%N``F8f3MS^*uDreh7T$jxVvJbek z&cJ5=HtomZ(}Pk%Z_fUT5&Fy|Q3` z!$Mx`w52n@y?)X(2~@s6o|??lthHjt1m>serBOU*wSWU3O$uu-Hd?Y=^}{IdiAk_{ hYmAb|$9n(sr>;G>3k{2(q{Yg0r~0yA#~q-Q5-mA-KDQ;2PW)cPF^JdvLyepQ^v=->Q|V zJ9}rkx~IGEIp;>JC`qHE5TZaqL7~gaNT@+U!DvH4LH8iRKt3Zj>Z&0F&~9qdVo=qS z#K({WI4e;_Q7EXoIMi1Yc*rrbvy6@#6x64_|GlAyoJ!51pgw-dN{DKB8=mDLis0zv zek^ykcdo9se?+YEG_*IcM-X`2{JW75J+}^5GnhJO`JQkBNuW6qSyuuQT~Hb+?+&j5GrC{_4uOrbVqX z;*$;BAx0Hi@5Apculyp|7+34@mg4|+ z^tf^36@tw4bP;27b2z;NZ#uX@?9TB*wk%9d#4x$;Q{z6vLHgq&w&|Yo&-PyLfwEqi 
zHL#>sv0(Aa$Pf;pZkI(m1m)~r4iY(V&=~!2N*EVkaAeC7xoVw=%aHb8By`j%-w2>( z^~lJGBXWw%c5ghBmt{3mh!0$Wk{N47weN3o86#WUl}kqF*w=QK)Se9cT7$o%2fUw>Y@7dKYS9)D8xhhh*3W5j`*+YEKTy?8q7jo@M(_r@OwVzWF zM`U^MpEItdV=DI>yR{EP7VebN`?+s(DVj~BdnV%YqIU}joF`S3H1U*m@i7>ltdA$2 zc7N%Q2Ri&T+yv!Pj9!gRv-MN?NJOJkxp#HVjDx3YYxBt&Ip#Mv$@IJ^DyIotYyFqt zx{nB89336Cjgfl@Ohc+CCl?nr89OjF@6kFtJL`Hr2eZ%T6xY>ZDesF-R1jk*-jE{) zj7|vjK@;YxaT>yRGnsdstjUQo>mO^=;gRGQRqQ9a)*ZpQ!354B_^`iO@b|UaP*bvf z`bHPWK%pQSpGkOEGboX^?1xuLL~?in%NC*spY(tgUmapTl9O`!;P zkbZy1)uzE|Z8GkSiHbBPp7t{P*%#Hr#$2pBz@{<0_B26ayS#&i*A5mOZ0tmc_UEbHmt=}Xi;qiiT))_p9nu!-*4)U0GIWcO=gKBLWj`qivMsMr$*?%}? zl`|;T@?B<-JUt!eVM+CV?VF2NGcbr{Vw?XPX~eJhhu~nLLd%^n$;?cAueX}DYf)`u z$f1@gJEb@rE<+(TF}Z*8N>O{%!1p0Ewa#81(eck z?CdYkDv^xPEqumX;*3yqq~)PkFUG9sKUD=)wT+)9uhP0D&H>$!OJL)IZqHz~jH6@f zN7&8lw6ocXC!M|0o^IY0Hwib(JrbAw=(@t+XaM~;FVoZ0S2(Lzk2@jK02F?x!|30@ z&wQv(9s2L=`iu<+kuXQ9_Z$Ta9o*YY+1r;)SBX@EbBJZ<$-5LGbL}OUk~KbfBo+&KIum z5tX06wcY3KpYVfCs;;MS>S_){GE@D`m0bE=A76f3-`<6lmC-_V+%qD3ea8h(^-+Xl zNUOE}sMj-gYr>RTtHuylwFAdh^y}^pkm+}P7=phc3v3Ke-|`LlWC7z}f(JFf?X(6x z#)Pa(?l)8nreMiz3Xp;&iw+t+NQpu`dBoT~|D(DRLze0@UW>U+*;U9A>J)Y_Js5BE z%tHA0;LiD;3{qjY&u=4G!p#ng3RT*T#4FdMuXx&P2Ia1tALH1W@#2$dvt7`Mi2q)F z$f!)Ep_=rqXw|7x?THKT8ZX`lwyg-Ykyj8r+KX=&~TI&oK;&1c- zgm3dmgoAo{4qIt0`TO=wef*KC!`P@iBVszWta2%0L0w7-%xRIEOG2d_1;eRD=o1?b zk63bP1s)Z*=!bQs-gGM(RXSBVyoNfwnj>N=Ibu-rEofGc5sd8^V}sLDa$C#O?2iUP zR;6Bp$34q`3Vy1%4!j+56vGzy*EmzVL(Q~rU{-V!O`;k(C88gRla}O|h=>HAj0T_Q zF~^l7y!YMhk1qdVhr4;<&RnQ%&+as{I{HNq)eQr)vP4+-(7rTdz{Wpw*IM=RFRP@m zHCKIG7JKO!c`&Q=Ii3b&R+1Ei!(aY&iT}6{-Ez!7Vl>Z3QF8MPIPiJY!c0zSvRv9EwH${VI{itJs8u1f3iHR0|XMDHTbJ6^85P0XazB zaB`oRs)I6$h}^upAM2=`Coug~?4=xl!Exej`sIdR$Ac(5(&A(C?6iMYD>H>pTuI9o zkL0rArAhmpJ)2yW`SnMatgxTw`#W4kd<;@JDAHu2ZINrydnL=H_B`SmV7Kq~8A`D4 z`{?(b#2pLXK18kGo%;r;`Bq3DJw+IkDl*!%EG(FXUDbvS_k)?~U)}U_rh=80iz1t8 zr`f5JMv97xoFkUbQOfAe^qSInZvcdwGoKQSm5}|!6KWmiW@N1{t8~~ zhPj%So7Kv7?&Ydw1a5g0N19DH0I7>y%}cLx0bS|nIU}b~cW9h{IOaL$x7Q>FB#0bt-$b9>)lbPh?@KffRv9R}?Z#zgU1qu17`Wf*Gnh 
zBwKt`YqOKjv&nNCd_s$d%*&flK?b~+M0x2ye%JT5ALWezFYv`7_Z|t45!Op^a&$7j z-M7pl=!WpJ0Tb8#byg={ob4Ij^YFx;>$*1n;#6n`04zljTfEe$&axUdL4c2ja`jN5w(mC520ZF1!JYpVFWxT}x~o;0gSRa+ zAGwX0MICQzKIaHo3=~C_X=WjEZoC@{FLV<$nbkrR9d02w%du--FS>xxvzL617ONGj zQvoZUNr`qrX8sEI2!9=9GE+g<7M(Ko{;tv^5-Vfq_a^YBp7FRxgj6PtAjVtq%e&QI z+bbN>ErPz=I(Ymp`)lL3SIKaYq@)BnRQH*AL}6m{;uK1j&~v07P|f}C9ho$+e(tI7 z_-4R_lx(BbdqeqD-<8I7Z(epiX)vBm6_<14u2^^j4eZWWUh($wU}0s|>=uwV^wtSK z#f?X7N0;?bC#f#WoL!JyOqCwmA@Hh{yPZ{E+U{-*b^JKkMQe{=r=k(zE#=Gi-YBW5 zsi=sq?+r=gj{}Q_j4FJj#KanEYHF(ANbvD_YJ-HS0-tNTDP$D6)dC4gGOS;t+rOvn z6}YK(N z!hDQfW)S$pW<{$rx|-mXGO5zTf{hBb?PKlb5qyZ|kTpF8_)0~!#R}ULt~BJY(@&7< zRe-LqlQYLGU{D*KMn)`#fi-a|S-#+zwAd1pSz(Yol(KA^l?$k#JJ_t@WQLJI3JN zOO=v3f2$UEyc6-#B=%`#7y|QA4HBmfai1jiaQ}~%#LrD`s|K5={w-R84fc3qjzo%= z((z1sO(MQgZQ&2G_B?G&o9V5?MfcQoY8zb#sDgbHepR3B5d6&_S^BkZ$2PZe`#-_+ zBXu#Jpj8o8ZKb(I)EIUqrify+6@;v_^$e5+DYd5@SYq+@%P?k?=Q>Y1Hyv&eZTwPH zR4fD^acdqN9Pm=gfbaWTR*#>U{%jDtLosw6EgWqZ$Q}syx$$$a;(l?lu24?Nmfv3H zztH9jPD!MIl7^Lz`0Cma&c0`5az_opq)rNq%TYF_dsp2(R*1BNG!Sb5(R+3L~s z3LY<>AuVjP7Wn#$WKqCmGrU<}F15gGqDp^j|okD07kP<$n;Fqc3FPo4DE0q zJ)nj5M*8*|Gc@^!Vt`|_<7Dl5ZpoQ63QFV|X0ZZ88-l2{q6=Wcbm+_N$mZ)muh5{k zk)F&C;~Ju&$cB(Sig%ZOS2J7N?~v;E5ooz`h&5){%{Fk#`bcndH@=1+aea|v!uXH@ zucdW2b$)tq9=ZPZqIkZE);S(#lL&CM?04t4Vi9VR);r?23~p8 zK0=iBw} z5P);=WW{Q?g@qE9ti?KHxR$7u3+i+Uq(Q#`28*d+k|a3Ubc{6FMS2{ATZyFbK1EA} zN;8n^G*=1(5D*b}Dc}mcIMwH7utLt(`t|E}!Tm^^ zOTqPF0ku&CJdxtWDJ2!v-oZhH7rwqge8EPC5BBC?Ujz?|hhLzSM%-6j!}{dJ%;#Y> z9g7o(T|Ek#>cyiu%*wP6V}Ot@4K%kp5C;$I;MEj(c6OGWnvm;t08SxiF57TkMHdib zp@9rz1Hz14kX?SF#vze}I9ng>-6<8Jqj`Ek({%G7%14$cywW9~#iTNSj`3wWUz@pX z#_C@j9b%;(dYjdOvx!VJ`f5>_5^+Z{Uipb?={0oW7lVuupos~Cpt<5ssOzWnB73hV z0O+?7h_~b4%f&MB*Cd|@>vKcljFUc7b~UAV3I`lXs1r_srF*?;0I<=bFaT%LuoJaA z#$pt7M5&>BvNI5KMc!D~$Q$s?A;H>*aFG}5?e)iNs=oHwXsOx-&V3daY}e(?^sYQt zmRl~M(58ZL?g_I|ICuOx@iQh13kNSeg!4c^Y8sG zCg>?HyC>-8m8&l+oKe1h1p!^NM6{xT*7IYhx^j~L1ToyLr|(vv|5j*G)M9dQa?*Tk zC2x;$VKNq7$iMtmU24Wbj2gP2H%6DjdGz7eKPz)rrhETq+2jW42HL>(9}K!qkiolz#!ub*RiuZ?R|S; 
zO-e`&e0Fadsn=Qr*?zNKBWoK=88hj7GLuP>H3@q&LrOzpNL3D)WzzjJx*ls-sx4Eb z3maFfwOAwi`&VCZ%G9DVdMLFaz2h8*Lvd_IB`<)Uj^31v)tRWvUa1F!qBWx$7|!&) z`>KlSABIgt0hxdor^k^wI^qWN%M3aZY?Pz(Z!VTU-nXq?b;2 z$Xu@4_MOiA8u&9L6dGT`r58zw)vESV2TvK&$aIoh* zJUz135EY_$pLrdMfdM|{Q|2)-kL`iG!Yc~-4J5nY1LI0IO4iwi82z_gIK7EPb@7pI z_BY=vAL~BPl2I_f-v4v``$1=VX~cCiQ`2OfULs%~WNu(!fWClGr2gm?+SJsy>Mms zv6T)yS&>zdXS?Tb9=R_h|4e4;hJ8PW;>3@rFk}*P_*~1R$wqpCb`xYZH9&XY>HVLb z;Rp_MU%3+mdsW?-H{4Ny;kLARxkQz=k9$&OX)Aphc!3v^mGT#bl{}4QEWcd1#uP>3 z$n=pW$A*Vh_+7;G6)GXfPhs22N?BQ1;^)uAfKP+RHk)L|Q{+(rO=E>B1Y1r>xQ5)p ztCwYAC*DQMSE^->!>vwCtMQ~2x8x2!Z#R>eYME(i+#24EWTJ(G@%&}H{LQ3v4x)Z3 z3xEHLGX<99sC;7r0tX!*+S=M~Zd@5V_D1s45V*=!z41{V#|H-B1I@?;T0GAQHN1I% z`tYWHW_1L+EjsN!6jFhKf$kbOYhz3Q{$XQdH=CJiZi1GoD5>e?eyK%9Ms5Q-qQ1K7 zTVs5iA_Qdj3jth z40;0a;Q>4}b&b&xV;?FOtN2!Q(!^U7CgZ042Q}@v%>krsM*sR`B~a_FS)D<&h4zZR z57^%w5)>3*xxIdf*uiZ&a;Vz@7JoWe%AU7kEz9C^cwTL$At4hC??=`hYJ$Xg>A=vy zfP}Q0o&%GU*7KTHyENY@j=RQ>T?Szk&5QmU|L9cuQSDDiokqNy+ z@EUt+gTtzGL@q8awMzb`u0}7N5PYnUj3n}?HU39Ua=^1xh8JMjEKpKEy-(t2KzZqY z>RbFzB)f`34pn)~{tiC ze|13;%SB63vy-XkG`+^v<#Hkn3%Pti>0_8+xW0^ z2q$3mhzM_C7Cr+bWsLBp^>y@au-H*nfGQRiLRg(2qA!auS;uG3SEDaO)zRMjfj0w-`Cq1pP7FkYh+}e;c*_ zqkm#(C`|4Rj3p{T%#K5uvm_lp6D>iGr?RuR&|QapB^rz!7&Hc6ao-kR_(CZ5t(;*x z6?SE>rgE+i^v^VRq1P=qPT}VAPK|37vh#ir55L3--b&=EA6@y7OD~( z{F+20gHBm_8_1e`%{dP9&)wZyUf+khRW|P>d&Y8^Rs(q$Xm1`zWo6W!|Hq3;ZW z>}GvWQ98`I_QKpL#!tjT?~!UyeWW_5>>YH`wZhgy^=ZlTV?WtUa1t`}^EJYlRM?}s zQdp5+EztqQaQ=N60vXn7+*35MS;_3wBQo1nb*37xcW;Ihgx49kC&aijrEB2WYL~D8EgN#)B5fA0* zd4%%%j%j;#y<#$THAcWkyb9~7$P=9%U^?@4weXwFk}f+Kbh@Fr28up55OU;|XW5_X zV9Da85)|;~nabM_h(Guz%rP7TVdYq2GlRY_9 zgdlI7S#XZBW2lhUGVF&Lzw|$Z=q1~uL4LufPY=R#NVwI0l=>|fvCi9V&8_+}wHHgl zK#gzTJiNS|Y;1fUuL?>_tyO3KkQNigq3?^KfL!-cE-N47y=`yA=g~(ZT(|9+fk*Cb zp`l<9Du9E7LnN)Jh{)D`J9Za5mNt_B#uI}yHwfvup?wH0Cd$fjm1pzQ3aAuJOz0R@ zZi}6$1%FH}EfEMvNsU+{AkUI@PQy=w^z`)7U%wU>7bAuM$gxscemy7m;5K&(eP1&( zGl3ffkt$e>Dyzj`sDc6|9;kY3F%v?6sZXasqoZ?{!UZL3Q~^vPvRfn!&LPA+EcdZJ 
zd=_u5(-RZu7!*i$G`_Fy?Pg)0gF<@3V_}Ne5DO9sNYEJ{)~p$CcP|JsyFO`- z$lC@I+L;Gyz9y#PMOQ^&;o^cK7il0j#%$QpBYuU`x!-?gU(8?rDdruz@XsC*4z~fG zMJT5bI2+%rX;GoSMKK!?DT$qW^e-33&L^IHznr@5nhH{6y{!Z4-}Sw(wnPOukQ=yxu1lQ*Z7C&V7Y#9fKa|^mK9$sFi z0v)TWIw5`Shr)%uF_t7|>O*Jo_`fwqc>+FcLPDf@Dy|7@T>(U-!(*if%}6I=_7P-1 zWn~KIwyQ~8u}{#O41`|{Bv#NjE*p`c)<6KDp^AoDa!OKTQ{6$!)pP9W(ov~X0{dn- zjgPp+Ph(AIfMxe6mw*M5VP$3cUd!~~DKAq~7}Ode9j|f^E~dJP{Tvvtf~ZoY*HGjb zBr`~XJqA_-QOR13eP%u$egAOs;gI%rYyqhfWDdut%1TQ`aNH>PGFv#z6V>~8RU%Ht zPEXHk2Dh$3Gjp>ck$6&zowiqGuvxC2>#l>yBvi-M|GvVR#7-YD3;5A2e3^?>)#hnI z9r)V64e+O?21c|xdwZu3fey5$HPLMKgggp=#r*J=+&4Y`yF02bP8@l{E`>=oJpeD7 zS-%sCWe#TUJT0_P8MnxSij*JbDdR!NDXDkCe~Ztq0PJy~HE*_D_6I$V+)I9A=M$C@ zW#aqOd;2L-(io+xXn>DAWi8h8ce^!-wa+oi?5fA=F^ojsyedqt7rDET`gcaSH4vmj zEwNHeNl7Vq4Q<6_$O$Fk^N;GJz7fEGgL<_|r!*_XLg6*!z8(P@c}~Ze1<2epi}Iu~ z=O=aJtxE^R&>U4;0=LBY>~T%~RxsT z(ACkIH~=qe-#vmFpn(2I?V|cEjAz$$A1TWWNiEdSIcdtLmLx-XUIm$Lnb{rLe}4Qa zNu@sErQLGw@YW|FX>!`$8_IWk1*UrSf)+fEtVK{M1Zucxe-p)#%P8Gi`!Dy5AqeSU zUVtGiU4xsYwhMxPghj{_@jqgK5ZaYA*(W5|v7r|q#hQksfc~)qQoNlY%4%{h99Ly# zW@R{&gTr;^=zr1(rxkQDcCdbk`b(QDiSU4d<%PZpnxz-rHD^0gSONtfd>D}A!-6>P zXYFg|m(bzRvKfpi8ct=!ciY4TSurD!YmY%x>-W`sec0|$X*d(Q1Mq4Z1v4=eX+74MP2GAwcpg78~1 zM5j>&gJ=k|+!5qjmCQ6WG+wck?$mbO!k5Kt>hFEyJY%=}^Q*XPAaQZ=HTpgLm;trF zDns9n4r9qFuVfxt4{+mEf`52Q6*p7CEr0nllL}2QcHDXZZ=qyK6sjTA1&ZfauK>)4 zq6LMXV(eI&n1nEIh=dDD#-LL`|J7gbTn`9C#r~3HWFCq#xYr%_pH)K`>b5$x~iiV;9af5%ZhcY92vr{d>o+f-;x8qZ!1y zqqB#27_C$qW_=14z|B(onb_84)6<;gpP_LMqE{Mx71n()`*JPY1vrb_NlZs$yAhCn`vyp483WZfYz8pV{A$>J!57jR`aD)l&it+4q?OE$@*?#@q=EmJok2&hA(t zXB~^lA|o>}F!*1e*?R+EC~ExPZFBw&$+xaiJM*1}jlp{aJo@!mxNrCT&I|ZXj*i48 zB^jUpN#ewH|H*FotBN(fN9e%EqpOw%>60(bXZ64QKj+V%w~3g0$tZG$Kx&DJ=;-Kw z!@`zdvST2j?~kRTJRokLIs+;_#4HB9YpJT8_~CB6jd!x+J5-2|7Ik2cl6YtsajT*X z#-nw|#FrEo-_4Ra$nCqBNJ}HWJ~w2v`;l*pq0NKNTsBqn%|jwBgR45Vhwq*?30&GS zsgPzUL#+XZNX87~2>+c%92&X-)^i;Pd7FQ(bfP&JTPD|!Vx0gL6sQ~YYod>XA~8t7 zXFcz4nrT3iwQjPr>E5s}VDO_ayS5ErG-Zr4;Wr=CaN3yHT**of1)svuCh4?}dz2E( 
zl@h%zi;9ruB*_HDzO(dGy_7*IKS`yaL6l&^ki9Xm zIDg8PPnm{^I!SqiC)AF58Psy+d*~t1Pu=3Ci_B1Jwt~&jVz#1|dlWlamhm%~h-9v4 zE^XtiEjn_^UA66Mn#yhlM9xXdZ{_%tIhUjfHG|WdOR=s^FO$FLb*1r-H`;_~b7sLU z?eSU}i6uktKPewI=83Y7)4S7zu=f-dDMMxqwcmKZGYa+HfO{fEEcEPG$eegECt`Rf zwMWRBQ!Ks}z7N|wNzFjeXEwMmzE{69Tu-jp;S2}@mKy@~htnEQ!2?~)`ZFCWe>Co% zrriYU2bZ>hudDMJXAf&F-?v&@TOC{I74S!z(3ISs+$c5&zzV!q$jPt)!L1WC@} z8?9L*2Z|~E4~n#A&sYEe6cgSz5F)kdIeowfgc;4 zFaOT_{^wU?^_hSdUESKJ$?4oKq#Ut~^hV}$73dXNdmkMx0C?SRN6LlJrue()vO~(% ztTK^NFnb((avYhKnudPVI;17ov~0Y(zwXUkXXST0_>r4S>LsVGjbAxvN|lw{X7bgu z7`x0uRhr9b^L?3H&8VZfwKnfzWN|`J8R+i@{s?;C4HAA`2r_9mAmpX&FrsD5Lft>F zN5I@$4MQwLs=_vzmnbZnrOOL?e3PF2X{BVmJWuvL0+nF{`3QMnptJK%g3*c1RVm z3sfK+X;+d~?k*9)$@z89iRxk}a@W_O>trkU=F*;*T|15kzpET*dg(#u-RLutGPa!{ zn>qoqr~_Wa~vp`O=pA|n8nn;Kg^`wbn&9SpHsy7Zge=6Eenu8tPTUHJ<2H8$<@v4UPZcq=rrXV(Aq zH3?rV3YJ)4W5dk&r6$Jdf79Q|F>&rhfB| zp|-FH2?ct4vBco#87hc_CpIR_E5WPM>;O*~4W2-!d;;0Z( zi5V}D7Au5j%%_D*Q|o*MbRlnvNh2b*s99K8Ty3@4TQxre!(R~k5r?3<(|`tStXvT| ztg5Py@VhNnH*YP{9CsdCI`x3m`VP21h?T}JmixhWIE0^X_C~P114C_{)>@z!*!-8v zd*~*EGcq%U0$(3Z)MjNlIhDQ~h*^RV)jpQ$h>?+7RopHaXR+~3Y4mUkEBsy=-0qX! zb7_=G*lUxeh642r7jseJ;o^Xu{YJ%qZf2B{>dXG2Fb|Qzf3~lCmfl- zg#OruMXvZ*Cqu3LRFG3pzuy5HRRcldY70r2ODL!zsPF+IwDuO$jZ%xsrC}IEs>jz| z9fg0}hWY(QU6}<8x~+u)z6Jq|f{r!SmIY6tTyNW0%+l>1{~KBZCZpC|%Spf7ek=<7 zcKQ)i7T75uW5bwfSHVDwq9-b z?YmNdCO@+bduwxs579hz%eTTjckG%@o{BxWKIJRDRv=gUgsk4Vd(=rfff~~Q^@!~{ zFb(@4R1-tM;!kCdNNB*bx1XP{w=p#hLq%CZ2(uqiWdv&E_i2|iR=ykTt7&^ij~}h_<(t^cTe~+;`mN-Qr^L;TvP?7{KeBQj=*ZsE3?LG{bTvh$J^S%tQyNeC`lj*|Y z=sV;|z33eF9{dqFb7v~hgW3{*SQuPI2k=z;9YMIqtHcruuYfH<#ymk_C_?nSqeB3A z??4nCL>zHZJ=w9K$RunV458V>3Rgu@{tU-^k(x0n0klv~xnAr-ZQbToYQ(02faDS& zP{9wk1CEvU=!x)Oir$E*bOc5G{Cd3$JV6_O=(iutHk~hN6csbJWrdDv?>^Z|yYZL( zR?Y*d5zhza;&n_?uqtJloHHk%0v4qFrX!Y(-8E>EMW6FsNG_9`8Fs{|!;~Z=<1Oo! 
z)agvHljBEl*g#T6`6k|u-lQ)$1}PKI9u&zk>gwtgzFQy6myw@J-@-GXgjH;>(wYj`S|0b-pjPKhBQ&{sO5q9G-1 zZO`C(tJ|Tro|G;IN4ygk7I3Fhrf49*edrgbUVx-`|Y}!@L)*nK7CYhw$o%0_x)v zE;)X(SvzD2zj90%_;vil3)LtMxcMg^XNx-1i>l4}`2E#@hmVh*nmVGU4oY(#L^U`s za*)qH*`lq@0p!wD(7?$p^ziV|(a{l;{z)!_{+wS>RMfkuQh+wSDeO(8)cv{`t<3%Q z6c6L~^V4Gxul6w_9kW479QMs`IWK&6gHrFa^u`oixIyYoo-o{dU$WbEAC!Q>7q*%{>GxuJm@7LJY^TGv;iUro0Ohc-6992MOk z|2_I2J=71{blhMSO0NsJH4xKE_~x-P7BOH0}U9#8o!bY8xfTUcC< z4vy}4?~C?d^<|jxC31a-zo2tFl|^%y>$4)$Cocu0&hMdTnBI#MHR$bosglg{NRpg= zc1A!6-RW`p`nBatx~K`Xk(1I!Au8+E@%PA7T;~)&hP;g!0MRrSRmehM{0%%rJHXe+ zF7s~A8bGSq#e?Rab=?HVa`IC;#wS=qxag((gFH2c|Fs#+gd;B;aT>)$HyFG>QF zi6kqN5VvXHUz9@k%X9v}-kF=C+R62ec4sv0Hks(*OlK1*sli*>VRN>)j~=`){mt*> z1{C3PmLvk0uZZ3M0oPI<6y%ztzg<0w@ymg<;i#&blb~@5j^BTj$c(#z*_ycSE8VDp zjhm||-CFW9I~LoWWr%E%&z2mkcGTQvsy|My%Pg6}AX_+vEHrf>&+3v0CTiK|=G>8yUIFt(m=`xE3n?gUT zz7WX43&*RuxuwDu9_NcIbFpFKwc+<7+Nh^%-MI9C$yY65J~zBrr6+4K5@7bn6)yTj zq{$xM<3ZKft=&AK!Hp9J6DXmx>$ANE`ChICCa0u)GY}@`_e2xE7@*95xf50}s#eFI z_WPcPkYxj;(vDMbGg-z=+*DrTV{t?RRLk#1K)_-S$H$gw`ES8~4&xoqSkMcRYpPup zozb|5i?_v?Tv;yc6{u#*6|S%0tt!+AoA3u>1km<227%QysqfT_5GhXj_5ClvYYIU$ z@r%9)QDCc6JuX|WaDPA*k7b)%hSNpH;DkOsL~aU?Y6iqvI*uk0JP>=xw7$E|$<4c5 z163hw+MPGT?Y3b4Xkhr+o6wUI3M+Dn&jJ6|9v`*-?I=Wvl*q~^5Y4xhH4JtzkT=Vj zsI4^^%CC&;BpCmE#4X4=Go~sGaayBVINYFO#N(Kxk9P8)#Q*ZJPsQ%&%q-{#T~ zaU<51t7icVxG83gDQMqs%iCCMq4>^zI@>~_-vW%y;@ktb&^QRtg-=+nRZ;-xgAPCh zMn=`H(e9QBk!EZA%DMHlmPzoPWuX+hC}a28W_iZhu8i%&Tn;k|yOxsrN4u#F{~2Kw zX{?f}SMZsx&FaOVmbX~E6_#PfczZ+_+mSthWnawm2^*sU^^d?%FzNOl%HyP2$>{45 zv;q)R&w!WS*P^3GzbCtlk8rUq>*KZ?K|5Lb|Gf17IqbimmYJx?i)>+GVGv4eaB$Go z)fKXof{@}fGc!x>T5zX?V&Qfq5Ih6|cU9^PQW&$~KRrE(iHT)L!yzw{gd_c>RiIWE z7w;Rh!@?HLNKe;qb1!RdZfFLYM%0%&vYGE`qHN~o&b(!jU%FqNAe`F-XTJa=6l`d)&Lv?Zb6}=58}xd2k4zpg3lPgn3+bC%);t!rO09=49BmCsi)o0VhQ) za=IL;!>}<*MeE&Ce#9Y?Hp+!`s#+9KL~6UR89Dxg9^F2-C9&w2$@Xv+$dGFd_4kK6 z1p$1$P*44!;}J<41y`E&j8%4+wcYn#=gFh`eq*q^lA`Clx(W=Njyq#i(K|teUaqC+ zOyjBkQ+|x#XhIK*c@0dxjBiiAXXVs({^m>07z3NxshIttg2bx|^64HYChF>Q%f5S< 
zl`s&iiD_@XX=?6Z0gntODr?|r>5kTPt=-#@Mv!}xS@@Ay^vY!pc93$U+Nh?8&j@Zg z&CvfTOSGa@1i{Pe>|OUJ8Pzw7n8c!inTzWD$1jOTkVtOa$3KXf$Vh17XVe5uy@(BL z5WFro?(gpUDd8$UL5!r~<6GI-AdMRjURD)0sTq%dynTE(n(cpQvHksnSz9unhY-+w zG-8L8iVAU9NK=!i?a7}6qracv;o+UwQW<))#G{sVip!RrRCwlM3#;6Y;6kiBg|87^E0KH%2t{^ ze4u}h0M{v#p{6DtCg#@O9-OJRVzqv2Vrr_CwUc5<3=5-xf|{I~oUWXh8q5#&Lt+|~ zZitS3X%wFkFJ>fLsNso!WQlxWUpsVT@l-R?5yL${PpCtwl>M0zPESsRg?UbrmJ$>Y zYZ`G##sLw4f$DZ;;|u>(W-E4eqUx8x&4thTdb3M&qa#6V965sZqR zORA|Q>V==5pNoOT(&bDldU`|{a{veyI2QJxu}ZVQQ~cjlw9L7DJ|(-Xd;@uhIdB6n zVlQl{2Q_{9RYtIJPBa`+m5LPN%aFv{g9dnu?BJ9GV715VWTa{GN`Fn|wQzV#dcQoJ z_xDRMIWQrS33_q>fk0L|EIcN)@IOclw}~bKv&k-V!qwkpPyO)!(Z5;vYnYGzfyT!y zrsXUP$mihOSv*fWx&!Zaaw_NH4GOiavWQ5<&mdx9B_v?@Ze1P-kBv?IXu-`%G!)W( zVf?~YQi;7F?r7@IPZDq*K(nLSKLJ;1oql^2Xzo65=MG~K&IutZ2z(fBkk1@d6@I9! zrzAnbL+>oswklmniKMsOZGDFN%Q$6gLRH_kK+S1E(R75CaED7DHh)sZwXAQNMtmyG3G&(ijfi7XlXhOD|Q;@=G*OsjoD?w zYUNpV0*zZw!t*#oVDx;n<&ZoDc^G8-LQR&AyX#Oa6z!~`UD228i$#w!&h~oBj@=k( zLPNv*z#oo+y7oRZq!Og~_&C0|n!XBKIcs<_U8lzCVhGC#`V;zF(D-i4CE23PKVs_I zy`KZ6P_YR*Ev*hu$$}jLTY8+|1yDO3O#-=!iv709>SpQCCNN;gH%}`i`9rZP;X}_S zo4-^ZjeX)Q7NTj#^ky`wm1Ga*Fp31^6ixLRkf!Wnysyc`wbUyi{juD1m+z0@q$j*Y|1;@y2a(1PBG$k;Zy;~1aJ z2x-&M(5QV-Rw0)Tr>3S}L+L-8-WI2%6xfIM-43(6Fx)V_c$lh~76|8Bw03fV#WfM_ zu<}M|`YZ+JTpdy_?Cj{s29t`ny4JpfZX2c3!z0HMna=ioLtL zyZ$?yGGBUWdTC^&vpc(0s zPg}^I5L8}&Zo|z6j&f;TnVLN9V4CEPPsk0m{ugrxA1=j+?<7%I)l*}mD|Uy>`|ivavJG&95p+Wkk6tSM0M{E5 zRLQtUc}K8BW-}X6h%Ton-rkbuJ<3t5nVFG5%Z8yJYjvvQ%jDfk#$>9>829_=JD72A z!b57WQj@F5Pn!Isi+5Aqt|4(1&*os!lAesS?Jq%#>607m4EHZTg1QQ)z zo#D^S`Yq(}3V(?#YsKW{#~>R9ksGlw_wlyR$GCpsAj}`@kLycg4KnFvbvWMbMYO+c zWlU$296SWC2PLW=o}b|1

LDV7d!Zb=BgsQDB;&>xC;j@f0t3fpnLQ$->2z9y?m! zQe*e~MjbuDt~Wy)o zim2TpWx>*G1moRd7_C>rd%pw2FJ0@zKsxIVkAr9BZ)E2^Aq6{}0$a`DxW`y)=NTr; z=#DB$5P!~Bc_^cfftigBL%y8A#WThzljc#f3w|Dc(cvm~a;3## z8OLN9l+SG;unO4LRa;|SWS0|fP$9)~UH0R8TB`PT6Kh%T?;qeH3}eB^LkM&4Q;(<> zij@oFnw@e*x8TNiNZR6i^9# znGCvBN1v^^s+sbX^?lgm@xPiWx#W1&Bh#taI6CSmV{Sa{J6vbf)Z6*z`)?+;bU`?% za^?|4g)^I1$$e%L0 zvoc#N9Kxh>E-a|n!Y}D{&_UA4XLstD!Spd>c(5G_eL9wrTg~VJ>llEtptQ$U zH`Ng&wfCp)t2ip=x7wHcJ)(JD30eq+qN%y4VuS&0Wo6|b#vOsV-Hs47eM9kqtmlHY z@uP)~l7W(e=7qY%*YumTuhWR%7q@vBKfqnYIJFoPQ`PnLHAK$pqN>Ux$)u>L9cxCT z@vX+F`{$);0_GS0zv)Kd?8lJTWssK8#x@>Bd&6_GC<4+-mdtCZ}(2qWMkWIY^yOF+qUgA$tI1_*luiFjcu#3Z9S*|=eKV+XLDxeGxNoTIoUyb zhZ;`@${qG3Qek`hi>WCEzS`;SP-Jp3*%g+xE2CuEHU3Sog zxYGC9X*JoWU)=N@c=+(xCNx^xF4juE4$fDl7Y7wSk;P+#9H~UB_Rh@IDDeqo_D&0H zz6E$N{mJv73&VkdKmUQ&)JPVo4`TSF5zjwk8i0 zHSrhpDLpxPqGnEh`eH<3RDG+_UjsvVQB5t2soX4zom8q;GNaL+-yg*!UR}sD&qD`p zy33DWq1Fj!V6S8!h;J??tiq&53HaPLM%xrj)WZ8m-KbR=43p6Gs;4e19?5zeHhuR@ri_?38@_eD$W6QB@}YkZ zYi|I_aj1TQ3c0bz3RNxZztPcQmK9esB}cTct^J(=NRN;1xbvzh8XM^6848>QlFW_q z0aFD8rCw6&MSA)65Lc$H*)Dt#XVaUjvqv++ zE!ircWr$)(?za;Kme*Y%TL?Ap;SERh8K4_7-RY}6*DX=B{<4DkC`Fss;HQ7WTOmYR zML`{Y_L!jqY8o~m%Xr>=`_%z=`REiB5!>Io_2N~xenMo#V*xrVcE*SjdKuVOwc!ow zC%)iGZ+LRDJD!@uRttN$5eye?yGh>X^fS3RuFJvPR~e4Tb$hy_d|70CPT@2jQPz+& znLDw4cs`u#i5aiuSWW&meL3wE%H+(&n*FCsT!IN248j_h_MdB$I{_;&{-TYKr%8l8 zq2%dgKokZ?n2m?Vnr>??zo6DB6;YKns7uL?AYMVl=`|9Qp-}z?$I}m6+y%-(-X(xe_QAakCD$^KX zT>xE}$Ied+`HX&7n@GzS{4dhB{#4ar9|Sx|eG>1DMDNV&wa!s7-3^VRk84634X`B< za}yV74l7-p>A|~VX&#(W=|1g?7lFIusO0?LCe3RTN&cw(jmUR02S-vJCXnf0EHSv0 z2rU2g|Jd>GVioZ&dpwLdU%GPkl1chL@-@&TRaZ*r(6d#1v2&%yxNV{W-#i%10f|Gs zS;Re`rKhZ%Ur-!6{t3GJcTk}N=GCiFKq{a2y{wiJs%UNhVjaEV1g4+kV8mrN%Rzb;e~%tG<~zl;l$KET2ha{QkTiK-{B^h}gU4?F^3aztdyzjfJREr^0 z?*H5ZAlRuVnx$dR4;1BG=A!AeH^Qy|a1V9KTjYA~h1O1n;T=eVLFTD=0!VyAK z2|c;WjtY7{zP0yj)BEuD?zCTj|9Y70^s0k%x^E695BBz!S65@AqcpWN0OGBsrB&~j zZOwRf@L1Z5#TPiD&k-Pv+7X4+xv~oN_0=_!A5`PL&lPAhCnKYE zc3QqgT?xzF;yfqg^$4Ccq$!{y7lBO@;rqkGtxx|=X)7uMvYd)8A|9T?5tv#U*GR01(qzGA^?Y! 
z`{KYrbRNqrNJ^$MnPdw#T$3o}Tx2zvdr6TxOTc0#|(NzI5q(=-)3-p!||+C6!^uOlfo>D)YJ*vGyJkl&*>b z{(U`I#S>TS|Gqhi#41DorO*g%C!uP4k6-J?ndD)_E2d+5KGMW{KE<(sQgnj8V_p8( zz)QbkORp$k0gti?XiVZ4XsC`JD8Mp39y<8Xjw5xgQG6xezbrl+$;v-#@LNP{GoB>+ zet7i!u3t2rVRw1H$>~q)A^L~d!-~xtdAlZGLch}|H8rjVSw>#o-qx0$j&7GBObF58 z<=%D)?+~pw1wq9B-zLRe#4ftPM(;R%>K4zA)6-ay}9_+yC<*%EVqt<%=hNC75&*o45=_JCHM zZEl{~(FxDKPj<0mr&9hB6o?*@_LaJ%^VnAT!|#Mssa3>ew=q8KSNPM{Kt8y-prTVU z^$SEuY8s!!!yFeK%_8$W#;>Sv^%d=wSCq zSyb0ojn@%EN_vEmI^YG#sr_bupP8B2;Q)qE0DhjZxn|4G`*N#?o0S!m!@YgUgo+(n zTyk}8{+5X!K!jy!rhqoiEp`UCpmA|fpGvK(rFR#@$K@eDgiWsUQO=4|CHmnSf? z^vLUAeG2aQTZ(EW?&6j7AA>vN%pWqAg%km5PUf3_lY%=XwnYk*R+Y` z`GvvGq{Kg7AN{i*p1!F$>GDo|K}o#sDB!qk==;M)go( zN7i59Y`ddMnC$44#(tgld)zDdlX%B|%XlxgPN$(k+~!VZa*v)Kk6y&yMood}RyE@S zRfePjqL85|94*Li%?APsG4OM=WW6oRKe7R+Ay?hWCT$~2LdC)ld1|)aPzIU~>{|37 zr=yQgm`wo8MQx?%V}aY_b6HjZMFVta3rGT+3=5Ber=Dv{lNE6*6Meh)-wU2dfFUR~ zsq#;>LcT)aGNRHf5fRgcaAFy1sHdo;CTNr_#Rrr$!EpiW4+dtU91Ue8coBqcdVWQ{ zdZhULQ^vDP@WZR-i9`|KHv*Y7Bbe13nU(c+;pxF&LiT&y&B4`eqPZez0zw5Q)6k`? z#31h8lu+J#ljnqgTE{Vg_Ti6iFesVe1JVD8#d6tcIkeKVa~l{c95eHwZ(mKMCzPU| z_&&z=(c|w2+v_G>>cF*0PB?#M&iHebl@H$R8{P;VjVI^DzZ*3z*8_xh*`XWcp!x(jBzJa?0 zvTyYF>sA=Q*8$ZvZ7Zc;yV||}f!=o8)?j)>b@qaP>HS>Gvokv77kMLPMMcMzKcdPa z#)z!!?7k8q#9MGAy~{X65*UwV`Xps9gq|B24jBWHj6^nv+4n29978Vqb*HySe$n(i>VI=uHjrkU)7A&;KyH%3tj zU%1()vf#8hwOm$OZqiPgkcC!{sk7uGknl6jx38+=o9!w^A=09gGiJa<{Gwljg|6>h z_)ThyH6b{J#Pb}(=zjLRixk(=&bp<`<*%nADk`huf*AC26q;k;`!*7dCmQPD_8j9E z8l5(uZCmE@#GC}qeXJwbGB>zoPSNO1%dsghH}ZK$dRpuNQS&!+%3q>2d(UF|+2dGK zQ&aD?%PP$}5f=L-sk_9U&}&^G`q3Y;*F?k&}0TH45K3>WwIb1p*?D2x2`Og9m2xnBIw2o6|x{xV(118yenk~gbWU! 
zI${n;OcStRqqF#(%N|2|)0!B8AtMfD!E%L6YS(Zdu4KKVf)~Sv`na>}+N;m!)Z7IU z*{|YG~JZ1-F3PKdT{{CHk7xuN0etM|xYEwg-{TA8gUW4r0F&G)= z*x7vWSe>`mSc?%J`tpXP8H+#}k`x?@ER6%S5|*BQZK^MS4M%h>a_A@LUPGpz36|0u zy2QsiD;ZG+AY-4kya%0f`};@GZ)Wyj(nkTWC9`>6-HEa1pheRRZy348bDlz2+5E5p zn$dRly~&LLst#BFgawz$b?K~W_X};mk3wS~xt>hrznF?bSTX%`cdh3y0vH`VUj3bq z0|)coQ zwwnqFS1Gnl`1$f&No(IQBq-l;zRmq0=5*a1<3pIgh>Pus?HIWa6QDBvd?l2xfuX)e zh!~sotT%+8dnve6xHX6U;Jld4lUJ%NBOs{vBJ znDy5b*x3{dLf)2+P!QJ17}U|#kt9c*>ocT&4ctvjO9MK0fN7XhPD=~-Jtj)WepPiA z)SHAL`cK@0rP+uJ-}<{7d$-^_1sBdU0M;?Un05i@Rf{2B3r1wVxS~g!l9;r_#Pq%y z-uF*pfNpAU8|9HMP`oY_1idAsm5fgP<5(8S)F_?0KHgrmo6fBv6D6`95B4kc{crm; zn8=dv)R z;RsVR?`V3#)=5S7%_XNCAr9Ta$~;~J4megU@!2Mu^McmAIvx@dn*|OaspiuBB6|T@ zp;}U5USz94@0_fxED0;tMl?GRN@p&hm$TX%*;6S~fwq{1QXLTW5LRWUVfnQRFaivy zb=;U0r`y~~u!L*s>vutulZ);a79c?2ArWn0eDs<7eV>Pi$1(Wz;zcvZD^tMK<=F_2 zP*=NL1|>SNrI~`0Eb^B~8)MQs+oi~=;BaZtdL5sfp1s6?w>_>Nqi8Jb-TI5$nQQL7 z07siPA+aYD5l;L@E^G|zPK>|sphosYub760LbnMEG&B|<@Pp7SBK6_8m92$;i*2`R zhm|)93Il2nH5p~)__DGU0LwL`=HNprpPgAd-8%}SM)uP`*fmK1oJ&HYpb;#KDpczK zJZ5uE0J)R2949ZZOuDb~N3<3=$8LrPKad?O3Vs zBapgV_}Gn?mnF4(-%;;+mt4c#99%K*#ga&l12*k>;z10ZRHO%KiG;(kR> zZthsp!JJo^;ISh4tnNf`p#tU^&;vX@z3p^EU^vZ}h}j|)^nC`vTkNE?Y~G(|^z#<0 zN94B@VwR>$S(7T?!lhTiKU2l7se*EDscv$8HoI+gHy1BKNlVts1pd-z0&1@|n;mc! 
zKBS;^hf#SSSYi7_1QOwA0{RanKEBLa6TG@MLUa3T{SgF8;bzwE6Q8roToD);n9px- ze@_*Cd$t06C&u76{hpQ#ND~s{xJz@o7r*%dh&v!T&e%TQ`qf()(n}@LirmphIPG&L zVmzHPWFinn%-q4O7Ny4Vog?h+kj)U=Cxk$QiWHycx)Xh&Z?AKi*=2xo6UG3oG(+-H;y=|P~MXhtHVlIqQfmhZchKJgDx;a?U(n=9X zOi1Vz7NMd{vMeaU2pK4#R{h%2Frmz1L_!w<1-HXvY*ztsLP2$U<5K_7nT;?3+h%pK zG7D_>JT|=aC=Ig=55Ne_KJswzjwB8DW}g?{{gu+u z;LwszmeJs7~ zULJKEX)y#zBAl@!Eltcy81xLE5bERO;~|~vgW#kHYr67KE@K>oAwg2bwdtT&BOG^e zCTA8$BL8EoAbrGKpbcdpR4yvotbuaU8VO!frA#TvJF}>XMx3ev?Y-EtgF3aRXw!UF zbapyCpO~sMvHrTo=?T{J#mqa)iA=mlGQgx{H* zGeKv%Yww-RyJV+94e{n{66560tiI>984A(neW2;+py49D33^FMMSCllUf8b;cFDy( zyAa{^t;0D!?{2kL9{eeRwR(~r0d&^C`lvXrg|;n=|K4 zvk0BIQr;PAj_6z+@~DhxS?CGc{5Wza%785^K+5h+h|sB0yqH?x{WkAMBBeqEVdQ;pb@4d ztvR#NHwvleu~+{^94nAX3*I(*UGgh}njrCSET==ppN4Hk2NZvyES%C!mR-jWyanGC z``xmZDfa<@B@GD2ZBQh=>_9&59z_w(L~4{J6bzFjtEacIifZUO`8WlcSv}8&no5#W z1k6VI^BUXO7FYT&79Y=TBO#|AWfK^4i=n>1+U zA@R{iA}Wb(SY`rX-ejlrtKks0?E*bW)8`0JFrKlpS5$x@0grjYUe;j|m zGxYlqQE}ttCz*Dk!bM*y8Gn}`#{3gf`Ga;AZc~cDo1`_Nj+5>S1mLz=Jzq`Wq~@Xh zkLqXu*p6WWyhysV#cEcqynYMgWJLHjF2I;mS*B&i6Lqn2+*5ps0Ah<%s*(!)B=BdO za7Rkhy)lFI4+P8U%cneI8jyjyo3xC>x^ew?=V_)vE}5E4ABJi;nGgI);fCp3Y}=~$ zR>0=0S`5EW~_|cbwbv!43 z&UI~Q$0%dax^|ZDk$n;Ko>09cmnc)zTHHf%*8ZkIH7i$lx0{2{aCHA{KnmtlkISNw zr1c6=pOSW8IY5RLI%lJA?(9lwnv#i1E-6Lk=eZgZ^Kn?;rof<}iZ5w%2!p{W_eoL6 z+ka)BSQ(klI(i)CS3EGst!L9QF)gh-T+!_fwaSIoV-WOc`^wBuq0&%sQe%UQQWlx>3lr{QUcWxm!62e{2?@|0CfE+~#Uc*=HGZnc`WaAqV$<0hlm_!^lb(8{kb=j0t7 z1b*Cciw)IGw#Xr`(hor)qH0Gu$6YOI(Ov{n;E@RTVjB5uOrbXFh=;~9^={OnkdjAM zH`)CEUGVRFkoV~SzM>ZcLqbB9eIn_-`!7)%=rGndHmU(mk_rk_v$M|5&fag&?D50q zENFpuUr2fz5TnGMU0f0p5>(XH<>ln;tgNg66n}EE%lD7?m-1{xY^ zlvGp)LvdsP=Zl}8-($vQWp!03kA;N=0Rh1SwZ{wC{woyB%!(Qs&3SncF_RNOryPk$ zAR|3J0^o&W{NthKe06lZ%FRu6_PZ%+ZN){0>xzns^7QmFF<3fZ-1JpV|O9JG49y3nP z2NMKhVqyT|!~sMU%Hq;e77mW2U%!;p)C4@QcQ2WM4vDnG{uoXyDItl*X8<)GWlEI= zd~Av<3JVG%qoZezTzq=M6?Jsz7#U;!$BU(ehx&ZYPfJ^Nb>+xssmkT|>fz@n0B|8! 
zf#>0XHS+fM7I{(@7XEuYU*>U4gNldez1{nTPx!JCc>B^hz#VFVij2(pY^4FPiQweq z+<{X|URlv%XJ^NZ2p)v_KaOk+z~7USk{SxWd|b_MYtz=$^u##MhJ*`1-llN`M&;@G zgkgKH!$poNB`qC(sMabD3=kLKS;D}=Mn^_&U9oouK_d}s`)ThPLI5R4B@{qMPEAeq zFd4rDNQn*i79O0y+x+G8d&QlxP^=N0T6an9^L-3d?Ex&|M@C>{ zklQJMpWrHz%lx~F5S10rNAe&bbCl0q6pt2TANBr~sag4lT2e5h8H>d*$sCBv%$)4c zA^kiXo~F3--J|E#RXXAl4Qp;SJAU5Mk6F>k)!3DT-QqGbH3?1l=adP#XJ2_U|AUm4uiV`k_*g$G z#yoKO3D3WcdrC@y@_0&X#D7X;u$L^-r(}L#Li8-ItX!Cy>i*w9mJtyNDlexaOr5|d zEl}T!e#$Vd3an zLux2ogY%BQJ|D-p$bt0|C8BR6`u6hNVn|$#b(S;&;~#>S5JzILjgW~ zECg24T=XB*b)Aq_F1J}6*GLc|n=n%&mz+4|j;Q_jOU=RPLG&^sH*J@2PlVP+2|k<9 z2;SMh_0)`_5tUyj<0^J73oRlL`$t2KD!ws#1%!y$d|kL6n-uMJJ^}7G z0(QV(l)$F{NO}{4r3(oG0miim-^AxkabF+jzmIC+TU9uLA7V<6u^XMuJ((LBjg1^Y z^#yFte`myBY&<+cU{A!1L0DI(b6>mh#8FUDq3Nr%>;BsTg@uK6iIR&DzzK6BKn7An z|Hqq7N&>QxhpQniQYtD5K)v+8?Sk$?V_fZAUWe!#wJ|^M3cv^r9BagLDkKq<0yX|8 z|A^Da*KMpuH1?~eEi{yAK7>}+swo?TJ+`WEOG-n|ThWZPw0(K@1PVET3P1&P#nrP4 z9N)E9-A@fYjVI#SA=p6>UGS_=q+`miEA)CwN)V=9wCa`Z>r!7d=`byj(3_n;)1uPB z3WGh`1bx!b5RJB_x!K3}ND|I$uojB{F=)$wJuZjC}A-9UdBz1o+HtZEb*!-WAP1 z$Dzvdl9Ha7AOleod3E>Ew{+7)@7O`GQ`U_?5L9UPi4YbGOZOoUN5 z;ROb>PzWQZ*M`?NMBU-cvKFHklFMcCn3~!aR#fmSg8?PRAbL#y;NZ@cJL)y|xEP7v zNBjxagE&&Xyl=(gI+G}076@}90VL$%mV8F6qpM6$M@mOZbN%s(U=Jx~g5P@Pf=qSR$)upAdGk|*uFE8)rdD(%gvCEIs-wBX=@?|1TZO37T&M-+) zmi^NJy-`|5=3=ue217zbSU5a9Tt`QTypX&_?C|g~v;_S$bSiFI@tq9xJu;>z&v9g= zQ}?t~`W_^ydo=jX&S$+uUIcL2`2in0OpL3$0U^udYGf36vcfuyhNi+}?Xz`<@q$g0 z^(cNjSHRuo$@weE)I7o<4P<*}L!zUn7|lM$=lhJF_iul@_6CPCvG!82?baU0&Tt7fXStPeU zc4{&s!MpO3ywk$9Ww0H2#7MWWF|g?l;X2y6tewq_AAP3<$O@^r2YGD%CGBR+)0hk?;~@u zZd{d|texFN@t;>J+Wv~ExR@AeeF=f!S8t}Fz;urH4 zOD>|45a0CrHA<))IfG5$NXtSK<@;R|2j+n+pY#Uz3Er8F6Ng!KAp7UB9n8SSf2i$Z zt@?u=n;>VWt}rpVwd$a$ zLMe%>LM}86p$sz65Qq3xI7J%_Tq@D8_6d!z*WBaRHFRa1r*g|Inc(QFBKgfT#^N8P zuZ28W9b^0(Qx?uy!3`2fxTRdSjs%tax>R-D5{F-rI=^(;R`( z3c>`8SZ=vSr=(3SS}9m=L12xN#d1{ZDZVq$$GtXBku%26{4-N+RrVeZ1^21JSUgTh zGpWAQBv9vq+IWm?;l%QNx_TUW`CAo;v!bBu&x$ZGaE1^;sMMl0Zn(%KQQ~D473+2G 
zNR%?sLd$n+PtHqzOr=CGA?+z6=jYt17;$lt1_y%{dVfHj7ON0QSxd56q}&)YTkuKCGqW4$9~-o#J<*6~$p@VYVoUWTTn zsU0`G`x@v|F86r3EfN|61{-LSh9Vz(5X;zoF*5TUMqNdMYAJdSAB}=>OPSX8*kFfX z=#ybU$@|{ti%)XOpR4XFiC`o zVy1e8W}t~BOA8X$lamP1#8buBd*a3#i%0U(7iG zN{Vlxu?C1)3y5$jCNPJ;FYf3C2{sF`6=@xKw7)UxvNc=5r2ehv*~W)TyKUXyJKP0X z?P@~0DZLdGB_A+ZQp*QUhrqvBTiew$3WFi*u3AmecbmpbihVt_)GRY+XmYY^PFC_H zm{KW)J->JkJ*dbR12RR^NZd5saOv;;kA9;ID}4nd#!+` z+vllyh54Dj1B&}!sX5HrKfiud(>_LEe5k8Uo=DP*Bv3W<`DyCLScgRLVBXd`YGqCh zEQADCOOHy|@EB@o;YRegdfrgd^(H`#z=Pl=C1sl}98r4lzXZ~YgZn0u`Io+{MdW>i z8-FDc4h$ByuIKD>Sf=&TJWn-bF^-Yv*4k$StS!cx)q4*zZ?F?{{j0WwZ`(emMh{BKNlD8E*&MMQ}7y3P;wafA3_Lyoh( zJiS`mHb_K#c_s!|Mixdni+7hZQ)F*_x5)gP7Wv^JE!!|78?EjW1g|0Z_}i!@_4n!y zS4$RsAkw5V)d>_;(J7vwg1a;<*-=S#E>wy_#5;>aooZ=`B(x{8H@l)I`VNmUUki9H z@mxIb5KW;6qDPHq>P}rBEhM$-e7lK-n(T@L{7LZ|tjtq?$C^8Mb zReI`2v=A8E*$GI~4AP5f#BTr&M<~Oy>1*}wa^p;MNwEM9UeTjZh*MBzeq}W&9==W>Ca|fjo?HxH$ zLFbX3Y2I%$k}xUa9=O0E7`!f!KID&n(Iu*>@y*v8`gJ*`dTtb zNayZD4?COVl!OFy_lw^R^NA#lK7=o;1BpNGH7w&v+ihdQrpOurXG|?;(lcMXo~X2p zU-zZ(lWpy+t&lFWGCYGdU-cQtn{p^r3AevD`SZRU&*U$xioK2DIAvzrz}S8>s9OL5*kwHh?Vz?xuH|a8C%GKZuk-drDtb$9P84A z#7#n;^Te}zPxYFuk8?0jo#h9L#Mq%s42bkN`@6f}?uY1wi_!FAJYY!6eR1PsHzBAI zCWZN@7xT{9PvtHf=!9&$a?SKSDuT<52RC4c6GQoE(owwRmwd za<5^Of&pb+Pe}u42FGW9{^LDA;ZrsbR2?5RT?6jL#9Ef;==x1s@=t3iEWe*;H?+{p z28M(yA;n50^FGG`;+hcRser{!ommW}X5M1iWyfXc)XD%ZP^$kWl?4Oz6l4TAxE)Lq zlV2GtTaJ4>T3T8(r8LOx$n;OHm}z95FDJVC;& z`Y_4l6zC9REA;vbxF1%842D>F4ZrQ&#xvikXXTnsRISTEPFz~E@W;PFkLuvQknLHL zg6R-pQ;Ef7)nos2S~1|FzC$>a`BIGFR1^e=kHW*kpP!yXeg==T-8dhRQ;-ArdwP2@ z6%4k?51VMQxikv4N$akTN8E9YJJwUBRov%ci07lVm7OIVZZF~IGZe3mXa0t zn7_qlX0Ff9#sgY40Qpx?_+j6!a(#0XL&&eCs2HI8sw#42wwFy``!2bJx0+pX{cbcq z$*@-{J}>mW$}^Tn*6cQN+Rs_wr@D9iz5YITpUEw);0Dh>byb2`O**0rNHNRkz(yQh z0_#fx77Z=!)lg}-5s82O(CZTOgQ!WOlPHCu3`e4NB9YF-j^bPbj``a-r9OG{wfCe_ zy`{^26Z+qHd+Og|m)|1+(SZjo>1(`c(p3--pWG!B8-l`AG8$j&-^Lc+sT8x1i z@M`ky-gzYxVzpVWc96W5;XVe*T%4(?Ni^shN6XFtV*2p+w@P|9~LyYsv zN5M9jhZkPpVfkU#!L5@vEqJOMvyMx#aNP_ 
z_B8C(+grT%{XWUQ+f@NoP1R=AW&26{v-dx)iK^-Nmiuj8txj!m?Z*Ss1N{dh4z}01 z)YTo*JycSU)+_5r4#yw9{+;i4Ee$peRgIj+;v;ZGdF1K$3E%e~4LaI(jC-u%2h$&R z9cLXcYC@Xwnns&bn)_Q~Te?roKGD|d-g^8;+aC{{G(1^(O7m37Y1-+6)01cN&y1aw zoqc{T`P^XJqPBbIW6s}d4{z_f5Om?vMgNQEJG?v2T=KYd^0M3I6IZxbny)%vZR&LD zJpPl@Psh8QyPB@KTx+@RdcC!KX7}kEo;S|j^u2lU7XQ}Oo;f|;z4Ll+_r>@1-xl3| zawq-H%e&ckC+@AhPrP6BKT#_XdT7&;F71j}Joy zkC~6lh7E@6o;W@^IpRNZ{ptLtL(gQ-CY~4mqW;US7Zxvm_|@yz&e53Bp_lTPlfP|z zrTyx_>lv@x#=^!PzR7qqF<$gm`|ZJZ+;<)Cqu&ot2z=0000WV@Og>004R=004l4008;_004mL004C`008P>0026e000+nl3&F} z00Bn|Nkl)y%vZNh6VxNQxpUx+dFD8fhdA zDN?jeQfxNK_SIe9q2Rqqcn>7JcL{GYfwV~Pz0X7@EcF=KAm#ZpLpU1f0#@b*m`||!fra7i)V82SUi`__=Dki zDx1xupLYF(W6#%kJJ}zP&j+?6!#!{P>u)<3DGM{hb)8d{{flb1rKje6Q+;dKDrI(K zZFjm%#Ml|?>uByk_YhJHSNzV_TzyNm+j=SO>O3aXO6SykIA zu((j=r-xP;=SpgEN@p$|G|TBvvOn3|aL35wLr~q|M&qH;R1l-d1a@s!Yhm}~p@PKY@u#yt ziRbqB0M#nmxRmh;Hd%cPaXr2}Wc>vfMVU>O7)eP>Z=a*D)a zkI&z~v~TzL-B$G`Lw@D-d7~@PH@h}II_5BIK?yp&zPzl$;j+$c(3A#)Nh=`m6 z;?$_i>zB(FkFP%`f4(dh^Ub>!u;p+#N4r+bEkAe1B9Tb1|0II#jbBBx*_=NrhQDvH zKL9WN{m;vP`!8Z|_Ip2m7wYF3=uhUxed=9O+~cM+8c#j>{)|q}W#Zm&I!E4T$ATu$ zp=^t$H2Y%qU~+V7(Q8x)l~%JaKD$ZTp@~*7i}q+r?~F1CTLP0em-H=f5w;m>vF2cT z9g~eYlOdDN8;|+Tpk#p|ATx#9=A?UM{U?2YeWO1zx#A8YQ^*y{`;@2QdEvzM)Z?`q zRa;c{$Z&UkRgKH(_WOh2b?IC0pC23<<;%r=tyO_g7}eH8XKWJpmv`p|&R=dEUR*_w zpgn=0$Lo8#`g3S96$D&9kHbdu$*}o2d`Ee@`tw};zMXi?^aqh|J}v_<9rJTp;=XMm z|IkguVOKVAiA>IK)_|j&eFBw80I%wCG+9miXegf9AaYoArqLTE?O~s;{@nRzJDqw~ z_49m;x8#ZEA6p@CsR(tos>=~d6)vWgT`SgDZi7t&yQMXwJh5zGbsr;fs=V=4t|JVt zo~hi$^0wN6dCh?mTx5S$viDXS`|Wm)GL&f;;s~Ab$Jw9f>-%>2w(r~E6PzK4M7nHB z&hADgliJ7c5h!e+Dq9puz>*$p%r1)PSjqlgES+YMi8eLI;qqx^?3nKmB+%M|yh9&& zp9sQ4GJ!)RzPLMI`;KH-y~3yz|bLsr_xaMguNHW#~?UZG6UhoKcWsq;yx>z#TrTTpm%W`T!XpW|K_jRUd@;>`><6_r2_#RF2 z;tcU?@1bA%@a@lOU2D&tep1OB`srLat2X^?VBwoTDE&tJxj!{{)%xD#0`u~@$ye((Ue@RPvrk2CbHKE+STvf+WWtd+G7lyiIeN2@%_QQn zLO7F77XGGE>3A#}4o6z5Djs)#k|)NS%~khbfB0XfroYG#{pAqtYr8bevp3!nPvvK+ zhwl&gWN^F_iN)?;{QkiGBzx@riQb^N)8!uOM+vxuOQmfJS7@vgC7|Oa8lf*5Yi#bT 
z?wuW)C$-FAT^996JY7`dcgQD3dnWs8J%Ip7_PF~K zJz_Qjfk2oS!HI1lAhz zP{>jC;W<#&_U(-*?|Tu1FWsu%2D&zQ((ir=X5`Zkqs*$d=HwD^ZiaHdwu;6IlnXrEc+=4So{OzXz>ptAIKL-q;g((o)*i1 zwKC6Lf1ansKYM%l7jn-Rp3?pV0)Yow|8r}9%zDN7D_tnn7l zU!Wq<7zl8r#=?pka5+0(2n4RIPygbdTlG^||C2}_otq>wqax$=1!KuuV|{P77rlrF3xP@+dh~q4 z{JwH%2A4}m!Q~d+h1wAaDjV9sHf(scJMv7)Ze9SJPL*pIS|A1Zid+^x%Q&H1WHMoq%tQbx5_S#D$Yy0ivOKK&u?(deRK3b(@Z+qow zT>tZM+1yUY&N}94*Uv|;?TLQW`XBIIdG7>|wLc!OmyTN^a%AHZ6F#@4rM_IKx7UoU z&Q6S)91gIy2dw{D7-~jOF4nbmy8@AQJj-pntt2EC^e>6g5>XFZ?h`O|75-pLlGfMXN@zh*4%w^Ci*mbkNFfSvjmGZ$KzePzVP#4#TTWiZrb26_xw8t<_ zuPNAK!Q<=C?Tddv^JlMJ z_^_^Lsihm;-QP!CotznLyHMIq9ls+`J1B|+@U4zaVTld)RLtYINI){l;URbjN8@UD ziL8SI0hLIkk!b`P+jc0U5sAAr2}PjYBT~2`u8c+AUfUAuoEE#m8wx}H!2W=rfn+vU zUtgOJS)L#L@T6Ke-k#$AD9x|E`s>e~9euTE`jy`me+9&B%?%fobu?GjuP`mkb6p=6 zw_R(;433XzS!?CREqtXem$hCwS0ofjC$TadX0Etnw5}aZ7I76~F;?URQyK6=KDwjf zgZGQ8`j&rrs1CMnn(OAH~6cW2#=d*#A-^{*^81m!5h3Y|#F3o$}Y;dE;|6b1%vD{~38K zRjJf!^*!>-9mm%bWL?KP?Z{s6KA!O8`!hiPX8q<%SLa`C>ix<)|N2MyCssLF&jcp# zgro6XItjjF*<{;MWWG!$zY;o|$!3v5$PA)PBofKLd&qzVLLf^z8Gq9JF~0ihzx=7v z_@Dpc>wnlrd)m;4W;+3kFP$umRn7do+F@xpXZ4`Cl~(| zR@xNS-JD#ygRHEH#|tZSki|cFB##&N&uoBFL3$KmA{U+&z!p zG5upeR}T}vrKlL-Uh3uJaLP?1VvnP2R9rE@TO=QJjR*wngKOhbnKisFax*EqQM#>u zQgTQ2uvl#1U`(ko@i^2_A_uISNAoJ<^Vm!_*C3>EWQQV=-0t`6F(o`M=VPfS{(L!V z`=pWmgmJ5SqVYSc=j2VTwyD5Nz+#Fc^?u z+XUjXji)eWa+y@rMc`}n!7OHrkjtj25_2{a-rd>Er2L?E#Q@f@{I%5X)Kn^?qzHpGLe2Lh@G0;=cvQBTZV zdgcx0Omlq~=CA*)wt9%$fhs%ulOM43et4!JdmtV}J-|!Jo)hH8r%iw$?WfjL*$nu52JK4uQ8LHH|G**UnoU zhF@PrHI|*xc*6C=+Y<{jAC@-sH(UU-(JH$Zr`HMB`mi$clGYW2?16at)KjoH;mL3B zCcsrK^6KZFX>OOq^W{F^$*9L}M@~JBw05nkol9Q6THd_1w>z~bzS1%$7jqOwr`_SS z+wEX|97tJS*SXG zm24^^GPsAQRu*Qb-3NkHHoZ*d-A{cUmy<@ql6E)Ysec;T1Mz6o^Pu-*w~H9Kpcaci zB3U4C?*wYKMz243=r$-6isw^3HoF5zP4{X|W7qBqx@>5Eba2q*ww}IHzq8O(i=Jz# zIHwa6YkC%THr9GqS+kw>2X04wLo1fN+cLfb^6~`&E{_KSb7)j`UHkUd<_E96ex;#* zVW?w%7k~Ba1)EX$!P{?>Rwu@GXq&5B>r5r81h`L^*R=FwS7+u3B9K?1R4SAz5GcKJ 
zxqp#BBW-q1uQpee?d|jwwa+ZERG7)ZZ5nfH8_yO=8fx0~5^USx)bi92L23fIfEAe|*9$8y==xnI1wPF%R$I6u?g$Q19Ly4s8BM=7k<;*yq? zg@H3IGs_EObz>VK7X~wVx_)%3tFfKP{LSTd31xYPqAqWp86E7^&}XmI^i7QobWCkj z6<4sGF|pOuUx!*>9;;{@ue76Kmceky7YaYz!=pcVhlkTZCT2)Y-q_)(m1DDOt@Y(& zeeK|z5UQgeGu9`dY?4@1gPf^Vb1?HuX01@ImuxOA^!Bt68BF{-rUli!GTz6;t^zA@ z$X5!d3#tdO2Y!8l*B*$6RL@;LEx-A@-#Og{zrHCEkJP)s#V-vEk+l8@Vhz1=XicG$ zmy|V;Ntni|z2>qynh+RUiUicywx(9KFRr5_cH@auQuW~G*g#XuBo?L&pd;HpXcfv*V?9MJIfa-%;NH1hKw_?LNbYV&>Qsnu1Tn#yQ&A`DN)azKW0ax z!2HzFWvKzx3alZ3m5X9*$8mzbvEkzC`q{2}V44au)X6gj6R8ZamjG5M`AwWmIyKRY z&Lq5r#OYKLGu#J`0?+o#BKz^{O5np@K-ohkhvbcECy~Y+9m*hoqv`w~y*~-na}#_% zpV#Mmh!Qmd$|HYOJiMvtTUGY1DADUG5CB{BhPrP>*}sPDg00gZ|8%M6Bm@%Vs|m2! zhODfl>=T(hu*eh`M{#L+1iBcQ(#ocj`SG3xByd^~Lv@+_5?L^<0BmFN1fW$R29%Mf zhA)+WmIq!SbD5*Xw7}$``@|0|&~Yr0END6wN9>q@0MFpX(#62eNufqEW-61jle> z;H?1!R1d^G)RS-^9(4cd2X6)90lR4V#UFlHI!o-m{0p&A3C|Q{55#?|CmNHOoyAIP z73Z*)q^;Z6)Nv1Lq?Br}x4Lt%G!Q-FlbXI!hu#6}gMq!eKqP6kx%?hCxJL-ZqhLXA zGKzRy0gkJ|Z3WkxMU1|rlP-tj^7$I8)9ZC1HezfJS|dCFU9CtM%XRZFcN4$W ziht>?*FSr%_Ui`w8vNyXEb58hd4U;LcK)|#{{$=i%D?;1zyB96|A*3*?_65=&Id!U z43>PJqxq~ibmX^3BoYJjF2D*92%|2ZW$1l#eNEsoq^@xk%fL%qiG}_qhkU2Ewqd-d z@pAJhrnf2JJGgYIv9hugH86IjcwkfMLap+1N#MjGa`uBVk6AsuMHbo9Yj|w_xrSa` zHH_+NE2(VXG(;}d5A?LO@9Zp}Z<|HcRkyDRo^$o2?(*X{N544A{$?-v#iH3)&JDc$ zFIT@-)BHDI_{P7lT7LP%>AzKKA$uN=dXjfmk1vEZxlrTlZE9nO+dmqN;BD^4fsuM5 zYe;76bOaUf+&vEUB;k$q)2yCY^v*A=3iC1g2c|;NgfW~9go1%k0QeFJ$6~%<2skM$ zt7!5C!+yl)TqGO?H^4Du>PQ#~%x_UGZs3_9>I3sRf&q}^c!CG;Sm1KIL7=s1&@9=H zM5DoQ)E@xFfQ->#1etjPN?6<=dy*NDGY|$b0T2L@h227$qv;~S=X|=z3-P<$8W_!% zf|#wg;{b5Ah-}SPWY=N^yLth|oR75FZ22_6xwH-J7LE!i+g$kphy-C%z7PQ53;rm3 zzD%>FP^`VDrxS#cG&WnIQd7Q=Le(JBgrv0Pn{m_zi_QL=t0x+bz~7K(Lp|Vg4zL&x z<&n$BQBVHblTjfKEW$6~$$#W<{=Y#0acNQTY7u=Qmv|u;&xe6T@-g`Y?MvT80{Jun z&HpSC{ima&k?V+p8aaBb zU8tUq_1u$!b`74vw+0YTg?eZ#9*Mz4gvPlcbk0q?k5{M+E}O&SaCi(hk4)##*gUYy z1mTm7yss8=Zw?%9xi=rZbH;rJs1ezvF?n1r(uQNj$yKGE_u8tuJ!^V$!8`rm$j`nzvkSQC0HCV0OaC7T23HJ%zA zQh9UlUM$NiD#OTF+##8BDhQ zK%Rb7x(S+947I~!l-k4T(TRD?>wNLD 
zIb~HJ_uY1mQ|oM4*O|0-OE`J8p9dz32pRg~5wLJPS3M>Ya}MiPw0Gc5HpS(#nH;`^ z$2J+IDv7{ysALJ{DhV%=NXoTlZy?AM%7e}W7EhoSapIXr#~X;J_csmV-gvBzE>G@& zC9(x^I$dB!8L(0V!fCL)J?;f-)sK%R5?}^M@_4r(DwC%WNTt%Z9D;J60#-+VG;al#EQwvUMVCi7t~HLS6V*7+ zRm~6fDSheE(pr)kepLMgo^Qa1JSLN6Hd_!DBa6+m;On*57XYrXlc_W?4gr?3M?wL> zrBvqViXILHkyTQ_nnXGo3iy#xkb$ld;j<^y4a8HS8(;t(xb00Q)9?g6b-FQ{Odg+4 zCX<7(8b9UBBzu-ve8SQO0pB*iKhlY^gwy4nlU;S^s8V@(ZP)%>I~phX&Ba#C+I(Zj z2vF%VcDuN;ov}ARNftNsE-vq^*OZiQ?kvA{u4x+Gb+x(^c`dZL+S@y}GFk@J@Bq3I ziN(O5vP_EHr%7}!9*<>|3YY@j%GRD`chaO30An`0*lnqRqjpDVN{h&d%(12u@!4EL z$V8STZftFdn8ZxX=TD?mVs<8%GRwtlI|S*0JDc=U@jFPG&Fy_0R-q6O5#5|WU9_^Y^})G{s>bH`&lcIVtkd0# zMU}0|fN641R8-mWZp+O2{8UL}Yfo*d#A+GAiZO#N2H9rA6!BVRLs5BMYeQG}E@ykH z-gI)}O9!XzQqLDz2{mH0mZ~k#i56QrdPE zsvEOKH@U2*+7>EWM$$3Q4*#&Ev9G*)V`pp2m(G!whUIQQR$yXm%~}*2OAK9UeRoS^ zbH-WpZvewzs7IdNHt`&NDV>6Cpu&Wqre0|%<>ew>V7LBiQ4$GSQGErM? z_e|I>uc)jCiOZ`R`#M`E#-~XPLN|ty%ecq-J2x=1mDMdv)APkO&FdTu{7r*+nsjrY zb9O%dOdp5`(~Ze&{z%_zfj}^Nvy->`5r@+WPx{BwjWMsAqT(v_CTE4fX`kNkIt@0f zew`xJTHUwk1~}FeF*e^S?jD|6oS9i1on2j+oeYLTqr+Y63lmp<_Znt;4A@44x_LCZ z(diF>gS*QYi`o~q%FmvfXQFMGZI^_gxIdU3g<1UPDElF2+8(QbDFLul}%e=Oao)M|s#cxW_%?XiGe zjqacj0AjIPfo_fu9n10VaS10QK>_fj!}~O-8;IvdH?e3Wm4>##KCW)E%}vc$LE!t)OA1)fLUcs*VVVw(G7hy`&i1GXQhkivuN z$ISk`>E?dkr+uX4t{c>UXbA*^AEyvti2pg%&7sNU_WBO=vO}wDiNJLQJR&-FYr0u) zvCXWLhtNYb?4rsQnjRZEkkNLh+kW->TLJ-7Y;eylu1t&#gS;NE50vBa`8~d%Tu62r zWhx$(usy#@;tdXu@2yU8sauE@9fkPHix)9GCaJzxJX&*A00w7dGVv)y3W(zuY+7*;LWBymR^Dg*D8$J^#+GP>9pxSznr-Zm(Whn?F}nzcJlE zyRx?4TLD%J&yRPu_KmL&)?Mnt)K%6_?d_d8e|2`a9m(Z#KZm+es?;Z6k=>^ljKHmf z?RXdA-_1wwvmC4Ks1Q^Bf^o}Ha1}WUoT%%hSZvnoDXq_;ZgLN3TjL(qHa>niAHNOo z9vTAb2I>al>Cz2(Ves~q(eS15Q=yx=_RGOUYXWdMoN^OB~Z*$WO{jg(dPr}&lTgElDjbdidbt8zY>BYtA#{N0#<{V#4 zn(b{R2=^~m4U*>3d))o2`?1)|6C5vN=OE*HcsJuxsl2mnV8^ zJX*@zXS)VFigv~N#^(ObjahI?+q(yswl_Nm=a&1$tQnQvLdJ8+mQy>=?fC z%9*#TN0#PB8fJG^CcEqg;gw70BnR4xrs3XE{tDmzS}}f8;&``>+0@UP6}ZoLup5WC z&zo)nR<%8pnO-F>?#XNl0gWjOrE@HeZ7=Eo#@qf)>cpPB=lQm~02%hdFONrrs!WGZd5OY2BAA%|4Jl9>HlR9P;A 
zSY27CNynzkFDbFnH=t^HF6Jnj4jin+WQ4+6W|1@ zrJcrCs)daHP2w&^V6`5I^p??85|>F5>TEXTtEU6%<_-WC5-?=|d^rT$BQc){Ul;J{ z8sPT$yqND2f4|9WP&e>)2gKuE4VcRU{NyPV3J^Yj4TT{Qi7eIX=B~}344JiF z6>Vd(i%#5&`K;ifd!Hprr(>~H?%Ut~QBm!{28k7oCk%3NI_8h0vs{gvCqKAcRJF22 z$YrB+Dh+ujL}KmHB%7PSqH5Nqmj;~%u0Xztqwis{7cNvHH;V3v-X4OwxdY^KMQLfN zP$&T5lB%}R?VYI}6rQ?U`u1CA>ZTKR`Q}7h$K1|zU&|Jo`{CJ(w5`g@)~8FQG7vuZ!3FW54+N5#oHw4l z+B}{}r9%#hnz1vEKl1ffR#SKEh7fo$Se7_IU|SpL#Y*FOrv_j*kwvy4y9(@r60#Wt z>1?jxCM%gfdb62KXA+5I1~}VEB#KcBASRVaLfzbeR;ROAZDO$)xfke~W^N2u^i22E zSB7)B#=#{a4_Q7~S>04uRomCySC}SM)wWn!)!bE8>s3-_aBKVdC5HV3RnDi%rGr;1 zy5esBxzf(GR}bRn2AXr(xKhTYE{@Jm_2_kC4x1Tt9yU+o_+0h|nO5Ak3hJuvSaoG` z5ihbFptze|HOQ|U7Mdf7vOR~+GlQa>GvJA*uXeCLMY;)v!akoboqiZU9>eoHkG6>z zig9>TofpmEx~gwQ*}I|yTlBhWctc$X!0QdfQ>Gi|ft11&#o~n@{Y1cH+auHM`5zWu z{ztEHwTQ(NdvpAZVf5ZDw<6DBZ+Vz6i*>Z z)5(O(=}9F*G4OUh5)MX^7P~9tcjwaa1->ch^Q4d$ao~#t@`f<%bH}6L)lv>UE?5w{ z&7Qc^16~|ug5FRth`hDySV7)-gDhZLi`W#bnLyqsCbKzfAmQ}IHgT#?TsJ;n0L+Q0 z8vn-M|Mqh~EB)#R=vOY!z1pz$(wW!(?EAm`%o6=?k97mib$4TX#G}D-jlHM}8IROb zU$-$ml*+&79BM36>A;(}jFPrs2*xVwx-e@aml_7z8mg&U)78q(@!p0JijvBfiU|u1 z<2ya|r8=Xux3v{B*mkI(s{OHRwZr;I?pk>ZlY`q)yM{K!E!8O0$YgU>{hR<T2``D7tB#AQFiaE|mz=UEkO%-kUTB(^M+k5eWsH>{e7;B!1JRFaPmR-sySy%FwrY%Fhzye|fAMu;M_WQXc)DByXB@5x=e8s_c;j+=fE2>TMHk*W zb+xLlrLJ|*DA~i2m*4x~GSd?0+7sZ;O=Nd4WyYl);`H_^dTcJ2cCT{KVufOrTwZUue_Uw*z)Z$d0T-3y|#UcmnT-r|)ANDj}sh?fD^8Q(H zSM_Ps4Y*HR7k~N9mKPg0zg@lZ(xsVK%T`|b?uD=PQC|FI=gTYnFCFVIT7-=nP^z0NG{h-Pts9{{n96!V&P16ZuXZj>giNY$O^#CIj*j8qBJR#*eKAq*E#I zfjJyaAPmeRk*Vvf0r$t(^M3kxGfMwv-~NlO*l(Xfzw%zkOYeN}g^Gz67ua9Fy7=m= zKlo#Ky?K(n(VG93Df;>8;xCpqd_`;gtm5!L_m6&IlKi!1+{>3SFKe_=H&5#F(lxtMUR3P#o7!7D1{=z{W@bl*&?D7XYnlc(MrxX;G2^3S&Ooqxks?(~ zx5)eBBO|te57?q`dAz`bB`C*kw}0w%qf%>(W(%+x5A4b#g1AaSw!nVBkx0Od_%{K&J>4B3JFr3zav|w$Ho!R$K$2N(h4PV#tTrJXCs2Zk z)YhY-kfWCTE^^eAk1QkxwVLuR0b!fX_Nmj2TCEWXgaQP@6C$`dEVxqw!JX3Ihy;b- zDWmXCF&|xN=DD`P3-8mQZXiCUZsK753zSDKA6qxU7jnVh`$Qxyh79=lx_N<$`%gyp z@8?1<K}+j*|gNOW|351iJAV 
z{$E_`f2!zsDQEe=wRe4UX5+6|JAb@7^W{GDSNaCO-Zk)rHR9*GdcTr3{ZFkue}&|Y zywEZFmF}_6w{?Eg>-}Gb=l=@b{f(}gLhu1{v?6{J@W%2#2nRqt{P& z@Q5xq0+D>m@CzpXAMhmq{wO`<&7;vxi|0`Byl2nqmsgIqL4I!7=Az` zUr*xt(W5F7`NFT)n>ene(0W9!SD8FfOJVo88>t(S$>XYzDoWg(D{)jsA#b6In;MhI zH{g0}3uPXaj68Q9wFI1jlQklVuQ%y>;Wt%X2*1GR3&~^(g|ZI?3Y7a4K$#bKd;tg* zCILc$0_A=LQ04_Lmk*f(1r~^i5 zp+JFh{{rv=cwr5{n?OK3@V7R|90&-=90-WV#hk?5nWN(qi!1A}{DZsZjycBga4ILn zT}DR?c_PR>n*jb`v^woQnUlB+bF!&_`^7KER|xsFe6jc6y)Zd7cx3=P)?QSKUf-VY z{Kb`?s8jySLBe>=g^LY?mrnhLV~%$gzuPh}@!F5Sr}5{`{O+xpnUNoz>&xZ+(qywo zMz^wgLE2W>&HJp$oG|nCk+!+AHwTV(3w7Lb=(y7CjlFz+h=6GmF*Qqv`u$PQf9W$6+>F@3qd|YgI?@G7P_GTryEqMb`M@>$Aev2_Z0>Hm~wG?jz&xY7+%){od%sPPSQNo5t%b-e}Fd zJZbfJP4a<9$+Lq(AzeR&k#=opF3%t~4KJY)E2yYJb|9MCBkN11<@d>)Y$h2FczA4< z-7FW#RBR64VbY4YRI^DGO=SgAHArdIi=){bjfs|CQboY6;`BrK3Jz zzm~y~@cFWk<3K9rfFa8fDC`E6M5an*pBQr{NMJnc% zD-;r) zHLMV^7gupI_C8DF&Lusws|2Jh54#mT%hGw&QgJR5rt_)4F6q1c{`*>Ya&K$xz@HRw zKrRB*9K;i5&I4U@fB{^@ESkk;wb_M2;q~YQuve#)GY41KdKS3TJ7KJV?Y4958SYsS258{blbKuIVC6oZl*wf$j-<|4^kjVnP@7HHHcoLZ?rovP9fCU)cXxLS?ykj3 zaVzd_h2Tzc2^QSlU4NeE{oa}Hn?EzVv)Rc#Nj7(O&$-TZt^=Er{pE%C&OqBjw4XoL z?T5+Jp}kxUV9v1^qj~r;dC?n}1034AQ{N+^;7LSFzFEs6Sw0i&4y&FqcIp_>&xKl+ z{dA(EM~X(O^W=)N-Bf0bn)tHO=oaT};b?tpJZSE3VRIAIRf2ct*0c{>s!J_Ty~#9( znhzm%CbW4vk622C99K-m4`#GdODp8?f1u0>m07|MQ*7+QvAEmZEd3d~*bnxgZswo* zK|)(5;&Ak%;2}>2YHa{&(|hV3w4KXoSK${?iGab*uTDIHg&b+Gb}52kQy0=86SWY+z=jKx`^YCl3;m$Sx^pz3DZK@qh9-FZ+l9jij8NT4sux@dx$AD#H)b2dwGt*c=YlH zSBbG23b~?ncy=_F=hN73x!k%1!7-2yZBN}6dDWa8I{;K>f)CRw%0vo9)8Uu#)J|y7 zo7~+Sww+_UZ+6_JwUzXGeM!e!epGj~pY2r}oRm0RXg5}#*wI>`#tM2ghf&zh<7ueQ zaGWCkZRA-37B+DKb=pJ&d9V3RAuvQspY?Adv;QP?@alSEGqR{01mz>MBErCIDltoz zDw7h$2qAOxQ4ZihcoF1J$p}#W{GkZG&mP<~lW?qln^mjyvw(Aht!2eiN*-9XxC1UFmq95+TAgkn)d)s#ie||3nlM zR46e23D&+?&VfDH1U+uvJ1>6Aj)G*l`{d!uC`EK|dNH2%*{^s8x(>gmd49){C$QYR z#43Wua}2;t!n0yeu^Mppw^SuYt)JKDWNyF<99mEEx2}t{j9Bxail@H4advKvP5h^; zsv2tZTp;wRb8x?7wunAO0FfJrlo_#tfuZkDn*g4DZCl&rq}_p*1zyS>0{zeKK#7VW 
zMW2i3zor@%lI;t}4Am8gO{-HHFNxN>bR?Z5-$9Uq&<6{E#2;|YVR3s2wBR^9m{ z7&^^Bao_)Z!YNBv^YV{a(cqJtRzCf{=hFG3+lLCb;u$N%%$k6s*g+Fl?rycvI?kw+ z3_JN^@F^5sO<-1&h+9Ull40zWtpM$$wfOzkMF4vjd+Ex7aE}{4!5wFaHN~pFW^9zH zJLNZFBzvYm=AObZT|(O>^Cs@C0SlQ`TgGS-pG?vFa5{D!xk8DQ9DC+CJ`|+&+gSmY0f=A5Zs%Rs*EpO3aIw%AFbMB0v&2>o*NwGiniBk#V zeS+$pQ)nWr^$@9?+Kw;%7)GP$O_i(ob>o8{XBA-ZYOc*M2kpW3%=r(Wdukfqhnf%N zoc`zXiE}V82y^QlH<+ncyEhMAO8N3fmusF)klKhZKVg9H(M2!c)kGEnP}Gph`J;|+-a=x%MD4<7 zk~fU+(S7a08-&v&YE0yBxaa&&Y|dlv>}i+Q<%n&XKK5$|54q`AGcxxMP;vb@nKL^Y zD#vwo8aVHpOFqYbDY*d@+u}V?&oo91vZq#>Q0Q#Ph|M(%P*1r1ex4S`j*;z$(8B4jNsLH-? zQgKI{HPQ-CdxJC7F6+nf&Uu=Yk$>)i)ch%HIrZ{k<1q&Yw{X(Mpa*OD;^C;#RXE_V zEqV%UTFEXP5Yp!6>bsT>*@3AaKSsyrMy5^zbQQ2h_uJM728`K{OgM^S2X`8Fq^&3o z**Jknqh)knVm{L9bO@P_XY`vk2K*u+;|iCB-`q8cPY$4`X0wc&32NxE5>T9LMyGTQ z@|=|qC)6d+VvGiBmyoKWVh88Grz|(X4a4k?P?9nH=^qL26 z{2fEt+dXmOyA!*=y-x(W|AL@wFQ*6ee*1H}arrPbPWscy-e#3Fy43{iehjnMl!plo zB@=L29O|3me5$$rQqTq<+#BD+eD3JNdbVYLKdNBjo^;F1mw_1%Xemi!m7Ut%{F}ob z>wnkCcHlv=YxgRH<`Sal^fx$UD*`o zbLqqF!p%ws2~MW&mM=EKDrc|POvaCds-jE^H&>l)2~^gb#<|L~#5H~c_b#2f zL7=!9L)J>7Ml~n2LxdN&>YQ2Er3LvjTUlZGRj;W)qnn|XcS;@mbZaYjYh#=VnS@MK z*N1USRrUmcvP#^K;(?!R_rA1}QaUCi*LSx`;M-m0SZHjZM+RTps2NGId@ATt@@AiEo7{p7+rW$90x!@?iXeKsAEa;Q;BMKXf-o(?gJEN(ZWNmXB1#FOH5qts|<8BEBL#6ikmg1syd{3%JjF-E^#vyN}- zS9Dp?x5xMqj%jF~ofDcmNiO#(nTjz&7Y#|eeP=K()`psm+yKoY-cocluk&|r&-wTv zBDxmEw3?`<#z5UAwm<#>A~zm44J}!VO$R3oFr?e9(=bhGD56wt%X)LYvX4P_>_;8r z{w;}-M0hT7pJEkOMOe}X)_a&~jxk<-han@fwCRBGZE5A-X@}1ToSAse`#Pr6fE`U{fFMbv04;P;j!EspMlK6> zG=Gn=pjBl5mf=Sz5}tSfhT|9u2~jnZHmdaP{NIrgH||5BuLK`LeIL}KD2`ErRuub+ zZBmOvdU6f-i^NlMr3xr0Q0FF~b_rsr-)E3Xf#DOrBtHoxL!jn`_D$IKAP-Rh%MB;qDQMf45C{5fK> zVE(lS3lrxZw7FV*`8{p;)nl+fRUY4k2|f+SA8L318Zi{!h%BeLpaH$2kFi62MRyGg zO-nk8j_XfTqo1m)XZ~8DXtkZ&7?WP*k$z?l+ajM-)sfAT{>!*~*B^MJ8cyN`X+b_d zxLq&`l5Kd;1;2==+0O0hG>j3*!sAj}T*n(29tCQQGB^-Z&}9@&Qb)@u=(_+zT>_YqN5uJiwXlPCs zOgpSTkOD{+0WiE^{$nKC7epTjcZ4&xn-5j@hm{;tiK{AUeqYwj@k1o^2n~vsz3FK5 zVjdUC`wxPOP!CQPG-V*6rT6Ch>!%8%EVarN7*ork7J3LjUmhd_uR>XS;}s+#Q-vrb 
zQQxSzbdyYBwiFL@)gpGCRd@u9(lcWcuOAK%VF0tjh{?cWRL(Ad4>UI=6Q4t5F|{s@QX~0 zu6pmJm%OLe>A0+FM~LOF-5P6dn-5xtoK>{!;AvCP)bm?gc1>+u?Y!-dRQJG1l{-rS zW+a9s=0Cb%fDS}JcZDyh?tHKI9?6iQGOxJ9m1K4yv0B8)nX%g8J-k4-_0lK+A8RDV z4(5z!-bze$RiIBCX?@bDkyGh1*RlDU0{k0+oKtQURR;jG32O2**53HdqyM)2K1d%N za8w2g`$F%XxM-76s*hg_|8Ao4u06bBx2q3bFyUh^zozU5K^S(#)bMvupn$i;wA9)? z6gS0QQ#6=~(i7W?0M&DQ$z6RYtMard@{W-+Fu&w6cj8DI3l#|{532j-EW?l7$s^4X z;%s&HP;_zd#W1kFXS1OaTWhD1tyqw+zsQi+JwAmnwKT0IL0*R04$s!6ZI$d=b>`gK zK=R4b0wuViPTow`h>(LJKXFCwRd$?qNwhlAP4n--TzArxe1f!u@wE5eo!{kL<4a{4 z8j-gx&Kv0Jrji2;KVO37;HV9q$+27VE7+NRja*(m2DzA^XJ;6;ItK?T~=r|Uk04ujeB+*Am>Q2Hi z06PXDRT!tt^L}iHp>67`PO1Sjf--v`tEme5ghO$4r>lGzX?`LbwSn}PO|xm}Y!)c0 z7d-IfeI{Lcla0rgjTmM%))>7A%kvIn~vX=$H09b;X7GteI zl@dF^7#ksZcg>wygpyy=(sKj6M6onF%Ud>bhwmEibezYwgp6{&1JNn#JTw##|FdBqT7;p>6@d{nY+d7a%s00gdAE8LX z&+64Q9)qg=)OEdf?az~BVOlXIAAyO{~myXzyhUJ;~!TzXCFTzKuyq za}=G#=uzSh|-6eN7Dw~dBvpwhG##0 z8?vtr**Y*~--e>&X9J+e_+6Gj?9m344^&ZqXxEe-e~ku{i1{#>ca8dn_z4vA63B_e zpo0=3AKHk1P}fV5U*QD7JS1EEbi&RyYy_!L1}pkuMo{K8Y{&y!NZi~f@JT~uK>?kyd*^Bp|x;)27(JWqdz zH~&F44-DmL3*HWx{H{)U&!kRw2x#<{n&1?u-horJ&-_75Z@o4a69#qR{08@r{x+r0 zznz26^A8(!mG#(b9+=LcO_~NUwDJ9}?Irtl-Wqd3cUMgQVm*Jblcl;OJ~~wASk!u~#}7aq)0hF+qxe6ZJyQH*J^tHeGXq0Juxk3O+__KC zQ?^!rHt!?-{MdKE7o}>`;NAfkT^@PuT-zI2@eRF|i?gV8WcS^3>0&)NNf7Sbo64EB zMVGbuAh>e%w=NAX73}2V#h-oriH;LT+NXgoT#PU6uL9f!+$qO%UVe%9&A`r zu}hIZnBXm;?9q1QcHSnrb5Y#ODgH5rv!^*)L%(#*uhi}i!XM(`x}o2u{O}R_MImNa zFkSogc|zf(-=Vw{_lGhE7u#U2@h>hH>&)7ssIc@XudGZS`9=Hee0`919HDhe#4Sxz zGom^mY3C!w#nSfrrEIWNad{3!@XAhOdt?rh`g1a;B}4`26c(*YOgJlAj`E zQbUc)Ffp;o4c`f71@tj1>5CjHYeFp>_3V*!m^+ty0vK-p);KAsu1iGr*2kmK)z{U= z-%M=JkzD~x`)^rF7^r}CfZ*LHXx37h64KVMArR{lIm->BG^{%Njv;7E;xXBCArT;$KYt6S<(&CBT$qiszh?@Som`_JndDMonCRmAu!}aU*8A(d- zYq?=Ya7ow_be?7OXnC2~O)jI2YtVu30kxLnhH|g0LYBlx>53^knjI=TSK!%Pxu`4E z5`wv3L;?3Z9#L6B4tAQGZ$jW&jL^!Vvxxp$z>n@0U;K;S$O4k0_3>jRa38%fvz{iw zonBcfN$!RN&ANNMZ89CjO2@)VZ9YnjBwbf5vsjw(#tx~}+j$&8cxM;^?c{1Ua4G$C 
zPPrwW4V{nCVuk}n8hXA>mTUgn=`)PYUYMKOA;Y2JyRs*cd%!HzTYUR?f#>U)aqs|r z)rgSb{D3E;MSSI5%EYij%BDM^dE}&!($hF zIbzcpVl{_g&07d7#>R24Ot)TT}2KAsj zhcT!XEn?(5A<)#>g%yFRx?PD!KR7c8+j43Vjg`q1s;0e1y?D&p!z-G}zlI#Pb+)Sh zaX`{C=rdy#ImjF=*!ZsIm&2Cbx$t;`NRK3v8=Ks%OT8UeFlx@GDJW)yEL@;Z`IA_8 zu_U8A(d!bgtwFg%))f=OQ%fWbjIZ+ji&AGagEEikkdk8Y0HM=j0M9h10o>>&#Dr*M zs?Dy76y#8n{&TuNcGqbGrdMQvOZB#1iTCki7-2ib$;vGD!(5@BTz`aNw9O|chDMW~ zZo3m|eH}rjwL-#MkGTYflZCQ8dkKk@1!4&}ViL%6Yn`ibEG6l&V`VC->rBP0b@Tnt z2?1c2wqn%pYv~pI!`6;z{_B2*zZ%J<2HE*OFEpJ`$A!t&bFw~9gYzA?+9zBi8u|=+ z{)J|DJAY%&GGDT-+O5RU6YgoqPAcYxgq6E(5Cofxa7r3AYL@hfGpv zonS5L>n7*W3)rUHLbTJA!3(C>nQDQjlbpAQYDFf_)Am^j&(f^(OT;sOzl^8(tF~%& zd!LL-&G6Ac5B=14FZfe>m#3`W8lwNx#M^xC)sNA0ch=s{QrW$br5s~IgUppjubG8t z1CJZQSO2$>H+A;AEFjxjsg{4C%SKYO|E+-|Fej1lHKh6p$73we!!I?_r)Dp+EBo@9 z=gmR?ZJlXwPJemT|KO?mg(d7crm7#m^Krue+G6bygX!h=s*tWa8*wzvr_uVh5TnXh zy!G6I}0 zOHtp40br!EpQoZxzXa|$y4o?V^Q5kb>5dLOC&%2N1$JZnARMj05k|E)QM0|4)N36E zxBr$Smp4zNnh8|KyVEIRfwY9Uo5Am~e;XJ?Xr3i2R=Vy5o*?BoIm3tZNy3qyI;IaO zd82P{#Ctp2e@Q^Psf2=!F(lP-cJl*7wf&OLdR*!JR$0`@Q88GQrQJ^>(iAhs5UUDk z_b}Z}scEETe*_T`JE!gUJ@a@VV@=)dONakb$kEdczvaoc+vS@SF*wf*PSjh#^^Yuk z8*DwOe%o)KNRscozdQ52h+cb{LD_dmGSU~|ddZ?1b&pEc=V!af@_$&5R@rvYP4{_t zt`?A4_x01b1!SDffjAiB{I|mgts%v$j`h0UjRb9cC4>w6VvQ#%x1raK52QVz)Gl_O zH>L_V=&+sQx<7dnvr5!yL$SxVmyvDns5YPhct&NQ}a*J9f>Dp!1^Lq#y@$|pNR>;JZ5@p?exPtX4hY}%Xv4=|By``b0Om$Uh) zRlMNTp3<#7qzHDS_}5e4gWzAIgGU{jFgu4QZF}Bry$K|s@-SkCFYKr!i3~K2G4h|6 zeWlNiFQqd_8{fn4XWMmx0|K~>(Q7_?yp_sP=WnKobd$%*7keW^id1Pg?w@9v2W@X3 zUj{cZ5Re0fxHoyR{2h=aKdnB=`{Y*%brF9cfj?!Ep&)2jwCys;8#xh}+BFn_>Y(74 zC5GA97iE8C976$+$aBNxsO|QdV4R0_8M3#$YjfVajwa2`NmS0LXsPKqpZ1Q=ndcJ- zhJU$3M{ABb(*?P7R91;q;)C5$8x-v6Z#bJdxRCEdcJ;4IHy;(b>n62UAP{*?aTK(H z!|V&-JQ0(D9d10c@5@TLtQzxiH6v5Cq$_QUH$UtP&XJBo4%1orH|;M|gX+x+24&wE zs&cDx5yPI+lfRoK-Bgn5k@?q5a!x3rbYIUxc}zx0Bx%JVeO;_DyWZDQRq5Ga-qczL){A&SGgrg+!yP zCv5jo@u?IP#tGL`d$31xDo%{VsbHgedHvF{(D7Vw?HB3yB$N~K%zZoil5#F?J<)tR z3AE-aEHDc*3vaj*@`sj0<;`dNc=iOnO)GoX?LLGhvfkH+;kxyqD!u 
zKMNCI8OgWJ>ymy?Zjj_zRW&>o4^n+@X|7XREBEZwoFJO4YkFheVHs`q0O#CHYan4g zPYezyvoVrPbz*yIvjDu~{73htB>fTLmu^p4RcYY}23OIe(uxV_XbZ2|qN2Xm*EB7* zcQPVFS0J>S-##0KbuaCm>$6-roP@kCvWJDNsRMNiMb61Y5d!wOgWG+UX_xw3#zn#> zRO^{dNN&Y-Hpl14h7`We_LPYe-CYj_eX%~DDFv4e{~L3X(xzj zIbP9^*l(j~$Xn{VLj@*s`O0!%I7(V3mx?kQZ?}N7bH3?b4Rn1MI{UW3bFMaen!}{< zA}%wb5z_ZYclhkjxFNs>xcDOUaeUn0_UuJ@@>P(-&Hu)BOXdpb?^^TbZw>!e)qW;} z@bacK^BR-hRQ;g(W@B?^fP(A)hxwwVYJ(|5{7q+mJtdua4QkP1P;h?fjtgn;t-XD3 z#P*fE)9H3+u9e9iQ?Opvv2hd+YWf=1`8{1sBQ-e$5C(XwNFPdJLK|to!rc~ zT$~qY&9}aG1W#sNnNHXEI$oXWHE)84pw5A$*D2Ep170})n%1WjNI_?&!OKY2yYSlg zx8Ek`4n%vMJnZL%w}I7U$ZtYSFYd^TyCc^k{hn~Ap+3?J#wIk+4D2Pos=aBc2=-$4z1_392MIicIuS= z-C6)2I^rTLfDa)<(#(0-1wAG-q+1E^eQL4I7w=sk!SAQ<#_kTckN4=X)ajTcfGeE5 zLc)<2S+9uMUKP<;s2ZS4mJ*$rX(BxS@$PGYlt6cT=-AF#Fs)G9JOpX{voq@f38sR{ z)xPbv?TpsYumx_9Em=e{OCSXj!F=dA50A827QqHrh`UOFpPtYO>Zx7vDYcQKIFn*& zm+_(i?pMWA15Nr{lv&@yf1Z$uE!d))qT_yz2PppL6WCR>Iu{cPgn6fTBL8>x9sK@h z;y(;f#BBKYi^2eKd{}Wb@AEsap%VF>n9+mp)Xz&H>^K_zfSG?Chn0y6iubL>1SSid|cD0?6M1xlCUs0=d4PZdp#8XbTZx%%Qi@zWf9a zDk4#OrGBanDLz-RUfoy6)j_XQZWj}-6n?A@uDW@yX4BzaCmC7FgUSm>ML|3Q)G&+Y z3-s_U%Ct|*gpW5#oPl^wro;LNHUz1Fs|~9J-N(bb*BIKL&-=xKt2o4<>X*@!=+~S1 z_aZL>m+f~DAlYzdhi7AF`35ifZ~mSelu8r))wir!GG4Nd!DB$JH+w7!Xz__+l121X zvuC)KH7z3*C{wqGQ_8-E8S&I3E4qFg9PTwSl{)9STPgv`g~W8lg|0ig}onUD@8v9SQoL_$Up7 z9A3=l*Wac(vk=0^eb4d!L>^V&HwqHJzVaqg>}H*H1`}KV1Z=fro`CiwX7tC1&oU)q z9L!H$lsr2m&u~J1nfQQ0)6m4%Y|S|ANr&K)*|O+CY<=|-G;R&mIcq(`zKddQPJ7H- z(d=VUOt+5VL%Zd6E^VW(wZY=Eh|!=$d@t^?-e-Yzh!@0T3lcz#>leA2_I1-X~jr_K@Z=F`NB=ow6yJem!S%}&r;dPQ1sNlE4;0cC8hb5QanG_{h=+!>$dV`pVeEe9Ks-H1usUFOeM$ed09QQcdq^SE9m+-iw z_#(Z&zKxx=Q;AzNwdLR=)#VlNYo6lvT!2!YRI-%Tf(K`96CLaY$i{ofm(AU&s_HTE=xOj`cuUSi@Nf|G`2NEF|^-+~xFgoay?vDXA_X89T@`07V<*G#Ir z)D%>38w`i`vK-~dC~V08p(qORzVTC#7=D) zvdP@*+>V3wX{Pc0I1#hd(dtx~Q2})FVM68jEI$xp7R%5Io$0H@KA8je#WL0=HiB7y zD0~8v;ilDWa5-dqZ#8!s5eJ>`k#FL7iT+NGf~WU7#CaX_uK0&e`@Z{A2rzctk;Dyd zxd|rb%^XkyDY6ObCg=s~Z2sBJFoHp>h!yzl;w0!6aBas!D1S0Z2WhZ}RcVvPx49c$ 
zJXl@5CB(2JU3k!b7O|!A()`iK&5)PN{`xuTZ@_35{~W)waNy=H|V9EoqrF%IFMY9t7NvH&Rlu5G6uid;T5bw?^9a+yC z6mE6uU8>_vQwhQ6v0xABYCy9nb)vVAUkU`a&yu zP!Q{0VN%3G!0rVr*zgxIa`k2L2pnTq-L9glJ(qx_Gijm+adw#MpYEc>5Y@C!qtX4N ziT=}dPGe_UfA;;I6^5^TL8rHP}wh z(@sN$E~BZvgH2fRu}u0%BwPg5uG5BWV)wgn(7?|bpWW3_0aA`y*Ta|kf?D-ph>pPb z@>1I(TY389Dw(W=yuX|!fC!5)fJ9>2urW(oL=E6LF+9l6pFIJ3f@;W=i<#{kQ7kpv zdOxy9#rNXaQ+$&lrSp5ZCaY>e)TUBdyk)r{tNl`0Mm%)!t9qDjw4#Z)<)+Z!_w*uk zYF6>B14Cw1m<~l$+iv#pxHiPl0FS8D|3wV`FF_bOEtq~*?x+gZXCiP99fozUgCb>Q z>%#Oi5$vWTkAe@<7)#O8Z0@oLQ1AFP`l`O>CrEx}~ZV5=jO& z(0gq13f(r^Axa9OW3jJzhZz?GK=!9tzjz3M%HW|%Q(0Lu5NvCnonhgcs>HHYI4M7R z#6$23hbY|~nS5;)1&JBqVpKK6RRr~o@T1w31GPzSbRo;3)2E&;Pn*k=cuBIq4*VV< zk2|^YHJk1x1*C)cFHHq^oBgzeX0EW!wS59`w%#W$CVE-`S8r>3-%9r^HFXGhPP6mf zB-bMZbK6!M*j2XPZY<3$Q6#T${?Sy6Nk49>`%aBsy|F}dOK{bmnswsa$eZH&)>@L^ zQ6VM-SzXjwGmbRi)gz3c-mna~7fbz=Bz5x62DPtWvPDD;GuaK1eddZ@^1HnW5Os=O`qiVfys@+;7Ypqj zfR~$M^7Syn0qH_`;itb!$qWS8*-G*(t}f3zd)nKfj3AC)%%T1SL$(UVT`A-)cGADM z%?as}2;G4>8ViBBbKi*kYMIhTeh;M3r9Y1Qdsx}Nm-9LgR-VOMJLIsz-y3jZwP4)Z zPcp(%A?B;;=8Myh_`dg%{PUaqyJz2#Q&z;|2zKwCjNQlGC43^ z|4CAn?oiSJcg4@LqZuWe`@>KsZ~kkFAbeuf%?L+V?Mlnts_&6Tb@gpZ>GR^9|Ft%x z<*Mb^8I9lrSi$eUye9N+HI&XFOSD@B2|5kfM^e*sY*?G!t>=BScb0^!w{4TOb0TW- zRMP0sS-eW)KO}(iM%B4@F|a+PXdV)n*TBDNHkGaYo*xq^ zTXTLW(P3D$)qhdJj#d0n0BhW~>^jJPaK7>31qvOcfDa@=rdL1s-g5ooTY{`g=OxLx z6v(5qnrn8g#@_Jbn3i~Cq)L~Yj^kYtw}JlDMksmlG|VQ+bt9s=F1OGD>#aVgZFO}) zRiGvA(16eN_ORuue_V6}Of*|s6&jj7K&Lh~Y|BXMq+emVuVbRe=YMOhRLh0USS{+x zIB7MKpHihZcjGYUaR)S(fnG2HMbeqm7OQSD2l5ItufBt_J^w; zZ8;EL*Nh`Z^hkH|HLJ9vJn06H|H4OH#%XVtmPk$8E!0w`kmSeAj$BFx&5f_grkEskFhON2QgT&YURebY z0lh;31z3?MmrfZU4PPVy>c(*M9K5zvm_Kk=0Nza{=vGzudbr3`<=LUe=B7`XoXkW( zTM~w=LYBW3$g8`eH={DR=C&G}XMc{bI83!C*5-1Y_u@GeuDk3o`xveodKha4Ty$}< zc1CR>``WE6VvkArFS6rCB>6Cn%?$y%XuVswjn&QV<=dB~uN$=-$F%aBOWEXA)!zoA;c@6+<}Q8o z-l#}?aB z+f;U_UD20Z9PSuqv3p_aMF&y2kIB>L(K04$aJ9C3od)__xs7{&ZBdV5)!BAQ3a{f^U6`t`Rz3a8;CnK* za%IZs1l!6R>hJ+m_QoAIKa36IdU+G@wX%eI#I~9I@HEGFKiP$Y>q~vkx|R(0AKM$! 
zY|}}8Uq>n7|8A^&!n>yASY)1ocPjXBeThcnf%^WItb{QGy=}OT9wI-u928EorC_C* zhfP_xYxQZ_^qD3-bZ#Ls0&U)4cU#e1o)~RdFzUtUv`-peVY+|MpD{)3d94fg<9~n} z4}fXm%YG9J%n1p&>^DYIW$T;iA!(im8geu9uE0}!!1{q^cH97gCZsh-DEC*8uBoXf zL-YtZc%F9Xlo7Rso2-T18Mq3sgrQB*drah$4aW{c=A14Ickfe8toIy@nV!reSpMJm z4sj}Aey|293-%O`Bd$n^`MEHz#jfEDI;Mv<`{F@Z5}F_w07)$5h(D@<7^K9pAKD&M zEC0ZhmJ))cx8;nznMx~k>Q>>IBYm8yTVbf}#s=qv zpsA$7rs;UPR?x|S%Ma4+ZoJCG zFndnCc0K~+|5>r++f@2w(R`!`XwN+x9>R`Zygzo~Jxajz4k+Q`zG3Hmp)2HgQ z!z+m_cSD-*HONNC=Ha0)`cm`3R-rHnLSJz|1bn!Jh^%{QdXO;vsikZCQi~ZdxD^N! z>Phm^qg``DE|dh{U#8$(jLqIY^1LWH03s49g7oj7=>J&wSC+ZIBF&5iFl*xzzZd6r zP*MO-QAh^-Sg{oPOx()9;l+sfit<74THZBJWC6Te>ZZtAwk~8pd0p9i$~>u`6(eWB zNjjO68Qm?oNb`}!3{v4G{)4$j>H$qhL{C-azZ-~8FrYD>spa7fp@@0~mjInh{ey3B z`~QZO(K6#(*jg3ZCGdnv%!B6+`WIdo3+sL9D7+Qy`YF7Gx{1!R49dwC(~gb^jt^8x zzk+C(O9FS~Rkwt6z8rK>0autuww;#v(2sf}*G>$lq!4+ML}(kdesCskLlAN7< zX@in)XXvB_@FF!$IOjHb$+A7f{ZlmyzUg=}!b*_pb9iUZ+n*{Cx6UnJ>Xls;6=Rhv zS@8Qv)n;Jqn`TN=V>%s#dx3M+FDAvcP?uC$k-|~>L|F%^x59q5*p5b%5puyz%N}3e zj~cUPkdkIh@`$wZ*1sX`}Rg`eZW0%eM_INLG-Tu+zG)hgGSk zdM9M#qskg8r(HiEqkgx9lB6+Dc5y2oCG}TbF;PDEnG=X<$XAKldanS%)i?7LCN$m? 
zcIIiYHLd6qH=>Ij+;-HIq05;sPZ`y3{7)Jf6EK_h*xuL_rs&s%VZ75jg7AMK(PpZw zam_C6S{epUNWwS0ny8cEroJ8Ly-VsXdZ@VeTOkUl@U!}Ek``UE=)q4@`-w@0UrA6A zx@l+66YY@*I@VQ^)XO7ju;V)20J`qiqs)8e-Zl!dK3%%1m;@=U7&>-=3JqVV6OouD z^QRC*a|iv&x-bYyIwr_~0cwQd5EFOqGs|k`b@z%BmOyYL1OvV|+p{lrcI5}bqv}#` zxDk5I2p)24dk3*NyeOy~xC)B1YL-#JJo0r19A5BX*o`Ba#ZHhz;o-Ce#!sAqNww`y z|G4{Qc{InaEelU_mM`uEj(Xak&f#|bP8-}qG-e}a$>I=6>ONsd%MBl8qzPr%VjGgr z@piG4a$reL;u^2U-hsK?UP%4BnSaJOVSj>{IS?6{@Uz>DIsUWk@xrv*SCUjxa`k;R zhmKcBU{Tbm8Bc8Ag05CtD&*EX;7c{r8z z)IyheH66adu~4Vh<$&UIjQ$^|VR^N~-=dk?Ks@c@_y9TS>vMt{VOH28ZcDiQeBUkH z(s_IeyRpjnd*~c94-Zvpv)4;m@!tNs=C3fxiZ!*ZA>FK*hmog#0kpu0- zFs4z-YdSJSQ}dxo5cc{`u80f0+r@UIfQ`dD6wDuGdoFtzRR%uA#Kmg!#g;XFN3!#_ z&Kjb|^3kVB%fCf{IYQY2=_XC&o{(o_PjmTc%(g-pOFOYejgiar5u(x|y)(=KI)IK`jJUl3S zT}^I+9VqLvwK*hXswRIoWb&Rvrh-2QtB=b`0Q{{U&SwAvJyF#=q>xKiup0pXj2uwruEnA#Ky;jlwA|ArzMn znf*I4bi7ZZaw*C4$%-l&FiS+&{vu|Rh&saIIb&t zmBU71x!!Vy6%{eYYUsNE!7NFe028`+j84%tfP)t^z4*eb!hcnMC7Q}_NL#r*3Nn43 z-d}z`zSUQG=PT!#xcv6PtDod=aj7iIue?5GUnpX zbs-Mi-m=_ns7?;o<;eW$PgUeBUC{Ao6;>oha6|Kl3W$IPjr zt%`1+k9=c&69M8*l77|5|xu}NLKk~gJOg8`9fGtZpILJ zax4XbiR5XmaXTPFW^PjCHJ}LTy<0Sl)ud`#BBhSzV8V;;MS?N^En1AzW(MO{m=z(; zK};~&^_P%fO+DPAqj~wmam}L8XJ*NWKG;*}_TV2Ba1}Klr-R|-%>eDd6toS7V_0>uv4d!!v}yDpcEl^qzn5y_>> z4;xvWm^E6$ThI@}P{Sy(L5!LE5r7E=;%U@LYJ8)QqRW}uc_XBry-t!AUDir_?Vq7` zq1ar0t9hb0a9VUgQ~c2M15%i8n)8f|t_Jj*i?@cc|3A9^I;yQF{QpH;iWYZ=;_ei8 zE$;5_?wV3c@!)R7i@Uo^aCdii2oesT@AsU0*YBQn|CnUWWM;3Got-_;e&qEYsYsY= zEvms`m?7R9`+2w3HESc~NxUV@!?2|u1pPCC5D}4ZHsB?qPmBdPDI9}%J}gKvh92H8 z(%@B}phOF;K1nzm3ne!W(L1SAds8T1p3`zRB-=P#a zV%tVF`03f0ZPV)f;I*pn{Mw!i4rS9SnAf+1MEh-bO_V2-e<(+wzlE8`OR1H?Q7`{65k{XSIn zvIu~*?R2hJOgzGBg&Vyelt~r-6j_2?RwcDxmo2I-KM8kv3Smw;VsHcI>Zvk$Ctbuy z2|qUH7X1m5s8s`EYJ)~WN+kU8b)va2~3F|FD3m7l|Z zUkYLUGjg)H$ibfL$lr#lV$4aEV9?~82zL-*OBm}R_@$1CJx&4|q5P}V0Nh_9^J2#4*jgy0NjQ7C)f8>j5~eH>1yd3A6fFArOymN5n);bt7w=U``LTA|+&(+hBkl2mMv^o8(oxPwjTh$Dgb zU^rkQ8D1jQ_3%$Wa_CvzP-gR_@`6w$hmHsN%@JRth3W2G=s>u~8FMNo=dQ+`Cqi&+ZNzhkT6<^Wc*+# 
zcwGX&ix3Fpr|jk2Ome1H&5zw(n7$K7I>_ffnU%7OSg}{ceHxd1NF;qquYPFOelHND z>(+a;Lu<67Ye3^ZXSrv}d_PEg#eClt>%G9wm^QASvE8?<0gH~i%!&uqinTNL`<+T= zzssU}aHQ{%Xu=^nfAduk4Yc^SyQYlyFF5X+)UH+yuCtqd1`=K|-#e~-Kr^(~qyvC$m zDtB_#ly?@Yk&m-K9i3^{-y z9_i_LfsnCZrFj&%NAuRZx|thz{O7p!PhSW=(n8yci$B;Rc+NVw4wHPKmbsmr?%LhA zp(cNONxh3!`e;-0i?Xi&ioxuyVD79a+>%td-)2~oow7ZvdVg{5&IHmvt9eZq<2hc( zrY7nOpbjG8lVpNx9Qg=^=$2FE3L@vEZI7WYNzUvlP1i31!@Vn++qlgy$i+{HS&t)d z?wvi))D^sh&UbHTy?{$RG@$>bq~VF^bPuC>J-zsa!uq{6rCTDC4_b5&XQyt(7apeO zxTY2D9y6^i17cQkpsVTG;3$te_7-l_MtT3^3zK(2$$>y1kS}(uO@AjZXI6Dz3Sl3u z{iRvQ{VmiDLCKyh)=LTL2d&n1BKD)pSSr zb$4xOseB%jazxty#9+@83h`4lx!cl9cbgOsrzN_gOFW#CGrh_vUSCtcLm_)SH`z6_ zWKUnyGf|00I{The^!?ZH@KYn)$Iw`hKIP-`#wSn-o+|Alj3vpbE!~<{uxnxZ-V*YQ zaRu(>1ulgAy$01I#hE+fi}y>qo}w|gjLIJ)5q4+S?Qs~^*i~z1OslP<>!!`Ct;%&X z*88C3Kp>ExvgCYcFK2Q5F6-z+3i-o2)w=7ByRTdCau^<%cieT&a<5(Q>~5Mf->V*6 zuTieMHhwQqsX5y{4#Pv&$M0SMG4&75joA|bLRVWL+iE5br$uSS5BkL`iwG-wCrcA4+Eugmzbkp7MFgv^2W(=#9 z0}q?^Yvw_J*VL+M{p!(yhqa^Yu7L+Ij#cBT2USDsO)6(v&_}miff@b%%7OLZDx6iC zT6NWQzj|Q3O0oXRQorA%ZnZ(R7L+@#c>vUB+F9c2Y191^#-D+5L0{j5f?w)^_zy`Y~>DSz0YSqog8S@XRX?V1_OeO4Xlc3W-LJTz^+|0WNppyWUx zke`a=T>0+92VnR-fRPTyfi-=CM^(y)=O^!m!v`P`2;^Uroc_g$pF2kt!?4m}V)f$n zKKNaPKp;Qij0t5nqKyHWR%w4+%tpI^Q zAduT5Inc|2Kp+sv?U5YVu?B%aAP^`y5C{YU`B6y@96kVnKp>FYB{}d}4g>;$KyC~F Y2jOrk>9t=NRsaA107*qoM6N<$g8jZ3eE Date: Thu, 12 May 2016 08:31:40 -0700 Subject: [PATCH 010/169] tweak beta disclaimer --- education/windows/use-set-up-school-pcs-app.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 3db61d70bb..f440a05dff 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -11,9 +11,9 @@ author: jdeckerMS # Use Set up School PCs app **Applies to:** -- Windows 10 +- Windows 10 Insider Preview -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] placeholder From 2160697d7517c8c379fbfccacb8488badb9aea3a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 12 May 2016 08:32:40 -0700 Subject: [PATCH 011/169] updated beta language --- education/windows/use-set-up-school-pcs-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index f440a05dff..cca8ead346 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -14,6 +14,6 @@ author: jdeckerMS - Windows 10 Insider Preview -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] placeholder From 71aebac2d82a133debdbf50afe8592bd25ccd5f5 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 12 May 2016 12:26:33 -0700 Subject: [PATCH 012/169] add video, new topic --- education/windows/TOC.md | 1 + education/windows/index.md | 1 + .../set-up-students-pcs-to-join-domain.md | 19 +++++++++++++++++++ 3 files changed, 21 insertions(+) create mode 100644 education/windows/set-up-students-pcs-to-join-domain.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 2b8b527b24..99abf98502 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -1,4 +1,5 @@ # [Windows 10 for education](index.md) ## [Use Set up School PCs app](use-set-up-school-pcs-app.md) +## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file diff --git a/education/windows/index.md b/education/windows/index.md index 4e759a8208..8fe3a1d3bf 100644 --- a/education/windows/index.md +++ b/education/windows/index.md 
@@ -17,6 +17,7 @@ author: jdeckerMS |Topic |Description | |------|------------| |[Use Set up School PCs app](use-set-up-school-pcs-app.md) | Learn how to use the Set up School PCs app to quickly configure new Windows 10 PCs for students. | +| [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) | Learn how to create provisioning packages to easily configure student's PCs to join your Active Directory domain. | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md new file mode 100644 index 0000000000..c16073de0f --- /dev/null +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -0,0 +1,19 @@ +--- +title: Set up student PCs to join domain +description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Set up student PCs to join domain +**Applies to:** + +- Windows 10 + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + + From dc4fdde96ce65deffb54fef57300a0e21718196d Mon Sep 17 00:00:00 2001 
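Review bot: In the [PATCH 011/169] hunk for use-set-up-school-pcs-app.md, the shortened disclaimer now ends with `here. ]`, leaving a stray space before the closing bracket; end the line with `here.]`. The "Applies to" entry stays "Windows 10 Insider Preview" from patch 010, which fits the pre-release wording, so the only change needed here is the trailing space.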
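Review bot: In [PATCH 012/169], the new set-up-students-pcs-to-join-domain.md uses "Set up student PCs to join domain" in its front-matter title and H1, while the TOC.md and index.md entries added by the same patch read "Set up students' PCs to join domain" and the index.md description writes "student's PCs"; pick one form and use it in all three places. The new file also carries the pre-release disclaimer (with the same `here. ]` spacing) but lists plain "Windows 10" under "Applies to", where patch 010 changed the sibling topic to "Windows 10 Insider Preview". The subject line says "add video", yet the diffstat shows only TOC.md, index.md and the new topic, so either the video reference is missing or the subject should drop it.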
From: jdeckerMS Date: Fri, 13 May 2016 10:20:21 -0700 Subject: [PATCH 013/169] new art, new content --- education/windows/TOC.md | 2 +- education/windows/images/app1.jpg | Bin 0 -> 34004 bytes education/windows/images/oobe.jpg | Bin 0 -> 27689 bytes education/windows/images/prov.jpg | Bin 0 -> 17796 bytes education/windows/images/setupmsg.jpg | Bin 0 -> 23035 bytes education/windows/images/signin.jpg | Bin 0 -> 5667 bytes education/windows/images/signinprov.jpg | Bin 0 -> 22869 bytes .../windows/set-up-school-pcs-technical.md | 112 ++++++++++++++++++ .../windows/use-set-up-school-pcs-app.md | 69 ++++++++++- 9 files changed, 180 insertions(+), 3 deletions(-) create mode 100644 education/windows/images/app1.jpg create mode 100644 education/windows/images/oobe.jpg create mode 100644 education/windows/images/prov.jpg create mode 100644 education/windows/images/setupmsg.jpg create mode 100644 education/windows/images/signin.jpg create mode 100644 education/windows/images/signinprov.jpg create mode 100644 education/windows/set-up-school-pcs-technical.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 99abf98502..fa05afcd2e 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -1,5 +1,5 @@ # [Windows 10 for education](index.md) -## [Use Set up School PCs app](use-set-up-school-pcs-app.md) +## [Use the Set up School PCs app](use-set-up-school-pcs-app.md) ## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file 
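Review bot: The TOC.md hunk has no entry for set-up-school-pcs-technical.md, which this patch creates (112 lines in the diffstat), so the new topic is unreachable from the table of contents; add a line for it next to the Set up School PCs entry. The renamed link text "Use the Set up School PCs app" also no longer matches the index.md table row, which still reads "Use Set up School PCs app" and is not among the files this patch touches. The last TOC line still ends with `\ No newline at end of file`; adding the newline keeps later appends from showing that line as modified.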
diff --git a/education/windows/images/app1.jpg b/education/windows/images/app1.jpg new file mode 100644 index 0000000000000000000000000000000000000000..cb7f4991836d2d930995a9d56fcb27e41ff71c01 GIT binary patch literal 34004
diff --git a/education/windows/images/oobe.jpg b/education/windows/images/oobe.jpg new file mode 100644 index 0000000000000000000000000000000000000000..53a5dab6bfe01da8909934ed8a1ea5bcf7b075b3 GIT binary patch literal 27689
diff --git a/education/windows/images/prov.jpg b/education/windows/images/prov.jpg new file mode 100644 index 0000000000000000000000000000000000000000..1593ccb36b6c841627424547a2722af005483fa3 GIT binary patch literal 17796
diff --git a/education/windows/images/setupmsg.jpg b/education/windows/images/setupmsg.jpg new file mode 100644 index 0000000000000000000000000000000000000000..12935483c52eca8648eba05e1e5d507b8c244018 GIT binary patch literal 23035
zQG~LtSlLbe0;{MzC-;qT*+u^_A0Z>J*FR+<&}`UXw0@5pSI43(x-~mm`G)<93Qtdy zU(O4+m3svldx{}{WeMoS3jdbmeQV2)icTDziCrQra?w?taNV*Nt1b9h^jJtd6wQ&C={ciz)su!JPDkMrruLoO$b+|oj6vZwy;u>(^QOt#q54-jNHB* zDK@fUsE3;r2l}&Eb2?uF>>O{!WqJgelxLU*6D(U_R1yxBWTaxNkU@2ImjKG8h4Ylj zx+4`OJsb#q2{67$lUA|xhzKl5=%(g!VLa1+@9L(kuROzABYd@Sl67Ii=|lhdr#E+` zbNUt@foFWUX7y2sxA@1)`g9to3x2C%rj@KjlrH!|J?2BxK)2Y-xLl@}?Zs&{_qjFg z9is>i^MI;M8R%T{3S+~I+%Dxd1`E7`gGZ4w(j z+Wn1k=lv?2sWSy_o2B&~`mzJ4vN)ucxR?4{2aml*lbCzho zjFMoF_nn8%*rvKPMw<5Nw4`B0t8drbncHPO4@s-_r~+oXvWe*G2GptfdSwd`1*L;L zaZ;5ZlMedWIL+I{TA5aC%jT-!%c;AvH*X-R`iig@P!t1o1x4CQHh<4rwQQ(P-|1!~ z2qhl3D$eP9>}hgC@|wu$t+ilty!M`MeFEv(J<$5JZgHkz2VP`hial1vPn<4g{MbrY zMO;RHDbQwKM4~wB*{s4}az@)=?EqCr2B*pT>C?qj?bC_HHsoH@WUocNjli%VDCoS* z#%G$a*Dw*1V2evcueLAU5LJe*iic-$PD$DW}Z;oq%EULg#dTu3Hr0A_sM4N?f~zql6icJY-)<2IK1kSC6Zq0a20bI?He0_xNhu>+Sqv z>=I# z0``G-i4!O$Yud(ireFPB$Ff8 z-e^3|u#k~=^(Q}@#ONeHMO0 zy4~n&$y8y60c_sG-#=&<>nso=5^@#(ZKmrWic<<5*YIx714bQ@HZ)@dInbYJn@4_> zou;$4`8oV*0B+azDy*LLQ|E1eSxCvbXz1W2;QA%Nl>yz>ScvoQwxt{Ii$#RPY^1?e z!3}8L7b;UNQLlfnDwyPuOkTP6A|AG)dhY_(#tW%68L!H)s2+E(3wa57w{UDDG^4## z9EKFjKjbkGY4&Q)_8%Bhlo*E6hyJ_-5IqPgAfdluU{Q`1iBb*^y%@FeJ)dTX#~?Yl zF#6gQ@23<%^A%0ztwd{s0jUU15ZLim@@8tr!MN^LWwdOIp&}gS1rt6Ot`KW9ZFZZo zvXS$j$|^Z0qKCE{xZ&lc2sz|rV6DzdRSXavzNFHMiqp%!$X4n5ao_Wf&tv#RthdFY zFxs(`iy~NR8V@0mVW`&M0UXF?|bXtqsf9ly?Ix;96K7Y;bp$eJT5;fcz z&J-*+0n1=xs}MTUnW^e63nGFJwfX`_zU6tc&Mrko-mgl4ZIX^Y?O%kUVLmz2{8R9P zk+aq3`pTsG)ajW8Ve4LtR4Zm7pPY#mPkk#3CAr13V8mA+>e=_pA!)>IqHEi>f*A5- z)F3oc(GA-`wO_Cj6M2AFah*UgM5}=r%6bB7`>z;|-+N^Tu=ei4>)@D{ZIrOK2|c#g zC+2z$oUyXt3P={BTa177gh_a#E1*!4nxC96=^jJ2r*$gD9nX4TeO0%W3YpIqOhw!v zelch#Lkq^iIC8l2G-z7X8|$1Omj&3>p<#K(yhdULqK0|^nIQJI=s}mnt)|q7oF(T5 z|5Qdr-@**l@99DAuy^|#^1=OikKacud~qx$&sA^-Yllu`4ve>cSxDF2s_}=VWWY|< z1|PhtsHhFu9%9W!cjsFn{L%o z|8@EHz)+a>7t-d6pv^ewa(3G_T+nhemDkzXnFmfIm?MZOX3ubIpkt-m$|QUO!qxm( zEYF3~|8S{Z^S8!BT*(SGRj^(Irl7KbH}qb^Bos#6hPB&2H$B|Y{XREH*DEn15xuRf zb#4{>2;=`g*zxN&CwJ1S7Vd3D0u2})lEruKixzs)c;n-`*}5Uqx~+WW{Gj+ynVr26 
zwONuV?-W4~=?4w8E#d^l4;GKUuF_98^Yhzk+F63~EW(|Dvt=mi-C?E}>5mv-I2@&l z3#?~iec|S{fj#P0jFvV;cz74dG<99&v)-E%<|vjLWDoS;rN%Is;>tXTuiYK98=mFh zCFT~jkN^=U91l&E!1d#K5^a>2;d%wjc9HxCEzV5Dy8cG_PL z38nX{7$uY=zmwkFyaVulYuv^ZI;kp;6EAd@C7N`Z^yB0OQ=LPzR;mo98C9Irdi&Pr!YF91oK6tK6LVTK6C1P(Av#0!XV_0?s1oA^YhM8L|xfUUZnl@ty_}RE_&~=i=6pvz(rmI7%{hWxN?rHw*k5V$#R%+atP+jm$f=Un@m*1wy=xG!ZG`@~ zn`?z?C%;8Yezf2e5C0QWk*^XwN#IGit2j=u5RN(OUF1&a@`Bpq^t)M23gaYo3Xp20 z`p)#8zf;F;xIbHxr|1N{dUUOw2ll#8aA<2fI(DhmZ%Jva@=0UeX?b!@P{qjBt68_F z${Ep3E`up9*)rqJekUFKl3&mI6ePAyt6ta7 z+zxmUauV=0>D7-_#PwP2I=*Wotbg$M%WG`P+ zN;Wi&MG0S^zWAfjq0$2-z9+XT{_gBnPJz>DlkZ4EsZC$8^-mY1NqvdajKPT^h|b?06?cTfrk&#IEVdXBPVusj!!n4*)mGt~6#x z!rAfq7|<#QA_4!fBm~}*mi8BDIAl$O^LGwSs$>uPzy zf?BN%>QjGBOkV{5=&`TaQd7KLyAcDc*J|DgEvbx{2GKxYAwCdDF;rg``9|>$E5kZH zT#P3kzVbbsjIZHjPmwL3uTGPSOYXgL>-XR*-|ep03+4Qd1dtZet%=vZ2nNH5XM z<0@y{`X~beQ@VHtfdhGWKhy6j7{miM>MP;ypeQpxWVu_Jv*#jMzqoazfHBIEGav4e zSkP>~|H00DTHSvj4?y}HAYY~Mvay_pVbA^Sd>^Tz=r)+ARkjth>jwop)VLq-6=rR> zm4Py`?nD>f1yz|~X|#SfA_jhI_xK>9J}@++5HI`f}q_xP-mpa^MSUdCbUgur`m?R_ukcCSHA(gx zSG9h*o+W)z*Tx(Cpn0lNMmLltf4WXbpK9US@s5-67Pf(WV{yUcwvdpv7TE*&&b7DE z0~WWO#Voa*A6jmW=wZ`SkRd+5-Ky)nhZ?<&JzM6+4huZ|7J!vSFV0^>OjrA$Xd?ud zlj*d7ddf6x)!+qHL0;~>bzK#`o&4;N2fO9~t2demhN5#2VJPb+&ifqri&GxmfVD}P z>WdK%mVnw9;8JZur^SV+6?72125ydK6Flcre_X#;-7+r}AdV zbN|X^Xo;H|fA+=|m8d5XFAQE~+OuCxh+m|xCB7yi#p?=3k1w=!?QV!FX}~6ObQ&2_ zwdy-qgGZS61xnTqg=dP=R#74%FL-nG?r9HiPr4q@R+I-M4c(WD=bMc2DxQmv(RGJy zO>chTq(-UTRiOX6W;Su6`dlzK8t{+lA3ca0pxXbG1?p|Q58R)Gcfxu7?BRD|118Y2baX?3XBu^*dehVz) z+4ymDYJyR17(;$bO$w`Uq_LFHzEfs8B z4=F*qoPmObD>MCU9n*;}EZi9Xa35-#r)Sw84rCDITkp*T zM)x^gcw@)Dgp-oDlA<>8bSHQv3{STz8wR$KRtA0sAvM6L#3y_O>3Bk~4qm0RXo;?V zUiSMt%{?)F6Tmw#4uP%1d3#p{8)NF<=i`W89v14Z#Ll1uXlxFBv zrkC}Tnn$0gk7zZNI4Oxc9;PfxpJ!vvH zZQZf3*(*|ieV^E{s(5=!Nb$Di!JFeSG*w*OK{V%)1+s~BL5bUP$b?N!(3m1xW%ovI z+=zCZE;Uvzp%Z>1R0@R4>xZ|Xi^A%vXdob?@hbd+oKg7xt{OISo@Arf$ZI)FaJ&7D zT436nV0*NEFSOvZlVH?WTG&Kym$ z`?A#Hx6~IIGaE&EVwjIcrvYwgxr)W6ewots>5DVfoR4GcU)EaJ_6|V5lg8&P)Rr{7 
zhfbD$B6>{QnCmBxMRmGV6|CZ1mbz-@a4r{BMRo8@mYlHOo~x>TB&*^qLJwRTJ9{@ki|pn!90jY z*O~4ty0xlX)bu4LK4nFhOKW6`=c4%5nNC^B3JM^Q{U(Yk6Fz&L<-Hd?X&)T`SyKYG1o%RWnnufXYjujU=E0Au2N*6q-CXY?yXGF3Ia+r!az9wP z?Oq*vy|8Ly`?Q|?t^_3aCquq@KUDBrVhT%&`4w>TMG--w4-;fI-Zr>$35W{4Up?+> zd)ISSF4DSBs#!Ygse!Jf8jArFN&hQD$TD>?+<7T}=@#KCVN{VRwmc6LT7VJP!#Nh3 z|5UqH=SHbiQrF?ZF*w3^)TMSa$vtA=&UetKn=_`uT%V1?uBqAPf1J}+w2?n73i7H5 z*_`;X*|jWrmQN{mB*RpyF?h(<;H$>P#!&D}%n+^4tkbO?Xj! zk!Sp^Cg7@_1&!I@a!qR7OG&{OA320aRjETe%d@$HDNu0sokhBM8!Mafa$m$vD=?Yw zf+|}-;My-bmmhQorAo?H;meJchjRofflP8ybq6$HOYIIj zq(gIW$ARjgLiTW45ch9q5zjrc_Y&=u9#xJqCYmD|(Wi};@y){g2Zar%Ee(O7yln+F zprhch)_F_+pzgv_R_dv~5=MOYeFcQ*_w2ri zvetb!vn&n~;^Jg9Z-;f|b|0?ncrZK$^XH(P@IZkGvmUpV67gAS`MPOQ)~AOx*Xip9 z*F;_cB?|67%7SfGht5N(@nB4^c(kg}DBi*mL-%Z=N_yDLVBEF5aycG!N6o(6vcvm+ zywcAxL%9!RAKZ?39K0Ux?L%GS#Ib#oaFp#lpZM&Z0zh852!1LO;z~T%vlZAG?sg{a{& z?jQ7T6`XAqd3X3`{}kx8RBu52%$ri?Dt01pj}~I2123{FHnwCHUG=N?-T8ki7c7Kb zGj8;vbH^8>LZyPKr&TFj(w{1RM7rnLuW-nUf;1=Vwub5hGt0kR=MgEr1PGI>o0&K` zJl9~rQX~*T9q10^1-eF3?R3`x6)Q@cZ{x@XvL_qzq5b=9fti zH&WC-^}&Uk+B|TxnD<1T&X_wbCL;=6Wr~#<9S0V+!xg}JJMN*`IKt$l<3F6 zt(our-Q7;=?aaqlp9=!3Ga;dS6|C_UHu>jbX=ZcApZn7t8r@jE;#fj4Dqm7klHB}5 zeCy9Rl^!fZEh)5xcM%D67N9sgR*;}3uen=ZUpg77S)*d?L=xniE?Qd&Inn*846Gm_{(En@6F zr{UH7GVZ1A_ZQzCXVR0R$ulf-{_6b3KV@RV0bst8P2`m5$!YL_?EiJ58)jK~LwQdw z#A)H=D_L%`|8(4vCBX7uWjH$la^E<8y%Mc(EX~*hpf_|s8*AQqa6^s%pn|Qf4p8?m zG75$P^h8;GfgJF)7TgY@S4HO%puJvc+4RpY$JU>?PF+AKP?92M=|Be9eF?aq8!cSE z_ODzm|G&%=huC)_i{e@ygY%u5+_2T9+tllG78dOj^Vap(k&$0(*{{5&cmQs@1cVFW zew1ATc+*zQ2y|&syqezwSElA(|L}6Yv27x$rU9q#lF3fSe$x{&0u9u=r@lZN zxHP#8MMbwsLdW=V$;AEog{4aXjRs!AtXKbxcZn8?&S<^_tOyf>?!tR<#9KA}6#)W0 z69{iYf$hOH>Ely?k=eLsHc*W3>_uAkY2GCu`3oG$!sP=0eecI5po<~+Ul}z= z$8AEu-wGhmk8_htK>sZb0(04_zy+;G6cDGoa0$TBL;tC&rqy#hybZ-4IzYUjSR*n1 zoft3tk8*I$5>IbABE}>4_Y+3{PF?T+i24D})guOeY)s&Wq8<{R+IyZsi5c1dEyLjA zbM_@bhO6ntMNT4?*riEd68<#pQ)vHxYi(h>5zHG_Q%#9NF(nePyR5kfawh!(RHz+}e#@Rc`kCq~SFCjCF}>>%QNk zESso~sqPmFlO^A`ge{I_n*zB+<3G~9Rih{fvf||5J!nxl7a$`2_%O#(r%M1;a7dYR 
z;0GN~aDZcu^)T6xt7K(-@#A~!?`{d5;w3bCpAwss50~=42bAr}xkKn^s0vOCZH2Y3 zMpwnPSfMi55#&|W0@;cO4smZpVGsIQ+8LIMu+zBy?BBv5S~xoY&k)>M zzYiH&Wzd-$H~wgqWVX?k1fIw_fy^@+eJI-%YKqrVt8a8G)jy%e*(LlLU!ifTw7JkdTr9v}NqBAIaYXJ1#KmqNfjRHbAOuB$aJn{sAB151OM$;r zz9;sFGO;cKad!PT${Khv=tMUD3lPOb$hriq<@_rKqg9Cy{kIm>z{|q_)~f%F&;#P` zjwILbvj1!&;vqww2N%R(ivF&D#k0#l@%*=mLp^7;Dt^IG6=hEJoJt~=iOD0dfmZo} zYZbwNME#E}Cg9c#L5~X^a|zIg9vTVsF4f9)L&LK;GR!an#ElMC2vqBBB46vIk5!Bn zWbnQT*}|iD=5Hhecqvz?DLBe@fq-BqOj-}IQTP(}7#Bq`j#0|brWI$xrinpj9~-h? zQ9=A&kFL*sxw*>Hj?l)P!dGn+RORSwOvCSKq<{GxGB@RB z$3*%|9LFaBL>nMJ0I{qd7yRkpfvi<{)3eQs5BucA0Q-Fw_Bp+B{EE&&=Uo@?+!r79x8D7ge|ncUi)BRr{t?yM2dS@`t%dzBYa6NEYu zNM}@KU1SN0AWBU{&OEXIl&GUNoO~=!+{Pkl_rfJuj06nH_gXQwY&Osi4|W`=ol~%> z1>^D7we5~`EmEc>Fl3~_^Z7Sz8)iM;58)yV7Jgsev1fI*#VB{_wOy%T4W3Cl7rhsp z;T*VKw+&Gc_2Y==-)5qjDrFLK~c!yb>OT1dX)IXS6Ed-F=v zP%4xm>cT(dQli0Dn%1z1fj&TYJ0SndZ8e`z;@Mg69C81vnQQ-tI`85(ZB}k2tcS)Z zNi{A{g_bbwBWc-YLN)G_R4(%jOBikVDw~O1R&IqF8WD?GGLcI|E|Y|6${2SeavKeX zhMDiz^V!|!^*sCPwSU0=@creyKA-RRe9!rO&Uv5D`J7`iCiv8vi$zBcoJy+G$|`p>*+w!;VM4oQ$dq9jh>C;w|?tg*Z&KFVv%Pk4`BFeFY~nJBtC zc(`Mw*hn`*_lJU05wf>pnX+ztm+`H@AqjyYt?KkB$6dl{?Ga393 za+C3^{qc-La4zJ(4ClpQ0*7^}EfJQ(=@kKlHPn1^Ncb+NjtgNjkw0}Vm257R4QI2= zMBF)G#lDmk#utnaZD6|!N8)49VtkX0GB>R8K#$;2=cfBX!dclzQIgvg3bI*-cogO> z|9c!{*B!ZWRrQ2ve*Y(faI!~~H1%lj-HOW%*7470_tZ^ek*DLi9u@(>bX z6AtIE%Um=v7&B=>%SUpa4O>@=uZ}?)o@Ay|n#tIr43?59A(%<=w>>VMhy~MF;4@h-8-*1$n*kv!U>5@aOl~QU z+zyJrcZ%0#5}`HE)O4BuWnT#&T-xQ-$CJ_pHvFsj6*dM7CPZFV*nFKI)b%{ZN}#1;wp|xV%_GI3t-RbhwS^_}{Z3 z%1fO%4VU@B@pX+UndMUpQ>xSVch_g`xKZAkZh1H;O;&fKBJDQ6BI-D>8&ABWY+qa1 zt4b|6bKxpqdry7p&+OyQe>j$o%dzlvJsZW|NPeWPC;Mf`huCk1f|1Q9Du^>QEi(nY za$mq2wOt9vK7G)L^BtUER=Cim(?n2}zOJD7vfeakVG_}e1|;ik@85ZAnb+y}ls<~E zf8r(_Bp99^@Tef0W|dHav#-$c1i%JqnhR|gVXu2@h?#WpBR;vk1kSCPdgXtxIXM4v zh*dUzg|27BPMgTwbEB*^N%6f(0GtP!^=1Evea1?;r&GV+_}w^7UR-=+LG2_jGP{}U zjjm@tt-6XjZ=U^qw~Jh;!&h?mFs&a!;Yx%#gsP?`#-PM5V=U#UW2r8dDfOi-r9&r_ z8>(6typEFl=6=FYYFxzMaote+!C1%u0fd7%WZ@#a&0AgUp`6mY7F1l^MY_cAvUPTA 
zn+v?-V&S9J{`JJ^leix|)HTbnTYHO2ym-wcqxD&hE@uce7y|S%fLh)n3cPYO^KIr+ zEY;D!ml1P*j#0VzqLOV>boWipCae{wjxd$>dRI*JVe`3Y3kj&vet}^H5G6`tAR~va zDE7z#qZsSQTD7AHFzYfttj)lkxiM}p^^AM#;H6Q1a5Ql(=#Ib--SiCNvf!s@EuD@` z+g)M*^tTT1tQ}YM#JobJ8_i_IO2Zkp(IIrPuhSt)h}*F$PfN}7_%yeSZP}>f<7RXH zH3?YXyTsEC4e129=!|1$f-%Z@z^=b+&h=`B!9NU2%oeRRn;Dp`nM-_~eVJ~YbO)2H zGj%7JbFQWsZR(mL*qK*NkfRKN16HKqxGwVrG#Tv!7fV1xN#7N)9Gl3%CEcJ) z@GIu)GWl$Q1?Xhi58}72L<4@36PycPm;Zt#Rt4DAR^prrZ+HXd5Lan`&BVIQXI!X3 z7x~cC0S2;>wYmj)3nIoN)hyxHh+i+dAF8Z@H(>*Mq?=x20Zs?E9({w?6k|9vvC@5L zL47f1PaFEr|A1xgS(kZbWFq}?UFObmTp+gcml8QwxY%MGv987=J8SU+pT=AUc8s5w8#VBUz|%?x<^ z18(q59f2vT8g6zm4=pgXwmf+)lhLVth+G#-9(j={rv@&;=;|0|{mAG?$p`$&G1CyZ#7n6KrFL}=T(<(_QwkP}$c<1716;Qp) zed(F#{cfpR9AU~e+PAEyU2{R7^myR$U7jfXo5XOmnY-x(MxTQ6y5&C0L*pPHq>Uv) z!4FwNv@PgI8umFMd^lHdmGir*^h^W*dLI#i@nQoGtq-aUhUKtAJ`uQKa(QVgY6@+5%3HXaK=eR_+7U|IYtwnEE-1`!dW4jx$-4 z|9!zNs{925|Now>EqoK2vXD4Iqc&7Jqy eiHG<9mrD#E|09>^14g<%|LySU@AyFLy#D}G{^?`@ literal 0 HcmV?d00001 
diff --git a/education/windows/images/signin.jpg b/education/windows/images/signin.jpg new file mode 100644 index 0000000000000000000000000000000000000000..ad31bb31c438ada2f1b57418eef16667fd781ad7 GIT binary patch literal 5667
diff --git a/education/windows/images/signinprov.jpg b/education/windows/images/signinprov.jpg new file mode 100644 index 0000000000000000000000000000000000000000..dccd7e98e2f123b8a1e4c17b2944cb9624e22799 GIT binary patch literal 22869
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md new file mode 100644 index 0000000000..0daa935fc1 --- /dev/null +++ b/education/windows/set-up-school-pcs-technical.md
@@ -0,0 +1,112 @@ +--- +title: Set up School PCs app technical reference +description: Describes the changes that the app makes to a PC. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Technical reference for the Set up School PCs app +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +The Set up School PCs app helps you set up new computers running Windows 10, version 1607. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. + +The following table tells you what you get using the **Set up School PCs** app in your school. + +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +| --- | :---: | :---: | :---: | :---: | +| **Fast sign-in**
    Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | +| **Custom Start experience**\*
    The apps students need are pinned to Start, and unncessary apps are removed. | X | X | X | X | +| **Temporary access, no sign-in required**
    This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | +| **School policies**\*
    Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | +| **Azure AD Join**
    The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | +| **Single sign-on to Office 365**
    By signing on with student IDs, students have fast access to Office 365 web apps. | | | X | X | +| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
    Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | +| | | | | | +\* Feature applies to Windows 10 Pro for Education, Windows 10 Enterprise, and Windows 10 Enterprise for EDU + +> **Note**: If your school only uses traditional domains through Active Directory, [use Windows Imaging and Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs. You can only use the Set up School PCs app to set up PCs that are not connected to your traditional domain. + +## Prerequisites for IT + +* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give her appropriate privileges or make a special account. +* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) +* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) +* After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System. + + +## Information about Windows Update + +It is the intent of the shared PC mode to always be up to date. 
If using the **Set up School PCs** app, Shared PC mode configures the power states and Windows Update to : +* Wake nightly +* Check and install updates +* Forcibly reboot if necessary to finish applying updates + +However, the PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. + +## Guidance for accounts on shared PCs + +* On a Windows PC joined to Azure Active Directory + * By default, the account that joined the PC to AAD will have an admin account on that PC, and well as Global Administrators of the domain. + * With Azure AD Premium, which accounts have admin accounts on a PC can be specified via the Additional administrators on Azure AD Joined devices setting on the Azure portal. +* If shared PC mode with the account manager turned on is set up on a PC that is already in use, existing local accounts will not be deleted. However, all other local accounts created after Shared PC mode is turned on will automatically be deleted at sign off, including admin accounts. + * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or + * Create admin accounts before enabling Shared PC mode, or + * Create exempt accounts before signing off. +* The account management service supports accounts that are exempt from deletion. + * An account can be marked exempt from deletion by adding the account SID to the **HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\** registry key. 
+ * To add the account SID to the registry key using PowerShell: + * $adminName = "LocalAdmin" + * $adminPass = 'Pa$$word123' + * iex "net user /add $adminName $adminPass" + * $user = New-Object System.Security.Principal.NTAccount($adminName) + * $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + * $sid = $sid.Value; + * New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force +* It is recommended to not have any local admin accounts on the PC to improve the reliability and security of the PC. + + + +## Provisioning package details + +The **Set up School PCs** app produces a specialized provisioning package that makes use of the SharedPC configuration service provider (CSP). + + +* Uninstalled apps + * 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) + * ? (Microsoft.Appconnector_8wekyb3d8bbwe) + * Money (Microsoft.BingFinance_8wekyb3d8bbwe) + * News (Microsoft.BingNews_8wekyb3d8bbwe) + * Sports (Microsoft.BingSports_8wekyb3d8bbwe) + * Weather (Microsoft.BingWeather_8wekyb3d8bbwe) + * Phone dialer (Microsoft.CommsPhone_8wekyb3d8bbwe) + * ? (Microsoft.ConnectivityStore_8wekyb3d8bbwe) + * Get Started (Microsoft.Getstarted_8wekyb3d8bbwe) + * Microsoft Office Hub (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) + * Solitaire (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) + * Skype (Microsoft.SkypeApp_kzf8qxf38zg5c) + * ? (Microsoft.WindowsPhone_8wekyb3d8bbwe) + * Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) + * Xbox (Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) + * Groove (Microsoft.ZuneMusic_8wekyb3d8bbwe) + * Movies and TV (Microsoft.ZuneVideo_8wekyb3d8bbwe) + * Outlook Mail and Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) +* Local Group Policies + +> **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required + + +

    Policy name

    Value

    When set

    Admin Templates>Control Panel>Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates>System>Power Management>Button Settings

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates>System>Power Management>Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Admin Templates > System > Logon

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates > System > User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    Admin Templates > Windows Components

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates > Windows Components > Biometrics

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates > Windows Components > Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates > Windows Components > Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    Admin Templates > Windows Components > Search

    Allow Cortana

    Disabled

    SetEduPolicies = True

    Windows Settings > Security Settings > Local Policies > Security Options

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always

    + + + + diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index cca8ead346..28442ed89e 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# Use Set up School PCs app +# Use the Set up School PCs app **Applies to:** - Windows 10 Insider Preview 
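Review bot: In set-up-school-pcs-technical.md, under "Guidance for accounts on shared PCs", the exemption key is spelled HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\ while the PowerShell steps right below it write to HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid, so the two paths disagree; "SOFTARE" should be "SOFTWARE", otherwise an admin who creates the key by hand from the prose puts the SID somewhere the sample script does not. The PowerShell steps also need work before they ship: they embed a literal password ('Pa$$word123') and run net user through iex on an interpolated string, which invites reuse of a published password and breaks on names or passwords containing spaces or quotes. Suggest a clearly marked placeholder for the password, calling net user directly rather than through iex, and presenting the steps as one script instead of nested bullets. The account is named LocalAdmin, yet nothing in these steps adds it to the Administrators group, and the section closes by recommending no local admin accounts at all, so state when an exempt account is actually warranted.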
@@ -16,4 +16,69 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -placeholder +Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + +![Run app, turn on PC, insert USB key](images/app1.jpg) + +## What does this app do? + +The Set up School PCs app helps you set up new computers running Windows 10, version 1607. Some benefits of using this app to set up your students' PCs: +* A computer set up this way is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + * Places tiles for OneNote, Office 365 web apps, and Microsoft Classroom on the Start menu + * Installs OneDrive for cloud-based documents and places it on the Start menu and task bar + * Sets Microsoft Edge as the default browser + * Uninstalls apps not specific to education, such as Solitaire and Sports + * Turns off Offers and tips + * Prevents students from adding personal Microsoft accounts to the computer +* Significantly improves how fast a student's first sign-in happens. +* The app connects the PCs to your school’s cloud so IT can manage them. +* Windows 10 automatically manages accounts no matter how many students use the PC. +* Keeps computers up-to-date without interfering with class time using Windows Update and maintenance hours (by default, 12 AM). +* Customizes the sign-in screen to support students with IDs and temporary users. 
+* Automatically manages account profiles on shared computers to maintain performance +* Locks down the computer to prevent mischievous activity: + * Prevents students from installing apps + * Prevents students from removing the computer from the school's device management system + * Prevents students from removing the Set up School PCs settings + + +## Tips for success + +* **Run the app at work**: For the best results, run the **Set up School PCs** app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. +* **Apply to new computers**: The setup file that the **Set up School PCs** app creates should be used on new computers that haven't been set up for accounts yet. If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. +> **Warning**: Only use the setup file on computers that you want to configure and lock down for students. After you apply the setup file to a computer, the computer must be reset to remove the settings. +* **Turn on student PCs and stay on first screen**: The computer must be on this screen when you insert the USB key. + +![The first screen to set up a new PC](images/oobe.jpg) + +If you have gone past this screen, you may have to reset your PC to start over. To reset your PC after you have completed the first run experience, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +* **Use more than one USB key**: If you are setting up multiple PCs, you can set them up at the same time. Just run the **Set up School PCs** app again and save the same settings to another key. That way you can run set up on more than one PC at once. Create three keys and you can run it on three PCs at once, etc. 
+* **Start fresh**: If the PC has already been set up and you want to return to the first-run-experience to apply a new package, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +* **Keep it clean**: We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. + +## Set up School PCs app step-by-step + +The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to "package", it means your setup file, and when it refers to "provisioning", it means applying the setup file to the computer. + +1. Start with a computer on the first-run setup screen. + + ![The first screen to set up a new PC](images/oobe.jpg) + +2. Insert the USB drive. Windows Setup will recognize the drive and ask you if you want to set up the device. Select Set up. + + ![Set up device?](images/setupmsg.jpg) + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + + ![Provision this device](images/prov.jpg) + +4. Read and accept the Microsoft Software License Terms. Your last step is to sign in. Use your Azure AD or Office 365 account and password. + + ![Sign in](images/signinprov.jpg) + +That's it! The computer is now ready for students. + +## Learn more + +See [The Set up School PCs app technical reference](set-up-school-pcs-technical.md) for prerequisites and provisioning details. + From d79f30b6b24a17cf44e8e49a5ec194029ea0b90d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 10:23:42 -0700 Subject: [PATCH 014/169] added new topic to toc/index --- education/windows/TOC.md | 1 + education/windows/index.md | 1 + 2 files changed, 2 insertions(+) diff --git a/education/windows/TOC.md b/education/windows/TOC.md index fa05afcd2e..f7d2916ea9 100644 --- a/education/windows/TOC.md 
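Review bot: Step 4 of "Set up School PCs app step-by-step" tells whoever runs setup to sign in with "your Azure AD or Office 365 account and password", but the technical reference added in this same patch says the account that joins the PC to Azure AD gets an admin account on that PC by default. Say here which account to use (the special join account the prerequisites mention, if that is the intent) so a teacher's everyday account does not end up as an administrator on every classroom PC it provisions. Separately, in "Tips for success" the "> **Warning**" line and the paragraph starting "If you have gone past this screen" sit unindented between bullets, which splits the list when rendered; indent them under the bullets they belong to.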
+++ b/education/windows/TOC.md @@ -1,5 +1,6 @@ # [Windows 10 for education](index.md) ## [Use the Set up School PCs app](use-set-up-school-pcs-app.md) +## [Set up School PCs app technical reference](set-up-school-pcs-technical.md) ## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file diff --git a/education/windows/index.md b/education/windows/index.md index 8fe3a1d3bf..a087ed8190 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -17,6 +17,7 @@ author: jdeckerMS |Topic |Description | |------|------------| |[Use Set up School PCs app](use-set-up-school-pcs-app.md) | Learn how to use the Set up School PCs app to quickly configure new Windows 10 PCs for students. | +| [Set up School PCs app technical reference](set-up-school-pcs-technical.md) | This topic provides prerequisites and provisioning details for using the **Set up School PCs** app. | | [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) | Learn how to create provisioning packages to easily configure student's PCs to join your Active Directory domain. | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | From de6e7c4f0c9a8f78ab40edbdb4069329e6e445af Mon Sep 17 00:00:00 2001 
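Review bot: The index.md table still links the first topic as "Use Set up School PCs app" in the unchanged row above the added one, while TOC.md and the topic's own H1 now read "Use the Set up School PCs app"; update that link text in this change so the three titles agree.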
From: jdeckerMS Date: Fri, 13 May 2016 10:43:27 -0700 Subject: [PATCH 015/169] tweak --- education/windows/set-up-school-pcs-technical.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 0daa935fc1..87f8828344 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -38,7 +38,7 @@ The following table tells you what you get using the **Set up School PCs** app i ## Prerequisites for IT -* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give her appropriate privileges or make a special account. +* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give her appropriate privileges for joining devices or make a special account. * Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) * After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System. From cfaa3f09c79802cd7db16b89eddb6d703b5193b6 Mon Sep 17 00:00:00 2001 
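Review bot: The reworded prerequisite bullet now reads "appropriate privileges for joining devices" but still leaves "make a special account" undefined and still refers to the teacher as "her". Spell out what the special account is for (an account used only to join devices, which matters because the accounts guidance in this same file says the joining account gets an admin account on each PC) and use "the teacher" or "them" instead of "her".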
From: jdeckerMS Date: Fri, 13 May 2016 10:51:08 -0700 Subject: [PATCH 016/169] troubleshooting: removed table --- education/windows/set-up-school-pcs-technical.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 87f8828344..bcf70ec786 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -105,7 +105,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m > **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required -

    Policy name

    Value

    When set

    Admin Templates>Control Panel>Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates>System>Power Management>Button Settings

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates>System>Power Management>Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Admin Templates > System > Logon

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates > System > User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    Admin Templates > Windows Components

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates > Windows Components > Biometrics

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates > Windows Components > Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates > Windows Components > Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    Admin Templates > Windows Components > Search

    Allow Cortana

    Disabled

    SetEduPolicies = True

    Windows Settings > Security Settings > Local Policies > Security Options

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always

    + From 5f2e84640e025ab7b70b260eef25af58728e5ac0 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 11:06:47 -0700 Subject: [PATCH 017/169] add table back with changes --- .../windows/set-up-school-pcs-technical.md | 127 +++++++++++++++++- 1 file changed, 126 insertions(+), 1 deletion(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index bcf70ec786..ada85a2a86 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -105,7 +105,132 @@ The **Set up School PCs** app produces a specialized provisioning package that m > **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Policy name

    Value

    When set

    Admin Templates>Control Panel>Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates>System>Power Management>Button Settings

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates>System>Power Management>Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Admin Templates > System > Logon

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates > System > User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    Admin Templates > Windows Components

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates > Windows Components > Biometrics

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates > Windows Components > Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates > Windows Components > Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    Admin Templates > Windows Components > Search

    Allow Cortana

    Disabled

    SetEduPolicies = True

    Windows Settings > Security Settings > Local Policies > Security Options

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always
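Review bot: The row label "Turn off the display (on battery" under "Admin Templates > System > Power Management > Video and Display Settings" is missing its closing parenthesis; every other "(on battery)" label in this table is closed. The "When set" column also mixes "SetPowerPolicies=True" with "SignInOnResume = True" and "SetEduPolicies = True"; pick one spacing and use it in every row.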

    From 814d15e57c6a407c865dd939f762ae9baab7e339 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 11:24:09 -0700 Subject: [PATCH 018/169] replaced > --- .../windows/set-up-school-pcs-technical.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index ada85a2a86..91f46eb988 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -109,7 +109,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Policy name

    Value

    When set

    -

    Admin Templates>Control Panel>Personalization

    +

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always
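Review bot: The subject "replaced >" does not say what the character was replaced with or why; in this hunk the only visible effect is that "Admin Templates>Control Panel>Personalization" gains spaces around each separator. State the replacement in the commit message so the 14 one-line changes in this patch can be checked against it.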

    @@ -117,7 +117,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Prevent changing lock screen and logon image

    Enabled

    Always

    -

    Admin Templates>System>Power Management>Button Settings

    +

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    @@ -129,7 +129,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    -

    Admin Templates>System>Power Management>Sleep Settings

    +

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    @@ -151,10 +151,10 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    -

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    +

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    -

    Admin Templates > System > Logon

    +

    Admin Templates > System > Logon

    Show first sign-in animation

    Disabled

    Always

    @@ -168,11 +168,11 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Block user from showing account details on sign-in

    Enabled

    Always

    -

    Admin Templates > System > User Profiles

    +

    Admin Templates > System > User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    -

    Admin Templates > Windows Components

    +

    Admin Templates > Windows Components

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    @@ -182,7 +182,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    -

    Admin Templates > Windows Components > Biometrics

    +

    Admin Templates > Windows Components > Biometrics

    Allow the use of biometrics

    Disabled

    Always

    @@ -190,7 +190,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Allow domain users to log on using biometrics

    Disabled

    Always

    -

    Admin Templates > Windows Components > Data Collection and Preview Builds

    +

    Admin Templates > Windows Components > Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    @@ -198,11 +198,11 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Do not show feedback notifications

    Enabled

    Always

    -

    Admin Templates > Windows Components > File Explorer

    +

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Always

    -

    Admin Templates > Windows Components > Maintenance Scheduler

    +

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    @@ -210,17 +210,17 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    -

    Admin Templates > Windows Components > Microsoft Edge

    +

    Admin Templates > Windows Components > Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    -

    Admin Templates > Windows Components > Search

    +

    Admin Templates > Windows Components > Search

    Allow Cortana

    Disabled

    SetEduPolicies = True

    -

    Windows Settings > Security Settings > Local Policies > Security Options

    +

    Windows Settings > Security Settings > Local Policies > Security Options

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always
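Review bot: In the context row "Interactive logon: Do not display last user name", the Value cell lists "- Enabled" and "- Disabled when account model is only guest" while "When set" reads "Always", so a reader cannot tell which state a given PC ends up in. This pass already edits the heading directly above that row; reword the cell so the condition is attached to the state it governs, for example "Enabled (Disabled when the account model is guest only)" if that is the intent.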

    From c11e3cd5d6dcf12b492f45ea2b2e9087d4b27ff2 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 11:40:12 -0700 Subject: [PATCH 019/169] tweak table --- .../windows/set-up-school-pcs-technical.md | 257 +++++++++++++----- 1 file changed, 192 insertions(+), 65 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 91f46eb988..3de8d5b795 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -105,131 +105,258 @@ The **Set up School PCs** app produces a specialized provisioning package that m > **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required - - - +

    Policy name

    Value

    When set

    + + + + + - + - + - + - + - + - + - + - + - + - + - + - - - + - + - + - + - + - - - + + + - + - + - - + + - + - + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + +

    Policy name

    Value

    When set

    Admin Templates > Control Panel > + +Personalization

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Prevent enabling lock screen slide show

    Enabled

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, + +Enterprise for EDU

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates > System > Power Management > + +Button Settings

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    + +SetPowerPolicies=True

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates > System > Power Management > + +Sleep Settings

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    + +SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    + +SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    + +

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    + +

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > + +System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Admin Templates > System > Logon

    Show first sign-in animation

    Disabled

    Always

    Show first sign-in animation

    Disabled

    Always + +

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    + +

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off picture password sign-in

    Enabled

    Always + +

    Turn off app notification on the lock screen

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    + +

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Block user from showing account details on sign-in

    Enabled

    Always

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates > System > User Profiles

    Admin Templates > System > User Profiles

    + +

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    Turn off the advertising ID

    Enabled

    + +SetEduPolicies = True

    Admin Templates > Windows Components

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    Do not show Windows Tips

    Enabled

    SetEduPolicies + += True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    + +SetEduPolicies = True

    Microsoft Passport for Work

    Disabled

    Always

    Microsoft Passport for Work

    Disabled

    Always

    + +

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates > Windows Components > Biometrics

    Admin Templates > Windows Components > + +Biometrics

    Allow the use of biometrics

    Disabled

    Always

    Allow the use of biometrics

    Disabled

    Always

    + +

    Allow users to log on using biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    + +Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates > Windows Components > Data Collection and Preview Builds

    Admin Templates > Windows Components > Data Collection + +and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    Toggle user control over Insider builds

    Disabled

    + +Always

    Disable pre-release features or settings

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    + +

    Always

    Do not show feedback notifications

    Enabled

    Always

    Do not show feedback notifications

    Enabled

    + +Always

    Admin Templates > Windows Components > File Explorer

    Admin Templates > Windows Components > File + +Explorer

    Show lock in the user tile menu

    Disabled

    Always

    Show lock in the user tile menu

    Disabled

    Always + +

    Admin Templates > Windows Components > Maintenance Scheduler

    Admin Templates > Windows Components > Maintenance + +Scheduler

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    + +

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    + +

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    + +Always

    Admin Templates > Windows Components > Microsoft Edge

    Admin Templates > Windows Components > Microsoft + +Edge

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Open a new tab with an empty tab

    Disabled

    + +SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    + +

    SetEduPolicies = True

    Admin Templates > Windows Components > Search

    Admin Templates > Windows Components > Search + +

    Allow Cortana

    Disabled

    SetEduPolicies = True

    Allow Cortana

    Disabled

    SetEduPolicies = True + +

    Windows Settings > Security Settings > Local Policies > Security Options

    Windows Settings > Security Settings > Local + +Policies > Security Options

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled + +when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    + +

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto + +deny

    Always
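Review bot: Many of the added cells are broken across lines in the middle of a phrase, for example "SetEduPolicies" / "= True", "Auto" / "deny", and "Local" / "Policies > Security Options", and some added lines carry no text at all. That appears to account for much of the growth to 192 insertions in a table whose policy names and values are unchanged. Keep each cell's text on one line so that later changes to a policy value show up as a one-line diff.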

    From d4437d493a2d14dd4fc5444f8bed33ea9d819f0b Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 12:04:17 -0700 Subject: [PATCH 020/169] more tweaks --- .../windows/set-up-school-pcs-technical.md | 256 +++++------------- 1 file changed, 69 insertions(+), 187 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 3de8d5b795..838d77ff92 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -106,256 +106,138 @@ The **Set up School PCs** app produces a specialized provisioning package that m - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + - + - + - - + + + + + + + + + + + - + - - - + - + - + - + - + - + - + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +

    Policy name

    Value

    When set

    Admin Templates > Control Panel > - -Personalization

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Prevent enabling lock screen slide show

    Enabled

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, - -Enterprise for EDU

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates > System > Power Management > - -Button Settings

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    - -SetPowerPolicies=True

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates > System > Power Management > - -Sleep Settings

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    - -SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    - -SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    - -

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    - -

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > - -System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Admin Templates > System > Logon

    Show first sign-in animation

    Disabled

    Always - -

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    - -

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn off picture password sign-in

    Enabled

    Always - -

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off app notification on the lock screen

    Enabled

    - -

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Turn off app notification on the lock screen

    Enabled

    Always

    Block user from showing account details on sign-in

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Admin Templates > System > User Profiles

    - -

    Block user from showing account details on sign-in

    Enabled

    Always

    Turn off the advertising ID

    Enabled

    - -SetEduPolicies = True

    Admin Templates > System > User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    Admin Templates > Windows Components

    Do not show Windows Tips

    Enabled

    SetEduPolicies - -= True

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    - -SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    Microsoft Passport for Work

    Disabled

    Always

    - -

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates > Windows Components > - -Biometrics

    Admin Templates > Windows Components > Biometrics

    Allow the use of biometrics

    Disabled

    Always

    - -

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    - -Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates > Windows Components > Data Collection - -and Preview Builds

    Admin Templates > Windows Components > Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    - -Always

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    - -

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    - -Always

    Do not show feedback notifications

    Enabled

    Always

    Admin Templates > Windows Components > File - -Explorer

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Always - -

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates > Windows Components > Maintenance - -Scheduler

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    - -

    Always

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    - -

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    - -Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates > Windows Components > Microsoft - -Edge

    Admin Templates > Windows Components > Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    - -SetEduPolicies = True

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    - -

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    Admin Templates > Windows Components > Search - -

    Admin Templates > Windows Components > Search

    Allow Cortana

    Disabled

    SetEduPolicies = True - -

    Allow Cortana

    Disabled

    SetEduPolicies = True

    Windows Settings > Security Settings > Local - -Policies > Security Options

    Windows Settings > Security Settings > Local Policies > Security Options

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled - -when account model is only guest

    Always

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    - -

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto - -deny

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always
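Review bot: Squash this with the previous commit ("tweak table"). Most of the 187 deletions here rejoin cell text that commit split across lines, for example "Auto" / "deny" back to "Auto deny" and "SetEduPolicies" / "= True" back to "SetEduPolicies = True", so the two commits largely cancel out. The subject "more tweaks" should also be replaced with one that names the table change being made.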

    From a1d64e6bf185a1649c890c0227dae3a9593fb9b3 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 12:07:03 -0700 Subject: [PATCH 021/169] removed and valign --- .../windows/set-up-school-pcs-technical.md | 132 +++++++++--------- 1 file changed, 66 insertions(+), 66 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 838d77ff92..1715815b53 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -106,138 +106,138 @@ The **Set up School PCs** app produces a specialized provisioning package that m - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +

    Policy name

    Value

    When set

    Policy name

    Value

    When set

    Admin Templates > Control Panel > Personalization

    **Admin Templates** > **Control Panel** > **Personalization**

    Prevent enabling lock screen slide show

    Enabled

    Always

    Prevent enabling lock screen slide show

    Enabled

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates > System > Power Management > Button Settings

    **Admin Templates** > **System** > **Power Management** > **Button Settings**

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Sleep Settings

    **Admin Templates** > **System** > **Power Management** > **Sleep Settings**

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    **Admin Templates** > **System** > **Power Management** > **Video and Display Settings**

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Admin Templates > System > Logon

    **Admin Templates** > **System** > **Logon**

    Show first sign-in animation

    Disabled

    Always

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Block user from showing account details on sign-in

    Enabled

    Always

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates > System > User Profiles

    **Admin Templates** > **System** > **User Profiles**

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    Admin Templates > Windows Components

    **Admin Templates** > **Windows Components **

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    Microsoft Passport for Work

    Disabled

    Always

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates > Windows Components > Biometrics

    **Admin Templates** > **Windows Components** > **Biometrics**

    Allow the use of biometrics

    Disabled

    Always

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates > Windows Components > Data Collection and Preview Builds

    **Admin Templates** > **Windows Components** > **Data Collection and Preview Builds**

    Toggle user control over Insider builds

    Disabled

    Always

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Admin Templates > Windows Components > File Explorer

    **Admin Templates** > **Windows Components** > **File Explorer**

    Show lock in the user tile menu

    Disabled

    Always

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates > Windows Components > Maintenance Scheduler

    **Admin Templates** > **Windows Components** > **Maintenance Scheduler**

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates > Windows Components > Microsoft Edge

    **Admin Templates** > **Windows Components** > **Microsoft Edge**

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    Admin Templates > Windows Components > Search

    **Admin Templates** > **Windows Components** > **Search**

    Allow Cortana

    Disabled

    SetEduPolicies = True

    Allow Cortana

    Disabled

    SetEduPolicies = True

    Windows Settings > Security Settings > Local Policies > Security Options

    **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always
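
Review bot: In the re-added Windows Components heading row, `**Admin Templates** > **Windows Components **` has a space before the closing `**`, so the second bold run will not render as emphasis in Markdown. Write `**Windows Components**`, matching the other heading rows this patch converts.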

    From 5412b3ec7772e7c5cfab0828ad630965518d6771 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 12:17:52 -0700 Subject: [PATCH 022/169] starting elimination --- .../windows/set-up-school-pcs-technical.md | 125 +----------------- 1 file changed, 1 insertion(+), 124 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 1715815b53..f96ec39c49 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -113,130 +113,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Prevent enabling lock screen slide show

    Enabled

    Always

    -

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    - -

    Prevent changing lock screen and logon image

    Enabled

    Always

    - -

    **Admin Templates** > **System** > **Power Management** > **Button Settings**

    - -

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    - -

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    - -

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    - -

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    - -

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    - -

    **Admin Templates** > **System** > **Power Management** > **Sleep Settings**

    - -

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    - -

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    - -

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    - -

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    - -

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    - -

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    - -

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    - -

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    - -

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    - -

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    - -

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    - -

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    - -

    **Admin Templates** > **System** > **Power Management** > **Video and Display Settings**

    - -

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    - -

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    - -

    **Admin Templates** > **System** > **Logon**

    - -

    Show first sign-in animation

    Disabled

    Always

    - -

    Hide entry points for Fast User Switching

    Enabled

    Always

    - -

    Turn on convenience PIN sign-in

    Disabled

    Always

    - -

    Turn off picture password sign-in

    Enabled

    Always

    - -

    Turn off app notification on the lock screen

    Enabled

    Always

    - -

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    - -

    Block user from showing account details on sign-in

    Enabled

    Always

    - -

    **Admin Templates** > **System** > **User Profiles**

    - -

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    - -

    **Admin Templates** > **Windows Components **

    - -

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    - -

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    - -

    Microsoft Passport for Work

    Disabled

    Always

    - -

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    - -

    **Admin Templates** > **Windows Components** > **Biometrics**

    - -

    Allow the use of biometrics

    Disabled

    Always

    - -

    Allow users to log on using biometrics

    Disabled

    Always

    - -

    Allow domain users to log on using biometrics

    Disabled

    Always

    - -

    **Admin Templates** > **Windows Components** > **Data Collection and Preview Builds**

    - -

    Toggle user control over Insider builds

    Disabled

    Always

    - -

    Disable pre-release features or settings

    Disabled

    Always

    - -

    Do not show feedback notifications

    Enabled

    Always

    - -

    **Admin Templates** > **Windows Components** > **File Explorer**

    - -

    Show lock in the user tile menu

    Disabled

    Always

    - -

    **Admin Templates** > **Windows Components** > **Maintenance Scheduler**

    - -

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    - -

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    - -

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    - -

    **Admin Templates** > **Windows Components** > **Microsoft Edge**

    - -

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    - -

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    - -

    **Admin Templates** > **Windows Components** > **Search**

    - -

    Allow Cortana

    Disabled

    SetEduPolicies = True

    - -

    **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**

    - -

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    - -

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    - -

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    - +

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always
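
Review bot: The subject "starting elimination" gives no reason for deleting every row between "Prevent enabling lock screen slide show" and the User Account Control row (1 insertion, 124 deletions), which leaves the table listing only two policies. If this is bisecting a rendering problem in the table, do it on a preview branch and squash before merge, or say so in the message, so the removal is not read as a change to the documented policy set.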

    From 796139ed053ffad77c88220d61a27ca80aea9677 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 12:37:12 -0700 Subject: [PATCH 023/169] removed colspan --- education/windows/set-up-school-pcs-technical.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index f96ec39c49..01b2fe7aef 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -109,8 +109,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Policy name

    Value

    When set

    -

    **Admin Templates** > **Control Panel** > **Personalization**

    - +

    Prevent enabling lock screen slide show

    Enabled

    Always
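
Review bot: Dropping the `**Admin Templates** > **Control Panel** > **Personalization**` row leaves "Prevent enabling lock screen slide show" with no Group Policy path, so a reader can no longer tell where the setting lives. If the spanning cell is what breaks rendering, keep the path as plain text in an ordinary row or on a line above the table instead of deleting it.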

    From eea43dc775f410da711cc442924abc1c4c127858 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 12:48:44 -0700 Subject: [PATCH 024/169] removed table --- education/windows/set-up-school-pcs-technical.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 01b2fe7aef..1f25de8042 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -105,17 +105,6 @@ The **Set up School PCs** app produces a specialized provisioning package that m > **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required - - - - - - - - - - -

    Policy name

    Value

    When set

    Prevent enabling lock screen slide show

    Enabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always
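
Review bot: With these 11 lines deleted, the Important note in the context line still warns against setting additional policies, but the table that followed it, including the User Account Control "Auto deny" row, is gone, so nothing after the note says which policies are already set. Restore the list before this reaches readers. The context sentence also ends without a period after "manual maintenance required".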

    From cdcd2d6c1a7fccfa1513a85948e10a607ac9cfe0 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 13:22:13 -0700 Subject: [PATCH 025/169] testing table with
    --- .../set-up-students-pcs-to-join-domain.md | 130 ++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index c16073de0f..a07a8cae33 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -17,3 +17,133 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Policy name

    Value

    When set

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Admin Templates > System > Logon

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates > System > User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    Admin Templates > Windows Components

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates > Windows Components > Biometrics

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates > Windows Components > Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates > Windows Components > Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    Admin Templates > Windows Components > Search

    Allow Cortana

    Disabled

    SetEduPolicies = True

    Windows Settings > Security Settings > Local Policies > Security Options

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always
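
Review bot: The subject says this is a table test and the hunk ends with a stray "text" line after the table, yet the 130 added lines land in set-up-students-pcs-to-join-domain.md, a different topic from set-up-school-pcs-technical.md where the preceding patches removed the same table. Test the markup in a scratch file or preview branch and drop the "text" line, so the domain-join topic never carries the shared PC policy table.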


    + +text + From e158bd9a7d2d13c6ed787dc7f20bc56a4e7558e9 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 13 May 2016 13:36:29 -0700 Subject: [PATCH 026/169]
    worked, moving to right topic --- .../windows/set-up-school-pcs-technical.md | 131 +++++++++++++++++- .../set-up-students-pcs-to-join-domain.md | 127 +---------------- 2 files changed, 131 insertions(+), 127 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 1f25de8042..5bf30b870c 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -104,7 +104,136 @@ The **Set up School PCs** app produces a specialized provisioning package that m > **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Policy name

    Value

    When set

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Admin Templates > System > Logon

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates > System > User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    Admin Templates > Windows Components

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates > Windows Components > Biometrics

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates > Windows Components > Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates > Windows Components > Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    Admin Templates > Windows Components > Search

    Allow Cortana

    Disabled

    SetEduPolicies = True

    Windows Settings > Security Settings > Local Policies > Security Options

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always
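
Review bot: In the "When set" column of the table added to set-up-school-pcs-technical.md, the conditions are spelled two ways: `SetPowerPolicies=True` without spaces, but `SignInOnResume = True` and `SetEduPolicies = True` with them. Pick one form so the values can be searched and copied reliably. The row "Turn off the display (on battery" is also still missing its closing parenthesis now that the table is in its final topic.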


    + +## Related topics + +[Use Set up School PCs app](use-set-up-school-pcs-app.md) diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index a07a8cae33..3de5764c97 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -18,132 +18,7 @@ author: jdeckerMS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Policy name

    Value

    When set

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Do not display the lock screen

    Enabled

    Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume = True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume = True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Admin Templates > System > Logon

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume = True

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates > System > User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies = True

    Admin Templates > Windows Components

    Do not show Windows Tips

    Enabled

    SetEduPolicies = True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies = True

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates > Windows Components > Biometrics

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates > Windows Components > Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates > Windows Components > Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies = True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies = True

    Admin Templates > Windows Components > Search

    Allow Cortana

    Disabled

    SetEduPolicies = True

    Windows Settings > Security Settings > Local Policies > Security Options

    Interactive logon: Do not display last user name

    - Enabled

    - Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always


    + text From cf569a2c1a1e85522c1e5ad3fa9880745f426dbc Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 16 May 2016 07:07:12 -0700 Subject: [PATCH 027/169] uninstall list update --- .../windows/set-up-school-pcs-technical.md | 34 ++++++++----------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 5bf30b870c..47d7e4e1e9 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md 
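Review bot: the only line this hunk adds to set-up-students-pcs-to-join-domain.md is the bare placeholder "text", standing in for the whole policy table it removes. If the topic is reachable from the TOC in this state, readers land on a page with no procedure; either hold the table removal until the replacement content is ready or replace the placeholder with a one-line statement that the topic is under construction.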
@@ -81,26 +81,20 @@ However, the PC is also configured to not interrupt the user during normal dayti The **Set up School PCs** app produces a specialized provisioning package that makes use of the SharedPC configuration service provider (CSP). -* Uninstalled apps - * 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) - * ? (Microsoft.Appconnector_8wekyb3d8bbwe) - * Money (Microsoft.BingFinance_8wekyb3d8bbwe) - * News (Microsoft.BingNews_8wekyb3d8bbwe) - * Sports (Microsoft.BingSports_8wekyb3d8bbwe) - * Weather (Microsoft.BingWeather_8wekyb3d8bbwe) - * Phone dialer (Microsoft.CommsPhone_8wekyb3d8bbwe) - * ? (Microsoft.ConnectivityStore_8wekyb3d8bbwe) - * Get Started (Microsoft.Getstarted_8wekyb3d8bbwe) - * Microsoft Office Hub (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) - * Solitaire (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) - * Skype (Microsoft.SkypeApp_kzf8qxf38zg5c) - * ? (Microsoft.WindowsPhone_8wekyb3d8bbwe) - * Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) - * Xbox (Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) - * Groove (Microsoft.ZuneMusic_8wekyb3d8bbwe) - * Movies and TV (Microsoft.ZuneVideo_8wekyb3d8bbwe) - * Outlook Mail and Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) -* Local Group Policies +### Uninstalled apps +- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) +- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) +- Get Started (Microsoft.Getstarted_8wekyb3d8bbwe) +- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) +- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) +- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) +- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) +- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) +- Groove Music (Microsoft.ZuneMusic_8wekyb3d8bbwe) +- Movies & TV (Microsoft.ZuneVideo_8wekyb3d8bbwe) +- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) + +### Local Group Policies > **Important**: It is not recommended to set additional policies on 
PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required From d7569ea192b225f8f27c7937935d30992f1a1819 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 16 May 2016 13:32:08 -0700 Subject: [PATCH 028/169] added proc --- .../set-up-students-pcs-to-join-domain.md | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 3de5764c97..46f364291f 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md 
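Review bot: the rewritten "### Uninstalled apps" list drops entries the old list documented as removed (Money, News, Sports, Phone dialer, Skype, Microsoft.XboxIdentityProvider and the three packages labelled "?") and adds Microsoft.OneConnect and Microsoft.WindowsFeedbackHub, but neither the topic nor the commit message "uninstall list update" says whether the dropped apps now stay installed on provisioned PCs. Administrators read this list as the inventory of what a student PC will not have, so state which Windows 10 build the list applies to and say what happens to the apps that were taken off it.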
@@ -16,9 +16,37 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +Watch this video to see a demonstration of using Windows ICD. + +1.Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). +2.Click **Simple provisioning**. +3.Name your project and click **Finish**. +4.In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. +5.(Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. + - Home to Education + - Pro to Education + - Pro to Enterprise + - Enterprise to Education + - Mobile to Mobile Enterprise + +6.Click **Set up network**. +7.Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. +8.Click **Enroll into Active Directory**. +9.Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. + +> **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. 
As a best practice, we recommend: + - Use a least-privileged domain account to join the device to the domain. + - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. + - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. + +10.Click **Finish**. +11.Review your settings in the summary. You can return to previous pages to change your selections. Then, under Protect your package, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. +12.Click **Create**. + -text From 53fe36898c996e452cab6caee3924a19f51c0bc6 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 16 May 2016 13:35:12 -0700 Subject: [PATCH 029/169] fixed list format --- .../set-up-students-pcs-to-join-domain.md | 41 ++++++++++++------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 46f364291f..029afa4b45 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md 
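Review bot: step 9 has the administrator type domain-join credentials and an optional local administrator password into the package, yet step 11 presents encryption as a neutral **Yes** or **No** toggle; the step should recommend **Yes** whenever step 7 or step 9 secrets are included and say how the package password is meant to be handled. Also in this hunk: step 1 gives the ICD path as "%windir%\Program Files (x86)\Windows Kits\10\...", but %windir% expands to the Windows directory, so the path as written does not resolve; the steps are written "1.Open", "2.Click" with no space after the period, which Markdown does not render as an ordered list; and "Watch this video to see a demonstration of using Windows ICD." carries no link.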
@@ -22,31 +22,42 @@ Watch this video to see a demonstration of using Windows ICD. -1.Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). -2.Click **Simple provisioning**. -3.Name your project and click **Finish**. -4.In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. -5.(Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Simple provisioning**. + +3. Name your project and click **Finish**. + +4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. + +5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. - Home to Education - Pro to Education - Pro to Enterprise - Enterprise to Education - Mobile to Mobile Enterprise -6.Click **Set up network**. -7.Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. -8.Click **Enroll into Active Directory**. -9.Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. 
-> **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: +6. Click **Set up network**. + +7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. + +8. Click **Enroll into Active Directory**. + +9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. + + > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: - Use a least-privileged domain account to join the device to the domain. - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. -10.Click **Finish**. -11.Review your settings in the summary. You can return to previous pages to change your selections. Then, under Protect your package, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. -12.Click **Create**. - - + +10. Click **Finish**. + +11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under Protect your package, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. 
This password must be entered to apply the encrypted provisioning package. + +12. Click **Create**. + +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. From 4398c5d23192606689c0889cbd166ae3d8b0fbd8 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 16 May 2016 14:04:12 -0700 Subject: [PATCH 030/169] sync to switch forks --- education/windows/set-up-students-pcs-to-join-domain.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 029afa4b45..245a3f6520 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md 
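Review bot: the new "**Important**" note about sensitive information sits after step 12 "Click **Create**", by which point the Wi-Fi password from step 7 and the account credentials from step 9 are already in the unencrypted project files. Move the note ahead of step 1, or at least ahead of step 7, and name what the sensitive information is (wireless password, domain account, local administrator password) so the reader knows why the project files need to be stored securely and deleted.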
@@ -47,9 +47,9 @@ Watch this video to see a demonstration of using Windows ICD. 9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: - - Use a least-privileged domain account to join the device to the domain. - - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. + - Use a least-privileged domain account to join the device to the domain. + - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. + - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. 10. Click **Finish**. From 4dc10a879f5a313133e0971d6e6ea709a4a18e03 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 17 May 2016 07:03:50 -0700 Subject: [PATCH 031/169] new topic staged --- education/windows/TOC.md | 1 + education/windows/index.md | 1 + education/windows/take-tests-in-windows=10.md | 36 +++++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 education/windows/take-tests-in-windows=10.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index f7d2916ea9..1681d0003a 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md 
@@ -2,5 +2,6 @@ ## [Use the Set up School PCs app](use-set-up-school-pcs-app.md) ## [Set up School PCs app technical reference](set-up-school-pcs-technical.md) ## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) +## [Take tests in Windows 10](take-tests-in-windows-10.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file diff --git a/education/windows/index.md b/education/windows/index.md index a087ed8190..47b8a29118 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -19,6 +19,7 @@ author: jdeckerMS |[Use Set up School PCs app](use-set-up-school-pcs-app.md) | Learn how to use the Set up School PCs app to quickly configure new Windows 10 PCs for students. | | [Set up School PCs app technical reference](set-up-school-pcs-technical.md) | This topic provides prerequisites and provisioning details for using the **Set up School PCs** app. | | [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) | Learn how to create provisioning packages to easily configure student's PCs to join your Active Directory domain. | +| [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the Take a Test app in Windows 10 | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | 
diff --git a/education/windows/take-tests-in-windows=10.md b/education/windows/take-tests-in-windows=10.md new file mode 100644 index 0000000000..b2ee59bd77 --- /dev/null +++ b/education/windows/take-tests-in-windows=10.md @@ -0,0 +1,36 @@ +--- +title: Take tests in Windows 10 +description: Learn how to set up and use the Take a Test app. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Take tests in Windows 10 +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: + +- A Microsoft Edge browser window opens, showing just the test and nothing else. +- Students aren’t able to go to other websites. +- Students can’t open or access other apps. +- Students can't share, print, or record their screens. +- Students can’t copy or paste. +- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. +- Cortana is turned off. + +> **Tip!** +> To exit **Take a Test**, press Ctrl+Alt+Delete. + + + + + + From 463a9a66945c9063c00e685fb1dc0c5487743546 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 17 May 2016 07:17:50 -0700 Subject: [PATCH 032/169] fixed filename --- .../{take-tests-in-windows=10.md => take-tests-in-windows-10.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename education/windows/{take-tests-in-windows=10.md => take-tests-in-windows-10.md} (100%) 
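Review bot: the new file is created as "take-tests-in-windows=10.md" (with "="), while the entries added to TOC.md and index.md in this same patch link to "take-tests-in-windows-10.md", so both links are broken as committed. In the front matter, keywords ["shared cart", "shared PC", "school"] look carried over from the shared PC topic and do not describe Take a Test. The body places the app in "Windows 10, Version 1607" while "Applies to" lists only Windows 10 Insider Preview; the two should agree. Because the topic presents the app as the secure test environment, the tip "To exit **Take a Test**, press Ctrl+Alt+Delete" should also say where the student lands after exiting, so a school can judge what a student can reach mid-test.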
diff --git a/education/windows/take-tests-in-windows=10.md b/education/windows/take-tests-in-windows-10.md similarity index 100% rename from education/windows/take-tests-in-windows=10.md rename to education/windows/take-tests-in-windows-10.md From ded583a15c43f56885c40721d8f63ad800f849f1 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 17 May 2016 08:25:42 -0700 Subject: [PATCH 033/169] restrctured take-a-test --- education/windows/TOC.md | 3 + education/windows/images/take-a-test-flow.png | Bin 0 -> 19438 bytes .../windows/take-a-test-app-technical.md | 88 ++++++++++++++++++ education/windows/take-a-test-multiple-pcs.md | 88 ++++++++++++++++++ education/windows/take-a-test-single-pc.md | 76 +++++++++++++++ education/windows/take-tests-in-windows-10.md | 41 +++++++- 6 files changed, 295 insertions(+), 1 deletion(-) create mode 100644 education/windows/images/take-a-test-flow.png create mode 100644 education/windows/take-a-test-app-technical.md create mode 100644 education/windows/take-a-test-multiple-pcs.md create mode 100644 education/windows/take-a-test-single-pc.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 1681d0003a..05d7f25c10 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -3,5 +3,8 @@ ## [Set up School PCs app technical reference](set-up-school-pcs-technical.md) ## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) ## [Take tests in Windows 10](take-tests-in-windows-10.md) +### [Set up Take a Test on a single PC](take-a-test-single-pc.md) +### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) +### [Take a Test app technical reference](take-a-test-app-technical.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file 
diff --git a/education/windows/images/take-a-test-flow.png b/education/windows/images/take-a-test-flow.png new file mode 100644 index 0000000000000000000000000000000000000000..6ba26e08d5dc12756b97c29158f814242f692174 GIT binary patch literal 19438
ze`6kk0c9xwUzsh{4rzC1P$>lg$>_Boj@)QK!!gGddQ!MS-++q#qf#CE`GU$N?a!jy}gN{Nf&+FHPXVJB00T{?BT^Aef$`mRKXdeBtUHc~jlptIlL{LQoy>B$- zIsUA2{CV8u;%l>(9Iu|#Aac;N>iuqchjuPHMhmpJkK|2N_D`kr0$AyuJPcCV5YWC0|Q zvX3``LTx@DYsTKgi@*Z-FxCor2l)AgtzY%rnQ16zy=?(JCS&@2AdpONUl}Q+=xn*p zBO)UcbTr^mrn61-AZ7p4;{_6xpZlW)5ZSvzbU1ZlP7sUp8PBU zt6D+s)R-|&?PMq{)d6DF?Tv-L9zfo}OpmH7%ou3MfY`Wz*RF;xOqDpZcjBq5dipO< zT@C7Lo&<#xNCrj{8ewGYtjN((%8HTB-5Kv~__vS8@{mN)ZWyK7#+I9dfeau`vGn?4 z*^Gh}I19hQd7~sSWK9G3Z3v|12dzmz-pmH5s@Wa?nJD)bKLf7=oqGGq-*@Ha&IOIu zbzV02E$Cjt$W=CXS9lEEx1GFM8Ld*1V4hmXGO_w!KX4)Wx#M`KXRhUjs?Bg5wyF%X z73n=UMYrdx_tv;<_W)r9`WIf`giP?SXapFgvNRGceCxQ3O$o6V%^uP54F>3dXh zpVY8oL^(;AL6Yatz0{Un@&2I71uZZ7wYRXS{@r7}8>BmVfe5%wpzIBhcNdxymSQ8P^) zgEu+L)!978UgiL0`5=FUm^!FsU_KKh-cqcor@WVo**ImEx7SB~=M*?=c4*;I_M*0;Y5}}Fyl&v@s z?Sx{K{2{zgFgISe5xE+DJ245jGF`6-Gse_?U0hT_hqux#hH*r(rBju{egrM9j7r0> z(Y5ys3fjd$vdh@9bEEK^FuYM+8^z)v1EFykjYSVqLm&741 z`HHiK7`l_;?IT-Wve;FX1F3o2aNekL-HUFZWKz4E9RS*>We3hkC!}p=2;qkX;6rCl za7yK)zhcI8(3I%M_m99$5o?C>!mfv=?47`43GNbd_ypYSWi(UHu9d~i!g~GHRBdQt z6xy+<^gH*Jv4*LYR|uBPr_|<>eK#L4#vY^+XLcy~kS?xFJ1QgB@pX>h!E-_+4fg<_ z!Sxd5FR0?H2{c1&H)veL`U84X*emA$uU*-z!IiXT;kG=D-bl_=-JIF7R?E#9ZpF55 zdi^@@yUo9%=<=mEu&IGNBTkvwpn&?IH*OnH3w$I_xi=NrGV~ykVaNf17UGHYBSe0Y>@8+kt z>C^q2r-uGp|K^^3YK=Fr5CQed-`f-@aBO@Z5_^Bqnn@>5Pur1t<@^nu%b@HAs=!ie zcKPy#pP4mv^7g&44YmbSePJ%LV&|G3&>HD#b)EHhZf#m?V6~%BanX)BduLx+E3msKn%C*#f#6cj z6{{UeG&in$a!GRYu3c}ozfmhVb?8Pf@A{n|jxhJ0IP~Sc;=j~az!N9JRMyKZIrV9k z;nnv)LiFbEdb{z>)h7u@Mb>Vgn%Yx;bb9V&V4!CWqT>kBAYJcsvo4$O- zovu?WRszES*mGhqaO|D%F5z|X;gp#&^P8mqpNZ$)C?#ZSP?o&o_4^vFTL)goX}a=u z>CV2tbn5n;%C23XK1~aMzx#A{Y>ghPN?pOir&oTjYoC9X|4PWTg`oe)zPD!vFXTh_zTbAJKjRcHlD70}YN$(F|VZGqdl}74V@v tH#2~}5YRDIpyg|XPOh5aG3h_Ii-K`H*N(Nuz%#lSJYD@<);T3K0RX2=0@VNj literal 0 HcmV?d00001 diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md new file mode 100644 index 0000000000..765de7a8b6 --- /dev/null +++ b/education/windows/take-a-test-app-technical.md 
@@ -0,0 +1,88 @@ +--- +title: Take a Test app technical reference +description: The policies and settings applied by the Take a Test app. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Take a Test app technical reference +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: + +- A Microsoft Edge browser window opens, showing just the test and nothing else. +- Students aren’t able to go to other websites. +- Students can’t open or access other apps. +- Students can't share, print, or record their screens. +- Students can’t copy or paste. +- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. +- Cortana is turned off. + +> **Tip!** +> To exit **Take a Test**, press Ctrl+Alt+Delete. + +**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](#add-the-take-a-test-app-to-windows-10) + +## How you use Take a Test + +![Use test account or test url in Take a Test](images/take-a-test-flow.png) + +- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user logs into the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. 
A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. + +## Set up a dedicated test account + +- To configure a dedicated test account on a single PC, [use Settings](#set-up-test-account-on-a-single-pc). +- To configure a dedicated test account on multiple PCs, you can use: + - [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-test-account-in-mdm-or-configuration-manager) + - [A provisioning package](#set-up-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD) + - [Group Policy](#set-up-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script + + +### Set up a test account on a single PC + +1. Sign into the device with an administrator account. +2. Go to **Settings** > **Accounts** > **Work or school access** (final name needs to be updated, still TBD) > **Set up an account for taking tests**. +3. Select an account to use as the dedicated testing account. + >**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**. +4. Specify an assessment URL. For + +5. Click **Save**. +6. To take the test, log into the selected account. 
+ + +### Set up test account in MDM or Configuration Manager + +### Set up test account in a provisioning package + +### Set up test account in Group Policy + +#### Create a Powershell script + +#### Create a scheduled task in Group Policy + +## Provide link to test + +## Add the Take a Test app to Windows 10 + +### Add Take a Test on a single PC + +### Deploy Take a Test to multiple PCs + +## Assessment URLs + +This assessment URL utses our lockdown API: + +- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). + + + + diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md new file mode 100644 index 0000000000..ddaedb6e10 --- /dev/null +++ b/education/windows/take-a-test-multiple-pcs.md 
@@ -0,0 +1,88 @@ +--- +title: Set up Take a Test on multiple PCs +description: Learn how to set up and use the Take a Test app on multiple PCs. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Set up Take a Test on multiple PCs +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: + +- A Microsoft Edge browser window opens, showing just the test and nothing else. +- Students aren’t able to go to other websites. +- Students can’t open or access other apps. +- Students can't share, print, or record their screens. +- Students can’t copy or paste. +- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. +- Cortana is turned off. + +> **Tip!** +> To exit **Take a Test**, press Ctrl+Alt+Delete. + +**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](#add-the-take-a-test-app-to-windows-10) + +## How you use Take a Test + +![Use test account or test url in Take a Test](images/take-a-test-flow.png) + +- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user logs into the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. 
A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. + +## Set up a dedicated test account + +- To configure a dedicated test account on a single PC, [use Settings](#set-up-test-account-on-a-single-pc). +- To configure a dedicated test account on multiple PCs, you can use: + - [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-test-account-in-mdm-or-configuration-manager) + - [A provisioning package](#set-up-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD) + - [Group Policy](#set-up-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script + + +### Set up a test account on a single PC + +1. Sign into the device with an administrator account. +2. Go to **Settings** > **Accounts** > **Work or school access** (final name needs to be updated, still TBD) > **Set up an account for taking tests**. +3. Select an account to use as the dedicated testing account. + >**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**. +4. Specify an assessment URL. For + +5. Click **Save**. +6. To take the test, log into the selected account. 
+ + +### Set up test account in MDM or Configuration Manager + +### Set up test account in a provisioning package + +### Set up test account in Group Policy + +#### Create a Powershell script + +#### Create a scheduled task in Group Policy + +## Provide link to test + +## Add the Take a Test app to Windows 10 + +### Add Take a Test on a single PC + +### Deploy Take a Test to multiple PCs + +## Assessment URLs + +This assessment URL utses our lockdown API: + +- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). + + + + diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md new file mode 100644 index 0000000000..13145d80f1 --- /dev/null +++ b/education/windows/take-a-test-single-pc.md 
@@ -0,0 +1,76 @@ +--- +title: Set up Take a Test on a single PC +description: Learn how to set up and use the Take a Test app on a single PC. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Set up Take a Test on a single PC +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: + +- A Microsoft Edge browser window opens, showing just the test and nothing else. +- Students aren’t able to go to other websites. +- Students can’t open or access other apps. +- Students can't share, print, or record their screens. +- Students can’t copy or paste. +- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. +- Cortana is turned off. + +> **Tip!** +> To exit **Take a Test**, press Ctrl+Alt+Delete. + +**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](#add-the-take-a-test-app-to-windows-10) + +## How you use Take a Test + +![Use test account or test url in Take a Test](images/take-a-test-flow.png) + +- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user logs into the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. 
A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. + +## Set up a dedicated test account + + + + + + +1. Sign into the device with an administrator account. +2. Go to **Settings** > **Accounts** > **Work or school access** (final name needs to be updated, still TBD) > **Set up an account for taking tests**. +3. Select an account to use as the dedicated testing account. + >**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**. +4. Specify an assessment URL. For + +5. Click **Save**. +6. To take the test, log into the selected account. + + + + +## Provide link to test + +## Add the Take a Test app to Windows 10 + +### Add Take a Test on a single PC + + + +## Assessment URLs + +This assessment URL utses our lockdown API: + +- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). + + + + diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index b2ee59bd77..0262fe3f68 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md 
@@ -29,7 +29,46 @@ Many schools use online testing for formative and summative assessments. It's cr > **Tip!** > To exit **Take a Test**, press Ctrl+Alt+Delete. - +**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](#add-the-take-a-test-app-to-windows-10) + +## How you use Take a Test + +![Use test account or test url in Take a Test](images/take-a-test-flow.png) + +- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user logs into the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. 
+ +## Set up a dedicated test account + +To configure a dedicated test account on multiple PCs, you can use: +- [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-test-account-in-mdm-or-configuration-manager) +- [A provisioning package](#set-up-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD) +- [Group Policy](#set-up-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script + + + + +### Set up test account in MDM or Configuration Manager + +### Set up test account in a provisioning package + +### Set up test account in Group Policy + +#### Create a Powershell script + +#### Create a scheduled task in Group Policy + +## Provide link to test + +## Add the Take a Test app to Windows 10 + + + +## Assessment URLs + +This assessment URL utses our lockdown API: + +- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). From d58330d74fc09a8b03d4939848f94f6087dccfa1 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 17 May 2016 09:02:06 -0700 Subject: [PATCH 034/169] populate techref --- .../windows/take-a-test-app-technical.md | 78 +++++++++---------- 1 file changed, 36 insertions(+), 42 deletions(-) diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 765de7a8b6..3f410e8d68 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md 
@@ -16,72 +16,66 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: +Take a Test is an app that locks down the PC and displays an online assessment web page. -- A Microsoft Edge browser window opens, showing just the test and nothing else. -- Students aren’t able to go to other websites. -- Students can’t open or access other apps. -- Students can't share, print, or record their screens. -- Students can’t copy or paste. -- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. -- Cortana is turned off. +Whether you are a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments -> **Tip!** -> To exit **Take a Test**, press Ctrl+Alt+Delete. +Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](http://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. 
(Link to Javascript API when available) -**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](#add-the-take-a-test-app-to-windows-10) +## PC lockdown for assessment -## How you use Take a Test + When the assessment page initiates lock down, the user’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the user can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lockdown. The whole lockdown process is atomic, which means that if any part of the lockdown operation fails, the app will not be above lock and won't have any of the policies applied. -![Use test account or test url in Take a Test](images/take-a-test-flow.png) +When running above the lock screen: +- The app runs full screen with no chrome -- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user logs into the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. -- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. 
+- The hardware print screen button is disabled -## Set up a dedicated test account +- Content within the app will show up as black in screen capturing/sharing software Copy/paste is disabled -- To configure a dedicated test account on a single PC, [use Settings](#set-up-test-account-on-a-single-pc). -- To configure a dedicated test account on multiple PCs, you can use: - - [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-test-account-in-mdm-or-configuration-manager) - - [A provisioning package](#set-up-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD) - - [Group Policy](#set-up-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script - +- Web apps can query the processes currently running in the user’s device -### Set up a test account on a single PC +- Extended display shows up as black -1. Sign into the device with an administrator account. -2. Go to **Settings** > **Accounts** > **Work or school access** (final name needs to be updated, still TBD) > **Set up an account for taking tests**. -3. Select an account to use as the dedicated testing account. - >**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**. -4. Specify an assessment URL. For +- Auto-fill is disabled -5. Click **Save**. -6. To take the test, log into the selected account. +## Mobile device management (MDM) policies +When Take a Test is running, the following MDM policies are applied to lock down the PC. 
-### Set up test account in MDM or Configuration Manager +| Policy | Description | Value | +|---|---|---| +| AllowToasts | Disables toast notifications from being shown | 0 | +| AllAppStoreAutoUpdate | Disables automatic updates for Windows Store apps that are installed on the PC | 0 | +| AllowDeviceDiscovery | Disables UI for screen sharing | 0 | +| AllowInput Panel | Disables the onscreen keyboard which will disable auto-fill | 0 | +| AllowCortana | Disables Cortana functionality | 0 | +| AllAutoupdate | Disables Windows Update from starting OS updates | 5 | -### Set up test account in a provisioning package +## Allowed functionality -### Set up test account in Group Policy +When Take a Test is running, the following functionality is available to students: -#### Create a Powershell script +- Assistive technology that is configured to run above the lock screen should run as expected -#### Create a scheduled task in Group Policy +- Narrator is available through Windows key + Enter -## Provide link to test +- Magnifier is available through Windows key + "+" key -## Add the Take a Test app to Windows 10 +- Full screen mode is compatible -### Add Take a Test on a single PC +- The user can press Alt+Tab when locked down. This results in the user being able to switch between the following: -### Deploy Take a Test to multiple PCs + - Take a Test + - Assistive technology that may be running + - Lock Screen + > **Note** The app will exit if the user logs into an account from the lock screen. Progress made in the test may be lost or invalidated. -## Assessment URLs +- The user can exit the test by pressing one of the following key combinations: -This assessment URL utses our lockdown API: + - Ctrl+Alt+Del -- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). + - Alt+F4 From fd991165e2353ac9a24c15c1836792ec15ce9eb1 Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Tue, 17 May 2016 09:29:55 -0700 Subject: [PATCH 035/169] pop single PC topic --- education/windows/take-a-test-single-pc.md | 22 ++++++--- education/windows/take-tests-in-windows-10.md | 49 ++++++++----------- 2 files changed, 35 insertions(+), 36 deletions(-) diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 13145d80f1..e3398a8957 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -16,7 +16,7 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: +The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - A Microsoft Edge browser window opens, showing just the test and nothing else. - Students aren’t able to go to other websites. @@ -29,7 +29,7 @@ Many schools use online testing for formative and summative assessments. It's cr > **Tip!** > To exit **Take a Test**, press Ctrl+Alt+Delete. -**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](#add-the-take-a-test-app-to-windows-10) +**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](take-tests-in-windows-10.md#add-the-take-a-test-app-to-windows-10) ## How you use Take a Test 
@@ -59,17 +59,23 @@ Many schools use online testing for formative and summative assessments. It's cr ## Provide link to test -## Add the Take a Test app to Windows 10 +Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. -### Add Take a Test on a single PC +1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL. +> ms-edu-secureassessment:!enforceLockdown + +2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing. +3. To take the test, click on the link and provide user consent. +## Related topics +[Take tests in Windows 10](take-tests-in-windows-10.md) + +[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) + +[Take a Test app technical reference](take-a-test-app-technical.md) -## Assessment URLs -This assessment URL utses our lockdown API: - -- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 0262fe3f68..c5dd2475e3 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -26,8 +26,6 @@ Many schools use online testing for formative and summative assessments. It's cr - Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. - Cortana is turned off. -> **Tip!** -> To exit **Take a Test**, press Ctrl+Alt+Delete. **Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](#add-the-take-a-test-app-to-windows-10) 
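Review bot: In the new education/windows/take-a-test-app-technical.md, step 4 of "Set up a test account on a single PC" stops mid-sentence ("Specify an assessment URL. For") and step 2 still carries the authoring note "(final name needs to be updated, still TBD)". Finish or drop both before this is published. The body is also the same overview text that this commit adds to take-a-test-multiple-pcs.md and take-a-test-single-pc.md, so the page does not yet contain the policies and settings its description promises.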
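Review bot: In the new take-a-test-multiple-pcs.md, the link target #set-up-test-account-on-a-single-pc does not match the heading it points at, "### Set up a test account on a single PC", which would produce an anchor containing "a" (assuming anchors are generated from the heading text). Align the heading or the link. The headings from "Set up test account in MDM or Configuration Manager" through "Deploy Take a Test to multiple PCs" have no body, so the in-page links to them land on empty sections.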
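Review bot: In the new take-a-test-single-pc.md, the "Assessment URLs" section links the SBAC/AIR launch page as http://mobile.tds.airast.org/launchpad/ on a page about a secure testing browser. Check whether the vendor serves it over HTTPS and link that form if so. In the same section, "utses" should be "uses".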
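Review bot: In the MDM policy table added to take-a-test-app-technical.md, three names break the pattern of the other rows: "AllAppStoreAutoUpdate" and "AllAutoupdate" lack the "Allow" prefix that AllowToasts, AllowDeviceDiscovery and AllowCortana use, and "AllowInput Panel" contains a space. Admins will copy these into MDM tooling, so check each against the policy reference, and say what value 5 means for the update policy, since every other row uses 0. In the lockdown list, "Copy/paste is disabled" has been run onto the end of the screen-capture bullet, and "Web apps can query the processes currently running in the user’s device" needs a sentence on which pages get that access.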
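Review bot: In "Provide link to test" in take-a-test-single-pc.md, the example line reads "ms-edu-secureassessment:!enforceLockdown" with nothing between the prefix and the suffix, so it does not show where the test URL goes. If a placeholder in angle brackets was intended, it is probably being swallowed as markup and needs escaping or code formatting. Since the text says anything hosted on the web can be locked down this way, step 3 should also describe what the consent prompt shows the user.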
@@ -35,41 +33,36 @@ Many schools use online testing for formative and summative assessments. It's cr ![Use test account or test url in Take a Test](images/take-a-test-flow.png) -- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user logs into the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. -- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. +- **Use a test URL and a dedicated testing account** - A user logs into the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **Put a test URL with an included prefix on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. 
-## Set up a dedicated test account +[Learn how to set up Take a Test on a single PC](take-a-test-single-pc.md) -To configure a dedicated test account on multiple PCs, you can use: -- [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-test-account-in-mdm-or-configuration-manager) -- [A provisioning package](#set-up-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD) -- [Group Policy](#set-up-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script - - - - -### Set up test account in MDM or Configuration Manager - -### Set up test account in a provisioning package - -### Set up test account in Group Policy - -#### Create a Powershell script - -#### Create a scheduled task in Group Policy - -## Provide link to test +[Learn how to set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) ## Add the Take a Test app to Windows 10 +You can add the Take a Test app to Windows 10 Home, Pro, and Enterprise. +### Add Take a Test on a single PC -## Assessment URLs +Use **Settings** to get **Take a Test** from Windows Update. -This assessment URL utses our lockdown API: - -- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). +1. Open **Settings**. +2. Go to **System** > **Apps & features** > **Manage optional features** > **Add a feature**. +3. Select **Take a Test**. +### Deploy Take a Test to multiple PCs using DISM + +You can deploy the Take a Test package through Deployment Image Servicing and Management (DISM.exe). + +1. Get the Take a Test package from the [Microsoft update catalog](http://catalog.update.microsoft.com/). +2. Upload the package to a network share or to your Windows Server Update Services (WSUS) server. +3. Create and deploy a DISM script to add the package to offline or online images. 
For more information on how to add or enable features through DISM, see [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism-operating-system-package-servicing-command-line-options). + +## Related topics + +[Take a Test app technical reference](take-a-test-app-technical.md) From 3d925ce9dddbdf65d1af17f51de896bc0ef5cffa Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 17 May 2016 13:16:42 -0700 Subject: [PATCH 036/169] updated multiple --- education/windows/images/TakeATestURL.png | Bin 0 -> 10047 bytes education/windows/images/take-a-test-flow.png | Bin 19438 -> 48795 bytes education/windows/images/test-account-icd.PNG | Bin 0 -> 5875 bytes .../windows/take-a-test-app-technical.md | 8 +- education/windows/take-a-test-multiple-pcs.md | 177 +++++++++++++++--- education/windows/take-a-test-single-pc.md | 10 +- education/windows/take-tests-in-windows-10.md | 4 +- 7 files changed, 164 insertions(+), 35 deletions(-) create mode 100644 education/windows/images/TakeATestURL.png create mode 100644 education/windows/images/test-account-icd.PNG 
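Review bot: In PATCH 035/169, `take-a-test-single-pc.md`, hunk `@@ -59,17 +59,23 @@`, the example under step 1 reads `ms-edu-secureassessment:!enforceLockdown` with nothing between the prefix and the suffix. That contradicts the step text, which puts the prefix before the URL and `!enforceLockdown` after it. Put a visible placeholder for the test URL between the two parts, and format the example as inline code so markup processing cannot swallow it. The unindented `>` line also sits between steps 1 and 2, which ends the ordered list in Markdown; indent it under step 1 so the numbering continues. Step 3 should say what the user is consenting to when they follow the link.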
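Review bot: In PATCH 035/169, `take-tests-in-windows-10.md`, hunk `@@ -35,41 +33,36 @@`, step 1 of the new DISM section links to the update catalog over plain `http://`, and steps 2 and 3 then stage that package on a share or WSUS server and add it to images. Use an HTTPS link if the catalog serves one, and add a step to check the package's signature before it is staged. Step 3 says "Create and deploy a DISM script" without naming the package or the DISM option to use, so the reader has only the MSDN reference to go on; name the option here, or at least state which package file administrators should look for in the catalog.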
diff --git a/education/windows/images/TakeATestURL.png b/education/windows/images/TakeATestURL.png new file mode 100644 index 0000000000000000000000000000000000000000..b057763e8b7895c3795680f731db0d8af789ec54 GIT binary patch literal 10047
diff --git a/education/windows/images/take-a-test-flow.png b/education/windows/images/take-a-test-flow.png index 6ba26e08d5dc12756b97c29158f814242f692174..a5135c182226e939368a9fad1048c880d0065b7a 100644 GIT binary patch literal 48795
z7#l+_Kj-Omm#l(T4k!~tnXLhJt6yJ;kD|T=YF~>i$*}u3#U{sfEIC z{z&p#@eq!-sZvMMR@Z@bG&8sJ5e!|TyRslJx8l@eGtQamK>0YYB`cmV4ppw!Se(5rKQHHmzY6s&FPUgwxT)T9^sfk zTh%Yc+&HLB>?sPhQkSMl^58DJIX>xwOQ9LU>cL{2<*fPDdD2}~I$HN&g$5l;u?%)( z%hhdrB+IZHw2b-A$!)D0tz!wc3HQM-A)ifDlmsT?gAiC z#o|#xsQydCY0L+EDZ=`yKh`YcQ^>9@4S(cNkziMnzbQd=QTAa}*@=?vmR+2pfA7a# zc;)1^z8z1lzspl|q3p_4LFvX{2NJd7k&3Z|3jJ{-K9+*4is}t$p8D zkk}nwCkxg^l4FiwxU^Z`7G#Z%_KYqc_=UcLS&;CFPl>qri^QbZ2pU+uYvQhc?fSZ) zUe(LRdu!`3fMAQsk&}~#R(5ZvO~)8^der&DNPUOHv-BmtZ2ydM0zWm3H^duuQfn3H z*gcUm(>KQA>5% z1G~EBdCv#I(DLcrwNGo_Pj#?S2O6jtqjha)ud^N4Z6)p)XUb=X$3-j@PZ!-)l9D=d zz4h2GpBYYami2K!vr{c1{fJ4u;f=QxVW;YI)8?d%6(%gG%8z2N&~mR!lCDVob&~9a z?aD+GM<2T0HC7tw@X8Hz)@}BY_@S8%)nYW(-E)KJ)D14yZvaFX3H!TR?YGdH*XW;# z(OtsgLHXq!z%#=RDXcU*07Ww7ID%Maqx~{7DS8QZGnlx zH#g8qis=Srl9Q#5WqT~maa#<>YpqB)IqjW&C^v*g?6x z#a^+YG9bt*PD#K#XKEmg>8A*ddvP#F+};gXu*KE2?zz}@6=*owMZt^N?5xb*JDS;N zO~B5xH#$FTbK?6Yp&?Mi?;GbfRHpoW1xpIxFd6ksR4w~wkVJbVuLc8Y-NT*BZp~^p z2P6UxTpRl8%2?VwZtV(7X`4HOX>?N*u>7pNb>L=1j`GCw_1xn%AS8QaQ2n-bz%_Xz zv3ko|4mks90JUn?4`wob@+$_O?NaR<4j2L)#^I@_Njxpvo_z%~9#5s)dZw7<@>$6Bzww<5p3Ysze z%-SRXUBF9Li?ae(SMQ`k-BSe^IvoboLa_>R z;qfFODo=xg~eYCjhq1o5!*%1*5|uq zDbX8ied!cblQzClUs7FxuTdWrSfC|JRS*I*Rd^S5IDW>` zQ$DE21i($7xAhhd0X9NqQ7)mpS^}N|{33lT5~!q!wC@cV5h~*vDYz-tg38K9Y-NTI zmwqxybqfW;XEKZ1E$Tw)8Ed}b`FE{h$}*K2FR6or=rNedKqI^=@};Vpn1%BElNO4_ zF*xjD+(6b>WgVkG>f5TRg^6uNTV}s{#8O}A6>56@`zFET89;RL$yEq>V6EY)`rFR# z?pScIRwzZt7iMbDokCMZ|s{ZHnb|$KI%LYGP_K}nh zon@mlxo2tm#B>Z;QA!Db55?AJ;<5(_w}_{(kqsSc385z?s+A{u_D@%J+-fzOA$ z?tpT^sgr&_8jzw+f;*!BRu~c@6mqSM#;aL%rrxx#;iJnW0#gLKV#ngT92{BG!eqNPyjqAzig;?g6r;c*vi9a&hna^vOJXOl zjbjhpN(%6gDfMF+Ko&p#wzLN;k>&bnLUEa{@gGx(I75Ht0W!5b$9IZsekM>ZjRm^t z&Zeav?2^nsn(_eF-Q;SiRC;v6$B;NeKPb`%`>oNm2bn+I-k z%omEjGU~dm@RKHLZ?^7(R!6h*shVM^(gw^mD<{PG6Uc;MeuMc;+&2YRGU!uzOK&jg zMd!n4oLq~sTBng5#reB!0sC$$zY_U`3bV>BSkEFAuolXE`iX$EA)X|)a8oVvW`oYv z-qy!~zs*H}ki?KtnOGC|XV1H zD{@)nK;qD+zDQoqTZg0D6ztSbsaH#gyfw1Ii@#uovQ=lPlpN{uNnX6mL6Fuy@_`}% 
zcG)CfXe~(kNJnF#f-1+K)m?U`$BW*WJ(`(9HZ$b5pelE}BM*C#q3B-)OXK}i-dS4PX7`=R`;jU3N+`YRoPqa&nU2<-y75j-?-sd$bORR zslep2qG7M{HfG*sM>k~B!yqGz=S!PH&n+4Wn&3=W2_m0!Ddrs*xM2k<&j4NAzI zaWp3ABFMR*i}=2SK21h#ZZ&R`{g%w_XXj;8Xl#XE!E}$x~U0|5#y_7yVRjJ^(oB}Ja4V^4z95( z48?j4YPSiJM^b~-Y2Q=8>`tEyxa}=ThCGTN<5(5xtS7K2VGSKmT{R~<0tg8y;vl?G zaqA^r3U>Af_12l_$z52gSw82EeCMOXT5C@3tdiu*=yPfQ8ddDfwD8j}{dyFP2*Zz?8bog-n)9mU%s?zEfp&C9`#RIyzt(+{`@2d6nUGM z?9<*Jj*Si5Kv{RQ4gif*3!|@}9A%lTsV2P9>1|@@2j^!kcoPMG516^+F8e@J`^L?r z$MZZZmg*3bf40McgJ`C>YO^XF@X;QUqF4UTE4|r-Jrs^`^b+>`5jkay8P+70Bx^l0 zk?y^ma7ksUaRd)X5v}gwn#HBf(&wGTEP4w4{CCshrk%HJHWV-81ac_?H0%__9v zv6VC+Xjlp7`$#RSqF5+xragF*>@9!5I;*%-X+-^t!67OGw`p3{ID4&7ZPUl0nmsC^ zn1tp&9iNBkZ+_6wR(}t8U48~~I0$(GsFg|+%4bbj@)gFeI6ImIbya#*ODn6PmXkOZ zQn}|(m8q);lk>|Z9wpGaGwL%_Ox9yoCouvb-|fFSHwcw?$L|^|)aBylIHY%T>JL_8 zBl6`V`6=-9O1K-$ZDf0K;aoRt`RKG%Bjv?D-g8Z4E>yDeR2QAtmIH|`>r;AJDZ(bA zjw~DWG&b7Zibh|0>$xD!_Ff#*CLL$dACm3@-n$|+m7HJI=Lr-mKR+ZNr4CU?EPMNS zYvfmax7I9O!jeudQx}!jutnq{y@;-;Fut0wHa$;u6wPPy%yC(Rq4!_ibi2KWY%ZH zFhbr?LQoLKJnIZd0j>1N>@gDvGAH`(z9dyFfdu?s@Bk?m-90SRAX=pZnPb`peAD@l z3ufa1>@?dRL4U(si!f5!%q{saEnR<~q;kHk=2acf9LXBa7V7Y~TKw8iHTrqoU0u0c zh7hwZYe`t-nWrNYwl6QsD>q5WK$`qf%k$Z!mH|{C@wlL)Kb=%H_njjZ`6Og@j&g_2 zvs%HU;=m4oRMqhiu?QlXXv2_D2J=SX-tub?G=nVE0SLjsZyA0@dMO(AaX@0z4j&H> zxNGmlxrE*z?8TMQwajkFg!UDaZf_}`*y7=98(qj09yFGE{NNbB%@|8j9r+PZ)l88Bf06yhW-?I^voa7@uq=Z;fnIdEiCvP6d;ndS8s=|AM{iXXqIZS0y(_|JDnBV z2fgnw261TtQa*@3fAqOxH!WFnf2`FBr{9hP9_&Ns#)E*h$x-qM^=Cgsda+DY$u_Hi zd{vOneu%9qr~=h@0QFSrHtoPtp(8DZ;)<6brWN()IahRuxPYR_E54| z4b|Yy7Mfa{-aWvwqM-_Vou-gXexbnIiAUdq<>>lArQ+k42jSuuZ;krAra-2 zA=Go8FPPEvpQ5hF8lHa!=gb^peg)M@hGH!nQju_= z%R(&)5JhABu{`H!Hj#ualyWAF!W=yb@yS2+L8eq$wZBiPJf7sdBG-vCePd;rH#Tb& zw})}nF-UFZ1UPjy0dtqqr%|yNzz7U z;$-i1RCJ`t?;GImFS!=rpd7>vO(;~~nv&QXi=(r)9exxThB~g&?Q6%H#p*I3$Am2_ zloEt~LTf+1U%st7iDyE#2pu>IjK;7J{Y2qaU#!e*p9cdCYadkhKF@B=?Rwm5lWzWK zXCf=OOLqoPPa68o7Z{d%<3QJR+Oh~&rXcTmvcibS-a)f55Dtgu!5UL}WTKSEUkl>l 
zZf@YI;Gzeq!8Lqe8ku?m)7H#~3qRxFbn@l34ENYTETn<=W*T-U1@`fsFI&^g+BrR; z-3{nj9jpjfsD~fop-~Vf#6b}0IijR7rqMRHHIyY&AIHYN$mRI;M7OjBnR$#jr=Vha zqWHBAUp7Hl0%Rn1>5AM*!*9^pArUZAP^{}dQfOP5la0K>{uf#vyW?4mm}BG%I@7;g zojDQvRG`H5*cBM%`&0Jo_Z=Bj!gpq?EIE3W>{HJGt7qvdz?Nd}fS2=A#5dD3(a+LK zO!!6I@3&^M{yx6F=XOYC{{C(76y`R!y;TMh9^9z@aaa)nyw=2K^nO_kd znS390vVgC)Wp=6?f+A(=s?CJ%c_Mc*#9*&;^FnTooAheHH0UkCD@0@Z#^OjpFtx`p znVTcBvUgToJ&KC)6Eb&*{YG({e}(}*^~LQC?NPm}}rs-U=t zcLI{k`AU!DU-B-2%xZmlR=RgYmXRVvKtYo^rlt=C)J#J_%}mY|ZDM~5_2v9QM`bk` zv3#UE2X3jUux^OX0|k-4QEu4H>jKo&J{}4759>YN`4SHnq(E^7Q>>IN5Yg{kQ$6@< zdH!_UuPy2(!JU3`-{GX(;_{D@+HrN_g(FEHIn$LZT>5}*d%8=^W+PyRge*+=*-`Y3 zh)Ax4GHVe4|NNR+Uf5!4`!|Nj2c#{gkTw`x%o^8A>9q7?KN55X@RYp1#E){NyV}2L_}ns# zk&qf&84JPA_3TLQJ3312j44lcCOR35 z!1nRNxfbmkjUvfBnt>4zlTJR%VP2sSLd$ApK#r{?C&6>+vMfi%(~EkGw2P7t2z<+d zVTiC4XBLOVSL|N1+8HtZoD{Yug?GN#d)1t`49xP>DOYM2*10{Oa^V&5eIJ`f`t zU|r3}cU%M1HgSLN^P{HKs|{}hHcK~I?aC^~zVdDxxd^O-czinCv2GI!E`32k+GoPa z!h1DgXyXde$4AU~B(SsB>z?%#qHMOSs#Qo`r(f%nob>)w%CgbKbdH1J+>Vy~ktoDP zd-}d?VCm>~+QAjFK3i7qx2p`{z0*Mp%I-?QJAMFy!Ln^}h5ij<=nd$XJ$|bWcxF2K zkxijsSz;eo{;D-!T7B5=SUcsVAQL4VQC1#?++~R5ve)4J(^7zP)QzoT*PA!%FdH0p zN@`&Rt@OS}p@8vo!KzW500tPU90k0@?yrp|CK@b`5KLvlvngVb?38?Xg@ul~@)3tIbf&rIsob>XiglqM;e1H}6W zkIuO5i46vf+)Veu4V?ZPH<;SYpLT!QJN8*miM)fwYzqg~wAa9by=1XLyHdo2%`{6y z7T6=&ODpq#+zL;2)4nvR*qB2sugkI}a0;-&ju2z!lN*;9Yq6`K^pIRhIcN+-4AxYw zcnnXoJ~FPu_CHZjLA3A9aIOVpJj;N{HT?R|)WTp1O;D7#NhFQZ=~Q4w(ugU5a#x>4 z5-mxidNmbuGEF_^8bMGGak(#ZI9%aO4d>@Ttp8r_F@!el0_})m|09iJ6ohC53623v z8Gw6sPEB?k>BcR+Gh6A{bn=-5?C$}9(tR%XU;s$y*F97_iIMQ;qEH9cI<}qQSOn=E zYB32)8>sH`0+KOwT)-0h8RG>y4-%*osud^!1rLw>R+(?JuznZC`J4QGI&n-9^OLv} zTrkCGqj!DJJ`}PN1mnUutVXF9G~k`YT!D5Ooq=6$j%9)imY19i8Sr&n^qrm=i4eMD z^SGP571O+XrFbWYT&2cN-q1nvp$%Y%2ky&^0pi}$*as4*DLMxO7<<)u7&G}NyLT5l zZvhS+l9yS*N7KKrwrsL+VQf%1ksD48ykUdlCqQ?zDYk`z0p%+!D@Y#%#HIOVP&JbZ z0ZNEv{^HjU?>>>sjPI7kZ~?46D+fqW{NEb|z#^9eV3t0pR5X+S7LRg?A%aZd0W5%! 
z;jh(`259A6|G=gppP0n-A4j1Vrv$ZEApvt-ENG`2eiR5z6QX z%7UVRWQA7X=$Az7^1hD33J6Odcb90Ur?WDBo-u;TLLaRSrf;$**_pTda1^&;z&;jMC ze@0Gcr4~1w$j%3un}*;Pl3rsS`)~rIG%~zN2r{8sk->i|huTfXii0@Oo!9m^LN48Gd+3UHNeDv7t|A{c9R(X`p z51MkPhe{o9Ns!IBuC~dH)_ij19TN+eWn0C2YFh(zq`gNwDtUpI(rLc|?v~Qm=YH;S zG>-n=)^JpTFF90c|+^i z1*+qm#CwoA!v?Rc7i*85lkPUwHqsI+AZG~J6a76}{3dc|;~JEhG81G4ZhYxlcQ^Xp z8F1p+u^#N5wY;R0kgcTCY+eML(G!5b+-zUW_@R8NP!^rxePU5~`I|RW=q7>4dlRKM zqyhw0^iO3b7o~aUf1O<7XaXEpf3g4+@&f9orv~>gH)v>=+M5I6fK0$TEFT|VU44Ba zwQL+viC#+7pv^<+r9YNf`-Smo0m6lKlu%X0u$ag(?3~CE&J+?B-fin?hMAXoe)wxW z5J$Rme9TnE8Ri&KSV+yHQxoWMy7Hb*C8r35kdxpP=!Gh@(q<-y-2yuimt_nJMJl;QFF)JbMvUR$!m2}nk-wROtu?b&pyae1rH8QVJJEn7K2Y*t?Nuq0 zcj*5thX@U&2?`1BX%r!;UVV~P3Vva+(uRB}a<7&K^Y*4p_O7ZwH`fj+Z^ z)Bz*t!!yN2qWJUz0KIAz8L09HtP=WI6ol@f-O z-z9BjWsB&Po}S(h>7SZPU+LATj+R=f=e~c?K;i4<&lTx!rtzHVSVY@7g-*&W^hxfnV>zs%OCV`j|NmuwE- zMqpWCnml(R&$>@Le(bALMB)xB6MrX(-q4>~S;@@6o(7jel>KH3N2K$!W|xa|#&TQA z|E?7@G8+q*!J}`Lk}}Lye*PLJ!ko-mj6n+Za2*t;RmnW|M{mgK@1vyi5u!=Agdzua z*csepPJw9HLEMH|KyUK_aQLXiR0Bof5D+f-`ZRHXO+Vg28NnfybdZ7f!@<7fn#E`ECjhV4P zGh#y=khUXDyM;LADkY-{5z($^f+dnh)F5Xjb||}TgL9Mm|p(1n|Ql4RQsBmEdU&p!~NGK-VFagfPs3Q9mIAq;mpjngPfp zQiTG)gkV6Z;*dFlkk)A-40d2}k!t@(GnfELE>0XmONUenhgAB{?)>2G@&V>r*c=Bm zz+wG&4)HR80@VL4KnB=&pg>6Oz#z`OLxDbVz{3{aSuHio(IL5^Z5GSF#wN_vVw31DE3 z5^{2gaNF1<7YNqpUl3dN@4F+6e7*d6S6`8h)#+B^(JVfw-gO1O2h337C~F$(rklFd zSqG}2348!)2XF7kD6uzZS2<_*ceOo%P?&KbFi%nXe7#7vK7Y*2Lx8q;kS78h!nfvl za&MmqV>%Vq>gIUSQm%MaN#d<5#1ENd+iamC(rCzi?J1OOxkut5iB z=Gudc-Ejceq9lwMZPLSG#ys_O+E|utDtn+>DlP1H=j5bq(x5oQ>h@I3x+j-L?;*na zck;W&AaQZG*F#%?av%bsgmdYk52x@VRj#{+e_r=agm60p$lAsB9YwH^H}sS9D4OIA zvi=;#BazZ8)!j9OUo|z?bF4gH1T`t7u%iJmolG*J0Lg)LEj#;BYPUS6cT3AtQEHXn z#pX2u+&-p@Nq5P)JvePJi=?WvHrwCHP7G{6f{!VY-O z95)IO6A$Wc*s9)k@xP49Za6uoN%y?8=!Uzc4yAyPM6(JsahOj@G3(2hbV8lSn$9el ztKNn&jck8K9fUcX%atVC?2Z~aA0LTGVTZ{Y-p%dF1&qapIv_TYZ>!Lc{vO{Hn(0cU zJ?nb|cwj!I?SY9t505;ZIFFs)`Kpy|TRC#f9sa_0zeR}MEiBCu(WoNny3)Gsn;9X% z$BA>JZSB*8r#D{!#XH5I&e^LddeqCH`P^aQs;7Btn295?j2in#Yr_P1d&>-33W~@q 
zoz^Jqk%V@C)Z3S0d)$AoUJRU#(i@j28L_fHmxfXuJL?SqvxEB!6A%uLFhckypDUE# zf}^k_|Bo|WOVxPK9}ps(tgrs%z8h4~sN0<$MZiQ7BLEN>Pto7<${(E_8BnRBu1lYHSHZl?S0z|` z6YnBfW}%oa$ArEge@S5?#TIY0w?g>sy>|kw;~vhIx>CYm>>Eo37GiTcH`jc?pji#z zt4ZW?NrSjPHdveje(mAF2a5_6enH8IJ+K6m$mOE|9R$MKZMd?0#v=^%ta`ANt) z?AppzSf#_Bf?f^&Ipk?&yEPF3`EmN5bGU6P$HPudT=f7bWawPwmPwTthyZqS0-P* z==OI_!_=TSt+n#uyAlE47T_gUwz^<^*eA%=qzr8Z5NkBU2`z?+LZs6y6jKw?CXU4+ z*`y#>zUjmA+e6&a?6o#1_bLscm`je&i)c+n9#L%o)gEaNk;!BYOq&FxIeR}~QO`^g*3mN_sz2;>3g>~xWXdztUE`bSeKzM3uC$~*l_ z|1pc4$zoo2Th(DFe8hY|7CP044C(LoV`kyDMD6X*^q=Z;f0+fF%t7UEZ|um={QOXC z)8|4^WfMq@Gk;P4n~eD#;2d=C$6c=i^MiK-pJ=_4%7W*|?H1tpeh@qseqV%fX%bXp z<3{{LojWrn5Gwz->60UXJ)GIXYBZ(U9q+H@-uoReIJcJZbB@hgZpi%81R+s}7gNX0 z9fd>hSMZQLlM8YO%WT}Rwr|Kw%XeJ z^Q$c1TZ3sJ-u?Bm%lkD5p08RiL|>bCWlj}H^8GM+EBM#mXw69)W{KNzr1pA#W}w2= zT~t8qm;eE_Jh?dCkcqJBb3hqc3Sz`yA>AA8=Ih+%%;^RB_s!_(((IQj_HP=0`I6_cqPP$PB}TXhbw*Il~&nh({rw!Qh=(G|T`4```I_bS&_ z;Pm1@<-f}*sa|7&wzJ8VVLs1d2t6*)&*Ac&OKBbRGiWL}p`Gc|kJkyrE7tme?5cnN z1>?cO$`#Y{o7QO(FUy*>Kz7GfFyKlm10*4Nb&Qug*W6Glv^@^TtZpS(s-3g?qkOjf)A7{%-_xfzizTaHI3cO96Bx zt!n9)^1IHkBv+^M;flMJR3AJ$;RH)Zk)adAaDjPNaYx;>WRqi@9=qKe^Jx$1C1t>F z^)&f*Y_$eLqLNcF_L&5%Ul_FOIW&LFXgUy!YT<}9RraJpBzGXopD{#QKUjAi@%JVz zbzrMsifwac#dh8P7`BJI^>m{KFKr3ZC3$t75Baz-`rIQ;?dX$CD3!)i&m6m zzD7hKEY|Sm-%ZI&Q?$sz~pz8nKh;%sJ(g-{!QecEUQXL&@cG>QWs|wFD!^ycxA)tEKTieSkT- zoH6V4&=?Lu6p>Pd9?+rB?Rfdhy6&y0k!qi^UeoU&>cgOAXJW!`*!q|Rqz0%DV-GQV z+NF1)leo;~O`lc+j3m)>I*JF_*3@$ek3Z(rX;yJ-3TQK8ibc-D&7YV-vAeUB`qE)0 zHNrE0EWd|y->vJox-6mcu8$IfXoaArT?!h0gmVA$gvz-5Ik>@M`|=*ON_HqNERPM> zfh#Dd^Ah8@fdZL=!vAPzYbhFkIX&@hq*7^1Hk*qfo3nq@9}(uOuQfLAc@7v0@hwm2 zsDJ;SU*bl;P#P=byoGAEm&OE36UBXGdgjP(yZHK`Xdu6gW|&7-K>_Xw7sPt!a>$y! 
z*(CcordJyV5hTUy8;fB3^#Rp?_eaBtZ9Y2BeAhpVQb6v>-VzaEwuOQKeNPV$#X$x_ zzKs1QIFl>tnOxR=J386;5zp)ytkh`X;_Cy@e&!BD@GH*!|IC@ zc!LBnT|cFTz=oiHtcpeyeQxG35vNruf>Ze;;+(wY+?m!U@gQYzYq1T45uBa-(|ZRoljg?+?{Z?f{kcQ2>6Fj@MruK%JZ3Zyd-gdIHO>c}5Pep(weYhBK%@KiP(|E1@G8WsQ8mm9Vu&(>d z01`Ka>e-+1kd@G<;NveY=R&2A-d=>6_NYUl&k|q+)HdzD>Z@KD9G1DRCeAj=sNG*% zsb*AmdSPj9f)$t3oO>?CDFy)BAdPAni|mW|W75_$`6FtfUN6f6lgv@GwP~P}CNIkGAQ0(#owMg8R@BM4jccajf+bR{l z7Xl>!8y^nu^F&-^?=3`CL+=PYUy9cTnohL3xGj{n$8Q^V$=TLBN`G{GnyG;cP(QW_ zv$*fo(n^`s%GcuS(%7SVeV%)h3**@=Pzy|TwvN4w6L!xMsJ`Do@AP_z-u@CcsrCiY z=4!^pnal9!b6Pq|TH*~NL3UkaO1pl&N{pa&mCNxQtqkQ%<<{H1!skiFDv2^ zW+uAlD}OY<)7i163*g`>KqdvHgcXL6eqhT9fgjaV87fCD+OHPw`->n>8977%N>vDba?!7eU%tS@Uy7*12s-~W2Pi!N*>Z8e?hf4?Dp(+FEJ$%qH2v-ay(`ohZ+;%C2KkrJL3(gfq1Sl1JYWrM*)+j%D zpNTFV81yALNZ*O>9p_AMM*eE4gZloL@-iSkf4zLrBU6&-Bwd_s31LQmABT{iymLthgsK#8Ur7{HT2P$svwvO&ri&sgc;D_* zvN9ERVMwGQ*b10^NBk4}O<)>^HNq$-xlmsN$o2RAU`%4cJ;_~ft%aT- zbVJfck8+ENT!Nso9(jCue`*b(YC1^b$ph$m#aAR`Gbt&val6|rqw9@{i>!Swftng} z8q4t2t9>5khBXE6>%vRpu17KL`IxT_K(A!8k5iMuNTZeF?}WYo#vP#>y*(aBV>^|- z<%>@h5Ly)ZLhD&A>1@U?$A6uerxF{qZY6om1>5S|zR-~MxOKW$>*jd%&Zo(o3VHGl zP~P)Kk`VWgh4MUaZL1#Qqey$;W>u(ed2xN?6f&z9TPRdl+Du%vtp2nZ^GNid`WpdQ!rA)_g4E%t{FCJy+{aYyzFG-zF zQ<;kyt^JDcfdYFUOT@SW22?Pu5y!XcMMu_q1h}a4Umk{z>%I|hm^8qQVAsP$x}xj> zR)za+Z~~d)L#c6-#^xXE&{oO8d?6NDw$jQ7*2K(um}mbzvgE;Zd1eB~&f6q7g86jH zjENu?Hk~iW=tjj)qgkd=BL2G!XPA_ZdD2hPVB}Ct50jxR#@ZI>iz;F}8miD2KtK%Z z4(gcET;8)*Y{Vm*HHEl>;EzvsUNh9SxvrpLu$2+QK^A0@D{c z7)tER!Ntsn=3Firx=%@swS}B>Y zZz)NaP=aB#{aVLrwCpb?Ej2rjQ3O2hm96w(H}g&(eBJZ9^860|Ks6g?lNK|Bju7+X zSJf~^3q<1uyj@n+;6I(hfS!L;8qNe7exQg^TDL|i`u%%ce4#)Ev=h%?H`!z%w@fq~ z*d)E&D*$^QwP4^d)6~~ab}8nsniH9XA9hY@&OyXlp#{W9D@2{re=0r1RtO$lrW4=s%eNvf*6d_3B;g;nsPU(@$|08 z&k@Ed6&!KA_P_KAKuD<|wavY4&W;$y%#++rgZ!tmn-=;%fBpY|IpE`NnFf_r0DN+;bXoaMqG6T1Z3dL!w%3ef7`-xGT~f^4u0n0*56|-BYwlnc z)pR&xxvz6w*@CujZ5eis!r$lIiDWbG0)#)SN4|Y0&1v#cNVhS>*Z2$;l8xKWWNT*o zRm!!0vp&cmn?p4~8=vXf=I{M_^EHDTG+QFJIvcwl;dY0x>>% 
z_&^^7I;8*tQNhp90^iIQ^?d;TQF-fYsDLW^t}X!wryZ5GltG~CIQl~y8sPZs^M|J1 zAkg{m$A46bg6BCwpvPg49w-~Wuw2E__g@_eS|DFRym}pf;dg9&{Cnl3&#RLxHTV5AW-YrwLd_CUD*FwP!vf04Nsn`|5%t2 z!Vjad{-k|Bz;k_Tc{&~WwJ2x$^k)M@599NJ!iep+v%4cMa4_iYQc5`XwqF@i0QN>t z4S80guxL83l>UEx$N$@={4WbKFK&e=r+=8*%pU0+?>>*2F1EV7;gst6)X^H@ImNX} ztVu3_*f1g0k?I0}QskE7eKdBz9%yUD{^Mi3O*Fjv;G6f?oW{#^x8~>>l1Kcr!wHRb z?6tvTNRNeN(T>a5J{sXm4 zYq9U1v8-6-tQnd^at-#^*)CCZG3I`+O|nEuHXfET<;S6R4;%+~K1*;x-9K(zZH(4o zfo90p8eLvq?3-CCZ@P27;~?{e46L4A%Nc1d2URVz^PFUw~4�~HYy%S#}y9Icsm*^@L#2Khv`WQ zCM6^HhTY<{PN(y7$w;Sb>LocbkEFa5ERFE*0|w=aKR>GlOx5dw%7z zFIN$$;(&)UNA9z}gC=zdaog&aA}l~-+x(BzCXq~>7yj$O#s20tn{n1De! zLbgjZ^jds(1zcsGYT6h-vOp*8DI)FspL69C*1_rF`z=tZJn`$4CtVbwv*q3?@W%PC zmp@7hvN}}WIoKwr4u!LC%jzUMa+@VjRd1K9u&5iMwhC59Cz2_PN?9{lBcg&wd(P^p zY*Gv5qtN9L@J-@q3c>i#UV9>(Bj7usydPgW%=E1Y({pY0O^|dQH#v}3r>tV5J~gqt z8}FbGQGCu=+85*IC!~?+pR~0br1+4yxBg|kv>1J7W`?!diEbZfB`*aV$qgIBf67U3 zc8X6MXf`Zflxx`l3u!7GVrOc=d$p>sllI;UYSSOp8Co0#&tJT}FEk+Q(wJ8P_aBit zNbiHvcCpoV>zi_+`poa6l7Hyh%{zt}^GJsb-uva-w)o;KjeHI&Xx>5)4u0fCvYQ+# z4i+)oAx{u)4n0e$NV!80AHBA!c2`tX>gR4Jt6#nW|Gu`OYty)tf&bp7G>z@`qu^`g z?W9ffg(Nqa>Xg5+UIIU<@^nGOxgn{*L?<&m3@_83hhfP!w<_m(B=Bm4mPKtP7)2cX z=9oNTqK+aRp?TeL@hz3KEqq%gkZQg$GS@*&d`UMRbKjOF#@GEos6Kj2*M~%Eg>=pD z%Vla(3LvaIejb#iq)p@~mf3+R^>Hg+QY=pXB=b>d-8QF5>({6`W zTtTL194my{l`^W@o?P}cz{zWgGdT|<>ChgVYY-Sq+^ zW`$aP^Bt?oY(Eyzgi75>zfq0Qp46hAimFRFb$-%8I7D%GOh^$U6lF8qsOIL8;*WL9 zJH^A*;QSz8Gt=$vCGfANrOEC-g4+|8W|Vi}Qbpm=QbZKf_7b}2(jVyxliN4k@y|ON z3pWMMt}YTuV?UL-d|LkY8sdLc@?*&mHB(pu{WEbs4J;+4h;rRt*hEWJ_YFndQ@9{` zM|P$@Jl#!ja$}3K@pS)b-O4}z2&=_>2zkg_W>(!rIxe1E*JwmWL$ z4N1|yZLG*ps$lMGe_z$S4tZuogcz`RPPl%B#oozZkvz&-qqDgvM=<7m;AGn6USqXY z7k74*PHmkqRi8dUU$u`D&Vg)?-uB3Vau&C?#}t*icbF3=6SSd8%#Z0O-US4qaRXab zkq*C_*Qt_oY$<-W{1$jmjZKc_LQC0CnnL=}y@M2ul``}^GI&UEsrF%!t4{&DS4TAa zcujGv<(OP9`@Af57>D}2c1(ERPt~@!9P_$d{_~IM2cMO>bRp_|dd92WNsZ$srM(id^+pyl(%^{n%56^mY3eOP2e(gh|2^4z}HH zDX6hv-CLD?U$P3En#SM>&tO1rj99ol*2*VUd_!Fp1TMEtqFL3@k-BPa;Zh&)tfo@G 
zd*t{Y6f2Qi@~IDO823MlY>PdBoJ_Xs*)^YaGyNVaLJZndTCPi!A?uzFEc03H* z?hd=iIV!ds-x*UL)Na9BFQ>6wdRgKNmqL&R#1ZF0K2z?kC(|(5gB|KU+`0)geR)RA ztuX~un z?IK4jQ(gYCsrPe3wTI$lzU$;8z0$(bp8(W3wbt5DWJlmu+y2 z^xrpKSdwrGi|}Q$FH7QxlowwBbBwat9iS8~+s9sfSe4t+mc{b;ZzuZ5NGO>ymLnPs z+o#w5JRau_*yIZ8W6CItD(&*znX2=GYDSxj{FsQszc3(uS6Ti|%Sc2VjOUAC5%RCD8b)K}7r+5CufCAmUk zNLJ~E=;@7{)5at{l&YhJS9St|BGu`@@8AkVr7t;ntaj#Tz3@Z_M@OQ@GnIVG`m9hC zc5QQJUS}`8q}$4Ync1639PMoW*tL%$7$=9iU#mvOCijo1{^n__ zw!3AlxamD*Bwwc*8T`$IIvSnL*KpQ?1p@s*u`u7c;P$OKl`e85+o-z@?@(86yKH>R zZ~@__k+`Z~x60VNF%Og8fD76zQSzKtQfLojXZfqfi{T|EGDw{2w65pM| z8G9>Nc4Cr#P?`nKY<+YOx;+(c3EkV6Ukk)qEN(YVro{KX2o&hny`8t?%1us)nFgy7 zCw9NKttqK3uZS2Z&dFM^O-(U|IS?h#g-_7!v*}ANl(>;haNz1M>;9VrqL}k{+~}R8 zwfADsm`Xx5*N6I+{TN;AtSw+=%k~uay`A`qnTGwhLj(a!lA27vY(IB)q>;$dWK{Rq zsd38>HKn?-vU4LLXT}Z9=MWg`sSNCrMbaZ#11chX)BOO*+IIsd#F zN*y)~6moeaQuCa*&XT$60n!ygAVAg~9aB`j*`@SsHdj4xO29SeEi78k%)Fou4Hy`q z0jaA0=c{E}F+U~mMZzg{wsua?a8xuCh=G0UPJh}&6XG9gn$N0X&6T2uesQJd{(>*Kf z6RyKzeBKU53bn7CL|;~oANbx9@7#Tonjeno%ZSNP7gvC$(}3SgV+!kun!*%<>e7s( z4yj{WjZ>?=g?ji+j|F+VCoOYjl47=fPRkiKX$k|6UUSSkzUm&=#se}MDmQ5DOP$iR z?}l$oj%Iol8C%a@$rUdzGWVac+b7AI@u|$TQ4}UQZgof&@5C+FJ5+v{eW&Vpdo;w_ zXuHG__ja{&%TFN@DfvpaJn3mhw1Lyz~H?D;Z6fNvyqkZX)C>b z+`}Pzdpl)mpGe{OfIzRK6164#1N?}`>%jF@Ufx0;R$^>KdAQ&vxp{97axEK^Oin8z zVRh^f5C=o;%)s__drDt2Zx;@-yxuq&a?jIP_ls-kikt#8t{jMxwo7;&HN;=}z$djef*z>=!VkQnchhAn%*O+}NsLrgR-Cobbgj!{2bd#XI)=k@kv* zac09eCKZ%hcT3Ph%WN**B=c#|(bx<2Fz|UB_l2k9cOg=SJ5Gw4h z%blhi>C`>xnRL@pCAiBi8yb2@eOMbuicD)&|53`a^HJJWj&mx+QmvkooSir$;KVP7 zQJv??&|bi#%VHNcZyyYK-X^}ijI7&hsEw{pH;=VsBV8WZce2bTwa*vs9Ex2CnzopS zXBzCeu&V^s?=x~WD{x)Yl)*6C+pohVAl-ER=^*Nz6Ui zACor+9=`jTQb-A~+rJ+tCn8_b=pVG-qNvCfT4&I>To9hr_UaWp)4SVBukiq=)925G z$DT^is{f2vSCU&w5O0C2>1TmS^En9QSMbs0diRI;QhEyuoM=x)g>o!T;2`iFgh@DP z=7W#3u_Gfg*a{lITm}g*+{#I%=_@_h;taMcc8wEiGUpxJ7tlRZUg*iWh29t{gAkGezJ?T{GZluXo0$?00}hK&yZBu+mwJ++sPa`u!R+26O| zpRf_)tHR&{Nd;4w^dK*hfYC#;*zk^PA#!nZn$&0u1~bQW^PAV{L!xy?;68~Kcj}v` 
zFq2t|shF&{;{Z;kmGRB*@?3`TA)Y{4O$uP*Tq?9l8R%X(Br|%34 z7hO#d>J$vmk$T=Aq&!zuI{W69zguCs2I^p>O7g=R|F^*)f~;<2PY@sZPCFOE@rM2( zHZFiuH#07u80oYCXS@h3y?AaQY+4yn<}d^sm6@X*pK0z~B*3fJC*ZmDhxfJ{d99{W zwC$#woBdiFmK;aPs24Kn!YN1>&05QZON_-eu6A8X`Ni-j-LYxO+U37@JXtuNe(Raq zf~^Rs-dpr^LakzZOJkQLoiXl{iQ0+eYSehdn1RUF(H#ikXiOesV%vODI4-nHgC}v>nBwRblWFFU7N5_ z7LMZ~pT6a=GB(0~khSx5z{6ZRI{inc|KKZ$to^=-m0Y1`1 z&N`*Wnnqmn_FHbkXV07ZkL3v2F~wmz)SX>Y3C^?YImWA3kF>8GtWJg?Zp)9cI4!nT zh4amoLVE3%EQR9mD3=-Y=%j;0tL;8@!|_>3Y+Z0z!4+t$xwE*Bui;iOhf!CZtElaI zmsllzNtaj(i-wV6cj>DNVP^gk@J6h~>PA?=pH8a+1BkbT$jD13uA&;BsR{fv!dcI( zy(A+RawU=wjN&e`8y7m$F>{0~H$Q|hj0jcxDo?6rGJT=~p37!%eivX)(F?Nw(V zvMc5qG{kA#El6m$%T8J8-GST{*9PcgcC0Ypu4l2u9}(YbFSc3xlFXoNr^9FO2yM;q zAr`+dhXh)^<7k1d%FSeX0g6Mm_=yJooU$u;dOb_U_>Km-L|v~2_C?7o1dAs-3zHGg!Oi=k}3rFP1j8x`qFuSYJ(fQ@+D73F`FX<(3K+qS> z#{IdUNk%K)ITgx+E`lL34Lg-r`#nsZN72R+g9TR>$?cDm@(l(|e}F|4A-0WnkzLq^ z$$P#^;j@VlRPEj0Ny)G`udx;f^I04Be4x;8qT+t!t4&a^rl#rVUtev?Lu9`n75qBG znmHl&XxB4|M$8>Y;(n~Ym0-TZNyCgt!`#W#DlFYo}R`8T{ejS*MPD7{ME*N5uS9mgTRbIrRjZ5VEglf0$sT^%Enz(QvbLrsCutq#czEVW$?wlctV&tG0fbm-4Ms>%5G#8vJFFe)~M}2liT8gw3e)Z z$t7f%cRUK6IWq#BZ8yKy(ttaS4_DYOcYKEw|pLKX|!@96i10&$CDyZgfxV4SzxL_?oNz%fR zGP&07IRHuoeiyHB%MhA;L`-YLr@_M%CT&@^*4>}4tC2qKb2d+dE$S@(G_8p?o5-c6}LD*A#aLcrHe=ON@v>5rJsKtvwX~yd6}H77REOzoE2P-D4|!9d^$36f=bwC zs6j)~0ha+#WMPr#`f|P>2ij4X|!W^+1!Qtugw z!tDy-|AI{?C;bcP{AOTwI?w1Jt?Tjkn#czEY5#e>kM1vnfoOf)s-NYgUgA{R-p0<= z%#{=w#l2%*aXN+Y(L+(jwEBg^I-WR{aJaI>HQt0I37bhsE{-*NJFa`6s_*TRc30(& zA!Eyt1&X|2#Y!O~VGZ8i(rJEM6ZU&D$@Z1jhJ_iyQ->=?aRe{LC=p? 
z0?e~^;W^(;iuI=`+bhKU}!#hC$BqO_P%|*?@jwOLfz5>^a6m3R+VvH(CUME;8cmeqn+gjX3tKyf^mk zCre>NJH0%XzMAmgMg9gYxx%8wvSJvw<&zW242Xv{6prI^eym*}U2S9n5`%VQxv0gH#m2oBZte95v;K^FKn%_yNoiOgs z$M@ps5s3cVQc`Q#j!|^NK*Ox?MGAX~)LU=R-*&0OEW-)W0?_v>(@l!$CBeQm3hvvT zgtd5qt>>0Ogc8L0ccoW%eX4I@&zE`1lD9_$CNHlS`w8n%3aS;{b@M`1HiphOKRY0< z;Jlc}n`Xij9u2yr%P(E~(&C+dyMa8PB#X8F+CTn=D@#iI5o&?X3vEG5<59;DFm*H} zwB+dHuwEg(Ehdp&trM)fG3lWY(B)xjh5C*)XWEHA<8%{&2skFHF9y1s?*)(mocXbF z+}bWTz-X&b>_%{qClT)dQG22Ut7aRPYNV)$gpPjqD9sQvjyqU=I}gt17B;BgsyRPX zw)o<>8(X017H=zet8!m2Ir`^~dX!|!*76V^o?A1~xp3HoC%MJWE@Yo;>Z;dvCsL5X zr)qb}5?V9f1{+vH)(GQ`q!lhP`r01WFnN!gJ|03XUE2=X5cJzgT3vM2ZCDF=97H|} zcwMKQJaEEJbk@OCPpMc=3>-vPqO3-P}<8DwSW3e$7>pXY``+dzc_j!^FT_<9T@2?v0D|Za)q>p zkmVbtLqP#nTa;w%7GWexC;cPVd}&6>I&aQhuzqDq-lzkR2=CDuoy1gFnyXT`(RS&AIvG01o()bN=o@sM_xmBw)pk*-gkqo zvRUD#zDgfErnc^*kYF%3?7`X?nni=_vo=f5?v}ZwZwt>pGG2}DltgMhp(sXVFFj7cyOwIuXa! zBc|Y9pC~53FVA%=xyAF*Hc`3SQ`yLETu-43tXTbc+4|*B72hY%gIrv=V(defsA(|h z8DxhSMMm(`)ub*FWI1}=uX&Gde2+rf)jz3^hG++G?shNL^0?#l@`c5Y*m^{8TRyTQ zp|+(uxafplk;>RXlP4pT1HYF0@A=o48$JbNZLW??kBs~Putk)Z!~{D&l~Hqp|Ak)N zceq?#*fZxDXkf@rf7Fs;v7TRh-+?y!e!1>jbYB6sjKRZa8CECGCtq?}+h`0vW@^r2 zRuMO~>4eZ?HZ%)CCT7=tYshMQkZdBYvvPwzx3nce zE+`heoYR4q-)#w^%t!RRksH&_WWUv0ycfP7MzX}0UW>%GVWGOdq7%1EgaMvi+_0@! 
zuzMQp9|+Ke+6Y5KlIagecB%SH^u3pz1jYR1&t3Il;@0D0L0o#YvjR6a=j#}&c5%Kl z-JA5uWe%kV7~DzmW2snarv&gEAub!_=v0V zo6%7;shdKyU2*FTbkzc9)90oDh9TndL{yR*Sb9;DLGK##@8ncDo!l+YO5)-rck406 zsn+LWrKt7S6_NToA80oOHi&o$U0w~un|E(-9nMj9e&@+%7YTbU3suiG0bw*Ft)+2g z)T^wxU^{Xiq}Yt9J8SD%@^V{=GwP*HvH=N^`RWxbD#W;w#rpLrYA#nP1wJ303>eR3 zhBowqsk$n@6A+wy<3A^L^Wafx zDM7OD$fduh{3Eg6COD{@5||b7upL^KF&L4FF587B3i@Cq>F*n|?m<=bEM{rtA$+No zAH~)x2_H(fsu;{NFKs4hpy`~dbHrJrX$e|cGHNMaVhT!8_oVXv(%L7?wSaAw%>Rtj z_+_U%c0oeuH7w)*2;2T&@Y5hw^x2z#N$h`7<-E}+B=&C*?dNZ6v?nAsK!hLrT7WRH zPw79QBfvcry*oZUrGx~U(High^}ol80Dt}8E2jF_NqYZ^6~%RrdxKLtu6Xf9>e>X= z_=f)U5uKHeCGHDvP=%(c`13-iObR&>uTw}l#2=3OL~cKirFV1p3R@-uzYo*I|L`SnPC1^2%=5#%L!E+VDAW*2D+D~c_2u=Hv z2?S!}JPlZ$tX(hc0tMB||DP40qestoWaO#_AI|Xbn%BE)Wm>)X^=4_aPmc7Y(5sDx z)gA)^sUT&z&jiX6x&$kqxHqq%S4Qk*U*N*nK}tv&VW2?MQ7DR4q|Z{T&T|HBzqdX& zE(i+M^@ycI@A?eqs6~BPu4od5LF4<({&_)VEkNj9Q$iPhQ*jhY`vOwBy5+F*er-uK z9r@Jr2g`WrEq}@Z9@9n-k|~mIii^gueY$6-E*tdoCEW*U9Bz4;98c z>P%F3`x$7e)VA&bIE@EmlNuiDn9Qc%DNA8W~nVhera?h?nE<(A~bL zVEA3h+ex(PC4jD&Xr-xz)Bz>vbd?ee7+bCJ7h6yD+5lP+Fyf-usMOhbIZl9_Y3Q)#K5vst%%;2)}nS=7Fl%Y|@;7(R8wS zM5rI*w^e0e0lEilvsr&VZek7WCx_QUX^t&#m;Tk4)i$;h7af2nYft*3wQ3i5yb3)3 z+Z}Ibo*7j&28r;$J=(T@E`AIyaY`WiTDq4yFBO|t5@rjS%C-9}eO~~B$WRq%m!my; zH*mMSy^!kdLBnRuV>l}3Jn!Ala(Z>SmpWp8i&29LFb|{G_5cT(PM_5mJ{Yv0u20@U z(@vU;{S%;lLolC>b`VEiU=R5Mm!SQD?_%{br5dbfLBlQ+;tD*d7p8DPDyy|=0vu&p z_m6ictVF+A%aXn$yDJRpVODp{z|9`A^c~ ztb@h=0m~ImcB5EzXSM?IMGjs!A;;su;je2Mu{U&90PN!?y zg{t6eyf%=jAC8GjE~a%r;CgcGRNL$ElezCq+x$i z8q1q`6vMLQr{H%W@*z_mdGo*}t{0P!S*#I0NF(=Jv4-Hf%Um8haWUUV43`(FAAL?8 zEgWY~PSklP1RH_gJA%7Sw8-@m_9ppm)%K8u!%LlICcPTg>omAB{GBYk+9yikU^b%# z3#63k@r)7#eFJ8a_JNTFlRectj;!Xko~ZNbiSpfr=-|#*kFj)wl67BCr`i_aJJdcKFw4l>qr=%@YI>*JsWC|?B{}x?8mBoDE5`7Z z>F$GN-EF@wJ=IwnQ|o02;cSSU!>_d2u8r7k%Pq$-h;wbZB$MLe#TeBl;^4;`uo4?P zPnLW^P&B5Vgip&zkK(u}DVhyh)Ct~wAd6KUzp95tqp2Gmr?CI*jWe93QSG{Fl3QHk zcc2Afjpi_sHW~CAW+Maz^|j=NC+T$mlqLjVl6uqQuvUGt7p`7?Pvh5RIOY){#<9I; 
z;`>XQ>26#@<`=wFu&6_=u$fdZ3D70)uLYH7E=nsxC+(KJi{Zky-Sh6^A>+2T-FJxx>??VL^*)=#uZU{(TOk6C{>rmRO35bL@gFF;G*dzdfs8@ zI1OE1MyIa%PqHKD_6aZNwyDdGV_5{l<9STq^pa=T89xQ*ye;WoySYKt8b98R8m;Tb z!bHcdNq0Y;GV@35Vtbi%3Z&q95_iD8^bDWb*(bV+%eHvnjsKX1zG2iafHWS2qnZiA zBh9ltms#_M5chz!q=dgjx=?<`&Q-ML6{AZ(Gia|(htFk3->%+8=O4av)#{YuWZ(QD zHtBw|B$`u%7QN7Ug<*0&M3*(1#;V4#_aT1ra6QB4Nu)=&$c{bctF3azvInJ_HP0!< z)_e>E8Pd*^DC{!-cFuD_~6nQNCjt5E8skbSqYx@$@*-;fw{m3fvW*m@}kSQ$^5WXTKADQHy_ z&&e!xG%nRLK&TSd&c>{D&iE}P{E9uh#&d4^5K@)8#uz2WBNeht*sH;tN)B9W=Wq~o zVRZMc0q?g2izn#uo3SeX)crFfVxID|kna@*&2Pd6lUNtyx6~Insc&hynMZR2-H|Ehp2@9&K(44H zbD7(f(GI%lu5;X|pKL=0PRw6MJe@?lFLnw0-PcPYy+&V)5M$5YNn|M+bOR4BA|!O6 zHyd3K2jBKq78s<~C%zw8VBQQ|Ny^l*hirCm20n#YsB}Bn*}9I~Mv5sIbxYi;Ov91C z;dP*2k}cMt-9f2?&u|^gASKCio|#;AlbA?o<=D4Vv6SG^p{3!m7tA|y?(sI@8%xgI z2TeE+zyL6sc38%XMxU?c_z^ocJKA2+B;3ewz^03txI$O|VKUF_CjH@0e9J$j zojKxc8Q*)-;R&SRooM*E{c^|pH%&bW<5g|L>Qr$pHIjp(%W~E3*N`MjOXM}qgY0UJ zY_8RK_O)th|7F7d3jThEyxc=Pl!UtM4VW9pYpRYt&H89{<;RJhhSiX$#LUva4UX(G zoiwXA|HBU&4oX`WvkR3-Y&0+)Jmn3WO~0G1SRK$AaBg#vx1*-iD1R}p((0R;FZlBE zy?4(j$t<5N&p9Q;=-oW3M(z8FkjF-2K{2=ogZp0i{qeFlVz9V)V_#7i_S65!mcw zzyEY#z|SZ9>6{JtF1#axz+8MAR#D;3=8ImKVHJ7IDJE$qrLM!YgRUA9x{@H7O%!_v z(Hf4*_8O(R8g}}8weX=V18m&l+taxFU*gtmsvz};fkUOw@_)ugc=5;@4B{zZ->?S~ zQ8VS7Z@F6gdN^uG3cD(@lFmK0jHc$Na_$Us`7qWTs88OOx|?%e3o6eDlc!Y%v+Dng z3v7E_6N9KfToZ9RPf15|zP0c$^V8N#u7z5JFH&&NTyrM1)>25WX@k1+P_8{nyh#jR z168fCx9LS8m0bo2%!rI@TR6Gv5x8OI+&*G7>&2=wmqbs|a7B?p$bhf}*mP#04} zH61FklLua|e<^j1IgsD+Q=KbUlGYi4RGJa>q4EUmKBX_#x8bO-@J@cmYIZt@Qj>f< z%{Axvby{%|0srlCT0iGhl{JM<t9MM0<$P=LE1U1Snu-|q zO}9(tEFto5v-u3P!L0qZfP+bNWp&Xq#i@Sm42@FA`ZwOe%N!8z2aNIQvkmMQB(p9# zr>V5X!%tza38dPhifaOL-}W;mZF12l1XyL(kQTG&hQyxwPkW9R!ZtI6QssD>1i%z? 
z42K!y`bzz+x(Z>M%XQqug{^+C?b0riGkN6-r@&2!_GU)Qg2UK~6+H0dGI{jtS)UCTvx^dzI`Nb6Uv72g=6Nh=k6S?_^}>Iq=bM zh{b7G-@wvv;kB={p)OAnPNDl7_^d`C^EKI(nCh#^XqA`29G)ety|gwKhl!-e}x~3p%6dCKtna4hoJG6E!y8 zFKa0ktlQVCUD>Wo?t%vu^#lMB<#A4n)4f>f;ki!MQrv4p3aZjIspDvX6cN=;$FQAV z()Iz)YeWr)-z_5WhJGCLG9p`aUs%GE`J8moeH0Ch0!_rZ*UZnIM4?7%5ZQ-~VAHre z{UbEBY=FwdARaoxB2Jh;V}UM%5sR)HhAm2&UGXV1m4Q+Q|G6%y|Jzd7ZKL|}kj1jp zCKjVuDzcH@&vr|%UTZOk<|2eztkWEviMw)bSgEPo0CJ?i?H5C%IdNq>u3pj@onG0p zaFm2-khr6{ju2`xa!h2jhvlGVaH54!Rb8XJqsEaVyjo;$5XsC zQc@31a2g6^x%yGS5!!yuS<(nx+$fTpT4@T0+(MM z-M*FxY#P>br&jf3{!sN_tsoF+>i|k9=Wr}};RB4M3tKKkuw2;~dq;J5xvG3;rB3S;9bHpv8|MPt%+v$rhcbJ@Y)N=LKz z_^jX2$g9;Vdabj>-zr z91FKMU?FjO;CK#iMLq-5qJh!%28tY-=vuP1Mdz^WySOd4P-&K?9i`w$`Nd&av2&_Q;NpKmZAfo?-ZQuJDB&8$V`?fZenR z>p6490EKkIMz-)Lu}ETMBXk)%``*#2(~_%pZw@zJvwnrv{SJ#QPK&7OXTN27p#h>n z(k{GbT%nd(BP`V4Uq`i_zd(eNRv14gt&OFrOLgJNN~6 z*635G84W8`loKF4fS4p#>BHLRJsH4Q2W?|-!tJA3e^cVrhDY+Cx<7%O0aZ0hPZeOm z7^9q?K-KJoxIPW2B$SVoCJ2GDQUPNx#}9E0cq1lymkeF^t&Z(|O!n%aAGm+z7wxO}E?y0Q6>x4z-g zei}~)|Fy`N$7c05uzeWOYsa8Yzm`->Maiq>obZ|fTVEXxrv6r^SCx(KpR;uHA*bu) zGg`iz9^Fx+`hJ`Orr=k6akD8=Wux{b+Wi{5gEQCG4%~IVRj7-PUw1=XSXgpB8#)*u zs7pWa*9=2{rZyI$z$-xM7khU~6<|Ru=7}ESG?`t#@@uw%hr<~u8-k4P!V`X>h~r(f zz2m4mvZBT{2F`{Gne^_gKzt5j5ePYtLLGVf;<D@jo9ErT=!~A5Y6LV9EUP&otuY>R(aen2A*~2PC{7DL{g; zw#0EkEnQgZ%PTVva!;E5Z*RV#DwtLD>+z+aD^5%&HveNb_3ypwk2j?Md81=?b}{^Os!(<`qy$=#}HF0Ox;i*Z{A3TnVV)gedlbQk{q}t{Pb~z~`IM z|9X(X67ahRNSKZmI979x8QTK+k*@3WyFT5!80YdKZC zeC%n*h?W4;Mp%bu7n^xY&T3Z;K948+FOftc6PV#d@Nr^us9x1>-q43~9r@3PLmQR1 z1e3WxBk8lAi97T>ER>LRqNkP4{g}ivLhtK9981uq0$n)8<1+||4uebBa`Pen&?UR} zoBgz>6&Ca6x|0isG`Rh5rJr(|o{3Y;&^{a3f9JTwE>2!5U19fU*b=kS#@#>FmoH{9 zo(b%K#A+4jDT@Tui$VU-dGeod#V3Ux{@vz-{Qa~~N8V@;j%ECaVs!+Z`BLsvpAP3e zjvUr!cqsqC=yDg2MTzyJ9h4%B<_TbATD%p*-#|nxA9I?5#%0$Q**#gGKBrPC-P}VwRXe1f`$US&4T6o7LY-w>>mKz%Ki5k;y6F ze`6kk0c9xwUzsh{4rzC1P$>lg$>_Boj@)QK!!gGddQ!MS-++q#qf#CE`GU$N?a!jy}gN{Nf&+FHPXVJB00T{?BT^Aef$`mRKXdeBtUHc~jlptIlL{LQoy>B$- 
zIsUA2{CV8u;%l>(9Iu|#Aac;N>iuqchjuPHMhmpJkK|2N_D`kr0$AyuJPcCV5YWC0|Q zvX3``LTx@DYsTKgi@*Z-FxCor2l)AgtzY%rnQ16zy=?(JCS&@2AdpONUl}Q+=xn*p zBO)UcbTr^mrn61-AZ7p4;{_6xpZlW)5ZSvzbU1ZlP7sUp8PBU zt6D+s)R-|&?PMq{)d6DF?Tv-L9zfo}OpmH7%ou3MfY`Wz*RF;xOqDpZcjBq5dipO< zT@C7Lo&<#xNCrj{8ewGYtjN((%8HTB-5Kv~__vS8@{mN)ZWyK7#+I9dfeau`vGn?4 z*^Gh}I19hQd7~sSWK9G3Z3v|12dzmz-pmH5s@Wa?nJD)bKLf7=oqGGq-*@Ha&IOIu zbzV02E$Cjt$W=CXS9lEEx1GFM8Ld*1V4hmXGO_w!KX4)Wx#M`KXRhUjs?Bg5wyF%X z73n=UMYrdx_tv;<_W)r9`WIf`giP?SXapFgvNRGceCxQ3O$o6V%^uP54F>3dXh zpVY8oL^(;AL6Yatz0{Un@&2I71uZZ7wYRXS{@r7}8>BmVfe5%wpzIBhcNdxymSQ8P^) zgEu+L)!978UgiL0`5=FUm^!FsU_KKh-cqcor@WVo**ImEx7SB~=M*?=c4*;I_M*0;Y5}}Fyl&v@s z?Sx{K{2{zgFgISe5xE+DJ245jGF`6-Gse_?U0hT_hqux#hH*r(rBju{egrM9j7r0> z(Y5ys3fjd$vdh@9bEEK^FuYM+8^z)v1EFykjYSVqLm&741 z`HHiK7`l_;?IT-Wve;FX1F3o2aNekL-HUFZWKz4E9RS*>We3hkC!}p=2;qkX;6rCl za7yK)zhcI8(3I%M_m99$5o?C>!mfv=?47`43GNbd_ypYSWi(UHu9d~i!g~GHRBdQt z6xy+<^gH*Jv4*LYR|uBPr_|<>eK#L4#vY^+XLcy~kS?xFJ1QgB@pX>h!E-_+4fg<_ z!Sxd5FR0?H2{c1&H)veL`U84X*emA$uU*-z!IiXT;kG=D-bl_=-JIF7R?E#9ZpF55 zdi^@@yUo9%=<=mEu&IGNBTkvwpn&?IH*OnH3w$I_xi=NrGV~ykVaNf17UGHYBSe0Y>@8+kt z>C^q2r-uGp|K^^3YK=Fr5CQed-`f-@aBO@Z5_^Bqnn@>5Pur1t<@^nu%b@HAs=!ie zcKPy#pP4mv^7g&44YmbSePJ%LV&|G3&>HD#b)EHhZf#m?V6~%BanX)BduLx+E3msKn%C*#f#6cj z6{{UeG&in$a!GRYu3c}ozfmhVb?8Pf@A{n|jxhJ0IP~Sc;=j~az!N9JRMyKZIrV9k z;nnv)LiFbEdb{z>)h7u@Mb>Vgn%Yx;bb9V&V4!CWqT>kBAYJcsvo4$O- zovu?WRszES*mGhqaO|D%F5z|X;gp#&^P8mqpNZ$)C?#ZSP?o&o_4^vFTL)goX}a=u z>CV2tbn5n;%C23XK1~aMzx#A{Y>ghPN?pOir&oTjYoC9X|4PWTg`oe)zPD!vFXTh_zTbAJKjRcHlD70}YN$(F|VZGqdl}74V@v tH#2~}5YRDIpyg|XPOh5aG3h_Ii-K`H*N(Nuz%#lSJYD@<);T3K0RX2=0@VNj 
diff --git a/education/windows/images/test-account-icd.PNG b/education/windows/images/test-account-icd.PNG new file mode 100644 index 0000000000000000000000000000000000000000..4fd9bf3f28398e4a979eefb3e9e459b961539dbc GIT binary patch literal 5875
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 3f410e8d68..3245416d58 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md
@@ -24,7 +24,7 @@ Assessment vendors can use Take a Test as a platform to lock down the operating ## PC lockdown for assessment - When the assessment page initiates lock down, the user’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the user can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lockdown. The whole lockdown process is atomic, which means that if any part of the lockdown operation fails, the app will not be above lock and won't have any of the policies applied. + When the assessment page initiates lock down, the student’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lockdown. The lockdown process is atomic, which means that if any part of the lockdown operation fails, the app will not be above lock and won't have any of the policies applied. When running above the lock screen: - The app runs full screen with no chrome 
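Review bot: the rewritten paragraph in this hunk still carries a stray space before the period in "Take a Test app ." and uses both "lock down" and "lockdown" for the same operation; drop the space and settle on "lock down" for the verb and "lockdown" for the noun. The atomicity sentence would also be easier to act on if it said what the student sees when lockdown fails, since the text only says the app will not be above lock and no policies are applied.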
@@ -64,14 +64,14 @@ When Take a Test is running, the following functionality is available to student - Full screen mode is compatible -- The user can press Alt+Tab when locked down. This results in the user being able to switch between the following: +- The student can press Alt+Tab when locked down. This results in the student being able to switch between the following: - Take a Test - Assistive technology that may be running - Lock Screen - > **Note** The app will exit if the user logs into an account from the lock screen. Progress made in the test may be lost or invalidated. + > **Note** The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated. -- The user can exit the test by pressing one of the following key combinations: +- The student can exit the test by pressing one of the following key combinations: - Ctrl+Alt+Del diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index ddaedb6e10..c55210f810 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
@@ -26,63 +26,190 @@ Many schools use online testing for formative and summative assessments. It's cr - Students can’t change settings, extend their display, see notifications, get updates, or use autofill features. - Cortana is turned off. -> **Tip!** -> To exit **Take a Test**, press Ctrl+Alt+Delete. -**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](#add-the-take-a-test-app-to-windows-10) +**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](take-tests-in-windows-19.md#add-the-take-a-test-app-to-windows-10) ## How you use Take a Test ![Use test account or test url in Take a Test](images/take-a-test-flow.png) -- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user logs into the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. - **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. ## Set up a dedicated test account -- To configure a dedicated test account on a single PC, [use Settings](#set-up-test-account-on-a-single-pc). 
-- To configure a dedicated test account on multiple PCs, you can use: - - [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-test-account-in-mdm-or-configuration-manager) - - [A provisioning package](#set-up-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD) - - [Group Policy](#set-up-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script +To configure a dedicated test account on multiple PCs, you can use: +- [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-test-account-in-mdm-or-configuration-manager) +- [A provisioning package](#set-up-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD) +- [Group Policy](#set-up-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script -### Set up a test account on a single PC - -1. Sign into the device with an administrator account. -2. Go to **Settings** > **Accounts** > **Work or school access** (final name needs to be updated, still TBD) > **Set up an account for taking tests**. -3. Select an account to use as the dedicated testing account. - >**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**. -4. Specify an assessment URL. For - -5. Click **Save**. -6. To take the test, log into the selected account. - - ### Set up test account in MDM or Configuration Manager +1. Launch your management console. +2. 
Create a policy to set up single app kiosk mode, using the following values: + + - **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp + - **String value** = {"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "} + + > Account can be in one of the following formats: + > - username + > - domain\username + > - computer name\\username + > - username@tenant.com + +3. Create a policy to configure the assessment URL, using the following values: + + - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI + - **String value** = *assessment URL* + > See [Assessment URLs](#assessment-urls) + +4. Create a policy that associates the assessment URL to the account, using the following values: + + - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount + - **String value** = Enter the account that you created in step 2, using the same account format. + +5. To take the test, the student signs in to the test account. + ### Set up test account in a provisioning package +Prerequisite: You must first [download the Windows ADK](https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx) for Windows 10, Version 1607, and install Windows Imaging and Configuration Designer (ICD). + +**Create a provisioning package to set up a test account + +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). +2. Select **Advanced provisioning**. +3. Name your project, and click **Next**. +4. Select **All Windows desktop editions**, and click **Next**. +5. Click **Finish**. +6. Go to **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings**. +7. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up, as shown in the following image. 
+ + ![Enter account and app for Assigned Access Settings](images/test-account-icd.png) + > Account can be in one of the following formats: + > - username + > - domain\username + > - computer name\\username + > - username@tenant.com + +8. Go to **Runtime settings** > **TakeATest**. +9. Enter the test URL in **LaunchURI**. +10. Enter the test account from step 7 in **TesterAccount**. +On the **File** menu, select **Save.** + +9. On the **Export** menu, select **Provisioning package**. + +10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + +12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. 
You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + + **Apply the provisioning package** + + 1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. + +2. Consent to allow the package to be installed. + + After you allow the package to be installed, the settings will be applied to the device + +[Learn how to apply a provisioning package in audit mode or OOBE.](http://go.microsoft.com/fwlink/p/?LinkID=692012) + ### Set up test account in Group Policy +To set up a test account using Group Policy, first create a Powershell script that configures the test account and test URL, and then create a scheduled task to run the script. + #### Create a Powershell script +This sample Powershell script configures the test account and the test URL. Edit the sample to: +- Use your test account for **$obj.LaunchURI** +- Use your test URL for **$obj.TesterAccount** +- Use your test account for **-UserName** + +``` +$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; +$obj.LaunchURI='http://www.foo.com'; +$obj.TesterAccount='TestAccount'; +$obj.put() +Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount +``` + + #### Create a scheduled task in Group Policy +1. Open the Group Policy Management Console. +2. 
Right-click the Group Policy object (GPO) that should contain the new preference item, and then click **Edit**. +3. In the console tree under **Computer Configuration** or **User Configuration**, go to **Preferences** > **Control Panel Settings**. +4. Right-click **Scheduled Tasks**, point to **New**, and select **Scheduled Task**. +5. In the **New Scheduled Task Properties** dialog box, click **Change User or Group**. +6. In the **Select User or Group** dialog box, click **Advanced**. +7. In the **Advanced** dialog box, click **Find Now**. +8. Select **System** in the search results +9. Go back to the **Properties** dialog box and select **Run with highest privileges** under **Security options**. +9. Specify the operating system in the **Configure for** field. +9. Navigate to the **Actions** tab. +9. Create a new **Action**. +9. Configure the action to **Start a program**. +9. In the **Program/script** field, enter **powershell**. +9. In the **Add arguments** field, enter **-file “”**. +9. Click **OK**. +9. Navigate to the **Triggers** tab and create a new trigger. +9. Specify the trigger to be **On a schedule**. +9. Specify the trigger to be **One time**. +9. Specify the time the trigger should start. +9. Click **OK**. +9. In the **Settings** tab, select **Run task as soon as possible after a scheduled start is missed**. +9. Click **OK**. + + + ## Provide link to test -## Add the Take a Test app to Windows 10 +Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. + +1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL. 
+``` +ms-edu-secureassessment:!enforceLockdown + ``` + > **Note**: You may want to remove !enforceLockdown for tests that utilizes our lockdown API that checks for running processes before locking down. Removing !enforceLockdown will result in the app not locking down immediately which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. + +2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing. +3. To take the test, the student clicks on the link and provides user consent. -### Add Take a Test on a single PC -### Deploy Take a Test to multiple PCs ## Assessment URLs -This assessment URL utses our lockdown API: +This assessment URL uses our lockdown API: - SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). +## Related topics +[Take tests in Windows 10](take-tests-in-windows-10.md) +[Set up Take a Test on a single PC](take-a-test-single-pc.md) + +[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) + +[Take a Test app technical reference](take-a-test-app-technical.md) diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index e3398a8957..add9c59143 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md 
@@ -35,7 +35,7 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme ![Use test account or test url in Take a Test](images/take-a-test-flow.png) -- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user logs into the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. - **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. ## Set up a dedicated test account @@ -52,7 +52,7 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme 4. Specify an assessment URL. For 5. Click **Save**. -6. To take the test, log into the selected account. +6. To take the test, the student signs in to the selected account. 
@@ -62,10 +62,12 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. 1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL. -> ms-edu-secureassessment:!enforceLockdown +``` +ms-edu-secureassessment:!enforceLockdown + ``` 2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing. -3. To take the test, click on the link and provide user consent. +3. To take the test, the student clicks on the link and provides user consent. ## Related topics diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index c5dd2475e3..09ed708476 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md 
@@ -33,7 +33,7 @@ Many schools use online testing for formative and summative assessments. It's cr ![Use test account or test url in Take a Test](images/take-a-test-flow.png) -- **Use a test URL and a dedicated testing account** - A user logs into the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **Use a test URL and a dedicated testing account** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. - **Put a test URL with an included prefix on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. [Learn how to set up Take a Test on a single PC](take-a-test-single-pc.md) @@ -42,7 +42,7 @@ Many schools use online testing for formative and summative assessments. It's cr ## Add the Take a Test app to Windows 10 -You can add the Take a Test app to Windows 10 Home, Pro, and Enterprise. +You can add the Take a Test app to Windows 10 Pro and Enterprise. ### Add Take a Test on a single PC From eefc119cc3135e2fc90a10fedf937d9a775403db Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 17 May 2016 13:31:52 -0700 Subject: [PATCH 037/169] fix broken link --- education/windows/take-a-test-multiple-pcs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index c55210f810..116da7017f 100644 --- a/education/windows/take-a-test-multiple-pcs.md 
+++ b/education/windows/take-a-test-multiple-pcs.md @@ -27,7 +27,7 @@ Many schools use online testing for formative and summative assessments. It's cr - Cortana is turned off. -**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](take-tests-in-windows-19.md#add-the-take-a-test-app-to-windows-10) +**Take a Test** is included in Windows 10 Education. To add **Take a Test** to other editions of Windows 10, see [Add the Take a Test app to Windows 10](take-tests-in-windows-10.md#add-the-take-a-test-app-to-windows-10) ## How you use Take a Test From ac641a5aaf06ee57dab1372398add11832b95a47 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 17 May 2016 14:27:55 -0700 Subject: [PATCH 038/169] correct spelling --- education/windows/take-a-test-single-pc.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index add9c59143..724aa1066b 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -49,9 +49,10 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme 2. Go to **Settings** > **Accounts** > **Work or school access** (final name needs to be updated, still TBD) > **Set up an account for taking tests**. 3. Select an account to use as the dedicated testing account. >**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**. -4. Specify an assessment URL. For +4. Specify an assessment URL. 5. Click **Save**. + 6. To take the test, the student signs in to the selected account. From d036e1f0d44cb83f1a30d6de58974dcd873ed0b9 Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Wed, 18 May 2016 19:45:16 -0700 Subject: [PATCH 039/169] Vicki feedback --- education/windows/set-up-school-pcs-technical.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 47d7e4e1e9..3209eaf7a4 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -25,14 +25,14 @@ The following table tells you what you get using the **Set up School PCs** app i | Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | | --- | :---: | :---: | :---: | :---: | | **Fast sign-in**
    Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | -| **Custom Start experience**\*
    The apps students need are pinned to Start, and unncessary apps are removed. | X | X | X | X | +| **Custom Start experience**\*
    The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | | **Temporary access, no sign-in required**
    This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | | **School policies**\*
    Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | | **Azure AD Join**
    The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | | **Single sign-on to Office 365**
    By signing on with student IDs, students have fast access to Office 365 web apps. | | | X | X | | **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
    Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | | | | | | | -\* Feature applies to Windows 10 Pro for Education, Windows 10 Enterprise, and Windows 10 Enterprise for EDU +\* Feature applies to Windows 10 Pro, Windows 10 Pro for Education, Windows 10 Enterprise, and Windows 10 Enterprise for EDU > **Note**: If your school only uses traditional domains through Active Directory, [use Windows Imaging and Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs. You can only use the Set up School PCs app to set up PCs that are not connected to your traditional domain. @@ -56,8 +56,8 @@ However, the PC is also configured to not interrupt the user during normal dayti ## Guidance for accounts on shared PCs * On a Windows PC joined to Azure Active Directory - * By default, the account that joined the PC to AAD will have an admin account on that PC, and well as Global Administrators of the domain. - * With Azure AD Premium, which accounts have admin accounts on a PC can be specified via the Additional administrators on Azure AD Joined devices setting on the Azure portal. + * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. + * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. * If shared PC mode with the account manager turned on is set up on a PC that is already in use, existing local accounts will not be deleted. However, all other local accounts created after Shared PC mode is turned on will automatically be deleted at sign off, including admin accounts. * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or * Create admin accounts before enabling Shared PC mode, or 
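Review bot: in the take-a-test-multiple-pcs.md hunk (@@ -26,63 +26,190 @@) of the earlier Take a Test patch, the edit instructions for the sample PowerShell script are swapped: the bullets say to use the test account for $obj.LaunchURI and the test URL for $obj.TesterAccount, while the script itself sets LaunchURI to a URL and TesterAccount to an account name. Swap the two bullets. The AssignedAccess string value shown in the MDM and ICD steps opens the AUMID with a curly quote (”) and pads it with spaces, so it is not valid JSON as written; use straight quotes and no padding. The line "**Create a provisioning package to set up a test account" is missing its closing ** and the ICD steps restart at 9 after step 10. Because the scheduled task runs the script as System with highest privileges, the steps should also say to keep the script in a location that students cannot modify.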
From d9d54f40a6ce1495f5d882345ac0d01a6f29b62d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 19 May 2016 08:04:39 -0700 Subject: [PATCH 040/169] new art, topic updates --- education/windows/images/package.png | Bin 0 -> 4523 bytes .../windows/set-up-school-pcs-technical.md | 41 ++++++++++-------- .../set-up-students-pcs-to-join-domain.md | 12 ++++- 3 files changed, 33 insertions(+), 20 deletions(-) create mode 100644 education/windows/images/package.png 
diff --git a/education/windows/images/package.png b/education/windows/images/package.png new file mode 100644 index 0000000000000000000000000000000000000000..f5e975e3e92e22d17610159988ef2735725b3b84 GIT binary patch literal 4523
 [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -The Set up School PCs app helps you set up new computers running Windows 10, version 1607. +The **Set up School PCs** app helps you set up new computers running Windows 10, version 1607. If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. 
@@ -34,51 +34,54 @@ The following table tells you what you get using the **Set up School PCs** app i | | | | | | \* Feature applies to Windows 10 Pro, Windows 10 Pro for Education, Windows 10 Enterprise, and Windows 10 Enterprise for EDU -> **Note**: If your school only uses traditional domains through Active Directory, [use Windows Imaging and Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs. You can only use the Set up School PCs app to set up PCs that are not connected to your traditional domain. +> **Note**: If your school uses Active Directory, [use Windows Imaging and Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the **Set up School PCs** app to set up PCs that are not connected to your traditional domain. ## Prerequisites for IT * If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give her appropriate privileges for joining devices or make a special account. * Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) -* After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System. 
+* After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System (SIS). ## Information about Windows Update -It is the intent of the shared PC mode to always be up to date. If using the **Set up School PCs** app, Shared PC mode configures the power states and Windows Update to : +Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the **Set up School PCs** app, shared PC mode sets the power states and Windows Update to: * Wake nightly * Check and install updates * Forcibly reboot if necessary to finish applying updates -However, the PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. +The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. ## Guidance for accounts on shared PCs -* On a Windows PC joined to Azure Active Directory +* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. +* On a Windows PC joined to Azure Active Directory: * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* If shared PC mode with the account manager turned on is set up on a PC that is already in use, existing local accounts will not be deleted. However, all other local accounts created after Shared PC mode is turned on will automatically be deleted at sign off, including admin accounts. +* If shared PC mode with the account manager turned on is set up on a PC that is already in use, existing local accounts will not be deleted. 
However, all local accounts created after shared PC mode is set up will automatically be deleted at sign-out, including admin accounts. * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or - * Create admin accounts before enabling Shared PC mode, or - * Create exempt accounts before signing off. + * Create admin accounts before setting up shared PC mode, or + * Create exempt accounts before signing out. * The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the **HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\** registry key. + * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. * To add the account SID to the registry key using PowerShell: - * $adminName = "LocalAdmin" - * $adminPass = 'Pa$$word123' - * iex "net user /add $adminName $adminPass" - * $user = New-Object System.Security.Principal.NTAccount($adminName) - * $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) - * $sid = $sid.Value; - * New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force -* It is recommended to not have any local admin accounts on the PC to improve the reliability and security of the PC. + ``` + $adminName = "LocalAdmin" + $adminPass = 'Pa$$word123' + iex "net user /add $adminName $adminPass" + $user = New-Object System.Security.Principal.NTAccount($adminName) + $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + $sid = $sid.Value; + New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force + ``` + ## Provisioning package details -The **Set up School PCs** app produces a specialized provisioning package that makes use of the SharedPC configuration service provider (CSP). 
+The **Set up School PCs** app produces a specialized provisioning package that makes use of the `SharedPC` configuration service provider (CSP). ### Uninstalled apps diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 245a3f6520..e0634038e4 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -16,12 +16,16 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure the PC for student use that is joined to the Active Directory domain. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) Watch this video to see a demonstration of using Windows ICD. +
    + +##Create the provisioning package + 1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). 2. Click **Simple provisioning**. @@ -60,4 +64,10 @@ Watch this video to see a demonstration of using Windows ICD. > **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +## Apply package + + +Go to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. + +![add a package option](images/package.png) From e217169341f2cdff361e1c3476a9ae0e51ddfdb3 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 19 May 2016 08:51:16 -0700 Subject: [PATCH 041/169] adding minecraft --- education/windows/TOC.md | 3 +++ .../windows/get-minecraft-for-education.md | 22 +++++++++++++++++++ education/windows/index.md | 5 +++-- education/windows/school-get-minecraft.md | 19 ++++++++++++++++ education/windows/teacher-get-minecraft.md | 19 ++++++++++++++++ 5 files changed, 66 insertions(+), 2 deletions(-) create mode 100644 education/windows/get-minecraft-for-education.md create mode 100644 education/windows/school-get-minecraft.md create mode 100644 education/windows/teacher-get-minecraft.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 05d7f25c10..450b18a3bb 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md 
@@ -2,6 +2,9 @@ ## [Use the Set up School PCs app](use-set-up-school-pcs-app.md) ## [Set up School PCs app technical reference](set-up-school-pcs-technical.md) ## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) +## [Get Minecraft for Education](get-minecraft-for-education.md) +### [For teachers: get Minecraft for Education](teacher-get-minecraft.md) +### [For IT admins: get Minecraft for Education](school-get-minecraft.md) ## [Take tests in Windows 10](take-tests-in-windows-10.md) ### [Set up Take a Test on a single PC](take-a-test-single-pc.md) ### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md new file mode 100644 index 0000000000..67cfeedd8d --- /dev/null +++ b/education/windows/get-minecraft-for-education.md @@ -0,0 +1,22 @@ +--- +title: Use Set up School PCs app +description: Learn how the Set up School PCs app works and how to use it. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Use the Set up School PCs app +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + + + diff --git a/education/windows/index.md b/education/windows/index.md index 47b8a29118..7fba6e3d70 100644 --- a/education/windows/index.md +++ b/education/windows/index.md 
@@ -16,10 +16,11 @@ author: jdeckerMS |Topic |Description | |------|------------| -|[Use Set up School PCs app](use-set-up-school-pcs-app.md) | Learn how to use the Set up School PCs app to quickly configure new Windows 10 PCs for students. | +|[Use Set up School PCs app](use-set-up-school-pcs-app.md) | Learn how to use the **Set up School PCs** app to quickly configure new Windows 10 PCs for students. | | [Set up School PCs app technical reference](set-up-school-pcs-technical.md) | This topic provides prerequisites and provisioning details for using the **Set up School PCs** app. | | [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) | Learn how to create provisioning packages to easily configure student's PCs to join your Active Directory domain. | -| [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the Take a Test app in Windows 10 | +| [Get Minecraft for Education](get-minecraft-for-education.md) | Learn how to get early access to Minecraft: Education Edition and distribute it to your students. | +| [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md new file mode 100644 index 0000000000..01a29c2dc4 --- /dev/null +++ b/education/windows/school-get-minecraft.md 
@@ -0,0 +1,19 @@ +--- +title: Use Set up School PCs app +description: Learn how the Set up School PCs app works and how to use it. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Use the Set up School PCs app +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. \ No newline at end of file diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md new file mode 100644 index 0000000000..01a29c2dc4 --- /dev/null +++ b/education/windows/teacher-get-minecraft.md @@ -0,0 +1,19 @@ +--- +title: Use Set up School PCs app +description: Learn how the Set up School PCs app works and how to use it. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Use the Set up School PCs app +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. \ No newline at end of file From 4a649a57f5b0fa6b141d7ebaef0a8c850bc34ea2 Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Thu, 19 May 2016 09:13:25 -0700 Subject: [PATCH 042/169] sync new topic structure --- .../windows/get-minecraft-for-education.md | 23 ++++++++++++++++-- education/windows/images/minecraft.PNG | Bin 0 -> 144442 bytes education/windows/images/school.PNG | Bin 0 -> 106632 bytes education/windows/images/teacher.PNG | Bin 0 -> 100608 bytes 4 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 education/windows/images/minecraft.PNG create mode 100644 education/windows/images/school.PNG create mode 100644 education/windows/images/teacher.PNG diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 67cfeedd8d..3a815018d1 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
@@ -11,12 +11,31 @@ author: jdeckerMS # Use the Set up School PCs app **Applies to:** -- Windows 10 Insider Preview +- Windows 10 > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. +[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. +This summer, teachers and IT administrators can get early access to **Minecraft: Education Edition**. +![education.minecraft.net](images/minecraft.png) + +## Prerequisites + +- **Minecraft: Education Edition** requires Windows 10. +- Early access to **Minecraft: Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD). + - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**. + * Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) + * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. 
[Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) + +![teacher](images/teacher.png) + +[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher.get.minecraft.md) + + +![IT administrator](images/school.png) + +[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](teacher.get.minecraft.md), and how to manage permissions for Minecraft. 
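Review bot: In the `@@ -34,51 +34,54 @@` hunk of `set-up-school-pcs-technical.md` (patch 040), the added exemption path still reads `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`; the misspelling `SOFTARE` was carried over from the removed line and should be `SOFTWARE`, otherwise a reader who copies it targets a different key from the one the PowerShell sample writes to (`HKLM:\Software\...`). The newly fenced sample also embeds `$adminPass = 'Pa$$word123'` and runs `iex "net user /add $adminName $adminPass"`, which re-parses the expanded string as PowerShell, so characters such as `$` in the password are subject to a second round of expansion; suggest calling `net user` directly without `iex`, prompting for the password instead of publishing one that will be copied verbatim, and tagging the fence as PowerShell. Since this hunk moves "We recommend no local admin accounts on the PC" to the top of the same list, a sentence saying when an exempt local account is justified would keep the two from contradicting each other.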
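Review bot: In the `@@ -16,12 +16,16 @@` hunk of `set-up-students-pcs-to-join-domain.md` (patch 040), the added heading `##Create the provisioning package` has no space after the hashes, unlike `## Apply package` added in the following hunk, and some Markdown renderers will show it as literal text; make it `## Create the provisioning package`. The rewritten opening sentence ends with "configure the PC for student use that is joined to the Active Directory domain", which reads as if the use, not the PC, is joined to the domain; wording such as "configure student PCs and join them to the Active Directory domain" would be clearer.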
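Review bot: In patch 041, the three new files `get-minecraft-for-education.md` (`@@ -0,0 +1,22 @@`), `school-get-minecraft.md` and `teacher-get-minecraft.md` (both `@@ -0,0 +1,19 @@`) carry front matter and body copied from the Set up School PCs topic: `title: Use Set up School PCs app`, the matching `description` and `keywords`, the H1 `# Use the Set up School PCs app`, and a body paragraph about that app. The same patch adds TOC and index entries that advertise these pages as Minecraft topics, so the links lead to content about something else; set the title, description, keywords and H1 for each file before wiring them into `TOC.md` and `index.md`, or hold the TOC and index changes until the pages have their own content. The school and teacher files also share the blob id `01a29c2dc4`, so they are byte-identical placeholders.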
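Review bot: In the `@@ -11,12 +11,31 @@` hunk of `get-minecraft-for-education.md` (patch 042), both new links target `teacher.get.minecraft.md`, a name that does not match the files added in patch 041; the teacher link should be `teacher-get-minecraft.md` and the IT administrator link should point to `school-get-minecraft.md`. The image references use `images/minecraft.png`, `images/teacher.png` and `images/school.png`, while the files this patch adds are `minecraft.PNG`, `school.PNG` and `teacher.PNG`, so they will not resolve on a case-sensitive host; rename the files or match the case in the links. The context line `# Use the Set up School PCs app` shows the H1 is still the copied one, and the pre-release disclaimer is kept even though the hunk changes "Windows 10 Insider Preview" to "Windows 10"; both should be brought in line with the new body.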
diff --git a/education/windows/images/minecraft.PNG b/education/windows/images/minecraft.PNG new file mode 100644 index 0000000000000000000000000000000000000000..c758c28ad540904219300b02eccd5e635d100738 GIT binary patch literal 144442
z4{4NGe=$L>UD~f*zDQ;z^`5_E)j(HhlE$f=pwW>dX`z6FQ8W5wlSGQzXt#GQ$G*fW zCrtt?fEB_dTBOo?fq6B-6;R{R`)v^`hx*S4#t}stiMBIq53jQO1nD9H(+u{!9I*>) zI|O=*vOC@lX!jWC8J8M`tYvi^+;gRb_>JPd8Vm1lLr7r#LF7v&INi9`NUyTBIu@L#O=%6J4 z0yz}7pU6r1+EWLu_C%;lB zAYc>kLeHS$`v~GqSv7ZcG(Kc&00UxSn1JRa%DB{6exq`Y{ea|ZKT7?4j%n;dw$hOV z>FFwz{3p;saO^Tw^q3%&t~w3Yh}| zvCO&*D4mA&iZ4lh+41?7R2B7B9%H!nAX;!v$=< zZM~dJYU0R_?XHB&%{APp7m6Qt%7Ek!bJ-hL!0vhhF_)r5p}a%weuEMuRqc*TG<5%j+vc z7ox?4c@v5rZ8>G3tXPzni}{Ab8(ostDKtl>Hg=o}-q1yfh^WmT{Z1Eetu1naq!5rl zI2f{?{hjOh|HM$?s;phbKT^gg5SUwOf5b(dDHQYJRjF&o0>4yJJ;pg4boG#tp#Nn9cqf&wB~X>s#f9BP0=i z6PqOADmj@t%P(^~ReM-*#Gio5mK1}q{Z%_`t{1o^`@7*%)rq``11Nlu7o%QWmj-7( zh%&B#5ezY^HDbm$8%vKdIvVQ)v8Cz=fA~?(RMvjHl`@GSz+ij^qzlTXf9jvPP`_xL zI*79t=<$>{az6!DOyB0UAW9sJjq-4FIu>pvT+#s(HB)KD(4~j)Uakf;nm9cSE`h+V zwItMkP0$9f!!t`qXx}g~cV6!gr*vDiX)!-q;3o5G(?kb3h+J>k^BSfkCD{*Gv7pZt z__!KqCue5_@~};G-`bUw*HI&5Zq((%sE8wFw1!na$EZGSlm2#DH7Y_T4y8+|36=34 zIK#1i2DzMu@h(&S7D3U{xg}8Pi4IV**}KtRZJta~801WVM{&}uux9ZQzH-D8tM(@; zKio>~ha5V?YZU4nheA-2g_%EF#PPC5d6ow2b-}ofaq%Vjmh8{fK|-=Z;F{x_DkneG z+0SC8_d)bTkVlsL$KdQS%SzzVL;LmG_ik@6`k(MhYnp9P$MAz=Gsv;c6{$RDet~Nb zgo&KpyKbfe>+0C>xA?A7X}1w=CoA4Q_5GTZRbXecUA}2QX;z56yxg-R)$EfrNjnw9 zKNt~+6(w#>)Mbd-mkaiiaIKIfuW4RR*cKze>HSQO%C_?75ZAO%tv%+4SnER|?Usn) zGEHV?#vO~C2#7gDDu}MKwkr{{2 z?eiWB?N^cW;!T^(UECf@@vnc0r`ox$_J0tUC!oe!QVPaPT-C;!$A|t6tu~O?>E)S4 zWOVg(=tq3y~sses*Ve%S|<@WM$*#JE%*G4AEc&~c#(RPs^)H9Kg%p{Ey8C6i#9)o zgZZ}_!0lNE48w@MuNHNmEiN#N1M40p?Ds^RL8B!0?c%S!CXHMJ%d0>ST(%bZpyNY* zoU1r%MBsD<87blKjeT~11AVox4Cza1D11y3`RHjDhjnbDna!+>RBwIXE*)|tsvMZV zZ5HG-?(*iJ?v@bRP_0ukc|OoCTJBre57@Vg+t2J6Q^nfKm}*%S95JiogYx%-f0(Xn zld{tc#0?2No%n{-tTO1U0hvDWO}rzmGw7pcJesTcYXPk+Fq&ro%@%JYSc(T-mt>myLVzDtq2@ zkaMIwkB>NTQwai^_c29g^hEOJ{tZ*H&266|4`J-Vk2tUS^vVJ|JVdXH+u%N15ILuu zF#18Fuvs)ox-~@WL4ag1FWk9yYAOIP@A(;8a4*B3D9*m2@3Q0f0HxNB=TRlkr%;qL zz-cLnDtESaP?;<;_tiOv7h#}7Ct6UM4crQwGwM}XjJLeK-bGJ zK+sW#fQMOOK0BNc9OpWNm*h5engY^&y4Cg2veYwcRd}N98UQbfwRnxS6xqc<4PQ@v 
zGUc#NhV<~LpvP@mOy4kh7tLgD+JCH|%%Ig5n5C_zY8`#*rfRl#qu_K?VNLU-!v}mo z8m>rTn%CD8@wfn*(=#o?FrF*=^Dr;mIrFQ3x&vKKQYxsgX4B#mDl)ozbPMsSg;zd? zY9J|y;%V1#Z(%E@qv6Ol?;s~#P0_;#I$dggoSGx#%-=1XdrYAuTa@?4Iv5-R58k=l z9D_PQtO_gt{)#$nlnLnPYR{&wne%cvAU4nlI|AxEcQp#c{gH+%8%7 zAT0&$Q{VMv5+@RARrSim?GMiNN!I8;DNFDL+b|yyQ=i%IO)&@NDQNWzrD}<5c1BOp zeS{7z6X+%W6ZI-cX$d%A{|n+*`Wa`~>HQ+Hic!XHJYcrb zWLe%$U0SoE@%MiXnL{=q}d+oXM@C?@+bAHeba3_v0CERmHb?t^U@L; zUx04RBS2^`f0uw|U>{OtKQ2r_`maX``hPj#<%QI=aA7uYsPPD%I+N{p!pBmwJZoWh z<2m%LO>oCQW=2c`Bsclyz#&B|v@JH%v2^xlMx=Ts`wF}_3s2_fAIaEyZ~QSiM)6*u zxXRa+2*erS>LJYV9`huuE7spW9*7R>jv$LOzisa_)3=#eRp?X6t-|M7sQoH9Hp(K5 z*h7??!G4UgOte>ORy-xZH!m)f=xiJ)(1znj>sFoWlI)E?O;=#eNBw~&WK9nJm|(P# z1v^aFC$Ov?ZEeJ{K{XBr+#>1#&{j>H?sxC+4FKt(4n7yO!D_%2V4dTh@Gge|75X7T zX>e$B1mlYF=V4S(QyX%P&-@K@ZHn083{|lJ(1!H`icXP(vWBx7%#198uzeOY76KMz zi`y0)L4FQttpY{RPPu>V1uuzqKo9)68Pc0vu!IYHlE(t_fc2Vu^(fK8ndm{TM9Fnb zQ|TpdKK?cZ5ciRikvB&yh#JSRUX{T*h+MqF0Uxj<4tVnijo$jeJ)KpRjm@HDeJMOE zeF4Y63TF-KYn>YBln&=F4ltK~(CG zy#-Xy>!!3V726#djwzxI&2At#$nH+B5N)y)*beqG2Lk@3QzIXz%&T+bSt(FaSR??8 z5becVriRUcT_*tBbKZYR4kG}OsCI+HT|i`;2V{&s zMTu8;ony7M@ zBkjdOA`+3zM&U6}FNwR~g(@U{)Mx;cR4;CZVaMR4anpQcI=(W@OwZ4@G_C<23rjSg zDedMCQ~*qOC$6VTFBK#`3J%K0MK9rwcIC$I*}oo;{IP5A0`&&I8cutMcI4P1Wvn@1 zv%UNx1fy7>tK=SaR^vn9An69x$g1$M;rgxHM9tE0U!+pwz&1?_9A&0?rl(cX@CPBa;%Jj^!d#>LBHU@2I`j#^`ikid^fk0|hwa4Q z{<;U^l$LwYOWCAX!=H4VT>$QAjGU7W_qj$53XlKd<5+?=&lnT@==~mhgL>p$yxV}I zI}t4Thm$cP1PjiR0N56^B@z&8U_QX~E65wulzD+?`IueUML<&XUn$^jRg8!S)>BA; zYyNvTc;e+0u4@{c12t}*1$a39(G`%QO5oqb-P#{1<3DKYKQAI=E7+M14J_i50`Y?L zxxO=)fQc8Rdr5LKn>9Cro&%}E+RjQx44~^ehz8+nF?u=2P-JD)E=d{lnZQ4IalF>32QW& zD7?PlZX$xNx(#oGvz#LwnlQ7kZSI(~avtIZg72 zGgEyDY!kO?$MXieq)d6ENP4f%Z;xEaUUYeQ8VJcm1`vC$C{K#R>`j`-imGqQ@=cEA z_ytnN`DVYhE}7Rfdlw=jEMD7hn~CLU0($#)Z!nu)rh5iC#}O}{wjfesY6o}qti?5v zeNB2D3FN8P`$_wRW+fp${=Q)lH`4r66rBe=iZF8Q!aRD4XbgC&iv0@kE&DdoB8Hdm zleCL(sN>_7bP^rpc|?t6hW12>h<=Bpubu{Qmi_oL;CRe7Fmd^eN1#DQ(&2Sd_G68z zf4Hi`+P^aHLF#5W>3cQRk7Z~3tv;qe$c=h_W%rbk|A9z_fKcsqTU> 
zfrF$v*uAfA^gcTBo8XNa26$^;!7~mYRZKA%diquq`qEm4zx4dx;P986A&uGU$GrxQ z(|RN{>F#&=F9$XFqxX|L#eazyjXYD&Fx95y8%=yf$)xyv!2K(lR0b%!)^aNXFd5sK z6&SQnx)WWsZG<|vdXvA}@5U=QpPL=H(=$OGwB-AyFz{Sxn&(u{9m@&44LsPb{+MQl zv=DJKuX%of)4l7m=zs>m?IEu;$u~x!9DY4ZGAqwUxAhswY%~Sk>I&_4oiO>RZk}!3MHnp{rT!2RdcbTZu zIMBl&QKB;r;YdyJpyQ6Ij5);Yfx*4-FS z0eZ#de~?6LBcpG0Cu0e~Gb%hk^}y`YNO=B&-(4tW)R>^X`H)w1spksv*q$S!x$YbR zB*9zS(k`vB6FsXquHE{wAJgKdXw9mFbcC^`upg&txI zfCxg|oC@hHIbL4RcG@L7E>lE9B@dH zGgll@cLQnJ3#YHc#{NVp5=CW^Mc}9xJN&)U{?;Eg{(~H2SFzJ;YpOW;KHRhAN)$K^ z_BM5!-?xUU5d`S5m7Z`Xo$Ad_^)(>Cgl8#stBNYn;H4)JX2#*iFiT>VU|&|@{ouu~ zyFId;%RH%aAX=|zd~^~!9oi)ke5a}54o34f;8{*@HvPG|7zV0U8uXJW_#DGbjmz?9 zDEc;UN*S25d%B22nX*;kRy=-l&0>m)=rJz^xM1=ds#~`scyV#&GGoy3^7v{^hVWjN z=)tf<7c;@*-Hs$X78VGQuQ5>v?4`_L#B$EdteccHs|)H47jk2AtnIy41ld0MQW9k4)is&_>$Y4cefMrIw_ut%GNJVjx#B1@gWoB(8 z&yTI||8jS~+f9@yf=R1g#-b#NqSjeS4dphe?WNHRm8ms%L`z6H#Ic-MHa;JWCe9cSdXXG_!{cQg12^3jymc@ z{9xX8r-xpDF0>>_3hE?E4B`r8nJ9$&AlDww{_81yjL?_N6)A(^=Z+O&OwOPU;PJdqpqp2d&)#>iv#a-o^2bnFo*n>SzmV z`$_dDRt9AD#Y^}LrQKe9z~urVo*a%v>XlQ0*Xp_&NEM_EyadqpZh#s&43#ER;*Cs4 zdSgcsLcBszH5LJ2tAd8~c9#fQnR31d-L_{#9V?>Qgtr@L-ezGNnuwP&*T%r4LKdr1DS!|xoI#`W#J*MHQNO(>;UT1xlf znSEWX&z$D1!>mJovCQIHdg{lEzqV_M4r#qul-?UW{m$BKTYhWjL&x__ac&p(+3$}v zOIbG6FAdhYFZ@=1#fo#2FrVK()#n1M8k}fcmv)EE%KcVHYg^t^Qoe4bw`!!NE+fPc z$cDw5{>l%D7mkCx&8TMHEhqb}h*w92P3zozHk~aAi*KY$wZ&xaoeBi6-*%kqomP|g zPHx33v7TTQSUyJ{^t)p|Fz-z(ORGmWSHpkNFh8RCthD{Gi&f_q_?hMJT$1h5Lv^*t zJEN+DK|H+vGl6txjWJJ(UMujOm*xcMd#;DNXnjoW644nQe7rm8-KSPSSEXJ1ut-HF z^3h;8{>Gj6jn(q{X>ZG-^DpRAv{G#-&evj)st|xH$CWj?HCrA#PT3q#(hfwUU z-(P&$>2n$F4xu`ZJ&kgYy8QOS@mMy;DUFYDM=Z*3L$6IhQb*w;#DyjJCDT{E>Tj81 z-y%FO`@7S)*1`|)LQ*B_Xg#qB3vSiS&~|KM&_Q$rex@GJ-U=pSYieYUJ!0p5_+Iq; zpIDou?|FE3)|V4vZLEm@@aI-{G36VE|95HMzffKOA9!N_M{@XoaRvQvd|8p?`c~zS zCVw^jDUjYvmH!*$)V31PlAfNvUl|v-#hmak0S2p)xfHNFp+g*$TJdpn4@acN1s#;t z)C?De?AHF%Ex!EpNMPICvDorL3z|ac+CrDjnrC6?eABbY2y?EG4;5$o-k$i+7bUs* z_>qxFq1Hr}_Em-iXp1TPu`Rc#N6Q!&T1U;wS+-vm4aK9+Eb$hnqpsV7+eJ8)fSoHw 
zSSbfX`Gl>D-;z_7UaK|J-~&hFpgktL4UItI29d3fZoV8{7GWJkk5eb}};4!arIx<}qI&b(`8cNnq3h>KCVsqQk7fZ8>y z2@8yZEX?eD`Kp&1ArX!Sx#6BOLXd+TWQluL_qQG)ixd57M!42Nua#rujFtF_vLry1 zj|&4iCZvb;!^#@xlV`>g;(?a0JUeT<09lFBaU!|;Kzmd93vlR)Y;j9qoZwtx%nB5{ za2|%L57_|WQdX?1-hdu44aY_D{HtcF*($yvO(Ma_g7q+p{+(#oOmd``U_07MX4BjB zuOz&Cv3hK>C6&-Z{3f~6P9tWONATx@t#L#iO+OXfzY`mKJ=;%9A_Rc}wKnB3*f z{X4G%R=RPNDh}5P7Q%7b>~>3U&A-8fjckhLe+l3+%jLNHeUXbq-OhT_vw{V|Z%NiP zRh$RxgW1^r(mcXDwR-P{)eRve@TEqw<%@Ie)I3e&RV~K?E9nysY4=eI+-|PW@qO;Q67+@SNn{sq zUK>u}z772yTCLdL&DZies)_e6M<+~A=10IRZ|0Nb#OaIK5`LThWBj?HY6G zZ8V33cDcvEcioW*Wq>{A-4>JXiGYEw95h$)?|6LVme*4I&F>0)D#7i4qPCJ>R+7-q zS-}p&{71a7(y_fm_%r|cK6=gR@#OQF>Yu`56#_Y|yje|J(XJnl_bq7gVNRE*X89$q z$5&tKSNFoQUcbF=|6|*^|E6K7@;nlqeOBK#$Hn3{knl0Crpi<-WIkZB)!xHu!8rA+ z8D9u`o*fI(AhK|Lo$F6>jyX$=1g}{}K*MdOOfN1>@wXDnf83N?GRW39x8L!!Eaz`6 zkM@xEw67PTVtTUYBm`f7!Cz1PO+HfN8iz+V7L5kjcVzy z`{ONHgyAqn5t;|x?Ii+7Qsr@$Z|dsm_R+{6O+(CygWTWSQxjE#+#s^!jjp!KV`*xAdAi~aA3LMi|Jf;>{v@|^c_ysY^06!_)$)3SU+ zpjYwoIprRG@?lkCP=JE*7wvvL(y+x8$vlCNSjAu%@D1gJfUctXEu|BZ4H=b`Y~l5+ zr;_zMnqV+)+vVbP2h9f}sw$N9ShC>*!v6E*A8M4so6;UIZY;slR55e|@Rfhrbf@mW zW##4JX*xdkVPw*g*xmTY)AY}4>b|fX9?RFG_zl)F+5F~BvJmkko}KouebP+I%KiQQ zcnnZ1_$oK9z_ml{-%s@*RRssJP@KnFW+Pr_`Ng&4-w;rbGeJQ?BtEgOU;bZ~?T(qC ze;4dK{cXbdofkTxYro2fe_E=l}%1Ap%K(Wvl^AN5O36P;@{P%9$EhRB9Ml4?@*atU? 
zistDcVhNij#skn&#)A^IK%Ku@TRzn%I=A#hVc~(k4alV@$f3|%(tV7W-yZg%J1bTe zZEf<%)2sfVAh{#I(BPJGKpXp?V$ywHhPJlVt-A3A6bd6U^u#_nIT`tbW|voIhZ`5?^1h5+?Fr8GjbQG|I=H zbFeh)aI{5xi$eJDB#v%{sWhut=-CbOZL#KR(S`o6CsWU?+tdiv*Vfj0En8TUZkTq4 zwg}dzPE@u$^m>?XhxdvftL9*we5j6r`*BPt9AZ{d7ww7cf93d#ay0dX8}y3LW6HvfU~SENb9;E&upG z_*lP3r2l|3J)?v*m6c#q&E~9Y^Ird{*EHHQh}Kp!yrNd8ST5WnbGpNSZ?Ni@&wp^V zy7va(lUk+99LE)(JfW25{7jDBTy7`*PnWj#>4j~qgtSR;jsHxU3NC-`Y7m3L46d}( z{k!7m-gAE`^xy{(%)+}{uq~9?bl7lZ zqpKBrH%J?`3z4U7#Yn&X`^X$r;mjoXbBp=n!+TQ!EPtVFIkA5R zw||o9|0*R9=RTS6ikJ(O-FQokJTKJgYV`?~&Q+;bSVz6pZ-l`-@=p}m_3nF-!^dMi z^?Ire->7j0Vu2%FH$^sr@KuPA&WkO8CYk2laoVO*UBDj)Y1#AGHvqxfkD^!qXe%od{3tbLLP$1%FSZKB~rq$t9k4jQ;Y8>m^RQ>?_Ly7*oUS!z?_d2w(iD)L1Y(zjg@SB z5Qc7-%{r|ZuBd*VR8N2JEfS~BzIJ_-vc-6ezz@x5hXW&h)foO99PZmYM=3VR4y#T5 zOc6U?VL4nvo$lC&;vrxge1To|&QGn|r@l0arZs%U0}TEgBnRRze4uv4$!0lE_${Z_ zxVYb6p5Ci=a3_289}2SHhN#7#l&H6OKh3j~WUnyx!$bP?v_^N3V$Z?BL6fjh@@f(D z-i!$I@E*CUBYcz2ue(uS&7euwq&_97eumn>ZD2qJXa%f4iE5P;>2X#Jmnj%7Mz;RqA3UT$>xxl~wigaPI1^gO>H{o?o^0Q4+fkTQjh( z!AfV7<@^nPGm(K@%UtvgpFmoQe}@uh&OC4;`eZVC)jF7Qe=deioMMLOG1KH*mX+RtHYfgT}&elT_#njLO9U4VA#mkwwd{P-SHiYNuyp< zn`ou}o>lciaq+VvS`ujFa%YH)fLfCayH1+G-xT=u`w%Ia?ns2~j9lEgc4&r{W^~fd zG*|POB4hZ4o`1^rFF&-;IygNgBg280_^%-?XHwmh3Ncnz*UYs!mcg>LXLv9K6pTxV(sF`11hj$Q=LK=F} zxLDZNZ(io;DtBkyWgtv)jts{XbZO{awC8Q*B=0-MaQV91d5+FD&g!O05-q)YxhlX= zQLV@{v-;H)nk|rxa;43|z`eb{0CvBmf4j{`$7HA~BBxaS>;!f1BBjLfN|ZvIQ-AqA z>=9>1W$GKN?Pdk$11>RYYKU13HQ2y0h8&YJ8Nq~=upf2c>7n2gT)ZV9G=`Gg?z4XP z9cY;WCf&FLTAX#_1J)zDw{+Whl1)&OG7d~wrrmWpK8IJVr)&fa58u~*93GvoMUeWV zhb z+tiUj%x5B(CtU+rUhWWUR8=V_rZ>5%J7TA&AJrCSq88-c+OBai%Qf|ZgHsS)We#v08LFSlq?HL$xkix zKv0)7AA#&yV+M$~uP^kV^lL?0EQfS-|LPPCjZcm7)_NLoJwNijRH&H&_CUfH<%v9P zTIP(D#rG*aRs4Oi;Vc(v#}1J?CjN%Nkd2RJl=|AIoB((k9O^#}6mo03cy9q(IsG`c zeoB975jj;7WLO)qM}70mEYLLP>vC|2ZNVdx{XNr!l{2|e%R)V2S#a~V&yU-; z3w|w6fQ_1&*yQ`6N>R9I^dB@#YAn>?`MX!1)_INba20Z zXn`FXzqo0Q!e9EB2+wB=mv@fw^3AV(H!wdc!HP7!yb@@eB!x?ak7|ed z;Y4s_qf$V**C`YHue?ID&Rkw;pxy(Q)O&yHOH7e1g-Yh@i`glyU~wB4G^j;s2Tle_ 
z_ylzSixPR73=Tc&uT$2$ViBSW-n{w9;{&l; z!1(nBQM4c*k09c2{p}I^{ND>+<$$}EqidK2@ZKW)tjD6IX9DQEk>TD{ z(XH%*alWU*x*Ef&unH#jMy(`+9K!3%`filmQFe<2Rbu#+523RZ{Mq_ zuSd=wRq_EoTj2nBBEj8YpmeL8L)E$B9pxd-82>$PML{|ZLb!29sPLp&Ho4s8hhK zYaE9L*J0&CGyI{xi(W3xwxrMgWOO;Nba#-vSN!wvVTBW)L((&`j$?tB^mXH(|K1LM zrP*-%y$^jBo4dub9V5pFx@rLZcwGkrv`|d(y&7>tz~qGjLi*ivE#e$h_-Ujs%LDHm3hp=l5L8)_unwoD z>W&d9lf6~~5Zm3P1xfNNy?Z;To@~dF6;NXRUgwHlpFSGkeec5XX=Ohi4VW>LHmg-O zrO1P{%U@lxF)7RW>(9s4LuMP~;LXSQ%q%!OSzMhyg@g?4trnY=MH@fV?Q?&dT!kfL zg^iv(Nv}3(Hg1>EfJpSCupxT}>-A%SGR5$?fhWdA^>QOc+x75z*5Tc zI%;ZBcEI<#9Mx(YeKzJzGaN@!n?#uf;@mWg7bz>uV1f#^j7k|AA}*H?LYW=(zMe3; zXTC9OX&$L_W^!AMJPU!Qt?FyOKHgc{$m_9*qf3YH#d@Ia1yIj}-wIg%`ADjPB$N8> z;=VHNkw`1==DT&k8qKXFSlMpd&oE=`AfU5{ZI&!%ZFf1X3GBcG4BfmE=&y`e=;bO7 zn?*qjp;s;~g7nDS<~Oz*7C#c0`&{X0Sz>wA6L=p|a(CV2gN)iF&vSgX~q zPT1=hr1lk0!7FE>@J+4#8mg4c+x5+ey=;(sXiEWF@a!_}40�|3fU)`>zq+C5w+c zFl{pn&mBy~NHuiK>Nk7aB*GnO+` zr2EJ|i0ZVqV%!inlWMffWhP8WWcOToMbhk3tchbKFeRGZ({JoK?iANi?u!NqBJ5LS z`lM?=st?wfP9jK5GOqM0bA1DlF5IOeQq{m<<=jG0eixBl6Fq@A<5l5Y! 
z8(+X-j#DXg?1M+Gu5U$CpR^CsQJ9sXAwvh=pB?wY}=XGs+JRbtO;QQdk7CW~jkFc2-@sAbtoqY9^`$~oR=`&>o2ClbvZ7psIffh8)Mk_vP zdQ9LYGu(u*x{g>ARlFy)6?b=pe!2?p_WHg_*Js23+h6)YH!f=$(XMV_?8vVO!Up|WwwVvb#3DzkEtJ2{7&XX-VVOk9` zhRMV{Li8HcjlY$`-juQM*EG^!GP_oaCqTr8Lt=@sO|i_)z1N%P@lnw6jylTaz<};D z*2+cJ@0Paq&oz|^WVkYT41-LoZr@os&DERPd17xU_}65_oqz6A4MbF*&)M~DlBK_6 z7D+mW&sMdl6xMB-p5p)oCA`)jtkg`mp}?v68`rJS9M_H2jlz_#RYGG$0l&o;fUsi_ zhMMM#hb`@mo2RSE=_=o$rQ=9k;7BRk#m@FVLV`(vX+?9*QD-k7-j0~d<_Ed*0pXcS z({=(0QOg@8)H%ky>ZPRfAkS{)$1Ac)z!B%t!6*lv{Q+*uKV&;0tYDgC|FZ={g@k4Y zIw%L9TSfBlT-&imMzIDm;_MDjEbEAEang>MGfS9GQ_q=*%}OdTRROQMYgj^!$kELag?TMiv=4rs3~lXTsMC zZ!x)1&4*aWp+mtQa^6u;!*T4qsbk$-fhktjhg($>=9Py1OrOObyicDIcBUb<*GcWs zHd;$t{0wNUahtq@)oYgpi7<@fY^g@Seq7|-(7Q{V-?MfQkVAcw9C;NjFzuZBJ3bR( zsHt5aB>-ybBNSUbm$HeJz8db|A1+Tp5RgCrLMHvw8`K__4r$#rG!_JcEY06MX|dRI z0V5wEs5a8HTdOVdz$*%G79d&6Uvd7(z&%ZBedOlbR;MWHg0}1-4rS zY4#&*#^@ouv~<<#IxmsNRnnrCt>I_3Zm7cu@gDuSnT~&QiVrla{CRunV3l?qB6p4f zoEj|Zu?u;CT;AW2P+a8Gq?ypTDLc(=|K!S$J}1M*OsZ*Rph*yZonW_UQCgO*cyy8t z`s=xeLYg~!Rr|dhbkffEoU7I~Z~zHhbIjF;$#z@TGtS)8MwFkAQo||3bF%nC8s^0p z21o`QpS)o^`$nY)2cEWy-1=PdR1E}BeG0aj7HHkVBMRCXiyu%uTLQPOI6bxsD!u-} za7OO7Ipta*0H4a&jI!0T;}{U*(RP&#chQH2-#h-PC0>Gmk5y8SZN5OE zv~ove^QO(f{{D`3+O^_h*-KwE93?b{HU(CKyzWuC0S5kci5D#ih7{TeYR}T$ zU+p+n9=DlTJST~6T`qX>xVAE`PWiIt;j-40%s|SE-wOEv+p?_35T4PrjQOZF@TwJZ zD}rdbBDZra8U|Sx2^1tZ#PaY0yLA=V?go{Ev9bW~6{ISKfv<0;8ZqLG@)z2u^7%81 z@-mvcEabJ#W!io68k*(C2`^Q3HT$-5OH=F~4hS7-cdWg6UGice2*sM(TB}l2$W}AS ztRgWQZTt2{xg@TRh1<}Qw?bjdC~DH*%WQ^}@V?p`si0bMmRAL-b(Y$RcK1bAm39~9 z9vnsyvIpnBP`UlR-CT9hvJxO}Uh>&sL-S?0!7EoPcQ+aZYTlQ_OMgSB5IF@QZwo7b zjL+#dX6ioIWWJF@u34RU9IiMozd80GmvPZ^_ehHtnHIo!=Mh$jiF&q5OLxM1p=*Q= zuvmw834YyXT}Dxrm{Vu7ZY4Ul3{?p8?1wx2SwB9VYPwPw)u6>yjvhzS*+-W$&DgM{ z*?D32A*GDJ)Dw%~8F++oznnqy4uHE|#r)G81?u&?J6*u6Av1l+9p<^9@5xK`TD(LN z?7S79OWzD{Jk`_Z7_qk8RE`9+az#_56Uj`wZ)TlIIJbpwKu9nfwW44JK+?4i% zU`}-J_y;kRPGgUt3d~3IqGDP?OnfX3VG-FDR3iZ>RFkLaFTYczy%|Rh(R_n54~$I; zKWvm`Ra!N$u+>5#FbPOz5L8ZT`>W~Fzzxn;`rxVs?0Uk`c{UY^?7RucNgmbD8hHvc 
zYu9DQS<>=EELDa~cn{HivP8%QoDnJv+~wE_cX#z2vWF&iBbBuQAy|Rt|+&uus$rxQ0(V ztbKqv%r0H__pg`5xQ489BST@2%I}ZKj6v@CYIFkll>t_+Aa(oLwMV=&zYh(m(Wsev zxxw_EdAhxsZsKLH;$VruwjHF$AH)2crE)<%X~tozcE4wnj|k(Yj()+^REG+@->Rt+ zB$dGxgjEL&f6E?+Nn3#CKVuE44fD$hfE=90R-9A4hH5713-j4L$K1#lJO!g}cn)7aq{qxl zP^TRNp60wVGXr%g?fW^I%f)HLqw;*6QACsGws4Ntqu7_960JI`&=~0#uWZlxzSlq- zn$VQT4D=v~anoO6*=?iL-P1R3Z1?teaiQV>Lq|uLv&NsX6Tg@~NF_CsQQkd6L98L$ zM4_d`(*e8~)JV1R7;{vnNj&x?+JGJc$VVK`9M8K`zpm9&dkFr_euBlxuT=OYWY1gs zAAbxe#ypLPtLAnp)8;|FtL6q!my@JZceggTIX`6-QQ)7mp<@^8_2Sp>vCHXqu&fFE zXnh_(uUhf$!XrD#d;GQ9QrF5B_XXs_s8!#JpPj9@-B`0r*%8P~T-N|=qBq(FUu+Nt z!~7XO0=5BfwR5!f9p;-Nx}V%z;B&M#1oF2}*B0Ct3JkbTto{CcERPPq;yi$m zvxir%7Ntb&xiBA#4-X_BwjAJSBsjS0j17b~{rnNj??y7I{k4M6T7Ty$sirL6Tp#B% zD49&QxFP;Dn-=k|#_Q6f15`e^FN*I;=R3xIB8InsnmIzW#H{9*cdZeiA7#oEYc*YG zcT{Tn8Q6VkM6?$^x>1o575Y~(-CUTWUCeXgR-Kc;1}j$`s3|wEXCr-P^(dOZNiYjN zk72#np>OcInq*51)b0s~TeYY*!)vSoujW~m%BE_4&ztjHGvO-flQkq$MO1a*j)HkR zsqE=?KP-caBqRkA8L`6K)U6+)D01o2J5eZtCNuaF&{fvDiVJXGZd~oy zOe1k6c{bNgfb^VjQ;{mOJoOLsUmBi{f?M@`WuE(JQ7;mCu9Uh&tb!GFI&@mmp5i06 z=Iei`$5-cWxf%zH`(z3;?L?qFM{oWFn3!$9Q+~k@0#}iXB7>&dOAq9biMUPQg=9j{<_4 zgW^{LhE`B3mJU=^`}Rtkh%yaLgnHAvyZJ7SU1ifwlONb_=eZg^(@QU*8PnniDt}U7 zX`+ZBW&b`FC1WY!Qj!elS3>EtIu6ZeZ@>R}hsOe;3AP`4-;>zQeB?mGV5B{uDXQ32 zAknU>s+IuMoV`pqpcIfBsBZ25&SRiN2!%XU5rQp}))g{mx!OQR=`NmhyvujxH2G=N zNZ%Ear36YemV3El)pPu9ldESwj*T5*biR4YlSiM%z}&2n$tcVFBu$}h^n;kBSEE(% zs^jjtD-{D+vtL=I&rpK$?@KA+&D||?&B*zPll^zm=Z&|66Xe8s1?^f*plY@;bwu{& zHQxD7u{Fxcfv>-O_|E_6bDS|k@re7Owl|>_UxQ!!($gVrGRVX@{RqA=yy;qwKJ4$ z*3;{ZZr-&2bfSbLo5a9Nl1xRl>oAb(P0h!O3T+?IK|Tv14Ve9e`zr~fId!T2lYCjA z#_P$YKyv9LMXyq*N(l62^Trr#%fqfpI>4ldZEyypq z&oQ`xS2;{?xKzl*Aa7 z#e#EUb^xY4RT7=|jI@BF>S>+W$1E=B)rSnNq^EW9wXl~^V+R9va^%bRy0up-FFP~Rv-vbh(;{a z$|I&}xqTSwKG-QaQi(4;TmV*8njQ0JE?Tn=SnzpOjW5#H)u~7l>l?h)W7<(z`U9~v zo-aej;a<}7m+=+rQYFXVDZlsN?PDVY3lGHcPrgyr@Eo8WS}Mb}3>lzHL0{SoBf~ z??xf(M+iegVOqLtR3|J(kkr66zM>|h=6SqE>&A^>(DBGnPbB z<&izB?Xql>jMb5F?WcrV|4GBPU$9DhV%Y;W)+v|WFG?1~9bhe%gevwC4z1c33X65T 
zVY1s0D!tZ0417(WV|0->7(2DW zlSw1u>~UzG>9P8SVb8-8>6mDWnZKw7Rv!6|vtD9m0K%7(MYjH7@}~;YM>Tlym3<0Q zi5xTaOcGU-ss^hJE)<7bJDOw-ATPV<0c2-Lr)!_k^>iZaw?C=B#jIS-vsQf9%6~8< zVDE`~;^nX(y*$kYnf2w4)5wQ+1^a`PHwoUq{j8b-sM7gm!TE`Qc(iwpJ2Ph@ko2z1 zjBPNaUrB{BgB8?+T+AN1FN^3}$>w)QPNwLtupEP@{JOYbSEiKdKpOlR>i=fgFx|?q|6^?%3_7loU_*IR$LGft`>+F+{&NVb{p`O91u` zy&)|PdUwQv%ml}$>^1i(bU*$~!hQ7!@XX}EvFthVhV5hOM@Pf<*{47t4<)Q#JAkN+ zJB#Gr_${@?IH~%lL=_)Hi9#x5(1qErwAc*Uw9XIxISdqZ9FxW8#mxL&ll7QrYX$1p zYm^e=^+un%l@cGy-H(mp|Md5-O(wRQ~20nkq#)i>8OJt%0eGgL_az*Rto&E}GlaIa#1ol915qG9CI*W0z~Ysu9>+7SwauCuo)Jb$0Y2} z{H&Pbw3@VLV<{ss{Vn%tJG6|dsEHw4#KQT6C482a-@=nG&%$HiLPAO&%gYkVRmtHv z1`+KILys|JJ)xG6GqOvTmhqmQ0EDPWrjRKBVgN7k}OG5bHkfQXT!lF zM+}+K9KbdW_#9O`)y%5?7tg;X7AcE;wg;hU++n$M%sbv*J559i@Y9_@z?p zku!weGwq!jQu+m2bf@k{YB{<69H+UCIT-q|5n!iOIFTneQ8nCBB<9+z<5J)D5tXn99dM_avcLZJ%Fs#DaHrCFm<8_Fy&585e}m z^ycE{8k0$bEYdF+ccHLV>Ug-NtI5O|xS@x3IZ~ejqz7F%mjJ1pP(m#bpBO-c7E+ZX`z64m%FA9;vK}G!<%r=DociO&2qR;l?H*_urfE-- zDIF|&HG59i1@wDZvI z4?T(ODnydHtKR13p*9S?4B^{7G;aMA@+FPG<6RrcVe51?G0J1RDLX}xiC7KP3Et6^ zsbt<`K@DeRd{{Me?3{qL;HM6$FLEyPCvM)zja68ud7tT zhzDxsmB;I>W8P-b6D#M+Je3lB3~pI!1u~7mSN!%*F~Z~8ju2?Hf%^Uvho)RtsvXuD zff%mxol&LHj4i@2V(sFf5t(8U{=bPbJSY!BPRB)^d>Mos&wwG#embo|O_yM;U1erl zQEg-H<&#S8CS7ym>H`_vwo<^QKpQuc0sE=O49Tf^epwbXPjCPfF$x8zFRsn5+E08x zBMi>ilMeL=S8D)o@3#O^UpEBK$6T6oOCE3X$INnZF2MH)%(=>o&+g9*PAVXAl$_gA0v<@YN zAcq+?rA*`g#JI6cQqAxi<(=NFtG`L|=+*fkGFCOQVyUWp%x(c}c;&Q^6(g}O&D;sA zD4VhJ!Hq4DAuJupG;kQqmpx{Bx|zX2rUK}=OMH@5@h*@>EYKn{P}N{6%0WMzSKel% z?~?O!58ePpUxF2q?PN&E$<^ZnK`Lh)(1v18Pg=B4girLS~CnNB?;G<`+2fa|)6W7XIYH2jxVMVJyl=c_Y+fzDaO0CCSxP|J zg3#vNtWe01an)@Z8}Vb^fP9h9RXUKz9C~GW`qt57s$nz(V@fr-y;*UZ=@6G`j_AVb zUh_|czcW9MBm5VRYnGbWra;jxRj(870>xZ~MGKcW?~Sub&Z+c#kp0^5S(0ND$WLA~ z`j};pOUw)|BaTeW(bC8oRzDjF2hS+v${jupMgSs@{fHgnf_}#0T2_Kzh8G4UwUOyL z2pbcD0OlUf>;zt#HVj_PcY|KqclSj+$lrAgzoR!9h}!wJO`gJjl|cNS#y@LVoJk*K z5F+ysZ{D(dW}U&!eV=QR_@ZNJS$hpYGpzfCO@{TN%Wx)(5Fo6f*EIS1}-CC+qZohWJMlQ%gHP;@)T$(F8o`r6xj#LjT 
z$LRTLv_pg)%kP(%k|~tknke4eJt?$2-l$w6t{~CkgPzs4?glbHDU$WgV|&SCo^@OD zReU1LFY(&w2}=Hr*_&56NyFYH!*L4w5t9!sxiX>~jKcH5aB&S*xJCDB9!UDDaH{4X zr;2IsyZ4)9zQ0U4lX@r8x6V3q(c`c~DWwGXMdEklZ4Bn-5y+-0uTfg0mFvMszz%6u z5@Z$*N^h$uTmvKk+U0J`HrA@d2BX@8HQluf7N+$rDG0-~@3GPX$J!kj6neMv1pMvl z50aeFrkO? zAaeSd=1(WxqVJ4yW?F8pd$_`o{nLVZeJ>g}Dx(&iQR$K?06lvV%@@`kLvyHUeG_M5 z4hAnV1~a+N=R7CTe$zJm9D$^A)pT-HP@6~p>d~Uus+p9wScb!m$leq*B@DVn4ifcW zHDYdDK-B`KUz!y+Q%0j`auzIx6iN}AJMP}lsn_EV;ryaCHLy{qL#d%%C%qP3ORLHr zkhs20+qG|d_}*n?vx$3X#W2@}Jps|a_#zp`OGx^6nvytbfas_MS*4p{u%CMC>S!u( z_`b(<5O-T8pwT1D#l`rGHeAX;%+6;G$|hn-ojNBGK=yw^McZd2wI~z zmVcRZ!t3hrX=7Ex`kYfVeCJsI!q9Mtr>gMen(J3-PX5`pUo0QmMV4?bQI zt4UA2{&qg6aAz)N8Cy4Q0Z~m(!NfZ&LX*^cJ-gou5TrTxRMKV#vl8x$B+v;VOR`TC zU?hwx08&E#j9aE(JubGlZktF+RB9R(DoNA9<=Y6iQ7M43hffdZXVYjs zV_q$e2!vXjF7-d8#ef4>>=UyE&ziaPa!U#0BQ%PaK3jWnHNV?$eE%bG!8_TAo&+-y zXi(##{ca?!-)M>_m(TRefS*a>0&nxPj1Pd)$tpf#Xf4byg6#3|=g%LTa;+IZ`)RP`9jIo7OQ4~q}e#uimG~oK2 z?*}`Nu`7l?dyv3rwi1LUTZ$uh^)T-1C7tx~hnD^Iaw`w2s)L`Ycjiq|d=oW?yA_d+ z1mWPJYM}*dZ5GnuA40b06}!+{c$?J8&p)0opF|n(=$$29WF-q5`gjH{T?qbQuQV$y zFWRYjKy~#;WZRrmulto|E~1Pz8G$=9guwS`Y>`?#Wa{l>pXm-V$HzqIvXqR~?03SM+`eT#-0umcUeJ`_(k-;b&W2AUP=fr0V=UOD`f7Kw zU)z#~+5NbiFB|w?etWzn#DDikOd=4o_V-WRO2C#9Zk_$%J}Pn*D|%14=i9HNefxkh zH4A62F^V*oLV>4n7bI?pA&H`#9bK}16mOhNCO+96IBG~KG($seFF9g5{DRO;@y>8` z3HNeex)q;knQlzq1QY~w_0J@9OnkXw1?sTtUJ1ToyIht{#7+`rFEO19Huqlr5b3-= z;My;}$46aOk5D=8$!P#1ex@+*L41B>G3yCh3Vbsyo&2RdLg8r4`?5Cc6U85DY7;Y^ zYh(AUwzaQ)IQPC~w&27B9|`;@l#;>DIqR-Cd(0RE@g5g^B^+s0#Guz4h%1fAtUhP4 zZdHEKqf1aT>uPq3m#BFe8Ga>jYA!Ru{7on30w@r3pow#VMg zw`o$M0>xwV)9x1BV||zoAetk;n#|Js#!J3xZ??Rin`axog{DSPmE5ZobT7YArUbNp z57hCm{2kl3C{G`KM~puZUx?UYm^Gr3A%rk?2 zK~@3}l~8jloL1uPwoirj;$cKbRk5sDKa8LkL%MQ5(L^7rY+o3(CfDg=)(^SI7`PT4 z-oB-S*79b*tZxhnN10HY(abXxe|@?6O-gLjdZ z!8QY+raqkll5voJ{^FJ03K;NVr5~URSobme!0^5zU6JSH;EcD;8j$GoraI#>J(5+5 zV!)9UXeDiKa81I;lUe5W!OkC0<_?56HTNlkdiEpSVL~U85qBRwXdbwXVka}rbxdfz z@YvkVLY7*N8Zm*43%U@wuEU1n2+f(GEQr73>p_Oiug30O#(yIZ{u1aS_g)+-n^upS 
zSQh%8Pe`#7u|2xQBODKLP|?bEu*e3F5aX773Yv!GiO{0ivQvlV%tYv8eF%3t^=-<# zqUvlv2)`D**g6<(e=&Ij^3Q+w9HKlM0vX!+UeW=DPNJO;X?nb{h($7q4IPRYyIO~M z+}&hwGjT|cZo|^o*#gJuZ~ien>0ZU4fzk&bTX)OyMD3F}GGF5S{ni%iN?Uy1-3hnQ zo#u`1a~EAZYFEFAc=9agrC{6gGWcEC6PUL_BEYgKb?LR>-Zs}WpRJ- zI4{e-)5CtdLY%aqS>c99>mcOQEaHRCjHzWh?d9LY;A&D*vfo$bs9JdGTtm-Ao@MWA zf=}j+c-d!O^8hUNJ{$_HSoEmXk-?CIvOh_#h>d)7wuH}DQDne+ZtHE@RCki~e z^$X(7>6{YW_=>nXaXMUD;tD=AdF~fcUVc$NSs3bC^SARwKoTA0VYNQ;orSMp-qpNj z1oIoB>He|d^(R5ZeqSlmqezjl9v?+*1)ionG5%W8xza?-xO0!mUwOylgDRi8D9W|4 za0N9tXWto+ywvm~6gzIIwqHu5hhZl#Mh>w^+3U%K)Ts zEX6SR=f>FVJD=}vKkTp?wh+EgK-^~5q-QeBcP@vTvYM-x>}}=be=AJMX(w@K0(E zLv5qqFgjW=+ls-H<4%IC2Rb@1bj>&<)xX0i)A?HerED~n)oH@GsJ&U7b)Nn#fsW^9 zmmA7}VV07vV*KP_bw8C<(fpLm3J&)!n{JA6?dIfaw z1MO_gDfRbs_$0D277=DXLf`X!g>4(6PJdx!RIx$qpdDrv0w8Glfj;yi>qs?Iuvl>_*4Rw-AzhtvH2ML2Pf1Mq%uyw$u;uzEj zjx)&fD4MPinbMv24)s|wOgogaO+OWpM}@`PLJ>>At_)C6%4T2=E0)O=d_k(#|EXUU z_733qH2=}2oOWbHC9>8rx|&y$J~T>yZJMg21h55lZfao|^1 zVO^@-*4<_IA31?D3EMW#r+K5sb!uP$m>BnHZH-xTeAwz8do8}}KHGQd5!-*}3EO@8 z3G3MRfX$TY2lVgH{qP5Dj6U1o{yMd$^7>W!b!Ek}xeV zWBeT)Z`Ez-mh8f}a_(gCedl-nZ#-nkc08jd*JWt@6$MsD^HhyfpKZLjK}3fdVI@5{ zzw1w0gAoceSx2JH20J3wmx!PYTQ=I0v`6nhVUIt2%-;UMA)L!md;G!U_UHpA?SZ=v z+Jko;u=~&Kw|h_TvNK1z__rSx}P-+TBQOjK#&wdR5qOq8gc-7k)c-mHBpFDK}l;UU2809 zlQ(ZzE>pJQu@n5g&DoMBBQ@c@w6x;RO6kRJI5ECe*pI>=Aq>g}!nKyEStYk^sYNLM zGHisO*9$FHEx;w$!#KYXZ3$YPYj1A_c@`OLzDr-$)|GTn_KA88fyPCHg1KZ6r0^O& z-r-e!p}7_PzH_(}QW#L5<8)`F6Xo7H^uB(V!pmU^XvjEY_i>zj59jQqZ0_`r(68o# z3?nDUq`z-LEr)yhEXvp)**j*VgM*%&QNa1v>GQRk43-?zhIJ%6ZQoe0McUS3eB0LD z(PqaEkJ#{Fr?ctfhY$K#JJ4y&W-1kP-tTQ+8eKP-F1s# z{7>%RYY&_{?ipPQ3#&6EPdv7dZ4Bp{h=zS0sjs^mAO?HjGwRFP#grF2-KrOGo~syK zWRG!BJ5-LyV0!`-pNzi2!}1sIt$g!MsPil6Gih5E~G;ApH~p`Nz;< zUjQn@$FrB$n{2vNw+#J%V|K=hd@tG6K~JH7zzkI(snNC?V;E`+T2CLWvAu`!#2J(T z6473>&QU8y2W+MqwiEY1YP-jVJYv%tiFv6hE$;2^>ax+{5gQvFv+hnMP4yys(zOkn zQwbv+X)Em$aFU!Ai&{Yz1Xzb*Ds`S&8J>Vh??j2g7X8+!7~=DyynSnY9AMj!F_iK}8PTf%NAD$xpRXac1C z0Y&~cj~#v2v7-au$|(S;!?WqmojV8G_CnY@yxo86q43Oo4?JLxKl-TC>YeKX 
z8r-S)&pYqE<(}RKlyt3Dwo0}kwB`#tm9EU+e7;eJL7lm6(dIUroL;tIB4!8o4}zXi za6a4OWo3}u4Uh&x*Srog+bm-!Dvh5(Sejs7!(wY?|8`TrmNHqJUtG0dbF0OotsVz& zAc{sgkdDq_d-nOS+V6ezS)00zAwXb~pgdLPmb55bqWHYbxeU)5s5*+Us=s~lCxfBM zSFemf`!}1E0tzEat)i&ScH+=3Tb(@1W9j(}#lcx1kg9;73fQV1p)8nn%^QHKm0_mr zn-ndt51cNi54e&f;k-~||cG`{O*~XwX$6*XySLyufqkO)M)2v!oXOG=?&;0<61=}p8 zXpbt0%Q4cw@?gkour=hBKsMIP82Ew(VI`YeAnxrbvIBci#vRv9uS|2#ZvLJGk*jjZ zrf0Lskq0Aji{r>uO!f1he~$Ml!?p7@7(HW^p`W_B$J-yi$7UzSEe(UM@R=&IyQPpLeXDCBaOe>%i8d+( z>$MnZi&(cpon1JBG2}A9c!dJZwwhhF;n87qF^98<72trBOw){a4x^B#2RbduHO7}S zHnE&$Jd|KXA8|b`ID#n<}hWPRbn+&nhb@ zHYhoB9l=2$iL{{)I~u_VR^mUeSDJddXH*;%hZ) zX&8_q26g&4fsXX`b~Umu5y}#Fqmk6qI5b}0s{P+_MBnc5r&fWXf$PLB8n05y#t(N+ zy?o=t^DC<9#;^%x)uA~Lg&7ob@Wp_%{RI_Q30lIZ#+^$?6 zx0$JVs}%EAD`q)!AW5xY&O(8+uDn}H7lo+^r3&Z;kY1(Hs@0fflmn_v?=7yR?JHk> z%|bYm-h?U);4sQs)sN!=-E3`uvk*3AY6%@H#Zt(=G0(t2RB9gIm9eW=X*X`NjKL~Z z@^jKjoOqWlUCs6z0{ zvW#OD#oVy*>AbyuZN)B37VXkZ31uuS0aHHj<#vO#T7vP&;RraverDFhfVoi zd`QEm%&xB;{3xLcVEq-sK?gC2%{V9=IZmz(11W^vNNI0m8LItKE|uU3h17;N3xs$s zoSH63D>xf-ExzJk6VrUAA7`viZqb`@VO-&rYAZ3r4E~vzu1NVQS5fLUa{aSW#<# zFv~%hL(Um9?+#e+J7YukR3Td3u60B4#4hXTK4$&HC-{4(x5I~+*Kj0a-~0U^ zur^qSm<41511HBzi!rRuhG9Kom68>DLIlT4{!G)4<<_VzVdQJD^365?j~u@O51Opu zIRv&EOCM;T+UxUc;&L+XZ5~RF1cMF)LdcQAU%lNOmPu#m8?g_r(Gg=z);vt5lZyZ- zU=-X!Ym-(BYgVFB!S+6@G}E4XvyCGQ*8mge%60ovs%Wn-%wx!}Snk$~R-bvrsuM5S z_!s|+-TL&e+wIT&rj>ZVwWykK8QTnoc>tV0j@GBJDK4Gt( zyJi=!+_vfYl!xJbdL75EV$(AVD>gYbO&4w30J@+e&ZC39cJJxq4kZ3t4%zN+_uM(Y z%g%@{ymN0g!aeEN+ww;oG}`~q6_nS`&4+a1;Y~iLL$eW*0N;%F}tg5O%3vq@)xt(30 zDir40m8%v;IW#e?kVkh<)T*^S3c*L^FfmZd4+}_>$y$ZP|r!Q$++hLaikUV90r5kYmLvm7<3Q3tFpyHK;d*xt0u35J77= zsvg=o(AQ+dV}?yL$T1Yr-U_VIH9 zWR}oe6^LAnOvOMO_tQKPN-2ZP^))}BtuVT~yYH-|hkewm){9|IuP!+Q>EdT8YA#>0 z1sqZiM4T?*h)Zjh%9cUiFl?N*!f}~Q#jakPw&}T?J@@92Wp25z6{My8~MT6r1rm3_M(i8K!=PlAND>`8740m#3=?oOodWu0!Jf+DcNkyn_^S>yY^mMn4WAfO!UC#k{I`<)((q?dvN}$pbkUX z&^nbY@~`bY3c?#ck0UpyJ*Cu0T~mnwS{|V_QY|4+_h!W+@i?*&;*9ch_nmgQmbgPz zQtMz}zs2M2hJv_rRu~cOf4o7mCq_$tx{^#`{Z+fQitq&!=X0h 
z=8rqR%g#s-+Av*?@MO`xrGxKCvk@XGyL%6QZrW%?5SpyGT(<0D*)mJe=Os}73N#d_ zBq*j#5itm%l6EL*Z&%C`$&gn@Sjm7Ys$o!4D=2BxmNG52w5kG)TQ)Uaw3!)Y;T3IU zbijK0`aBjK>r7g_tJ^x0z1CD?pzEs4odlT&t$(o3y4u^V69X&j-GY-5;?snC3+OG5 zp$UR=)-aw*KULh_6A^?Wc|;)|ZK1FU8rMR()@B&p!Y#|COEx#B75wRj(9?GXgjuom zViwe!g}U=Rfoj>BK%Eun_&R7P3cKjR5q0(?EgBDaeY-GDwH0GtN5QnBzfH-`rG3;qmb?H zi`$;wn2mLZZLBw8yKqutIP_tV;(#1Htf(W3Q^L3?`%0k{F$87(Y&1#PVH-d^g$I>+ zr;NAx#)kAFOc?g-}o^`bTNo+SpHFP?h`PN$Cd}6J(HQR`rkOK)4~M z{N7lzrE$f{sAFiWUbV_T&h4fSmBPwBJzTr%S+ z=d?prD_X;yw%(kut=4V}#zw8ZdpAfr${4F|8|=Ie=&6@+KpV(Q##97V2Fg(>m)A3b z&ycA$#S@T=k{c}DClpbZ=o;gT{I<#1`IGR>+E6ZIpZWN6*4y4~7tgAf$8~ImDru)x?E^rhM31G#logdxi!KRNXxt@Bjk$8!DS(y$v-F#GG?=Ay4Tl3b zMV#GcYJq%J&Iw)DJeaDEs3NzVv!W4dt`aCTm#hWhZITfHfXYW{(@7;T$sP*GdwC^v zUGq?K&?=HF;Qc3YsI6-I!Gi~VBR@UY&NKaC$JedMckO6A?6>ZSIHUvqd6X1E_tGZ} zreiRSc@1Qsk}5(Cni$poBLN<~X&b>5vgG+y&q|ZRs=CnC9YWDUwx~_U<}psy7K~J@ z-J033*DvJkrPt={^>dSU?dAf;tl3WAb;L$T$9(g;7OtagH!-p|U%h0_wGA5_7=UGf z)_E24(!w)^X_WD$u!q9Ixmua;1#Ng_#Nt||k6~R`*aU@CmY%1!H*Z;CHRZAIBmQLtyjy49p-4 zx`z>@vbMCa0Mg^03dO;^Bs5xGUt0&QV|c|V6e7_3I()uIN`{sF+I#f9ltW|KFqhvT zMnd(NCExsRLzzj+o{|x3!Xd&qF}nIbV9-K1#CSw0@*#_ddBtgW@N<&S#c}X@ZI@G3 z0td_~ac9A&q(NanF_`5{!I5B1;UNsg62@#BC(+okmi~98)`nw62O*GQ)1FOh7(8Vs z#bXIOaPW{#&&=7<$}-|6hlk{VsKsPeO+$`I^Es|e+cLTVD~nl)ZIwXdFfY~2QxEC; zjkI;KO!c4oOvVs2%I8;Ba%w%Yg_A{A#GV5IkSom54U!C|`c}?gYj$X-C;IR_`kSt$ z#l#kf;Ybq}?cQrK&TwMT9YARaMq0 zSMLZnSwrqZ7H(B0U)-tyn*#Ee&lkAo*H_o?=>Rcpg5Zc8NhO=gW5f>P>*k824VYb8lXr)L5(Z7O>3$&t{7p7-Pg|+UP$~)@`vg?uqu^Kg9`?wwQf?3yFf*o!Gi zzKUg>HTo@NuFd&Y(QCC`Yt;08&3S1FK7VtFf`CuirCN(+ zOBj&0xWzD1T^RS6vk43gs74#4$r!36$KqVd5sz&uGsw8kFo=cEaX%rJm2?{6knpUd z&}(+#@^w3R<%XsBUCvAk-Hvs6v$2N9reoq|!603R1*T73i}KlyE7Nv)5j~V%0+3jvP8} z?|kQb05wVw*}#BkJ_n;p)3hj7K1Jat^c7iC*ieRjld(wKtX8wnFTpyrmA>Y16b5Oa zTZQvncEv7nmP(AMZor5zcFAO;6pO-zEt_o?!I*1X3C)YG>H74!LTcIpRbWLA&f9t{ zYr+U`V9=UDA?p}>Rm^~s!1CvC$Ti=#UW>9BJ`M~r{koxw;p;W}nKwbq>T`vh`(Pkm z0GRtJ?HJnxqQ*^dGk2B_sKknO=f)v)ol3**(V+wT_VKLSwz{0PI{j8bK2#lh6MfZo 
z_y+S`)?6m?xv-*=L?Cd18)T1*dk9K>rfppc`7Hg?fkbIXtEHpBAiM`sa$LN5`8!Qa1cuN^;e1ijYWWze4c{O7%z$-AC> z(qfUgJ9#cnAIsr;cRPU4*h?60~dQA(?MIxT-VbK*F?fs^I>a!`_8ffmgzZm-di zuq=EO*FXmJH{`?TzIcT8NWuY=lA^Y7c5*Dz1yy~KY4*enw>jt=Z|V63ZuBghHLhE2 z?DVR|N5tg_KDP)O1=? zh(Tz9GAn%1WV`l`Hp*KtxE{+!FgF5GTWe#$0&y$ixHPfdiZBKvZ5Uy$uUS46(32y$ zhcZ)HaKDf`q?cGkPwPqlQka_Yli~=Nk zyR8HYUP!}K1jG9a5_t8b{=x_Ub3FHK}?Esf&N%5)ODl6mLz zLf~9q;Y6j)HWCFI4hh*-uglyv9EOWLy};++DqH$-Q;P?Elo-1<#z#n8=$yYvA@%I4 z=IzdncQBPGPDAKpX$wzDQ$L%+bbXt2(@eio?V zZyxfY4RW&TpLzu_!u^!_rLeFH*4FEoW4@?;fb{!1eO}%`*7Em|eYoQMn4pLgVoPrFac2rgAAQ`4$m~o0VSv(oC_HNjAEoJHX+g8b^ zkk`B|FU)x{R@oPYS_MK{crHeg_u#{u6)U7CEVXdW=BKY<;Hog^Wzc-qE?>Rm{Vs#3 zu&a_G{=mUS>x|()|JVPrtD<+s)~KZm zu=C}4Ym*b9|Fw2VMkxXt>)+MuJI_ka>zf6OhMH}pzt2t`K45p_Kz0xJ`+T4;W|gcm zPHvd_r?OL8c&<}nGi_a=+I4a;O3l_DM~aLz<{JZc{NzdN?eDSaTjMr!^OlVb57^05 z$Gw7sbW7XIYuSX)3G%2ON~fLN*4jY!0yV1Nws-FyXClf}q)|Q^m^VL@R+T^Z1u060eEQ&J?A-j@!J(;gPlM7O83|RRW4V^w|Nuiv>oM68udS! z!|%`7==sI$e&aWO!^XzOeE+C#7OwjS3H$H)pp#I<7L;16)MdUjWO@S8T^~R?x2cW6 zYr|P=Lyya=3|a-(yLDD}VSt+L87tMF1?@#J>=?@$V^)&|~9?n#4HEkHDsuM~Zazn`PG{nEHQ_g-% zPKoPC^>iocu~-02`C7a5Cf#YZa>a_Nj77MnluemdiUZ1ls!WqcNp7o*V&>PYFj3Gr z%CGfPa(+sQotd4s#f4crer&(hs(Bk7?6+Kc899JmMpP}K#kWsy2dGFk+BvnyQ(sri z27B9WY_P))?H{sJNA}vOqr2@4*Ez6f7z5g4dv_1n$rA_cZ4Vx?CmuU(Pd;|P-F5d# z8yp+4qoAsS2Ip0>Cjxr3TznUvk zpQO_nz)Q)pyh^TRgp?4WaBH=$b#EB=DA$g`dJ_9A-g(3loSQA}ZX^}%s#S7!?$s~Z z#q(daE0=M^7&OgqD8%H;5s(!zEFpFQ6OGBvAwyGuflT1^=4scpe8qn6<#TrWo$t3Z zPkzAiO)(4h3|Q~JBUWw2*~2(hj}3)sj2T8*hFlZ$s`9-uzhdLpX04Xrv{)bv`KVc? 
z)XRuu7ebq~3EXpl^g*6&N|qUC-;m5qpK^*rQbyUd<5#=d$+Q02d4KIUcsO$HfG1lZ z%|ABFp-f*7Xv;I1nCRd=n^gALERZ^W1Hn<ZgwJYC}1F=ug`WnQ;L)c_z&i4wS%e#;t9s*YI2}fkhYT+jf?7 z)(n^rOiIr+1_#<32O6V=apE&P!WZ{kdyX$~g*!fk$LL^eY0vo4N@}&|_)JFd9j$=6 z_~kxY`Am^i;D7$l|9R_&jM*o`a0JjA9o3a;t*)~8VZ5H}%Rx4bQU9K!d1Oo5+JPh9 z;F)vaT6u{^#!4oQSNS+_WzaXv>FKEs+5znds61EBxiN$mvjV)0OZ$w!^kU=j zy}<-f;ho`Ep-5?YUNu+>l@L0VjRy2Oa>Ow52YHOdM`F zvKoT7Py4*cQo#T*WhkhluGx(}Bp89PHmMRG5r-L%{Wmru5@ZI#<~@v}?7q9j=-FIo zgB{_qvDIc(8`@m^K&fkW7#y1v?ftQb#pY9cckE-(2j=O+#zP+`v=_v_4f*}{v)Eh- zPZ5}nuoTgU6Md+Yv7rzI&we5M1VlX|ZhKwqO>n?TJqFE;%LX{@5+=(ZW_a*`qa`kf zy(EmfNQ&U0k8!FaiZ+Hn{KG$N^g{=mWVH!LWz06=26xH|XXQM%LD8NT_@bjSLm@`8 z2kp3TmS8^!n%GUxpqZgj97YO#7*?M}F@D#Kv3)uAo%qNkgiM{t6`AW#MZjVT091j6890L8;> zQ33d)86j3h)U=$eFn)G-fO;6Z)crP0aA;AUP~!WL)qc&jcA{Kg&uCK7NrQ zhJ*uSoYhOSTDUwe{(pVU3juW4?@6Tf}{P?Xd{Y4MUg1$~cm(kdV zX7z)I(?DH;r_U@g-hgc&e}Y*D8KM{P6e!Uva>Jq6Jk74K3uuO}f=@KIf)U*p@S1(m zC4nEuj|KufV>ND0h&^Gm)UiR8jqr<3&;plWueDsaW`>NR&&E(>XQ-e!M$(KIXas0aRB%vpyBB4dPh6TO%BjlP{EGC&MBoQz#ipnYT5UV|7;4k$x*|MkEA*UixwH+~x% zxq}0qIN$~E)QhZ>EBtieq2P^NkVCqjMV^%;9W8|zDqplP z4s<7zo-_Dn`gjLNjteaWXLO!k;h*sumjm8(iaeNEF}(Ul7qrJiMpc_WX69HUqBl5dGK=ZI~f=k7+Tt+D72MPjgrN%^VNJK; z7kF!v40v|9VNEX6VUQUFLriGRQW$*%v`puFP>ioNSu+dDMVQq!4p9q(te$o-)6xN> zM)C5uXxt+>`eO_*NhD`>Ai{Mo2Hm%>2ofVg=?H@QK0~5Uk)d^8?Nba>V6!#t5fH+u zFYUqAb4G$upa}U~hls}%9^RA-Zk#70N1+)&<3V5VKg?Vxfu$+VlQ46hl!=gwBDF7i zW%LL)<3JHDEy34@Gm3%M6i*p5Ft~>&V}K$|s|znQ6cK`)iwfbwu%U$|2F4)#<%l?3 zd^e*oHh-T8&KwOnrlk0%P3;*2*-_qXN2F?IBHDD#SilpV@siQ=u8F}RZ|I|qI01bz zvgFTFocAQ2oAn5E@I-%bG&|82Y&)+1Ll(fGOaH%Pd+Up zqKh$kS7Qw130(wp=tl17l<}h{{LtOW9FRcJ$Ymwynhv(qA}W{l{U~3 zE>;!L({sT$+sS5-Iqgk@#rQuTkfC0V76SA%>s<5;3}b;I7&?F$FAM}28|5Gj1SZjt zYtJYmLNXN2)lWU`Xwx(JxK_sDo@+oV|t$l5&r{5SOZEJ@x`*kSq8Xk@q4|PEw z!Kx2}tFrC|$FysVuHmG3y`Q3PsCo~f(vUSPBjC)dGW zU%`7QXm6o_1P=PqU(Nv>)Xmt@!ZX)t&pqWrE9JByVuW+X5AZd#RZe}^sgEW(@B0n^ zJ#!v_gEIPcU;B9O8V;TtlWXVd_cEbx%BK(48N2(D+4Q0R$WF$H&(4)kUHxe*_1)K} zdfIY6IWG6L;U4+TGi7^F&NFr91J5(|(84*~oWsjCJkw`z1j@iK{P3%+1O3#2V}CDg 
z2egN-?rRI(l!JHLgF|>3dTCpk;HXV_X)p9lo9eiRKSwJ#;v57YDW@%U^#`<}9!THX zQa+9dz}1oQ!^<^X;H6FNhi2O49L=UU7|WAnL)*&fAD;TjI5Mu>bFLrP^MSq>{Vo&myOU_cH6mh<_J9;Q8C z=vZlpyIeDnmK{WeJ>)sVlye7Ksgr90q|B^9&?oy^Ng(LP42;`#pdZ&P zM`#C(1Kk{vr&(ZHyOT$ca{$dPg$#vh?JsonFzvbV!!6g5J@m-=kfVob&lfsEcaDCN zUb6r?ho3`W5)XXob;>oI$T_-<0eU3}6u`&fYTL|=4jONacz=)+OJ(HJGI@`eV=-G7 z$T{7HLmY5uy->X&M-S7U&v&GJerGvA8^yGTOF3qRFboh9Yqr@7;2DN_CxE~hnevGY zT)RIBxu0jL3)Jh|@|$z_323f!xbE*ecR26coUCgcrt0Z}W?K4kzps<=xi>4QJMGYp_c-1Y zP*4d5mKD*=bI|wYUhoCRoI@SB%N!yz-Yt+DGk)zGPx{qH&!@EMS6k^1^mUYRcnR$# zx<1`UH#20}dei9U+>y3G+Dl)4bFR$fGkE3P5nKZ9;lB;UGEnsgKg+nvp^f(+kt^+` zpIlEndYJZn+5tqwmXGj)PJ8!>Ht(fwgseg7&}fBD+7B%p+M2vh`zfo>zMk<(5~73Ne@SpiIk+g}*ZVT>mL*v9G6PqC zYby>ZbwJ-QNZ;-|mpNyA-i5O_WHNn&zJA)C*lWlX^#0!H|yTYGT~Z|!+;uC6gU zWOhlh%sB(1U42P875zwE6#*GPCDo2=W78IZgVa`I32oHX4g(5*I0aYjz)4v+0WU}; zQlMe(!wU^$N=P0 z#OQf}&k;$2;NT=ED2KlcwtmsfJuivLmKXTw0X!oYXiGl5YeNTRjLFM$DZFT^uKw{` zpP8AGTj!jtw&1RBhdv{dXbSXUoN)4tv-3=U+R}%1-17_9$SHop6OLqu9s$oJD@bNB zCbA~7y7zZmMlyj`pq%z`LqMhvgKsO;UPTn4DUQcD}B08-;4)7&hb$j=&FpD z{^%7RqzruN0K5WZ(=&Yp7v<<489-C*NQhwzBo#^05dfhX8j^EzqA&NIJ3M#jQy<2K ze(I15@@R}+!b_Kz{31y~IrrhIp8nYm0iOU9 z4w4nb;2MAo5mA-MMOv#Dg;GwXNfR!Hzzaj!OAL!mo}vv?Uu}vwFiIxYfBw(^xz)8_ z0i!X8LJ}H`v5$bkq&PBBcI?=3NQq@_IoBqmCOc0%GWi?~3?j<((S}T-Y#No#C3}To zv0s4_$(9lkxyJxg1hc?w_Jf}c7m6ZPUEhS(wd^nB@tv-mER*O(}wtTp8X0mi6ZSx&O`C?+0L zYI{dy9La9NOLWzSRBQWLWJ{3~Y0EO+$fQ4LM@GFkrZdw1(MR@^RBUpYKZ|abLI&&& zLq|N~oESHJl5TGwmE;mxe2g0YlMx00@8HMK*nc7`&;Ag4VSF;L7#VuzxjxCCj5RN` zIWFxp=GNo!nd})8*@iEpAuU+O7=GZZ_HqDx1pWPm4vs`nfVa^Nv}Vlx(sTL-7kkOb zl(E1;+A{go21Crb;vt#itnL4jT_)`x-(=5`Lz{f{O?JJ=k0GTK=q4MDENRc|1HaKy z-{{NX(_8oo=;#XF!&iD?c17+4qU;b^kT`_C%9?q}P!l|oGxzjC=WR!zzhn zT+7bIPvat6oG%&BH#)Fo%CM8s=k43Kx72oJ)%DzLPe!0N@zk|`Wta+Z>AB25G+_$_ zZggdmcasN*Obmq~_2`8CREORf^++tou^13W0zwE(S8Y@yxYCeqM59;~njs;y6qFGm zIPMcrdqR{oJr>odZ>h_3`TvX<#YK3V{1|_Lp#%V)n8VOwq$nm4n5n#93eVs$KFTwG z(sC&WN9vwvk03IjghE}oNULO!D2tSBLdhr)Y=T5#2_E6mw+J={oT1f^G+AS3%s3!z 
zOW&kO_F8bno&(BfAB48h$++!X;+VC?0W(sfLdF+RV9LbN5oF_|IPPm-+l;6EU3RIP zIl0jWQ|;KY82fyS=2w7Axru;yK#^aMq9s(kOSSdiSG;|xg|p)TQnB8$RfjL zOM-f2oURF8I9MwJiM+`NT$clkUvNP;^i6*RQVcg;z+b$<7c`Pa&AD?FQk{*@bAW$z zPcR^;;~dDeF{&d-LO*)L+3B03K(B!Dp|9W-kI0F8_)9L}$^PISCxWhM!J(tA{_zIS ze&aWOqv^VUNgHPNWI^ym2BeJ(fH??yg8sG=2w(ubjaOgxphc%`gk{6Xo-uQJa1$JI zrkpgMR4zOr;L$~n918_BqhKUOw1k5pqI8(&7tsl;YYby-l_9hYmj2SG$c7?_ z7)4x!SDTDF106-DxRl0o3P$ktW7&ZKYTMW{Mh1uSn=Nr991+3bv=|2C;CQ1Tlr7+# zGK=;_Lh4d%b(JT05p=+~=*LnOLm*1mhKLW&#%T=dp@jqPXrVnvXawA6Sj{{bW3wzc zFm56)yc;XnF*qELw)Bk``qwUpYNkOcJu}Y!IY4WQk3N<~D68>NW-}>@$WSqk#*|3a zti*GCWpLc1sEiGT#xFcUJN42pe(IZ3;@I)twP&0;!^GfmaAqs$hh`inBVsJdp&5BH zCSzlO^hM6SCsCG@WysVOxG-L51|R*w$vIshhxo#o1>mK9Gf#cuIsUt6hQ_d)MZk|^ zgvW9K93A9F-_GHxU-$~H=ozDJ7D`?jQmX-G^k@dq8onF}nP-$aEHqLct-ViGA0M@c zUTg>1K{udZ%bI3HW)#jtL$czz1D@*GX9P$1SZ*`ZiL)|GVuzGvSI8c{g0r^JIUp$J zAbVT@S+|5{=1sTRJq{3$IT`#Udz>vN%z1H!0x5RGOy3weVtC`5HU(DB$rd{zND`FO zePe~AgIvIWEyAH?I>cOU(5Fa+VYi$>s3?i)Deq2b7WNkv5^Xv}B$mzegNX#(#x=%{VHfd;GAIFBndNAk!vpZN%)lTL z9ty)C5*F{l%vLBoCnpMm1496Bg2}L17E_1Qv}~zw(J(yVs~tvEv_dzx@lir_X4 z;7ieslTyMP{`wK5Fp~JoVH>+~8?Wce!5iJS`ei7zr$5mpTA1B3wE7OtXkaX&RgM~uIY@lq*o+5G3@p6y)Y6nCH9Ud~ zdYd^oI2KEHaMd3}Y>Z}+WCyR%0X}xnGd5;AG47rjul^Y|ZJ-@Psvp4&dZDlWv^k&t zC)k+PfGNiqk~4jyD}41$=8OrA=o5aSqnQQ$rB57?HaKp2NB_wO$Ho||t37;C-!=Tr zTx{}0-_YNf=r8)BiEA>gOmv*AqoZ-UFOWbN4wNqAkr@+1PF~OpKk13~1VHS987#db z2l}>DsaHPsSjzlD@4VhYEEM^%5ToQpe2&`ug zObuflh^nq~1PYTF8$yS z{MCbB+Hg-D4orD%rQg(dop#^?^qnz#uAPPW-9!4&-VhjCk8|fN534gmB!K9^wR6M@ zQD*^zR~7*X3xWfT=-XB<*J<0Y=xJ8sMM$(ILLLIC8^xG}jDJ2LbZKK&=xH+q(vP~1 zC;;VgEJiD1i6NL3CUNa?2u!;dpnyG(7lZT{c^gt!dCmwvleh#&G?=8jJ{XWm8Bi9a z|6Bv@2ftb6bRp38&h}jBp-O`>ph9} z(WE&dq%xMK9Ig>~+O>Bd7%EbA&f%o4Xvs31bX^G#-gk)dl>vUe6ztn}9`T)oWq&c!`52W#Bwr0&*@KE|S5I0biOaqhmd*4uaN z*wHes)KSKIH@xDIwHJKQ&$|LLMV8!8U*VrR`gE-iU`*ssB8B%<=pWiEn=vYBT@r8DEF7u=FD1Q}9^z0>L2oE7xv9i5l&Ho1D|qJ6a29==IDO5%qX{mERkOh>*_ zR^QsgJLl*T9YH(t?=Y5(3E&f_?cJz)Xd7A^OWMWZ1OkFh67k(-4TphTi3_RS| zPU<*Mx&C>|>Bq7{h)QX~{zIuP*1+OT`3qWO(GARSk 
zi$41Zq-9cUnJ-c&z4VkO&MA38ZF!C$$jA3G+U7WIdEtv$aMZWVK8D2$LJDlJgkR~C z5(Iq7S1PhLf&BpaiZnry$>Rki_Xax0mOH#eNz4gN%=1 zBG6vex~G4eghiqDFGyFG%I#%0!K3KfgtzQ03D^W6&BqPV>94eetN5moOkd@;7 z_4)n&zOMhS*X?$_p3leQaes8)zk?w{ctaj>satp+NC-#8)k^Sfca-o~&Ex#BIhU&q z^q}%It~m9gBGzegFga}(4(@3=(aRM2?xM}Dpz)}@y?D>I9V+f_+tFxC z8{w(YZ&A6^%P7hARr7EOK>ri=R8k3Eq-b)YRw@utin2ERwVgk#tp0Xq8jpA#(OBNL znl2S;uO%Mo_m3q8H65#yV>KY$U|a}+>XAg69{LR(HOD0|M-Fpw0FV6QxC}>ZI80Yl zRIKW7S&))l+Ap-eex>LVsvzgO6&uR_(vc#iC{ljNxgsLpwY8R`$NH4kw=F?Q0({Qy zmJH-+!Mn!?+=fv`J2mFG7PGg2;=}Ynp^TkJCsNw0CCyfoyd=`SkhAy~b5yqdk&Uf` zm-KmqF+oT|g_%h2Fpq03apu&@R`Lu`gLgE3>eY*Wxski7kj9TC$w$p`^$bqaD*oj} z?pmK_2xZWgOuOQYPCS7r?~xKlffeLshD61n+@t|XyeXC~@v!S9gQEt2s99L@BOju{ zyuj@9TaRQZx!f|ZQ?g+nZR0!0i^fX+txg^@VQ!O--c0E7K zMB|4=T;d(wwLmscma%TAK}4g9r$!|<@0ds8-}%XfXgS419?Ow4 z1z#1EK&TRYm~^S(f}(M>NZT@yGy>m;xc=?Or#t)7AQrpRiyHEH!Y)Dg3t0@e^9?S( z@u{2TKC#k(c}@I{baWWbNTUbeDF-Ezz$sv)rg!^ab~LRfQ2P-k2k6c}iohVic^~>H39VNtY~<)WUNTvIW$STv>g8 z(JpG5k3$sC-10vO`S=6q?>9(KmE0R7m3;NQ9N;eD!0;QlYvo!0TrawsqHVFJD|WJx zgs<#8##r`cTyfLYMd_3B)W9|I>AjE&7?afTm8=3O`0bQKC`D%IxZ&{mBD1Cxf*{s6 zSv}Omi2DF>6lNN~3?%_22l{WD4mNs=oBKq7FEzH|rK{?6qzwRd0#j*y5Hu(5NYv)b zJzf`pLT#)m+g?B#W2g?q5o);xb#4=SSgG;TxZ`ozPXe>gO9QFLz63BaCNiNvtzU)5 zfyML+RF}80M;aLxp9QIgji2k;vXnF?*yEXH6vxLw_xEdaFEpu|{L(AP1yqh!DM0bfnX`OE~FkATP70EYYbrihbmu=6Lkc;1o;NduNE zzE|^o7EXj^+%DKifW6wWY=RlE-?d!hbF9dZMZp>v?6)IGZ0rmtWx$;+7X(c~f%{hH zatXnhb5{xg7}V09X2AO9a(jGQGpUAQ(OEoWNx>4untgA(>4yO<-6*0zhyB7{(7*B= z-FA^4(-~GyKR1dTbC~);>hrVSj&BMvQ@Ne?nPX2XKl00!@UsLTeR_&?I?qk7NE!re z*9V1|)i3I;gib$4H40^GGd3HuK3^?u*ZP#u5}qLu*U8wS%D{&8bJkJJ%q)K#(l1YqD%LleI3|Wryl0y>_sT?mb?=)S`=Bs3J88gB`O0iw&o#!0j@3Sd=&@)@> zDJX}-BEo`C@tG?KdAWZHmn0{W;?`kD<6w(jT={LZ$Hyd1YEh1C^Hc8?R&{ zASv8aqt%B5QHaMV`(nn98M0m7@d+erQGgl!(atmB!EB$GT>*l8m&io;@ilfkm*>Ra zJ|FUChhvroKt3@5n5Tfn+nKk)GM*$c8>9=%XkiH-5|?=#|Ebw~k_qX#bvXuCS`K+2Is?qF~kkYBD%TA5ldVTrx!>P#t6`p#Xw7|{VA5w%1V^k zm)=?8)Fds{d!bGQ?N`eVB-RrhL{v)o&yuukIjx}^qg5e9i}Si717%UGlg(iJ{0~Nd 
zgha{Cn%d{LMT&M(3b)u!pZep;_j=BTaM9N@N*pOvKm%#8m{t-^#B5Ox)ts>2_z0@U zr$9zfT{!aFEoLTZUOy&0W2%g_{AIlKngg#{M)lCVA#m#AN}c$Cx8@+qE{XRMyNZuUtA#YzW88>GZHAf6}=rBEjfAxo71X-Q!;kN)lxRGx}F9!b?Ty}unT{>oWCq=kDO zBh(`-60`iweuZ2S7<8c~W)PCfjxs_HEOe6uY5~2;Hp)5 zWhKTYpHfk+&O(1rbRY>WLYR@q&i?pjrhAA6DJYwLh-zi~#Kv+$QiDAn~t?x7B>> za?suAPmDS5+=49xJi_965d!CvhF(;?5MbkB#c%)cxp8Tl-S|PYBo&D-Hi`mB2=8y( zf8%qIABPLb?|8ApzF2uQnAppZ4)e7Bt(|s+NN%gFg{>ux9T59ty04fLSGDh@FnoDh zp}~`&vGShhra0#&WW^zV#VL_Ism0VzQqlq_{-WK(IDr&=&it@19R4gk9qY;C)lHB& z^Cuf)g_(}YUz`6OX1cAd@FDfw1B@?|&*~%)>;F%3r+>^<>&(_xR zQsA;aizeSq`U}}vW}i(o;#Jj1bLH96P6qnS5Foia4l}Brzz^m8?LX<;eqfMCI@I{l zdNrP>S3bayW89Wa`uFnOT;|**PVmPKv|# zDhWwQ&h3+f5FL)68+oCQAMdS3x&0A0xW9L@Pc294!oJsM#J0-p@9Ix5*1!HR#E|NL z>sG8gED0}3e&m|l_)JNME#l{6YVmpf!yj(0KdQmmUACnkLciXljCFq9tKzo&sVw9` zjE!|X>TBsJ@IPia);gI9#Rb>%s7sz9+zdHDu;bpV`OV7|H%+}g9sdk4?Hp*+|2Fo= zj?<-i&up8YblB(OBwUt;-*IDN#`lB8H!OLl-psaF08# zd(7=>rcXg}6`@PC+~#}^xmJC@H$qG6-{nt~%@O``RHWG}DiC0KjP?3c-gi>Gbp29y zLq_~AmOiNu7-KI~a#GNoukSL;guUL5 z)jC8E$ao~|zWKVm_GMuAvP55GVQYQH5>MuG#!#{0%tFWdykVv4y=4uKvsRFjVBw0k zTvrwhzqqXU!Vfu_`A9n3gSoy330=K+zg?9T%D!|&QnF%;Ag>4uN7ze4OlPwLyRB~1 zr>*|b2Xqa@0xT=&1)@xrhlvf$4_sdN{(T?5830FO?>-yI`ClsatJ*W{meX(ugQ+vS zg+*aW(LGpRZ?>$!0c+&jZ*`S>t^sMYedzuLhBb7vR&C3JiI*`p@aDF~4)dIXg8h0i zbuP61tHL!~-OiyS8|4p$lNVgA+nz-PP1dYZLZ>1&ZGIXtqPDiqF(gm2A?|G>Ui=GC z!FI(NkGBG~t$=NWnB$vWIYzaBiBY~CUh(KC)Ohgp>_<6yOlgglnsv`vXu7b(k0&c^ z<@R|CWe)ya5q5C}*(RItqJ!RZIfIYv@=aqQ*I8V<%8FW?Hnztqq1baKA>}AJ@}#e~ z2N88CO^XCRoyBdxCdoe@yOV3DlE;0MTx#2InId#-orimUqC9)MPJJk6aJhs#uPv4I zImJaYH|5H6lG8zP5s@g9V+KL`RMrlMklOJ1i0c6-SQ8t^W=%JUM_VImd71SXCJXDR zeQXm$>JpkcXhr2|^(c+7PvpWL)#7OV z;hQZrgQ9!5^G-_}>f##{-JK@t=%`#kOp>~*%M6>BMXBhVB_mLn3=bk90b&KR0PtzVrrd_rLySrpjX2@dk>ppFC|)XaDExcGw*G~@w_b{ z0|1FHbH#KFW5()lGD7^{c}Awpz)Z#%|N8wWSRyME!Fj2hd=2vQHb{J2JbzD83&pJ!dCSO$6G!|ZroPOI$RYA#D8gHbm$3?eoR^uFE%h|)O3InmatQ!e z;+N*9gXM!hl~y))nXexE(rT#}WCTk>tda!lHj^9{2!U_&{FC#TG^o|SkEB=3C`|(X z-#^HB;{}r%Bw_>4-N6IDC)8-V1XQvJzgfn8p*_De*kagGDeBa!R3_jY0j|jR*+ZU1 
zPKf695_0cEG84!ji?o#ZnB#FjKe_u1)wBs%R~nZn8Lo_Bp_j*_TDcV9vJ?1Cm@Scw zls#LWv@2SqHOjay-Fd@x9mpuWVi=Vtmy#T#G0ntiH!d!hQUUBQO~}eK6;Yb<(*-7G zyq+aMIHp~^XjR;7JY}qK4pFnV)%UZ{j%hsFFmHUDHaU6eF(0fL|8|DW5pzg_aMKq; z-C0qrw*X(kzTF}fSEB~lRx(D2gYg$8sLC>r%UR#oC1GW7qJ}qzB@&9m=>m2@sAarD zqH0@{%9jv++Ehdc^#NI?-TQzsh<=sxrDSq~{Cb4Q`kgK%da_XE&=%*3K=um`CKICj zS9)s;$J9oCKW?%rAvE){$Y%e!8M0I4?yByWHs?<-@7~Q!o}xM!j)YF1yUW7DbhYQa ze~Xc;w^!|}P{|{^(~hy_%M%vrv3VytcS43eU#)3=P)H(z-7g=0_$?a5!X7ARFZn{A zz$fplIVkz~qH_(ev^iT@{BL@>MlVZ$i(+A=ujEQfFxb=^>})#h$SZGcDRukbY`vjk zzH@E=s7)GM{YPnWyUF+N(JZ(f1&0GOjhNyYQpq=XCJWOkpNi=nApKji8T|O_bqKi} zqetY8D7-w}jkio*ucYBshrgS3h#25;KAIOB2n4a=x=Fk;K?yEAC>NW$hSy(I8A!^- zh@|e4lb9$k-&L;6H+whx!H-SUBSN(T;0Y{*d^8>+@Mz-3W2whVKb$+V)UZiS(dF<} zVi~)uKB!;n)p`-1-_eenQF1vZeKE7sBW%jzaunNLD#-&pwx#_zT?mf=1; zh^-)4XeT}Fy%5? zumc?TE2TI=E4eF!y!~+HdkC?U!3@T8@z}nfGn_}`#<>BR35{dRm;yIma#`4zdl;lf)*{Gsl@~-bC z0d7LokT``CsM@j6t7NWI>N!fT+{p_=ifkaosc6y?aE7SLC-wjCWC=jF~&W9UYdgBt#fy4c%ov@EL9wG+-&>$KYqN>FSG>P_(3(fA9+f zA%!@;J?udkzm_)4v<$N>nKJE2lc1n(o5zdtG{_yJd%@*8LSc!e`w?Ml-k;n5A-nK1 z5vk$EVk?5FSSql)q!Q6^u) z%Rt6tjKRuTwAX#bPm<31Yk%f)Wx}s7ul$Kf2uEMx6L1u9&epL~K3n4fjQ>xYro{st zmmKKLxEBk+8%c$D+y7;A{ZM>P6+2%Gvy3S4z8bIwt=3SPp?nEesR3JKk9$ z1`cFv99?uqSoR=5tN_%zT$qe?`QEzZf5xRob0`(RIRe9<<#+g@g(0CM^7YIlxP}Gj zVXF|s><_$1ne_eDR_`N0vII3fSS)$b`Ga~CyHB*UWUXX0Wt+SG?H zW5%@@16o+YAox^sSbu3ub!TviQtSQceF>vHxaM+yM*8y{cSa4;SGOeYd)WZR&1^-C zTs+hpNOT4hUCd15tIhEC#W>QYA`jJ`WPUNg#?X4LB%Gi;V7bEeaT z$`MTW?q@d?-L*AjunbDdmjjDF*ZbL6!?S`7B5XRt#{ERghi_nJx;xIvY1S*^Pd_`) z=%QyWF$^6N28y~K`7@J~7Y#a?70dOG(_l4eJ9Sg83_nG)6~&B*J|0#66yPti05^Ur z6iw#*GTxoizD~#8r(c&ir74c%2bEg5d$FL|7L5y*Ur3g(H+v46RJ+|$+RgkdnpCaD zAJ9s7RwSq5r^;C_5}x`~CcF0o&$f41>HApHc{f}OeePx8_vIRU7;|Dn2sW{aIc|Ub z`puIIKRmo>=N}K+m(t@)*D2WN-2aLN>pxV~zTDZk4hf@k8E~Ph}fFd=H3}DRgr?z|2|vJxy0Y(`8!=Q)u1DUUzCl{Q_33GAd={dN{P;$_J3F*r zLx6puI0_-zt-CirL^>@P?jH+JF{N0!pWOSoKc7jJhzWh;;hh4p%Sr4})pCWXeYoCc``N z8k|WdPV!Kj{{kiiC>kyf9WseR954cdnCyk(Kaabj&r0*|Z?mVO64Q4k6aVs($}f-k 
z_zloi?n^W=(vpoZOZv3|**jOpE#KC{xR>rHEBsFAGF#UO1APyjR`RoA^ZJbVZ^$b8 zgt*b~uaw;dlYa{-@&ZIk%-L_&h#XhTMAe_T8o$jE)LR#}A2Fpv5|i5Y$_Zwm3}j=6 z*PR=4)1zE3|7WrCV(A3>jsf7%_mrj|iq)NNhrN5YemBPf`E!{eloxx|LAcPM{h4Pg zZol_c0^b7r8taOt#-l7Ho6L!VqVIQnUEU6iwe*~c6P@mrgraA#_zqV8?LqUm&kMLS z%l};Y#CK4ZsRbq6%3HK3?O_EE=2mAdyfiz-Db zf{8B=m7JpA+}-i5*csI`^n~ENkTA~`ZHpE2&_jffriIY=;|KFqbzjTR zJTecC*;o78T#t85#j=)J2d}>!r}5C#mDW)fUYikBQ{8o*M8VCbzw2`&;l6o zNfAG>Fr;vAa40@{a}V9IK{4?}e~)aiEdTu5Lu`6%zWvP}kNAMI?q2#?yiOr@S%x|D z&h1CFd{#U;j^C+F4SjYzprZ`QK1(xG^>?iC!`}2~nySBRbnCbSV zo6FC<#_VB#b~{7Hc*9~<2Ocl%QJB9;=~PDrY&q}161V2FRfpnX&C;fW~K+KWi(Bz1JS z`$Yz)*L7Z$EJ+)S3JO*=h)`9j2uz#=XPOW*nzhw2bqV~`e{W=wIro_Fo`gzLjG2`P z2gHR5Qzg>KDd%3L2a(M_XuNh;E!%g(EjK~V8KC;UwZ%HBb5g?e!o*}Z-drnBMcvgw zRG5D`#w_3yS-l_cNL0Y`|S;i9TLCl_!cGK z&bX^)V}q4Fm%ozpy}_U?`&fN|X=V)kg>ugP`Xm+YTP-0{DTYjd3qPv$XWUHy9UF%t zL+#nbbmi`!Q8~uL5tf>*_id=j;i7CqY12+?Xui#_V6?Tci01_bnUAN^u4ungl-FOB zjj(2qrO+5N(zfW|8_6~^fLsanoCm6~O^%Y1-bF4DS8j^kl{1D<_#j55Kbd$f%0&%N z%Od!(K#Jt0E|1ZCgwVD=i*RBP(z&7xA=8`la3r%zVQDA%K|kQFj+DW)P6C6~M~%-p z1y&$DPK=>TAv?%*l>g4?cnI^WTJ3fUaODQP)U$z6N(#?nDw~nRQuGb>94~9`n{S@v z$IO1$nNX+3gxKIvUGqs%9JJ8=UMoD&7Mzvi?aj{LAjv)3VpQiJWoHF}CHvigL`CZ= za+`Fn8h0y+vjt|Epu@oCri0mM(svVkfibTOvLIY7Q3mgHW7+@kVvUXNb^sN_4mF>v z52J10Tf_V#j&$27$zk&=1|2vpGOA33Vs-K6`t+JDpcM1qi}kw{@DHa1CTCa&)f-}d zh#$I*=il^#Xs%MpIjs%dv;Er`e{Y>D|5j{uxJ9zIHWHjx0R-v z)(`ksvy~5bgzN}eJ6rz733jh5vMM%^P;%3E`9YRb&aPG@i#P9?6G%@t|{W6ua0 z$jK?Uj$x(h5==R=SkN>&Mey$XbpowQ(he)jJ6Erfea+%=IaNwb$fG}1~9enF!xL_8haGT_L=SaK(gj-kcnX?;u9^=Zk2(jW8#(T6=SY&i%31j zxFb%@1=f(UwQS2K$X+_oKQxpFD`mgMS!zDBD0sLi4Vnh)ax1Hd%H!Uhr}0Saq>0l$ z9pFYeaOU^PtkXw8?eNr~HqFalcH)sk>z$n2h(>Vt5%iDp*wyj#TWt|?S>Y>n9%Wx3n~Lr{uNbH9bmuz04ZrkW-mlR9$+Aos_!+=HQeQb z1oXnPwd-EM0kgkjr_u7NQ9|$xyuIs%+D&60He|#V}`2;i+~1X0B?D6VOxj;fuBHUVi}PF^f-V{oLu102r6!! 
zQlAWzeLyKs>~^h9LCDy<;dUZlyBMF zjqvlainy6^s)AccE?!2wD#xGpL(-Wz$pHN76!M3zti92SmR{z0E4CfDgL-w)I98Z)(VGOuFCdxx1$4aFuN09E82V zKX$H}UN6$?_t-$h=Xhjp+(abCD{eLDW6knf#do7Zrr21Z`HeX%M;X9?Be*#=`9<1Q z4rz1W+h!6hj(Ztn`PtdG(s$3X=VV`u9;89*(D8f@nm*@cE+~X;O1}t)7Pi6yXB$c$ zD`t6PzP9|O*Vy{>{-xCGNDEI$;sqIcZ!ywY2NN&~uIEyNm$YdF|P;?KZjuy2HOXjF4P z;!?!XdoDL{dYuMmisdTfP3LKyokwl%<$O0`ipTJu^hBA4chX2Ar@D?gF~9w6b!jF- zR(#d=WyWg3ph=cZOq=LXsy~y^H1BgJ zo?ZJsh^uD8TjR3?<ZijjzD5wx`Ck#l|zrCP@X1peft;PCkWI`*o@|q;WF3w{iu` za_m@m)26IIFJ~XAn%2< z6H^U7Dww|<>50E+E>93;UiLj&ntvG%xjs|iKbgPrD>O#*u|`QkNl9w)vQ0oo!)^LK zu^RSEC*AcleELB`52PX#r)TVn^m$Ks-4bW|qc3m}WIw}vOqQ1;wVdMOcZ1_kbO<$B zr-|*Y4p(P}L@K>Boz)VO!pZC{V_^DHL}k7x=y8t|$hD{Y^dEP>A^<#EO>`o|xHD2#`DfxzRG=v9}Ba%CQcd&jMf zH8*FF#pL16&?6?;vR*70L2>?QXzon)4MkP!u3+IT?~~TSlxB1)+-BP}(WR)X$OT z8|72n`M_8NkGn~IW%N`V2myR9dFGom)Y>AOoG;eSk z9nY@wA_`AMr~NlBp-moCsFPN{ATTd@YbRrZRM_S=UrnEMaPR6%?4j3_T*qw_chkxK zt>No|E7*bGgAl1=4D8)K=xTjwI-fpywJftWmBzIK`2)&?a6VUybVTX*At@#(weS`x1Wqb^*Nft^uT} zHJj`0rjZvzU*WST!VvR{D`p9$gigtHFB^+`uz{154#9BPN|4h7vb)aDj^(>PDYLp< zHrD#RPwv&&-#lvh&W+Cy(~5%Rvr!p32`lcjWg0PN3T*TwMM4yu?I7LMK!~ zX4mFlg?zLL;%x^uoGjfh?|S2KxO??2%V4PGOeMAOFQwf~rqmL~EIQjV6lpB6sbtUa zkBuj&F6ggJZ^U=+Pzk&7<7+P^&T@(dq1+1UMsHRv)%WI#WIEo<$1rWWYuVoF?a75v zd3!qpGla#Id@pr?2=${2W+w#-q@DFf;-W^9E8k%D<8cq{E#07Xd`KLa9?_<`G&1or6W_aO|yN_!p_3 z2GHlW3(^7BpPYVYn1`e!^X+F?l|r(TrZ0!kGuaKP%V)-453ROafT<4hO06ySy2RyL z$(r&&k^VHbPb>0{7N(E-I_om%2;Gq7le*}Q-`K&Nf+u%>{r8+0!bqGE*7XI-y?kqY zK5a{@#G!2^H}>Hl_Ltk#2cV5&X}^?tiQ9SCOzG@E{XYM-%%_WV5z&0x@+~FXcI8&XODWUGNFP{Z&x}VEUsz| zr~A7YZYQi5E4VX~%43A#ud4iy*lT-h(qL_)wHfOZTt}JVh0SAvZVMsCLbnSle-Tr) zoyv9wwYW4JUNh;q;xY2qM6j}`8-;{j(Z}mY7GHG)_k7RsN9349chKJza)rG^9JLA^ zA+#ab?pB*4OczU>p6}YD8PP|TYH_%6ah>TLq}koYBp6~$=#42Ltlj@nA7-RN$V5Gi zeEtpG2+}Vqa-4Iww_qcUjaFy4v4k-zrzN!!<2{exsYe41lhl_Mo%ZBph+Rv4-WruM zxvxIHn@shVDHe@wEYNC$RcFgy#X|>Hb$0J#6}4r2?OE4{QlXPheX)%uwFwL0?2Jay zcocVzDywX&Q#<5l%5Y)sp%`n$yn{#mUL7B zA9{CC`!72HDHyvtV&QVVB8u@pUCGSk_BH6| 
z25+DqV*FKg(xtmo7;2O21ve-YrOiI6*8v4X;Zcc5gh-~>C462h$9a0n(nglAi1PX{ zdsW^kIkmmE7o+U$U{~=I9&$8>#c&xNBvS=(GfLDqRMwky(IV+x5RMR){zR^!apPbQ zCeUA377M)5m*vim$jpzo6E!|m?D?k@EivyZCa#04?Xe;&snRtOHGLXzJR$kSia2h} z3EU80XHnQ4sY>tP{u8`i(nHAS{;`(?&*uMSR4IgVc=Qs|W|$ITX}M8pM9%8tWNIHM z@CdMcy(cu)S>>gN4t=7Bk`9w`7X|?quZ*->{Y2`*Sg`wZfQ1^4Hhcq-PTnyyJHTSioAaW53SIWw3Hk zj$rpKz+GJ>zNeuBc+6sR=};DsxdX{SFJJMw9CI^)OvR6iBb6ncKeBnPTx0`{-aQgL z6_!Do`hm^hTp|SBD>0gdr*F=?b}Lsp1pzuzg5+AVG)lyD*PyNBmuN%2faX>%_@QXA(oCl4YcD?3mc1V zXHe#dnAlLlNe~P@RAM=z!1t9kBb0QcOHsy=RAF_RC}mKLT{^1fr*7}bEul*rFAnAk zkFl&2G&33ZraFmG#gI6;z-fFiRrkBwAVR2 z@bC1wq9a32!^}9bOZgZpDz?m!oWk+vazemBkhHJbL#Uvj690K}9U3$kkcL22i%sYP z83*KOlp)|?Jt(2({U)D^^G!6=Wz|F~Uq+?a1_CWV$N#KkEG-O@3N`{D6s%L=Ll(yD zo-FykPDX6q+Gn&Rg{tQ?d(Giuhg;-USKx?cznK;=i+ys-HcX*C zH;1x9HIM^{l`4Eb#EY5{=SQeU|NBiyFa`u|YTJpaMNE{0vH_deJyx4k@9oJ63r6Nb zVjP6}#`_I-uN1Nhfilw#;G9Qt6onzWWgxjtl4WM!67WrtJfZ6rF&$Zzw%Fp268}m= zj1MK*Ry|A=dAqF3)?scxR>hEABX>6<0Y}TXhq;D05mn~5;=d>==*S*2Npug6z-aGIU1;kSCDhI>Y^qlHfDN6!-k`#g)?NHA*hn!j#Un?bck; zGLIkPt5R>UK4t0ii*~)H;fdB23fdStTDHG5+7Nq>P}Uc!xN?Xce7xwNj7{d&(1o-! 
z41O19R=tK(y=81l(4Gv4C* zOEVfD;qw%kY)MW4yPn>Y7SIxYq}x>Hu9NiSr|3^pM+zxq9&RUsOZdmYx|Q85Guk1}YpgoP83F?|UUXZ1%Avg}G?%Msq`Gi7ox1ho;&=*(aXz`PYhU2g{xh4#V5s>|9Bh!lyu}QOEsf501&1r_L78 zI*F62g1(w_|^I;dkBWkQ0?uKQG*>O2hNs z0eX{e6xZ2L4)L;oAU;K$_18!x%Ox`=p8GDw#Nu!h6r|XfFa78e zOMb%<;@H{pkK&R;>I#_YSVkMMQ5}O{CutD--(h$dPafK}C+=d#pXiUiw+4%+ypqV% z$n~)ZcZvVu@R*HA5sl@pvy9+%t!vpzZ6)$e0XB(B+>HBF-4v}rh~JmJM+{BeTxZ7^ zaTQjueO-vM)I86w#w?{LD*cWwY@PKzarpSA+LHVy z<1t8iuo(jnPPiuDUvUa_eUL9&5?fRh9_OB@>O!wGj{FfRcSl)tmR-DpJ+jh9YL1i6@hI z0!}wl?Ut39#6N<3*_xQ%#A z<54$=Pby(M%}V>$2CV!n#Q@-|Kb|{&U*1Z+C|rmCd(t-H>rG(%2X(oZ5&d!J!V2xv z_?w3e&k-9;9s21xZfYc+o9Uk1tYKxzePS!YQ}H!#TbK3!Fw-_)MSDy2M6u0RMLhMl zKraSW9VnPwqVItyz{txt(PY1~aAWmDv~~|pUa80kZV|-Jkgt*Q2aAn+Y*@ldH`=QZ zg!Q@lKRw9mlCu&*K)OBRjSI7Ff1%HfHR8a2-S);*qK;4ZmW+gQr@Xa;;mh++4IHNP z@1A9mRIgnZn|Wh^_J(T5`n?ez*i(-ju(_MO=V6Ez+Z;fM;qTjX)(d^~jM=nwcl|k6 z4`aA9&Mys|E!zDV{l}W`X5c3{dJEzs@b@nTXNjFLQ z`ElzMI!vtW&1D`?GP%2R`??5`)1cIV1bvkA`ynXaGeVuu%ujOpeb(vn^Sj88>aICD z@h;=F9>iyaXktTo>;87OM7tda3-OMvU#91i=vU9SP+w`RBY4M8$Ksg4bH~(2)_!@iW8P?ZMJmH|oGbnMDQDH!`T6BUt zl}H=EHTyCn-3e6oV{V;X*EnvF^F)%Te5de100JyO>X37)*mMRTT)Y5Qa%=tJR+v-t z3moY6P{8YL+n242KE`H}o_a9T1KEhh7BPqlzU{UIzR+4p=0YR+KrX^0P(4{Ik9F<4 zT#Z`#W!FR#42p5gZtkUu1O$=qaI59YBd7lDB$#I=gZ*vqsaRJF80L2J`wA^IT;rDC z4N(~a`Vibcl|oA?^mM6F9>CT3=bQOu^_^YGN90{&`BD4%Ib?sHvtR=#Ba>#u<{C|^H&vxg~6l+KSiJgog8|zt7KoZt3^oaTT4HxWpFKtkg1s{ z=l)BojeT7>yyn(bUy^UD_%DAgWBv&DmGT{oRvSpzdUYV$j|i7X%ANzhMSJG>l;i;w z6wq(ez28NU#7;WZqdC8LL8j{FZP~xeKlrf^36S)nB5x}@H>W@tJSOpS%YW)VP4#yN?o$aO5|@u8bF zOp+h5r`nGyy}ojbvI@-gwYjW&apQ?obGu0aKQFi)3Y71S&*KeXV5$=J$5b$RDCKAo zKG|2r#cpQ3fYv8JbQsG;(h^h@#&3n!8#1xPS(`I0w#4rtwk$aVdCSL-+m8U4j{gx^4(q+EjEPam+V}(qndOwh(}T6Za>(%;KP z2j`pnZ^vs)oPleabuaz2LBJHgr*~aYJdq+u1T@M+Ide;a+jE@796WkARcB4Px2y(nZTsgTGp(7YaT z`Tm~j3qg8__3ArYh*9EYk@c~&7B}7nNbEO3L#D8+rD0qZIyN9%hbH{r=|#PN7q!CH zix=2;RlAcem9$C~i+y+3?^RB+Xpg;tNr@AcQ*Hb_I?5s3)rB z|E@UAQ%TvvM>B!>;2u=;r~lJib5AhLGK^K{_myx`#pO?2Y9DujZ{Jg78#vd=%g!my 
zIS)!2A%%E=)vLcPL1A7h@#zBB5~(k?tGvyfrsYAtyzMU_Ucpt}pMOQ`0rcrUFim_-qcST)%= z8NQNKt%o8?8H?{hL83-A7lbGL9~LqZ;{n7}JIsdo17RVwEy{ijd_f0hhBfBNWP1}I zPQT*40vR!fEZ^M{pfs1j2h-oLpgJb7&UeUliUt2@>Hl(=vo)hjdCkYF-TR?WEyHz0 z;k+R-@sfdwikXSd34kFmF12tKQ9F^w$w@cPpG?hR-Q&aO%&UYBe62DxAlj_(QrT1lr%{wWROT`F=BUM)ijP{gxM&Jvc%^x7hC0+ z!^c@10>wZ-CNB%z8lQIHmGvysP+%`kcV#KyldLT^Gv;U;WCf#unEPf85ct%{KuGsdGPRj!<)eb-GIqPj`%z_^ z)?JIS)+hco;tIBZ%y6P|tmX=P4j=W!CW<5cBGdYZLY2I4(|k%);m9D)%Ph)3&N`So zA34;x`tly{GvT5|UgovF0}@LR0#hTDs2XTb!UR;qXE%Z&; z@x#+OTFkd73F?b4{{_jLSx_5;H0#xYc_j?~UAbr76GeAI7HC#kU|ZrxFg5EuXx@df zS+uy|alsQFuYdB5T%T~(6G&`kJYp6Ub)iK}FWGZL2=TEObwdDosPms#+IWp`-l(A%awoJ_(5vh=!Is!I5ZyM#n!P6zQBkiMMlgE zD8I`j4JPE6$MEIuO0!R98haOF#$N5ROd1+TbQHigMM{l6E6^!Y?8P&Vw=7+4{UkZq zR(SRJJhy!#M0o&8xqNSw){RWsUVovqotYB%0CC%YKV3WiVI$)Cy1 z3XXcNBD%Lx{@`DAqZYOCrY2Vg{@U3!5u1XMx3a#E^`%upyd7cGusbFw@QdQh7+Zy-L5>uZ%L0?$gt%7>}LB z&7S996N>%7@umM&U&4A7&*OU4qs^fs5~5_Z2ZogaY(^AD8-H5Wx|gqEw@%zH3ElNs zB=ZX}r@Q=4*rk^cSB8ymYHG?Ox$e9%s>#t%{L!aTDfb|o<1hhYp)N!7x5Wf~9CPLJ z{_OlUHfH;>( zD;5eTXV_3R^74WXdh&Ls40Mn1+#-cV2kWE;yG@|aNr-l6vrubePk2}(z#}TLA^)a? 
zMD6@Fxp^6OQuZ1_iBd};%+*e^rlt(%nFbR)1*Cvs+YjQ@2erfS`OHaW=Zp>9n=|$h z;1LE-S)F3R!a*LGP|^#q;z)5_Gi29ch+`i7Rtjn05iha4aYHf>6(D8Fvezy;jd2<6 zP8q#WBl3SWop)3d+xzwDpoAcTkU;22Q4o?)5~O#fqXH46g(@H=fV3bzBB4o*gx*9E zq^d{<6M7dVDuRe~DK{X7a^KwFcfDEpGqcv5nVd6oo@ejkC#lTXeEPb3uO|o!e9FC99vX|wh7aU z-X9Hk^mE=u2TO{98iydtM0ebDWTcBS+t<|2QIpco1BS-jdRO$6Sjbg+wD=v6F*Q0a z)Js|N0$bncyWJzgx6$)C`Yc94{4evHc=}K}$k5~;tu_~;N1gEGCCIixqc@!%ejnaq z{s{Y}*HEW4;QW|ajal*W_ND^M@VZR%3vu+#N5hssvLz>mgo@iOw0+RB&$G2!TlvM& zB|n$yUJIgU*}JH)7MoHm`@1toTz}hyxA^3a8@6vGrw}^WvM`;nIjZMKM*MBna3xm1 zABMX9j;K!e#rj%)@tMJ#m+0-~G$-|&Vo@5yzHlb=2JqpE`DsFiid%{RZC4L@D#y%z zFgw+d|7_asm5QK{BTW^H1b~;!)U*8Ca zDt!BdpFX~R`Z=|NYlOv#$y6iom14+ccG}jua5Qx@>76@xXU83OpDftDPpT{$%nw`I zF7|o~?MN7?IT^}wAMLfCEBph#cvI?CX`vK@gYY0*_a_E<$vg&vj%y{=_LkqwqKdTDs8&!drO&SH!Y~%90wz1H_BDihfzN**WwkF zrq9MUNObHKLwH7QO*ab5-fpTC;iO)H5cGMuzh5yheGM!bPdwF9Er(u!x%zo#TVLih z)dX8kcWz&|HsIcRg27-@*y7j! z!s6laHW>#VfN4{YrS(rDqT?2MMdqDN-{@`%_t^QstD1S%t#p?dY}vh;sFm}P9m3JH zC9n7pDdV#VAfECAc*x$-hjxK@&OMMKi39c_`&1IcA?&euBO*VBTi|H8&dpIyb@^(V z5Vr^2!?X|N(5&nZJ~<4OoyY>e^n-Tnr*achF(e1U_DEH!zM|#br*^O>Em0FQC25T` zJ@#O!sGBgBt|1G(fao_<(^@Kj+^6Pk7p>TfDlsF)@y%Ou=uEE1>_mRATIbkn8;d1v zv#p9o?Qbdtf@S+}Mm97Ga(2DTc;h}~FV&*7P*!z{B#qABFM*1)!+@+;A^0GN>ghbZ z2~0n4s3rfWO?@sL7)7L#l}Iu#xyissUK+~NA1tBZpAl$dogkW*4g<-VbA5QsOJ-9`}}BmzdSh zsOoD`#ROin>6W{y-~0B)dW$%4MkBRC{PlFyIThw{D{BPP3ekqLod)77;Vpek%v9yz zjms+^iB)=RBYUopz*$oxtjDHi7W@5h`-_l>4cYK3{uQ6adNrty8_sS)de_ofG770!Jmp*x-k-9l5?TI6{w4|iMYqOF5vQpO%iV=^UOrp%BW37f28+wi%?7^y!XO<=HUYkZ(J9eYu4gw+u0?g!TrAxBr#!`bx-cB&qOBj+-rN}rnY@0)A?yC_si=eg;;$~TTS{dCSJ{arzL91A7Pm@uxk-9k zt9AcNJH{tTa?Ic4px9*I1#ny~b2EbuDc0y^Ui^@P7?tHn_wH{>1D`|d=@__3=-_1U zxmOf_H+wa8xlpOqbWjsLC=2z{8RV#3dm1#YxM)W8vUR)L;LJ3pwWIqTCpN8n*cJdq)g4i7WAsvlf#sd|gZx z1(cqK^pfioPjI*>+BxR~{W<^pb8V$2QuUT0vpDsQa?QW1?t{r)X_n5Un{%Tvp!+}z zrDQvbvXgEs;rhFoU-y|%(3!=7J+l2EyB7haj8aPNVUE;gpA?IHVr#3gn^CmuOEA3` zDd?2VW$~rx;8Lv}h< z7)7~2cqRzv19_<{Zp3ys@u+s!gPo36o;`gp%@B4Ym48ghKqfJ6^2*G=!DbRNBUqNS 
zKx+_?Tk|6?7+PGtng>A))NySVN>;3?N<0~qduonNyd`DkiZ_=cJ%%C5Z%?%!52JX! zG!{n!Z6G56PqsB(-7%2-2UMgU`)O4DJ!Lod$;7y48edCx=JjyuB<~JD?fiMk)Ue-W zYIpnCxpS5Pcx|eVuT zEOQ_jn^sO^BT37jU_cbKSyx*KV>t730K_5y0amO}W<>rzmp90d)Lot|>cAjufs6OU z$V1>aC>+7iLA_Sl>twN0uvELFr84FBQDT0)x_a!Rg*S$3Y4GKw3VPd4!uK~P)4G}n zr^%Y+@h`B9q0C^xio1nDMDqpHL`tR1n(_Ck3+a?OcH;*B(9^p`7j_qu+T9(I-QEqw z&ZU5es(f2Tyme{m4z(fxHUTVUB|tVZCrzXDfuX_wQOB~>^a!qWnSNQpeDB-~tJhiB5@})cKcKACvpABwd9n(s6>D=L-G3( z-|&|W8ejKJMZwu#;q+QF`@>V_i9JqH2K3^)V_M+aEiiSCO@B$<1u|?{pGy|S_T+X@ z5$_u^K;j+N#>c`Ep zBY=-qJI@e{W=>1B-MfLdlTMZ|Q98odm$)#Rnid255xvbIv|mb$nap*Z{JYDu00feP zMaTiahJud9Meq7#Ll7+$T^N6%?zTzZS2$pOAKo2uuMrT>bu$+ zL{4U?(}d51ER^WM`8ka`+APVh#WdoGtO2LiPs>Ud?0c>9ZMdqqtO8^e4{-eGHFf^! zRnVD`=wGmYNm;4(iKyf-io*CqlL>eUTI(O55GY5u#M!P^0eC6?7TEvML%`;-k zV24L_SP1%h&p*9jt{smwhUGYWecht61O6+DHjR~Paye+)Icg}m1zv5zZThPFs}g_7 z3dooOnw|^J-7XoUEJ!_GFkA#QpdY(}zpUP6RTsQ#HZvcJ=-BNDF@o@9a3#y)n>;Pc z6H%L0VaM_8fsbl@H1rP+xAGRv~=#yw$ujPd@UGgUz8PUHR3pDeoiY1vt0_nzwpYV!*AiA zY-HtXYD-}ho0^Yiy|d!7ay}yl1*uMzPIMLIW26e9USaLkU%GW z0l0^LO+b%lRnf&Y9W+|7s73KQGa`SfQg{c@p&`Sb?O)rVz+mja+Od=H{_vYA7|pel zcCWqbw#SZ2R7cKCa!A-Y*hLw4zbpk<1HNgaN3tcfyQVg3$u)fGQz(TH=D!(>|M;K7 z%4_pA@G6&a*DsZZi1+xa4wLQPoEXX}Di$W+;$)&*X%Lm--JPgx4mN~^yW@vU_V(}C zK5KC%1Rq`++|Tm4ym_-t&?667U2n!;_`&@NveNVB$I3xf@!_XWYo-2mzF*bq6LH#v zYw>9_|DUvFx-QUC)5@htMWAq&q>^CZLm;+e$j>vAZdU&YN{y ze{EBKu-q9Z5360Gx%v4i&$f9O6RroYf@W%ogTJP)Ip*fC z^+G>8pi9_l3b8^qV^!}ey6dD{k|p)icLEQlKe+}xty4rlMJ2M)@u4BMPA{6aRI$T! 
zVdEndhL(TRG^WM0y5*|B{j-ie3~+Z%$szS9chATfac#%NV}8i< zc3$+&Wn9CGcocdIl@*3Jw#oCzm}gmcJQO2{J2y48aEcP19$oh3ZP;FtFrH3I%g+8O zzb*4mYQ4Kq+TOkE-UeOUNqP>Um{%RX*tL9(X&#vNFU@f`RTn{7?ZeK;46fdfOc}9U zsKYH+fPc^DGtxBa{7^w8No^DKH=dx@SDdC<~HV&*Y$N~PaVF>@>*kgYvzyay68%I+2LfN}8Mat0_E zGh52_sMbM~bDqI-yEqlo4MWZg)OHeuan+jfJ)oht6-WQc*3qiW(9Nv8vCPj(>%_*a zs?`t0r*eR1Gg&r#9Ly;Fvc;z(T8JfZRP$JTk=|J#d%Pk_wsb${p$fIrBWWS=iVRAV zbDyR@6ij}>BwKu^*^mor7_}(OBBfI< zUTk|QL7g&PO{nPFLiWLdLL$Rib_hX%it#wiJ}HSj{k(ZE%MbK^`&>NOfl;=R!9d9a z;_m41Gu|Q-6CA60DBC-~b*?yE9u&u}6ZQ6okXLH{&yOn1vHZ5@>6X4Z?=@tXpn#^% zYN$Q#V{HE~Jm_l4_Jt*D9k!XLPtrVy97$@v7jM|OJQ>kR5kYc4k)x>m@}Ru5Lof1vGtfNNcg<;)47^M1n}4e#K!Z6BWG_#*_{_=>#5@@1b8|@`Mm5Zm%!+% zVL*)y;x}J=nQ@+&N(IXwr3@I7C~ldC^?=s)--JsfB+XE9>Memg+U+&s5>H(iGl?7y zmG*>|{~j#>nJYtQpxM+R!2_h1ze!Y50tWkoOUIJBM4TF!`h(=kf$HCpnzD6Mm*yLV{w@%5gBSETq>?V@%q^k#ryHUhqvdgo@mpialXKF{|MKF8G$4=>ve8 zjO)1pntFwCTu#L-pL_|HG0z2LJR*R9vZ84kj?aq>w4Q)l#7mZT@Y#W{HyUQ++dQO~ zOSg8L8M7prA?a%+P^)BUYTT|+#e;-GjOk-fE&R0vbeOEV%CZ|E*E*xuHOFu(udrjr zn3MB|I}1-SuPxe1M3nAVF?cZjt~wJo7wuqZ0Lzyjt6v`?Vj{VE+h$j zwSQe8#*+w8(SrUau`71#95b=*_ZB#)_G73^I)iLAPh=ohB7^sV*N>JKUn>u}ex?pi z!GFy^=A1;m?$1&h@UAT$`w%Z>B2P&teoWaoRVJISo8=j|F7;Hr=0#1D?Hr zoH`2{BF~Bn}5QPi1=R)`$;|&HSG?SB_uH*XF=??mBVp(W-asK;pu=7+m zhoF@pozz&{rvjm=$~J|`Re12;9F)D~cr&157#cWk*ue*?-(clFN~!zkCI9hK($xw} zqxhi7WUt|Y!RI?*2z;Ss`Q0(aa~Ge+m}rboJ>FfGG8pi@0T9tAGlDBt!6m9ouR6k( z9*k0S*}DUiIUQ$e+Bak?#=fq`8h*~}=-6zc{)*uyxo^>$q&$!xr$uOsWqYy-&ch!3 zKecFyWX7Z3Z<=rWFTI@;2`uTSjuyln-V>_W>mj!`F{I7n9?@SEIuUYzW~cI1sXXuE z1892J(F~*t?(G_L4UShIt!=xrz@-4IbPex>I@ua7kEQCdLHfofNGuPcAdVS7C$U(6 zZ#gdiJHi1A$`8}2&*dDCNgLa_pd*UquB`z=^p4A7>-F~_oPi$&{t7dPYb94_HI^wQ ztI{ft!(n{8F>}!R6!QkW#&Th>sjJclR|x5XMsf_tn#_2RNy%^qkL*EYuhPP(8HXVA zufNJx`MrWSg-V^m30g%p6F2CUWE^fyuz&P%2G0gcoNmFWh$IR0zn}i!TOw!L6lhRV zf81I@V6iBMJQ?~8JjUHDxFJIQ`)&(wJFY&;;3=$s&H!of9M8_gJaxVA6>BW#S6e3h zr_YRxy4pqyOwo9-JmX zYIW2hfuiB5lm4$5$Qk3!i1OT=Df-N93>*Yox17;&%X>YkayS?uRiGZ00&?EL%A@Ry zU1VFcB$o@q8nmmwl{EOJYjFR3R<fRFl 
zu@OY*wn>e~R4mM)t#WUj<&(l!qiFfMfOVNH((y@ywSYisyTx@^ps7DR%vVG%lN!G<>m1z5f_avO~D zc`Gq;KNgg?J1AS1cid5Uekanun#AER{&W1X0GOH(zjFcvFLLJ%PVZBbf+)OKqp3D( zx#Z^TY%9a~u>j~o_l8N31ANmL4I@cd9%@2@pxTx|?4m$wC+>CTP%saN*_BIm2-P@? z8F#6*6PKeS9I~fR*gWe#aj27r3*XPr&cz$v@cIPbtxeZpE{415tMW*{ZhmW=5Ikj4 z!?NHqg02w#n5R#lK?Cl_g-e&RL$ikV>}qwoJU;S~j}VbQ>_WSCbjlQH8E3A znK-L6>rTyC2Ad>2x>)Wo;_333HGnK<*kL&cZaD#i(|d)R8*FM-xDkNbW=5?>Y66s_ z=p)co0yt5&!ujAqTPa8Y{>%gSP7yXAwviT-tx~kB;q^mvZ}#&=2F<$CY)-*I{CNtL z#_w}L#lX^(qgjmG@z36O2km&~nP+18#`RcTS&p4SKaMXRjmIB*JYM&j*Tjiq$J6DL zJKi2hCb<0 z#%Epxljfa3 zrVqEO51jg_xY!PW4s3F(^ozo9YCZnTwReb zzcF__?mHZCeJ$3PSK`X~3-PNT{&2kiJ@1K+ee_r3qaXQ|IDhWhTrn^=05I18-nDDj z<2{6NpG22amDbFk!bJBJS;(>$HOt92erprhMgp=l=t!0}aV#D^6YqQf2jbDkUKzje zf%hXEE~7aE%3ty3ICIy0{G0#ZKaQE^bhu2anNFpFZ;RuwF2`w!wSs>>EsmS{#AAH* zNcRL+LyP5k5XYE5JW`W>3BQe_FWQsSM_k5XZl&{!aZpcACv~bP+SwOy8i#Rxu`>3> zKFpiucrGHuy_%kyi$Ec>=YlI}tae;L9@24u$Gdo>qX+WflM zk?Eeg>#kTtn{yP(GtWIAopvwFYuQiS<@Qm4$Ld}x(hrAabi>l>6+d;uVI)J*ug|E5l&M4Z$Bo8QK zMgXxuPQS)sT$a-ZwqvG|ouvRR_okhK1F+Zqlw-lUCi-xu*39=)Q-?s5?@Xmg!ZSgf z`ZJ!Q-qrpv|M^bZ5=>n$rDFXM->BQmMT_k4wPVq|@L#&Aysy_8uqt4tB+udsVSaM78xBu=xjE5e2MZEtPej%Rz?5E;AKm8N& z&bPk-fv_Hb?{EIqT)!Ekgk+=z>8GIK0!cZ!=1N_^F00DI(h+AztHnmKkU4c&>b%1 zqB5G+Hg!Q1MW>7!qT4*#QIvi`G`6uhTKEdpypwSZh`o)TiQ*pDErHs!3oLa4cBg@Qs2vIHpFZI)D;aXFq;P0%>}ttPA+Vwbq= zFiiIfCc8cGM;DjkzI*SB&CRVO1Ve=@^8%JTv7p{x!+#^2oV0@Ot*>C1$>G+9s z1vs?s;-!l@Cfg1v(_C0O76U-|`3qNa2jyvJA|}jYfuM;OmI6X3ITE53NL?;-8X;rn z7K~}$QYaEGeeQ7PWcq<&%;ZuIufO3Ggk{`HL z$!%*bH8sfWyrgY2KEqWT@rp+ur;eN1)|n6fTuraD)yY-+1UKW=W#nNzT0gr9$b_d| zixt|aYx36V?Z%O#cg5fNd;d7T;;X(c-t)6R7a#xVN8(q1`NQ%1-}QUq$lOf)(7*dW z;@^bMOG)RZTPOlnYe9!upQJagPmg>)et&rNJbYXH{8YVOz3f^{&+xZSS)? 
zTV~tue?I5!k)MB_m9^4J8d-B@-~N8T_ij1&+;hJ7-1>NmJS$yKW3wunSDVU}_1{%K z!*d2fzH5vpa_+lSOg5PaGXASFwm$h}dZlRy=fJWmsqJ^7h}8K*r#i3(O816AqqR}+_QS3yk1_i!*FbN*|TqN`}S}Dj<)~cfk*`) zgn@(UJ`F?c&|rYsB*&y3Gftq@T=J3C}HD`ax+50KyiptrL*LL0zi z7>7KKm1^{&+!2g{;*-o%v4QA0!|)mZ1-Qj`vDI;Szv|X=ymjlJ)eDclhJ#Gd&CAKs zk?6iVEzZyp@B{|=c9)398^-0VycebBe4|NGFdM+5Mh_UJ6;%7f~f0|P2)dgNfFDpPsl)`pf*RcSk5JxHnK_mckBjR3(riA5_!j#hS zDm%~C5+|B9Xa^1+N`n)IVJGnWlkT~DNLutRQj7=PkdfCr<$*roIeN}Wt&cu&+z`i^ z=Ir3k6ZUowAObYH^~6q4vm(TE20FHMNv{9hzjt3AFtcQANg8w4=yYJ@H~x9VD2ETC zK`=II4Xqcs;`yYtz+p^0^_8nuw53ZHN9d5@_`$Yg*N!%RC_JfXIF>A1)=r(7-L~)A zo!%_~h{VDWd7!+`08L;YKy1ry1j({=W9ZSag~6W*?>M{oyi>p(u|P^Lh10!_@7-pB z?viG9^COS&|8i&qVCDp1G`89|_w-cK_~UzewZidI17I~Y^8i|c?c6-H$LVpSW1|Vk z8eXTKE%1F|$U9`60GGXr0PjfK_;rG&1|%{X1W?bN7vX}d972h@!hJ-_hAJu|!Ua!J z$6ZrFpSn5?*a|t&)2OFebKCKgfS9t#D;m=rlh6#rM>e3{StbCHo}G!`RtzCU&4cvm zV$@>}`^29{`B>EF*6oMd-~Nez(7xo|U(xP)gGfWuNF)U7tgK=Y8@B9#nzK&2*%paa1jx)4>~-f*^U$2K!7f4vA)# zpPTO&6Qx*QRuqcFGdvz()OE+gs3}E!XIOax7{j6~@z+-}%EHrOxJY;{Hbb&b*}K;m z1TTQm_Hw{;&roRf0h z*#_MKK_m0KZPD{19V;(vy#_+Yxt9e{zVn^$%=_I+kIsYde|o)Ab_e6?yh+~XxvqOW zcTcxkS)8TptrZcp9X@opZG2*5v*p~7#z=VYTf?aL9~w_@v!jqt077n3VQ^7)-sOUj zO`anhpLs?xaE!)mG#VJ^COc2r%Re2(*&WB}Ok(fl8_6?}ow2-dY$VS{)=1dcqcO^J zj-!FdV?M)6?T+dUFdZF@dvT4r9{?O_*|?IR9C=xLUC(UnakM7z&EF9=(~9po864hn zj^Rcb6L7PbQQjzH+z9OSJ%Bmt+;9N^hF`)8V+q(9I*{sZ zQ$N$b;ZJ-^`}ik5)gFG}{`N1UcP)~Td{m;f~FysC5y-MVETM9?AYSAJV11DG$4xu@En-4 zG%iP>E(E^enR>Ztz8G~;w;XQ7!8_-M5f%gI$k$P#fZcMqZmfS!0)C#a99JGPAN=N0 zx{$SUlCu}Jnn%zu`tEg2v&D&YdBDJT{yAXgX?8u5c_D`mc&!TXLeTm1BVIIyIkXgM z0c0yXvY}1I;i1pXjUcB&o|7S)69I(I^U&}br#F@jNV_4W0Pe_x$8BwV4yT+0DP(e2 z*aWTkojtGMC6~GJrg@Zjb1&+jP5^E7mBTZ^hozNA=&CqT*1z^Q|7QDvANq^!(T5+6 z_@~;TgZta&jgJRFKiF2UTov~^eP;t*LXmN#<7*#$lgIepaoRmY?&sKXdew173svRm zLJ%o1)g30G8$18>>6803zKC7K{OlNfM<^)(wMu6yWCy2RpB~OIGneonTqP&7s=twto zbIxqQZB~V8?ofprO2}2Bi*^hHH<}Db> zBSURpW*vrV9(nYM0M#XJQSYEc(8FOaO54lAe zbTZ`HP4b1_o<0%!d8ExAiNegE(DWX*dG>VZQT8H&Z^Iq4X9X`II|ETx;81Xr!d-tX 
z${O_%L4)sjMqk7Y8+6{q>`2et&1oB$qBmC{|HVizD?sile0E#3B)a(Fb?FM)ahF{@ zip1PP>GE8H2;E)LDu;q(YaU9N+mLx2p*TEapmO5GvFz^JHRU)--iIrf9SKkE7*^zA zryuVJQ1FHrO92N@*v_?lGe{^ak8k;kWw}Aav6|kWw_)wtws!5Bwj%C#OXIqiYuYk> z^w@^WMC%|;>ywN-vZpEtADNkP3mM6EhEnBy>Yp=dGJj^BSiLKki6O3%4tR#@2c1{LX z1Q2Jg)eVb1rKJm=d8?;XlGO=3*8u*x0pJVfFAVQ_SsPurI6T{^yYNUyN5-Q3i`vNI z?$uedg%1zd@u@u7xgoMqdd;VcGk7V@bIC7?eKxa?a+aP zxtYe0%;AIH)O{omi{G>FP}_HKyzPrHc|}8XAi(xO+}nR(JU$~0s~-Z44;?zz4n%yL zX>7)r@EPE26OAQ~$3hQI0MLM`Ga)0MGat0us;wc=xTvPii>4d78UKnB#erF+T$|HFT*Dv^YMa4g%V6l+k6AamE$|U>wDT&S6`KllJ(IW zAAPue;J^OowsY&IXmA$<*qX!OAZL@BLs=S%?uv|)tGF0idZSBb|kEh*yu~MG)_W%Ch|I1AW&y@%j zP1hEzTgU5gp|R8#%II7L!)lH=i~{7PRZazVQT#9ls|0eT1+Ox^HtC#-Zv2AiLOU9B zQFO_>^B~T&(Rt3X<#3-fph(SWZM<8<5hm<_2I{(~q0Yg_>Bz(OS>epkTTH{D< zqI(}88J=0bYc6=TR(4K!)Hc@uRq~oUmsd7FJu2R8@)O}qc%6*81awa2%R}r#*4}!; zlQv=H%;kw=Cj$`eXguDI1V|nLwg}y91sKjBYp2f4YpXBa(BANdx3q=P zNRfHI#X0J)!{cx;BL7_Osd0+B9Y1_1-#TK$&DdhALFNb8j<$#IyQlr+-~G{cV6Ox5 zy;OB>o@w$&pZG)$k*#05AsY8JQQw`DkqunrmFI^U5&?;o@E%bWl_>HbYVO+C-DNvYWH5AR+s5dWd0_r*t)p3V1Mei+tQ0xH{u#w zWlFHcCUtGyM54i(kw>@+5&+>POFT29=9Y`HHJl>Xt*Xn(B4D7}?zCL9R zq?9pVQ6=G!y|L>lXf>wh%BH;g&J^Z4%cpH9|>@^Y6Kiw4?HhG zK3U3gc1zMsKDl=`y4pOuz_SEFt6fDXb2Z(ne=Y3@4N_Lr>-;#xjsGgVf^sH@X(Ki9_cME%pTSUe&N5h|M2hrP1_d$ zc*FJAh5YwM<8-2JSid293gemPlUuj8H@yB0!P98eq3+L_b~*qzsx-@@;bjWGr|_ce zxpIeRA6~h}0uY~>j9$r6`h6h4cVF8d;Jao@je^dBgVZaB9fD%Vj#z3?N@1B_M>AtXg?#uG`dVFJCs+M#EEEJT{WE z`^(0brV)%STG*B>>5ki68er$h%~dN`MEIrg-J6U@bE3+a9FL0^+wHWA&j6%3;k8m4 zz64`Ee!^>(<_BP$NZ_Nk0N*NsZfor9Fud^`3Rt^#U4{c<#*=}n4H;gsv~2O>G%9f& zR-Y4q@#p20CKFezSedIZ#-a=nEImW~-1e#4+KwH&a&k&NxoU=6wRK~6j0zB`KXpm* zJ0QUW>Kd2MOV@DlF3Hq6&tdbKt^@LOMMTJOWWk(Vez$+${xI?b(JkKBcJJ90-T4F2 zg+JK71$TrAzQojL&{9vIr{z_DvsrID|I3a|y_p@i9U3#4u%i^D_K zkVan4%K*rZfc5$&!)TFcG;$~M1U_#GnLn~5y!O*=_391nb#HicTf8uOO_6Gj`$zUR z;As4m!8;dcMdP9|I(q6@$ZoRDAB{Xm7vu|a4~K63?r;8Pc+s=NL6}Hq!^EvgSTD9c zc;G-=7W%$*>*jn@%_XZ>M_JC~IV9#1=0w@({E_iPZF2l@n+%XY;UKK&l^qVRckhlJ 
zZR4X4wYzTrWc$o*pJ=yz{A2ACfAG=v;Jx>@y8-ZL?ritmd1u?X{mEP&c|77CIe0J{ zc|De+A&XAW*u=48-B96lqZvTHKX z&kzPs_bT~IFIf}eyEh6GDZ}+!ca=dK#t_~!OX+~!czC9|l_TLL<>X+LWAWl;@w|I8 z_3!=u@3mcfb|)b7ZfZ?(0!1XmGxoo#%Z(ZNOg+XGpXqf4|A@C&b)3K+zlAZJz-Uee zc#`j;MI!;INAo4BhsF(If3OH(b}g@+;rl-hR{D^L**M?s_=AHfL2! zPnR~mxafuCsc#FqWrBb-H)lkn;Ip&MuA8ng!4Cj7X_{VZq!T~#yF-lZz@+b%$JvRQ zo?XPrH)X_g#o@sMZ9@=-iGZ(RlFSF->3(N}28=_7p(ET~K+*NAA}(HxU1KZcL}n># z-$U1|p3vn#ORkaWXf&d;=Z~gNYGhHf26W&XnW}1 zyW2x|-JRa;199E)$xpO7qInP?1;Jt6%Il(5BjAxn@$u+HWM*=9i^~Q|B zc%oqt!vuy4tdj5@XlNvITsLIrWt~)R<*JobGCkOQ|DUnic)n!uk~|J`QFxTR?E?5T zbTL9nCyq>HnkOeuhc~}0$Chm<`2CN3wC&luCjq%+0enz-!N~n?Y%?f66Ig;5Ra*6$ z1|m#UH_uY9z}vLD``LU%LZ@=QGSEAAtUIO@&xR~aR9$+>^7hqV^`5qB#nN^v7Iov(gzw2{h)vMulCnrI za5Bo-$pcvULhHMAzFqIZ?+B6goY}@5_Y;8AL_$tc_xYVjJ&OX4Mp>LIZHb(vbG$)w z07oXe7uJ%khQS!}Y%5g)kO#9Dw5zXvRd~p6jJjQz4M4s=OVaqkv!SWr)5{1BA2}F3 zj$;vaP5^Q=J~^epV?W()eA633UbEVsJv-aif9==gFvBAcKiuB>)*IV*e8;!9CqmAC zn!2TW5?74H3JDlBQFj3bU6IOm^$Nqg)}hiKC%wkq+Tv<-Dw7rSKX(lp}RqFcB-JR2aPBa5E|3Uk^~ZwaKqR~m18 z2gJ#HAduQLtKX5ZVI=X>e+d%g3+n4#71Y8{r(p%s1rf47!w?`hiKf%Pr*5&IjYd`RVKNz0e zbpfUe+Ttb4+hvzukz>w}Z+s#*$aJ13jswA>4C(vpR&<33AP6wlD+(j$&3B%cGpJAI zShJNER-FL!d^>g2!Kpxs^jaevfDm8WK%>04d{16v5!FLNnV&J=co3{~JdmKD@~imB z(l+O0kAyy1U6K?4WDPOBI}y%-N#}@?!y5qEZb++4PM?|6)^E7Hz449Fh(*J#*U&Wy zQO`=%Mx4v)aPZ`ME)d$9pos^VP4uF3J$~Mh7Ad!%K$1 z)VZZ{n>TL?Fg}!^e3spW9v1zJz zAq}*eC~n0!I@bZR9!HiS%19q;)ek%2q#QhWEcuykGy}*NNPvpx_39h0VHM#4od`g| zv!f)(+9j(mZDWf^1MudD7rLm8jdi=f#=?6ukwHd&n=s2O0M()J`PSh`=1c&O*RAu^ zRt2yyCPpnY3I{L^F^q-b@#GjiWz$F?+jb`oAIo>wEsXA~O%`^Fk!QZafmapEu6wO4 zfKz-%NI^TVISe_TImK-D>~4qIu@lGIZ~WG8wB37mN0`prcG)N~Cp;|Pe)1UkSZA6; z5NS4u*9T(ic?Z5cK0s-;1+U+V6<)bj3mZ193qDV`1LOPK(rB1?xdq0+=0Q$_5c8Ksm(_ zGFHw2120*1@OxBmephn64Imy-lf0DHgrs%bHgV8}1mqwqPBgU4!a-8GQ75jP1Bjb> z9BRl~ewOGtlqt|Yev3CJWMC&|)MqpnCg>~`(|~V&a$D4`dLN1OW=8{fReQsYH?|S= zAFctAn;$%4(S+K<1#{cv(L-(G(C&6%|F(8?Vt?>?q#Zu6r|sVTWP5Vcrp zk9jhjfD=b2Qgd=xDEK)OWyo#rsVmVN1h!Fj<-;I(q+ZAOJQg?gJa~^VIawUi^k-;k 
z;b=5CA)CGXk7Q#y-Dn1oFOYbT!1i^oePxbk?%#VLXOMxVNhmYmd6;~5^TSh_HMfn2 zk{!*N{1f>$>La0Wxom3uNC4cvd>#F~k%i~FwB348%i30jhe+d6nWAOa!Xv=R`vl08 zz4LTC*)1Ghlq(`kK3RzYki8y?!8>z-rwrf?4f4{wTFH4C;GPmo!*B*~%*F)wz250W zc&Z=%@b4w>0OBc%>auP%>&xwkpJR9Dyv#ghE$dRf3g@Ts_5hLi1J1782oU#dE-}Un z_$H#8Ei2!7VEKN$@YF3ceEVD9)Yh(95x^GU5%Su+>4~=K@yAmpzHi>LDR(?-d^W6G z-M;3lzpCBz*0+UM8(!JjFznNjaCoHi!$UM|^pQXKXuhII!^DkDz9LAzr6qv!ga-2* zkBb&~Q+IG5K%h+CykT<%kWV=VU~7;}ZqA8b)8x68A0`QNI3ya84$wQGwbL?JVMJci z!5@H`7p{1on;d1&IfKXz4>oTAd!U`(Aui+>`Oee$#;0e>VlF^DODCgxGkYg z9=x~R_Q{X8Pu%(k?PGuVk@o4^Kh^HK^Un6<<|o?3f&DqDX2MQ=(Z^svC;74`5OP}? zJwPuT-M4RV^js{TYwZnhczv^_+?+-HOee!T6ZOtCeC$cjE{Bhz+)rUe{0?mkxkcj_ zw=`lIH{?bKdCPQ&{m?&~t&SY&w)#&udM^0)vK_MEH_Qt}+qz|2+p}v=Dja|6%vp!M z9}ExTP#Cur4TsyV{Ri6a{rlVA1LJMKrB`tsJbbk63*+DC`^51yjOELhhhaKICk#8f zT)I}PSFcXc1YpK(NrZgTYYs!9UB)CCnb!_wS38uf1G?z?g@^7ia%U`n3P&+crVAI| zVdQZ-o-xL5>=Ib=LU|h9xO6UW3S%+;#$){L5C2Y%gXb9fIlzfz)5x+jey+;81|!*v z|GMAeXtdna(G(BJFj|4^LNvh@97T6>yscijv|YAgZQC2&-6(!|y(2kMdivz4c6Hpp z@wL~r1rR1skX`WrcZZj3=70IBm2K&gu^jSYbXQ$*c^G3DdVtgT_|fpF1|eS)qviod z1B^f1e)o5NJLPcb;NfW0x*;V)DJKFTkB7)k;x+2rvysR*ZCR@pUn04Di})!+Cvo4V z2a|jpu(Kf}!x%Qce&adj_Jjm8MrOFTY# z?0PY|IwNi+=m4LnOOv>{x+9(ep@WAG1*4&}dMLq@2I<(uWZSuYcgEA(p>wZ!%?<6Q zo8A(Q@S*4}+!-G9#`ft?f4u$CCx5Sf>ekYO_KoW`{n{iH6yk(cBB0Wa4f#rgS~7s6%yh zEW#epNS*Fq&J@tJFYEfq7F6lso(E=&(tSl+pM zI2rlpIC4CnJlU-uP4AtDA4Vv>?tFrI*$wO_<-C$A>M)GUbBF0DhcQrI-$(x7_uJm^ z=)GjqI5eP6kPSA{8w%bN93pPFX4r5_*L{>WV+6v&&i-)I2O)mN-(E0!%x@0mgJi~!}@b?fr%<}2fJ%AMmyomgi=b>fI^$F_z~ z1VEfl85vRn;@&YB3`DQz_3aIBx-r0LM|*Pn-iW^tl!ZrSJF;P(S-Hf`vh#UlB>#wq zatm+vG*E<%Fd9h16xKGYXJeNOOacZ-<<8BBnnNQYJMzfl#DDp=laN(<$3PjthHN!z zhA1>)h9T5hH$EDTwK!2n^G3QC-~urqePH}hJOjMEb{JYaWAYUNmSZ(UTi4cGzAJ61C*U}}65|pjMoM%--C?8LDUdRNI0t$zfM*c>}2xd`8lzZ)~97a@<7 zO?b1Bm*Ju8C1r>RANuAOxhsCac6QA}eEDgDI0Tp=OxD)^8dLY4LHt5IJ%zn{cjsY9 zvuAf(@h8Ib-5Q?i$;m@)^4Os$m+^8#D`(q+_#6%Vx@5(YwsJ+JAN(DNM(lvz6QGZB z=GboPT?;Qc8nTeP@~UJFDrY4dg!nrh0BY5bA&g5_Uy}7kzFW6#ZwI5%qzkK8t!|fw 
z?(f*PEqFQ+{Er40pUk?{OVcQED8dtI^Fpsz%wNLtvZ` zLG#4{Ap&e!&NvTS6)9Kr;HaxhF|%$yfw=UX1wuj?NX=7v{4Yff}gO_ohsmm6^-En8$m zTp4yU%4U52z@dX}-@g6Lj>V%#x}}AubAoUpf!j%P-au`M+oI@JTW)puz}|LQcxX#U zmxRYV5`_~ zUL$eO5Qr5h*7}BqwK+DHL=2Op*;fxaS@xIP)1%xPyptzSMAv^J&nuoYEA;8iiI7P& zY$qoI)K0gfhY#hUS7%LFYQ#bpG)zG4_^IP<-@*OSXzj~ogzDZH|GaoUe^&IuqD~Wx z2`=z~w>#xuC@b}$!U%U67dvX}W*uSBUiNpKb zp+kFfgNSY02Z8RvL&4{bZxxVXBuj;BZg04{KHmsiNc>BegF{cmAh-B@fsPVhN+ z@L*m!wi@9KN0`L(j6w6NcGew_-?PGq&YU8*NXHe)^Db?&k%kE_2dC#Mf-rV#z|GR1HO8Kzw$v)Z zMOk>A#$>&R?rhYT)f!#`JLhbaD|f!n4PG=XjxP;R3h#J+cxHxXjKvQkPf2QQfo9-Z zlrew+82PT~m=r4h<@hk2i2PC(8K6YwKaFeGg^wgMjePZ2c*KB9L#FY|I1v?2=b6r< z0rHCsxpddUK<9^TMdhktoZ80L^6!!=qfb ztSt%;HzeGajV)|fZCKORTykk!vcy4DmqagQdGK$@!I{p>+hFc!+rDq2-TlyGZEt{~ zgPW}4NWBYIdF><7lQNDwCk)_ZI11_^!I_>%ne}wYZ8GXfW2s)O&DW@s)A|kTqhUSJ z9*#Wjec-{IboO3H4c3aKi`%kgiz1x&T1EpBpXywrF*p{w8oIP7dUy0=L6nmo51e}u zc0v!>o6Cgh7c;#Khb(Ns=nj-&SGGG-I+G@Y=;F9MyA!!spJ=>BMtSL_m&zue`OUZ~Z*I>8Fz1v^p1Gzq!v%mRSe*_7n3pGyS#bgI zfVzf3myvgmH(fYhwDGmk@Fw~8`8uKSX7X%{k%jFOpZY|5V$)-pKK?Z-S%%s1-Cv~B z@x#mOWPsc!h2$^3r*|0nBmDZ^@!Sp7>#@*b_|=#FW`N8}TqQ5ziq>V*t6B*2l}XD8@t5N6L^680Kib9m#CX*Q7m{TF^d zJmx6(LT68h;YWH-&I5c4Bd>Y$4L`&cy$20uuCWeQkB0p6D9@-@y$oegtyE4U0^Asqdey)I3pf@x4vE60PM)m*nCcQh5R%!PFw5NDr@jMISX&R zb;G)~?aIq9YfHzL=CH~YmtEPezwX-hs%x)puYT1l+f8r1slDgR-_ve<)U(Z`?c-e@A}HNB;wt5*S+o2cih#+k61Ajat|4v)H@298=pUG6-qRq zhGQH*s#jKCvCT85qfQTn`U60=tk{M*((apZWOy}S43 z#Ov35^;foQUvW*l;ng>^(M4nJ@y8#{MtI5mkv1AKUL6h0is*?18{HjJ5f*!}AHn85>=cV`i50pE*4l4o!FBnJ#~M zMje0!1~Hb1?2{p7H$T#v6^8DlH%pjw2|Lf5Cpss*+~YZpoMXNbR(i=p7^VpsVe>(F zB)m`0{pKZuNy8(yVtY59c*nvMvGdNBZDVWV*f^3NdgPt?0;Tv3D1i&$wQ1zBjgPg5 zAATqRv(D1!fEO=F+5Ao(f|OHzy6@iS+>fseCC86LX7bY@;1N%}F6R>i8_T2|7Vjme z8`iIHZ+PA7+lI@p48vR!nTD~;Bl6V~z^k#$+|@{qKsfkw->}hH-PKw1;7%O%%bx;6m&?d`o^`Bm+P8(tgW zxTNjawXZpg`Lu4}oba!Mzj-0w)8RlE6!8AM92(JhM7=nC$%c_dqoY}uoEHtOFq7c{ zAB>*c-tdYiqYTHQS8|$iXt1L04~-wmH_C7huDcvZP z-SkB0&Gzv_?RfMo&ae+Gl6cg`Z1oWmqlUQ-d>YaWAYUM*mm54T8JXWMxnxcArV8VL 
zIc^+)+!0Tvo4D!9!)SmqW%%qp9x?E7z`553p#-bA(ir2)F!9@Kk4hr$^N@IDQZi-< znB8ZP4$QIr8Yo#^u_6FDpM_Ebc;m*-hOqu~=dNABRdj^|5Ek2!7vRXV!{?c1vMF+n zxPbPKyY6WB-g|dE53f7Y>Hs#Lv!D1Arl=3ZMFr3a;_;VV$OwbtR{+|n++s{N)+NvP zEXv~W^`+tceB;-BUHjAD`JL^}Z@a0jU4K=(WbNf``O4@$1OOk8F00`UW9q;*QV2f5 zUdTIcn1FOJ4rWgWKpL4i9^SVVC?ktkMo(dB+qP?W`|$7nUK0YvMA1?+aN1r$U*8B0!i1XsHA+Oqjk_Uz*G6vHbv z{6k*qGpUBBq%P76M zW%<&v0A9=6y2ixzW_9d9Bc~e1?evOmhd0)2>ENleoCo^Rx-t6zOJmlSZRW66$j*eL zqggMz;);knKkQ*?c>3$wp}o7?_@2FO)sp3DbCVHo`@#Kff~-Q0r$c`vo;_H47P5DE z)11_W=|>$lP$AO0Fnaj{a@4T5A9Uxso(gZ`NP==$etI#QWu8l}0!UTssDsb0Y>Xcjtu)rpFo= zFIgP#%HzRDgd7__c<5m8awd#)Urs(P2mrTyDu+Z2_61o!g{M#7aYwu7zPln`7*O!f z>*RlAe;oM;HnI)@5bH|^UTJ{hXJygd%iwuGH;P1_lPTXY(&IU;g5_hNdSN2>)+76@f-eFu6%j?v4_IT4(~V`AIld3i|xZ>K-h3ac*taA1&SU~ zmNh^@55tyvyx5*SJHC^vA%yPuNPy4{L1e=e>1NL$8+D)2z=ym~8yi)xp;w;qiY-C3 z%D`uOra8X9w5?jRE)V-Z8~H!<*rs;Z-S-6;Kh$>Y*qc2CUbQ#U7{;-AC?^)KL)*#Z&L+4Kh(C%y7pM1RCf6ra*fdJ_3+qMQcPb65r{*5;UFu$k0^UJ=htz5CZ ztz5RWEsVy+Dx=9`6JZyV-Q;VOPucX!tVE#~Ci9kzEoxT2Q=dnyTngQesB+A9xJ?r>EUdnOriR1N!VF!?P>qqBh_c^{LAo9*& z(_A1CjCZGYkWzqftocmC=2nj3D2;NjT@h&rWAse|zxs^C$rSanHsdCxYl zKZ*pSo7~AJz2s~|HG+cxHJw(TXz(5Jt(F;$?k*2`>9W;vZ+_gO$eY}a>jw}-eW}B4vxh{KIrQhO^A;?5i^eBB z#oRg{-z`lf1H?m?YL+9sx_axgvM*V_GI|JW+Nw*}wnYI<-X?PILr=6%f9C$SY0J(w ze%Ol-mbA;Rys|A0usnLg8s9TH^dt>y%$@k>C8*xNCvR)t)t~x375Z%qSTBLTcoWLj zEl;%j@4c%%`p84=$?#Z@j2}oqe9iUOx7XkB+IIabU)3(XbWI*+wEy6tJd?$)IJ&{p z&F%T2Z-7ICp4;U^V(P`3eRg8&d~R}yJb|gnRE?2g!7Hw~yzLC|btd=f)z;|G2}fmd zyXLAZ+wMJk+Tm!#4~J~`9zN10qtVM3yK)**FV(+^#b8IhM46`}%>eQR66500%$x0P z5XWRhn2Y)2zHX;Q>yDjVv3x}?2}+O+C6$*Y zWp+9_Z+G>jDs3GwQIE*&TmR%AZ$JC9|0F)YIlSLBA*=A9 zB7ZW<$+yVF`3i*Lg`*CoKN~>0WZ9~=>4~k)K{#ivO%CwY@G*D>nY$T-XP&h+yS&R0 zudv1=+xZV z!c1nJc?$|~U3dAFZS7^3$HN6}$KJi|w!7|bw}0lIwsY5kkcDNBOC#LMNau9(&b_6} zm$mC&d2Q;UMt9-DvCtWHI49Rx6R2So4WkCm+q8kA%_n4k>`0X1Xw*-{J$`h&?c1}X z?by1pJ@U}q?beTeI1h(kxpH|limTeCYuB|`T=(ksp7(xLyY^MDjvmZtyYs$#bLm+m z8aHJUUy z9i1Z{mMbc{8z4VFc*wwm>kjwveCqv-{s-e@LYJRqtSg8 
z#?rU3@N8;5wetk5wunb<&Z3b#O7#Eyzh7%Rckf6~O8&aNCKkb+uDf%2)t+G+GyNtj zqrJ$o;*nRFD+R&~o&Uj0^5$so_glAqZF~LeU)R3x2fnX;%Qt^Zb55>p(i*m0#LuJU z?F8u!WWrJQI@iIgnlyBmUUEr$^0CJg6ak(=!w_MX)t2zCE6fAafEm_^9>l5e+{2R= z-`et}WAoa>58Tlnd+eTwcQVIBy-*-uZFB}u82b%52OlZ#08zsv&IFkia+o!*E59iu zXH;0$m&+ET_d-VMsePwjv{XKzVs#r!SC3T=$eP;sTZ(l*@|{( z;#hn5vB%n-ci-C{d30mc)rkNx+r;N)FKYSfr2+6q+wo`!B7=Ox`0m|%Lmx-lrE4|> zU@y!KOB%V*$aWw+PC%IT6>6DF9HU<2SN3EU%!{5IoeHjbtyaNUMdAI6M?z1W8}dh= z_@j3J1NXHZJGMuj(F2H-*KJtWUiXGKw6FX6KbHEo`N^#b*d~R|3uxrE_9vrZFrk{O zV&XH;c1b;CL(Z}uO*>&nD_5?_#>rV6J9h5LL++Q3jfI?MwPo?_c*y#pM;{A5t=pDv z=N)&wQoWF9=ps#x^K_&cK)ygqKn|K8;OgkiC7}#>)ipInX4c&%i+poLD8&4cxHqo@ zF56dimw;;^MkrZ$qG7;c3+YAWQl_}f*1MULUZF_Rro@YvjD^81592=-ifZ^Hf&t@D zUSrS3VR@p~8S^HAb?# zwqslS)&KpgVdw$mq0q|QEm;#Y2uQ{^6M|&qL^B{{n1ol#fO$xbwgLbEplnG*K~&n# zi8cZBwzuBYzV@rWvc2cs?{05@$4%`mZ+=UA$Ctc4-==c+op)-x+VZ8#JHz1;8xG)Y z$5#M07=&y9Z1ezf7$N{ww|lX-oP@{Cn@b9|GQ2NQE@uF@@PYwM*lv1}lam3>^GEWS zQ4>ZF+;?01C4fW`Bu^_@ zY>8J{-BP^x3_c7K=n2vH+Th|{i$GFLyDyioj)v;WYud`ymj+PHX}k9BZ;u54Kk)FQ zZRehSx$JDk%GJ?JSRAr3mK>gM0MYR%|9I51I^q4#kDgMv(_yfu+WrFvgQwHcn^@j1 zzv_y1)zw$GSKsjJc4v6m{0KcUItWymVE4V7oYaum=+f<^j2>e2Laf?JfQ|-a-@ZN3 zgL*8tU_bH1V{ON-9rngQesqy%Kj5{79FFF+2a(d;HULkpizG;sPpSOOT8_9Y<*LP9DIT zr-%nDF0%6;;qq*S0ChlOteN*2#cIwB0LIRF(4FTE^XNVN=CHfBUR;UY@h&taJ99z3+Wr zpX<6`KO0`UP(xEs!*fa_`MCv#KIg0P7Unj!h{0d!*YuJ{!$eccb_W25KMqWU*Smki zd$@^#myEn(-e$Niv+>Wc=tO2*vJs#{hZIW4+G}B%=QXBd5h&ty_Ew((x*34yHQy_H z=7kn^_bwTh^{RjIixKEkL(P&WD=+ z4t_^{)}jC&!?zy11DdeN(KkMcx(MiuE++9mzPej}?j9EMYl{II)gE74{dCP|omw}D zByyYIsy8}h=!f6nexnBfo{-70Drfw3a`ZR8_{zrsCkS!$3XQ!ctikNM4h=^2M4_{l zf$s#ocavYt5__W3?QF{--L(yo`{Bi9WW9O2W6Tl|!HL7aFYb7uN}cV81y2}FL@@ew zvh-q4+-Rd}Khed28hPCJUl_K4m_ik`URKXv9S(^`UXwFDVq{jSD7aq?^U5Y?b9W}3 zi2H`ku=#Tw3w|s(Xy>Z%xsEMFbNcA$XrvQo;Nuz90e54tX$G84I-ZZWY6_$3k6Z3> zw;)(looQ*_Gdl*2WR)q_WX;+hR*J8a5FjQWe{~^Qz~C2x*B5R%q>#w@o3N#AVNSz{ z-yTmey`oZ4&+PR-qoTCkXjDu}H#_WRh%U>!D{y*9c()5NV|03CGKOkAUk1137t7d-pHU&%RLPBX$^I+zS`6g 
zr40(S@-aSS#5voao!1H7g!O(X>Fk}e&^4fjf5~NrkBF;gXTRUFx9mKuV$zf`H-%*l z6B_Bctj?@#h#vaCVaNF;g-G;OBxfHN>=&ssSBxJ1E^=@+1a6=1ulwrQSE;5HKP4Zk z3>vI=_y5+{`?;{E$EMT?Gj$#y72^_^rRmQUBO~d-xjX0S3QtWO%nu)XGBbr_S z)n{w@Z4fz7LoHWU)KFG2hc0;4C4~gGq^gp=xP9 zw)zZwoLt)Q&13A>1faZ6AsXm;u>x4~X^6L~6t;L>Ue1msYC#djU=Pd^pCzrqVf6&)x+VhV_@>l|1c}dK7|B?m_-i6nh z_m6uMhuy4ileS%-vkWn7MGn!GrrHt0XH2cUryxR?(o_byZNyA+LP%_iqyBuR`@$F! zvjM9shakM>LI95q#|T*(1!RddG(zR1Ad9(S7cK?cjIbA3ZD(HKr@Fs(Y~BZ4S2q~Rp#s>Asg?c=aq`i zfs4SC?!b^m&DfQv7Ih4phezyeftT6JW^qb3OJ^;ukAZ6gZcDfBu;KKBh!AVzt(7={ zDP=BPPi0hsNb6$RFjr7uZ51ri2I;(V9TV20j#`1tw_3XQ#qgVpvxh!b&yu8H7h~&d zmw=M)VkK@#x<-pg2ugqcbnK8n3>b>^cU(FG+-8myc`v8<{%KzCVLYDHb9?0(P}=i# zA0+cw%Q1deEo->eFj~d)BRgr$i}Cm%da+#QA#0}z?mQ0`f`L%m%GoLFr4pX z`Z!@ME%lHd&vy)6J@J0G#cpvhnT@nKp?_h5jRUj-q?MMWvt zK^aW|_$(>%a}N-^uI$`7y4lO+^>qFer?0Lt`b~?K?MgiN#CGJ8nhQQ4D8RZ10hO7> z?p2PLkqHhtZUUs{yYidCgJ*RX6Uk=JSWB?jVR9wnMox-@E` zG+VC@Jh!z~8{_LM5m}1~q6*o`3z%tw*FkeRc8cP!B!O_j$ay zwq=?T9x}8+Yp6w;5`vF4i&R&Hd3YOpZH;L3oSQYov-iFhm0vmkqU^O%a&+Agr^IEP zpvIdlU}vKvV4c-?Iz5kOxi8&%09o-TlCvtF{7KNB=$p8NzYPb7s>}nxEj}FbQ-?vr zFLuPHr3hEE-o~`-Hh*TZ<2}S!3_6#sm;mP5J1NncC-`;BF>PxLab`yS)J_JEquxTc z7>wutlq!uC*>E(i@be0)*D5IY=8iF2qk3uUCT)zcU%TB_USGr`LQ_A;cIez0IHs1J zkQ4`PO{q*CJff#%Dw$r1?&BRWLE$%#)xy}vOy5*1lrP=Y!D{XAr|iM^CzgKvOBXWY zpeb!GaI0KWy7W{@OP-QRouN(1nra`*h_lP_fr8)<-* z%LW6HO_`^Nv1MgE%X-A$r@R3{l|p@=FQ!W8bGWFQp$^~no9+W#ME=zx-|eVxou(E! 
zyG$n8%<1~BH_bmw31SYmjbWA^lRZ*)4+0u8kbQ*No{0PHy1%w;zFCQ&j5Q81>%;M` zMg)!XJ=6${OQ%}xj&$Rt?=Vr-*_xW|_(Dn42nqN$+x=;X2{{@ZRrTBsm_XN-l;C@m zo}&6{_--&z*Bp)>-&)1{jC>grrcC@flIK{6gq%)e_%zSdgdvnt(iwctTFzh+Qb>(} z%NoyQd<<)4vLxF8&DYvkk_Gb_SBmTh!@PSKt2Kh$^Hgk(mE0?aR=0RE9xcD*Pg5!E zNJI|_1z0&NM8iS~^Imoax(FeEo^{N zGZ6<*)v>m*c1=2rjs_cMtC3KXOliIec}xnP`aum|3P2r6uQ^N=Yy_P)pI|3Qa4b+VvIyz4Uyaw{8y7@0GO*Ld=tGSF7Tb~drxZmtgOCH6eT*6m1W#x5tFqm-Vwm*})biTj1BxXN5E(Z1yl0SXJNRC*H9d1_$%`Fs-^UO_2 zO}9FEIxO&}Ihz0TuY^d(tcS9%>vX$eI zGvpBCe`Y1mbO{;hmt5PTk3Jd2IU2#Y8X2CBEgIH+)dMVUyYYbxjHHbA=ps#U92Py% zvz%eLfIdZ|k!2ZRo5jx%zC=8nk2W7-R3l+3(+1;YEcE0Rb7~IY^#PS9-lRlyPzS-7 zmu4#YbarJm4_QYDc*ccfzc)ER-!a`9;?b6&xbT8<7j)t>9;WisJHOfJSct`3u#>~Q z_HW+kWBHmD7lX`cMp5bfbpY0;4qKj0zI)jEDmSl*kJ!5ld3 z){@D{ygC@7i-?)_eLAoVT2s+2{b|%$bw+%Trk%sOZ`9V>=+wem*8e9k0Vy+=S|U6$5q=+R#FZLOd}#;b2P zw|vYb^uSC|W^*Vg-OSunM2OJYO29Qz_=#8oWgi9DcPn_3iiyRo+NXD)=|g1;l70ZC z%$Y-$914{XH?yC4J*|-Of8+&GpVleyH@w2xKZ)5aL|u}+%m{9M{6}reQEnkm`a*w-`bko&Hi$rJc{P ziY+MMD4w?KzV28FCN9t52Rd5#L*vL@=`4Z)Kf9=b${WfNqXO}yRbZ!Vg_M*qMMrMzf+!DSL;B&B^70S{QShLgBFDm1a& zsK;L%{Ls!BoMQ}i@!Xs%BW~n$$dgEdd#^e6^tw7O_x&)zu^FcHp%7Ce|E0H(Zu!_7 zwX!ctg(IR}cts3VVpF>&`38=ZQDOak3rKbQv}3uEy8eg4e;l#ACPP_1I2ow06`oSR zfxp3e0m>cIr|K85;pHbqoP{&aFFdfx0pg9uWDU7aRnPa^2?@)i|88v{B&i#{uRePn zq_j3S@1K@`x0x!ny(Zry7jUx&ey(wyj~0`41j(O$mZr)I#lt86K8hD4`jIo-W6?9f z)0R^(hCqIYLa#}UB?c(TFfPcaAZNM$K0a6L%*sh9BMfXA$U?-tOf6tk$9Ll3E4IaI zP%cvSzB%gd?V0D+_TN!v%KqurtE(bZbHkpx)P`h9Now@}U>*$|%)-cov!H4zm)bH$ zrUrlc-^;M={O1}s)o}q&yQ5B`aT3=}B1wxj=&4LIFsUT$FO?pakWkDxe8qJ<%25RC z0qD!|ObWX4D6Ktj<2?K9z`s(Csk-_zz2idjKf(Vl1k=Wm%56Q}T>C5nFogf+CPo;i zBp0?9H6EvcI{@_~d6|1;FCUR7Vt3NCecEUR*4jTL8ec6kHX=4=>U34N3kD9xRi@VR z)PuqyJ)xc2#J(>m*0f&ewZOs1nrF=%Tub!6ugw3vs{9^QICM?W13^7Ijx71^sG7Tf z(SIm-s);#Op8At1i3EBaLbs51ky4Twgms9p>*E~no#QuM($uc~2^{HbFW1l&UY#P6 zG|Y;T1tPs_wD|S>`n8kexX4H_5<}DLNiZz`i%O6(V>kZH z5cNjP$}x_yq2AJhz-nLxpOrQ%`G9`J!C>8dYoyYO&r(r98Rd9x=w90oDEp+MH2*h0 z;!BMrk@wERo0Jffk&G?2OtA*ZDVWv{Xqs*l7&yqdm;Fpz(Dwvxmq*9^Eo-PJgArD9c 
zE41{F6imRkSFYgO5K_rAsDDPIT=gEBe$3f)EBLp_&!WA!hQWaVfPIaJ-_Y%xf1As^PSRnStL)d-I(fmMjK2&jlFH&#(CC&y_Kg z*G?Aq%(+e*Q5YRoZhVwTXoIWTpF6z0&uBlYGZ`7H`+igcIFv-Ex#ps4r_1fj8_)jM zxeY%X_SzSl`wMrpnXd!u{%eQiS$HpK_WyBnS$zX=-co?9Fwm#xm()At@iq%?fLD`@ zifjlO$6S4$l1dkLE0Oia|Fx99B2!ezPHqrY0f zo2*3qQ-O%oT9c$}7l-bPN191d_5gR3ffO}!g+T;U$ROoo{@$N>+^YHj3+uT_nCJT6 zI_|b^eEKl@eSlRP{{$kWjc#Sk;7j3rZv_r@zLB6tikGjn3pa?su-m!kb$dX;OBp09 zw6uI*e%4+<>lCAXuySo{_$hEqRMs$ec_6IoVpzLs@HsX~7pIPpjOiib1k$wgx7fLP zAL(;F7maQ@Ho>4Z>};-A8yvUEs=vY1aFz#C$|IcwMwC>)B!p1@(ADqQWwNlxc}Y;l zhM`%f9!viPa;!l^oSeNb+OIL6`%#pHxq`i~*F1TrXc==}CNI697+MM7W@%xz+~JUH z>Z1vAhkxz<>)kxT$`GMftvnwMKwh&TXP^rnztJ;Ia!rQ`g=#0bMf=N7s}O2DS{Jqz zq~5rE773{UPx8$8*# zJLf|#i;RwDdDyUP$ZVB$ccP37cdOMk_EQ6PIb*s4#9$Bnp~$5T#8G3xEx5a*6Fi#} zR_8mp=XROTj&);-I7V-~BONW9Hrom3&bIbhVtO_l{15(Uhj?$)gvB<5t$`c`2CRXv z1%~waKc=Yb1?Q|}4^|T{X8cfEG(FohAV+l7)OI2mR5Z?k67k#W zTwmpa{SYBgU3q9(VmQ^n%SQjh4yZ?B_FDiEN z+M=r6P#LG`KU`2{@-4fPhtUg!HRp?de$jaPcqIW9N;4}jqj556fiH3+mYw=n!aGq6 zmX_WES0kukp_6+e@BVxfi>WV+ z?_d05sWA(6t0OJmteaGcsg<;JuUR)kfzboG;L|F0@X-yHy6Bt2nolLWT^AmFj{#l1 z@%-CUSgN$mNv8IcfKqF-2kdd}GMlcBp*9&?n4$mU&DO$glgM-D_&QO;z6TzpQ&b%_ z!cX!nRiF=++G}5|{rZWXTc@inhxbySu7;pFli1hO=>Db$TC|uik4>k`^b*XbR|G?E z@GiQeuS4$0)R^}7o{l%}q}gEqAE0D7pncng`cCb1kJ!+5S>q;5&e0Jk^(7utbYV3`#R>Sx`uM^NMDracch2IWzYL|u_ecs2R|EtZ%`DAc zntTAK7#>mzEmaXi(Kb_>(qOoC9q3kbYuegF{Jjj z?2&^U1N0D##WiD3`!l+Ti)`4BPdIQvt4%g#%n+O|=Z-_rT@uGDCMwEtuFH;?Ci z6DPzWo;6$QE^KaZnfapYr0w?}ncJhU#x`Ura{cFF~@PDog$+ppA4xa!-|HQqNB!nmovFQ$y`y7;MPTMZz z9R6X~Tl$l>*dGD_iT7ko*toi`emo~&@MNiFA#1NJ(h#B$cp9qR28PZ|Rc8PCzRvTz4xP1x#G}xhSK{8;cIUyNd>ShSgGqEw`)NCuw2dN~ z0Lk~hM}H6tE)9>pvW>sE`{A#Iu?6n?SoI8a}?LizYPN@Gx zTrTardj-7_AUf84EcAgj0qB@F%ltw8PbU+%F-AywDX!Nn?{I(p^OrT#x4{(d&@FRc z+@xS)9K|k1xqm>vy`w{KPAm{M=oBBQY;`_axrLOZWnF&CJN-Z~Kh8Sz)ucPe0UWz$ zri$z0+^u{w^*{qe)=|9=JOA^5QBsND_(+tg=XXr6aIag{#{%--nP%SSnJ{HMdf>#K6^A-g^zK`UFRL!i)Tl&IIoTlz z+tByp4m@M`OKLQBd&efFq?Hdo90nTQOn@!U0=*$-^OW-5oNXQ}Gx2p_*PlrS#fR>{ 
zQ8GMd5Dd0^Ba>cHJID5j<&=fgHc{M5<3x#`y;WUy=P1KK4W-EBbjl-xwk@l*V;_6S zXLTJzI=2;0icY^D%Cb488Mf}lO;pd2nI#Lo;fyAqo18XUy1OC2IXx@CTW_@~_gXBT zOE+@B9b~YldcoRFSA*m^cc*M1JZU4yres zQiG=px3F1pov~-M<2at@s6)`iQ073pIvV9@HI^Y# zBmJa;-f7G2I5S;ds}hIcqCZn(?DH?d)Svq@s9&^(&5CBZD=!85D-CQ+Vp!zTP}5jY z6(|7Einanlx{)Nd;>Cd9WuHFvDPOV@F@p-%@!93d}y6F=IS#OQRl44kZl{r>l~tC+$zI z7m$Z0mEH zcWTQK>yBA))IMnMcBNMw)=b!g7rTMgDlO=iHP%GUZPPg=6I>QENF!B$2o>VfgSk0A zfwlOJzHGLKZ*iV5RgnHupSsx9A7ME^};2!hrHH5>GyBZ6qVwX{L^4!zj79@!&E+OH?j~~-=C)mhLMQ1OjwkaoSbLrCja06v zrDN@0#15kQ@8Cr-6D!opKub$lpmGi@AZC;u)vlueVY5D~?@%dd)e#G#;X)h_eUY{vwZ4#jLTPLTfBIuhU>{UOLedrLR{7|-M>G__{RX61LTtb0lp1VDnmfr6&TNAC0X@fw z#${;_6-6X1gvN4wLh*u=3p$$It!_-nEFjs16OAr}+LBKt0fSAhR^%qrkNdQ-cCtiW zqd&bkdk&ZNkm>fNrN_3Ux`J~J!}J89Tx6TSYN?;;8efKkt~-^;2#Yp}zMJxiQ8SUW zoEqvFQuf5MH32o;XG$`JNdKtqrq2f@N34b zP)$*iN$N$C^mn1=S^VD+`AAC-@9&7?hebzh23H@IegRGMR)oE{dp$5XK{!?N_y1C7 z(T7K~=q;0y<|CEXI-d!5KR>Mf0b{ADzU;kfx}OXD1qcqyoN=+Ace%E&?LD|Cb@RSw z2ixBLsl!Ss&f0v8>>6d-7A48E6{=}!11SsV-#~s9Zs2ogNzurQO79F_z}S@(rf~rt zWprY#u@;e1B4wFTKP?@FEgr+a@mTgAUz9DM3_cD3j%<(0?S_lyLFrqxoI*e0c-bT- zO@FbIDR6na>ip^-J=X)z-Tc|;vK0L4D5-LT#tOqqQ$x=l$}wW8-Nob;Rg;Xu7qq%A zM)RwRxeeoAkws=esRj+M|7ofT%;AowRe&kMx4EV-1Kx`fH)j6 zq8OYs6}W>_cHoZ<{AK!0gI`K3phqeRP9##}^z@YpySB-l9I=C+>shnn2&?VHZ`-j{ob$RA>%nS{l=eb%c( z69t-3yk8zD9T#o|pcJLNJ(GtkfZI3I)lmZA)!C?W%=DPBIK9Gv$-=PO(?Y+|!FT=` z3!u9|`q-TndJ1Dgy!D%GZ?EcPS6xEoqw0J@$u{5r=oPaAV_OwaXvHK2+|tl+*E%yz zTy9`cUv-(Jv)%IdhePJ&Cr(v0WWS3X-SUx^%7IB{sH099Pn;RJTK+DSw&H<9ugOl}^vJG(#4puFS^|+f4M9(BQ%_BqY zZ3@rrZ6oF&(oQDI*lrtPj%B3)qEEuNBfjeuq$?Q{EUp22Ek;Z;^k|dqL|Nm-iG>k{ zpl?e^Cc3Ii#_uG-Xjk!1Ig?zp3rSe22$WG(cjh0OTf*TJ9p%u-Lqs(Vzm|9cibI8_%MumCZHLuy_agQk*$ zfPAFo9`F8Te$rxRqGJ4!GZK>#=}q-LZLAxx7U5a{7y-~mgk*1~f2ag#{L2$p3es7V z3BQos6Y9A@>xG|Z#Af9fEniIqANmz`$*P1crgSy@Yjo-KZ&IUKT)krQi*&&$Gm(^} zdGrg0Q_xzk+(M<_D5=hDv9gVq;!Qds83N#sseyc8G0e;$PAFOPqu|#hvyc=nj7)#0 zn6WxNByPW;uGC4VV_~&yYyV(PN0^R)q9uX^{|5pflEwMxh2z8)cOe+o^CW5!Ph-1q zdZ3t65?Ge;BsRuA_Y|CrU|s#}6}EHHwx 
zb@n+qeFdd74g)j32bj%%&d7)a1`Jb;zXRf4tors=!=-n2sEjeX(fdZdxtdw)!g%YM z(T$kQ-1=1O?tI6AM4?t^kDl8bU>1);v@ZV3lHV=k+pL=ppVtqL2KAkYSx}hztZ}BW zT8Qg3f4{7%P-bNz(*O-#92uv$e}mp*Y;G)1M=KK+V|!fKPlGqhjQAtrorkUW=l6FQ zTyuhQH|=-VA}7brTg24s86)06pLP)*kIjIGD&KnCZ&f{ah<7CJO0s?SQBU0EdN%Lm zv)obelS{3pBU@l~$pB*QyCUz<%_~Uh_GOM5}E|0RI zHkx0q&oE8AF*A#n%2~H=(F@#SAyyY>A75Q>`<&62Pn(-4XQga@{HL29OMoVh@pQdUX zIhD+kxYBFw_05x-J3IBGf=9|dNil2!p1%qvflIy5kbNA6x>g{U`FFNA zo8WXG%yZvp_bwc4hqO}k=RXjbZ1kQwV?6+ z)wCr&++Z2$buf%|krK6;0zDYmA&$8|Ll4#@x&Auj$?RqE14Z45mV2nRWVqGy?N|;b z?{kQPhDU=Z{x^np^9lNzum*o}w-a)UcT-DO`j=k6kauS=7$J*yMe_>Qs`Y+j=_Vb2 z#uT@u^@y=`4C|J7zF}{TN5^_U-+DXmfzabTz!Jqz7S_*U_h(BZ*FINU%5rnQ7omO< z)S;{I4zg|%{Kokk*5aMnq;UECwgqnU@t>FuD$v{$`W+G;!#w5vSEXBzrRU{tLhlcG z5X~BL_s4Qs7UwNuYoyQpb~JAPoSokxmuys0q>gr-x8?47?|*^LvOI{-&;9PtVSZtao=d5%-sJS-;7CTmCm10hq|OLLN!@=6?@Jjxh2Q z#PBDZ@F@1_+|6(LJ9@kakX(Gac>2C`7sDh;F>-2ozn68(B)IQo05WV_%lu~VF{nR> zjiyJ)JRlqAZQRH1rnX+t-anOje?v`r%nC*#@B6vc*Jr-QTHCW} z+Q3;Y1f|6oF6h!;J<&ZWgT~{;eNW<3A8{+QbS$&kQhVlpH?q|4jXWt3&*zE&;4PQA zP#iF7*1KcPDmG;l9#0$l-EQW|4FzJFQOpMt=f$;IH~m?v(DKHeziy|Kx|XT_rhZ%a zZB$lB*J(qvD^}~5{0ZW88J2Ysh7VnFI^7ny32u#b@}6!&CMk&i%pj#a!KvLEY}p&c zOgs+h34tf+UW)#>xEv_I!McMkHWv1TjfKkHtek~o;pofNOvVnLt0d#gB)17Q@qCcn zMLYS13~5Z`?qI*Ws~@%xQipZ*+LQs7!57)to1^6}0_FPPhXh*`^xoSkzSdaSly?s1 zJqY7qS^bS2G53}j6(qFD_e9xGWL+A?+*&Wferv6|j>dUJU~Yx$Ku2hP<5N!j(xs~c z0$H6rl&5(7->}B0+Fa=2%(e#-&dZ!HB(#AeG357$&YTtqXLfp<(LAX z;a5N&)(5NdBi+OVNeRK8HkBuQ&{4b~&H16^Vh$;4(jQx~(K{h06#c%Rr zh@|-fJCjT#(nUF{<*D3PW5F%78O!x&^?`=F)7HD`ZLQO&N&DZQXmgo36TIPHwojWi zJ`(Uk?P^54aR-mJ*29*3>jm)pR)2Bxja%IRC+%EAPy5|YJKsR)xFM->cPKgN5)S(T zM%?dMT$n88;|*5cYOGQr$*E|^7zvMU}jJSbrKijop(EOaHEdRJGlrb3<);y z!HrDP4KVM=Kae|7kV`Z}|95Hn`KSY)2({X$-lQ0W@6Ds!3{N~y#V!5TQ+?;XS*9OC z)_qG?Q!rnnTpf~RXG{p@Xj~{Vxrw6bp2^_pPqr<;qeRxs8 zkN_ljkI4H3f0qTb{I*nIIryuFR^v3MR9smT8~)(F|2vAq%Pub2BS}<) zPdu6Lk@n45K%K?~$|v2{nLbyv>`tZiL}l}}0aHiJk$aZ*(O6*%+z`=KoW$vIQ+R)p zHMgE(eD^PZOuQ*3lAZUU8s~<-5%RwQ0!R*%9-M##^P}=^`?DE3`L4rv- 
z4{6ZmqP212uRD8;O+8Zm_F`@;GayxsIh?c+S8aoVT`6HNOe3yLV?|rw$W>BS0Km|~ ztXIe4LPSj8@fykC@lf0RHD#86*LZbKxU;MY-VJ2*@iJbLY6z;{UNH=#=esff5VZJs zWI_uYzn*?j`=iH61mnf&{}##cmG(|;!-q|iQ=^k+^>=7uHR0Iq#d@(8`dTy>d)0KA3kIW=$H2uBebIh^ZqJc#y6#;{DACV?F zkIShlzO4KvjufH05P}l#J@zG0K51G4Eg9cV8mmF?uyaXk!wBs%Hur1J{(CVaK+RT)CoHk??olwC zwnO=EJ##N+ch6l41`^6XhvnQwGA2|HdTxFnx)C$-ZNUtU5-SLgXBBig^R#h4H$(N$ z4LS5OyXRRF#sb{5f{T;rI#KaZMpBhikXS2}pqWu1}RaW$JDyPqT4?|qf3#DK zp&(;%qnuk1N`fCvBML*lUwL?{Pi>+;DOi)FlU!A$X468yx$UU2?+nJ6;y%%(H;A)r z%N^*%!!$=$_6a9^jU03CA^10-$qNE(kUk>cqxV=6To+Jf8499ZYL@jISf*!fPpLVa zFI?5D|5L}Lg7CETpf2z8*;dhJ@aYf-Cc((t#*@i>L)N)TFB40&M4w>(z(Y`Mh{RX$ z)oy!a^U0MEwQ=J*nt1ayv_T+4VnAyp4<&wA7!Q-64$0`EE!eSw(DhXR8F*^Y|68Dm zzESY09|k>mlR7>$wQcAR4n{xVQHAlg2%Gx>Y z(D|Xqy~ROx*GTKWrCzaf#nAV>^Y@>QhLBEDxpI~IKM=Qfx>wp`mlwr0&!voI%Vb-} zfh}?wy7!kKK~v60SBT*9nk$bh*^F<&yD64`v1a z)%erUFXK9EUN0&eXE+vV-y?U<^EJyA%_lZ#?-9B(C)h@j1_nLf?-I)nz4DY&rJWEf zAkIV>6;x@Ro_LQd;+RvfO$wi(nwTQdZ;H$BcFISNNtpmB5Wq&Su=?mPU@(yByRi2O zs+uin&z8VG-yzz6T@k|_?EZPUn*eWnHtv~R`a`IOhxSPMWmr%P?eTohg~q%Kx1T0b)1{MpC^Y^ z;A?ylGFy-P>!qxwCV)_|i+{L+LCu?v*>8WTonoUS1pR3c?K;{&0L!OW4D$xys0Sh) z*Zk4lXfj)hX;Z1yx4N%qx?NKl7K z4Wo?VDcGvw56b6uugJeCKz+ zbf03$>6K6c3N8l^V9I-xu99G&8%|4)gru6d3x7qRk5kJJcAg~WtjXoWv+#S_eg&hq z5;yTt-d(4Ra&J8$pX|2B=)Hdmz`Ym=51hW}eRQU@Pn z0G6(!5p%LHSS;8>eSJUO=L@`D{D-3m=@Mw6c+5uZIEnN3F`X#8IdEM26kI z?qfNTS>S5*WqiYxj$eNH`13{Q)}LhWW1vKV_LxBGTc`KBou52ejka4O$Y_C7)}u3m z%oNB%(BY=9sr))S`rvN=!0vwqku9C1RtGn2;ZTHizbf$J*>siK$0~)@6ZAl}sh1>6 zn3tCO4h83fwxWYy9DsAG*yW5-#fQ&#EqymEF)iUo8>Z!6TulCIY)tB%RvE7qc^-DA zJM%;Z!hPKPNO2^#6x}sfx@nOS9GM@L0y182{Np$J8Gg8s9=$GLcu=ezH}3S4>_ckg zq^V?L>dQYhAHKaYUE5Y0e*Qu4aM!$4>VX=Ns^it(gMUUcdFzT$$yVJIozFcyhFR)o z9lYgTuTIU2Kx7B)q3>@7{VoOM9*CH4{e16{2xIrL=FYvQqLh!VZ9IJa;mCEdndfRF z-F~D7C)hiW-MFxlG)qb8+qk=W<@wR=fAbh7mi-8)R!Lb_ao@{Kq|GrlZV4L=^1;aC z$RsI(FCYb0@NjduA36GJWNjr;0=RyLp4av}8O>-3$pX*US^N^Zh!5~iGES9Ycg}(o z(sry6R^SO8K#vVBGoih0bOo@4A`MV{XrM<|zHm|&@zRLB4wp-1$EY&E$GI0S6^-0I1?B--Jy>&9~z&tO*$IF8=(Vwp~!jUcf 
diff --git a/education/windows/images/teacher-get-app.PNG b/education/windows/images/teacher-get-app.PNG new file mode 100644 index 0000000000000000000000000000000000000000..329607edb9f0aa65065e4a20e2c19742bbd6b128 GIT binary patch literal 103443
zDjU*Yz{KWnJE6hnD8G{dxKRe=$g!iu&cSY@Zn<(&vsHt&RA3+aM{IB0Dkucs&3DOG6cHH`~!_wZi@MwZoZz zE5sdBWv;%#!72B&cZQqwAv?-S^X-(MYJCm}!3v$i>sHhk3`s_IQLhP()cVDYEYGJY zM8aOT16Ec0%spt`23ah~nuU(vX>wMX9uq6ksyC7Gb^`puc1ApDs!DS;H$NuFdm2!) z3Gv?u0r=Y2z80VV;vd9kzxc)YXaDkF#y|MY-;6JQ`418VWUI~@f77oKAw@3AXfINo zjb3S1g++**58Xv*PZnd;HHy%N$<3~A)F6&ryc#vAj!-vUevVItPR632W`ZmYuTg2l zMrS>qd;Uon4(w>|Fe{A;q1Oj-&>J9_G$@{vHI>ClR7y`1%(P?mkGcsq=}eEBl>o_o zuBarF>h+JaQ|YwVVMz6u(deDcqR**iqdJ^EsXSBmb#hvzg+jIjmTIv@>N~1B?SPAn z)@`EC0FyEp1Q2oW1>2JyI&!bummQPpxqy>e0iS{-N$2+k!0E1aMwwJ$J1xp&El$Rx z>=0DxjW1_FQP$Rv0Ao4VRV@`^qSt0i&yeM#M}p@Bu{j;5wm$Qvzpd#vpH`=u%LxFV z-W#wsRdXttw3Dz?(z!4`cRHZ60kr97N~a+BAvpF+r&%_1n5{J~YHo0S0#sz`L{rOT zqKlD?Sn~tX(*c~E!u*{KK%K2^T_zqo8}30f@jl~D=1+3YEOXwQni1t-S!u5fHKa=E zTm)5Jmh=!g=pD!U)^^;u@no#7ZY1M$f%5UNAA5VdF+?j_%<0HT{H3jpT-bVRV<$G( zcaRSkY1xdeoh`^g3m|S~`D$ktgdaZIjef6Bhj9|R3{J?cfGQrE!3mA?wcB5hfAKH>N&JI<@b}|4|M73d@BFKO760Qu z{D<-RFMTQ1;}j5jRy$K|X*!SRe(E$t8H}UG3WY4~(W8g)$}6vAgHKi121$daDbmPM z%Lw+|`8>j=vYzwKx!3lRbIb)RQn$6a71yp^M)+VgvMT{YSC#W#-9|ryY1u$kzky2x zlncCAmDt8TL@jeqBmGi!CF;Y7ggJlb$i9pT>E77bApUAD=IqX&Zi*+<9-#Wk24&01 zf(f!m3()-ftjtY&Y?@2}Cc#V7f;Lxea;DbBr3K5}1dlRI#?SM%CCvgdZ95(dIhQmP zVfdbIS2Ex8_pGh9=>*MFnK71A7?YjK5`Bc+foXOknnK<**ATL5mF9s&YH4>gx4d>F25a)#V=rQv@SHs!T7ovnm})vR2ciDDv*KfATj) zzPraqX$o>nnVp?W+0m)4_qw|Dp_O>2vPcK1H^AoBR<5JEPUltEgTu~`I??k%jjK%^ zv^%TOSzRM<&8!>iPjgZ6!5+q=-NQIOIz~2S@OGAZzvwfohB70*;%}YOVcs5tL-~Bq z9tjEv=wv#G{r!9C-*|ZN2$nXa4V)!=`v-sT@5O)r8~d>tBz1ckdJ#u`$cSXmBzd=kRw> zo7Yfx=IaK6r!XS{Hyz@MQoVsJ^*pvm2P1I zB5}%cPhmZJ8pu$Sbxp^~KxCSNL|H(D^a+jxN5h?9kZT5H!xKzZsf#T&Sv4%$dvjhs zalAQmi+rp03Lu(8WN50TK4&blXh-vHu=lrO>#3X3T3wB1rxlG=_vuG_p>w7D$*@17bFIfyPdpiycDB=1Zf|!l&0M;7wHh0-xqS_lyn`&zQO)%q zRi?&tY*PTY$2r~9=5%CzSZz0kgKkV^+0?ru{fK0&ZLE_HNA~$aopxcvZ`^$ddmSJf zRDeW)U^Q3~#oNL001N&-4K;5b@9kV#j|3MQ84M1o>;)`sHTP-XMmTo1w-SI3kM`rv z8+QQ8*W&Y^|5AMJv%ep|^E;o7fBaAWMf{WB{%7%pFMb&z8>Q=!_NZGoo`~x=Ze+uA zHce@JND-gT;8C5oAvlO2;N(CTjo+ozvK8{rolmthJ^AF-XttJPICOCdKyw5mL*36E 
zRs|{I&k^Kgj;f=M>bmHJ>K=dq8+6CfwYAj*hHTKJYYwv$v}7Ryu@3gC-h!95L2Z=+ zo1mh3Lgtv8>k0S(wvE-at3D@S(THUlIctkQI}ln+Uh{q4>z@EAQxcp!C$Ollns!;E z;3C_x&82&dv5^~apnlO zws;q!(X2qdtkm*dIeUyc&OtBJ#0#}d@KW#>hEJaL3GHmHrJZ*j*<9^3)5fkHKFvif z2j1MRRg)C*MdmC67l6r`Zj}Aj`g+{F`9!R*tpjddRQo+T6SS1mO02fsbz+S;R*APw z{f{9Md&t`n*YyR~?QBGuo<^gp+Z=#986tG-s3t(y2eIdDm_&0ITxKsT9_ix+}>Z zi+XLZ`qE1;#?O7`Q}N7G*HiceH;I&jys^HK%tKZuAQ)^sCQX+dRYikfDp2O4#XRRV zL1i==#M4hd5l=pG3xRja9t;-2(}pQfXpd4=wudhZ8`~JULuO>dC!GSRtI<2+@03TG zmu2L=r!b{%x10CYVK|PU3(!8Vle=zHsjAZeRO?r1fNO13&xZ5j-A09U@V;bfykB+M z=bcW8UIn80fX zVmYcM2)x#|c5z+AWbV%1O8;NvguD0*Sg1a-GE+M#K~&j8j4UgjcQDE_(KPbft9Rnw zy*)a)DkR_%fVrI=-QiIewmBjXW6J3?u3p`a>zB9V^411%QGeq;toMX>&f;ta7(2+M zyWH?N=F=hXIE&7zYxuT!9xVo0PR38%xpo9#PJ&|O1eSy2ID)B~KkFsUKALE38|TN{ z+q2=~{Ke<@GkmuXG}aQah4ZZj4?!&%!uL6Nd`syyUo<*}bnEhsc<$wo#EmCkh^;F( zVr_j3A#RjH<(>tq*&MZJF&m`YiTk2|>JuN2pZ)2d$d%rcp(z-=`+{L<>+^&I8bx3L z2hQ8*93Zl>xPQK&dg65&M*%5rg|+IQ^ogJNXp~t$Wl`lENFlv?5ojwDn4D9eY$So8 z3NtF8=_vaM5LLJx1ac5!?i}vvg2w0Co!Sr)Zqlgxiom2fKwnN9*myYRg0rtCG$sH_ zz&I(u;gJJ4G-Ps@dA0!=kMSkb6l{5qE7&_@$c3U!i$LwbjdkEO&@^rEtN@_BGnd4( zqamNp{hp$NQmU!K%C2Q-4cN`4txaw_%c-2XAc<&r0j60-r5-d}2rL|3Y%S}gG(DX094c4fScx8Kd$D`akA8O=qoJK`(I~RX_zYl}u2#C7Q9ma` z7%Sz!v(}9D7WrOGVlnALD#rP}K|NjBZpT)u8uQU{F03-s4ZEnW0){Lr?VdDR2XN946qaJEagh-h19p{m9k_2jaU&hO z_4U)iK9^`C4%wkDRx%+O;l#y+VK*MCi{;$~OsEFw9zdkc(VZ{#4iLNbk8SW;)Lwv8 zc9c^%5pCiX=+HXI4?Lk0$^xz@&t}PSr z;{^_s_?(>s7m{)Msp-M85$t52%7E{5XHe@z_NvE(0JsdBlo{rHe9FqHs;c~+clD(l zSRnvOIgq1QfQ!eN*Wtj`#rnx|wR5K+kRCg5%{ybR_mL%jC4g#ju-<%+b!MIfkSrt8 z)Fd5Ob}r?Bnt9haqNj*kypS`im(IY>)Imz*f^26!@WryWTpSQvS!n^lopAc|m%n;D z?%sctCWP(n^<<(esPXLv>7Wd{dk4`w+^6182(qKuOj~vm1Je0U?fC~Ctc&cJ zk=K6%L*7O3`NRPud^h3ZcNi7M=~b}#vpp# z;~3G4o(M3gIlAf8!Go))L=A+%Mo4id%N1<+LM15jk!ArM(${ zTOgGQ3w8pp4deYUzYte0U&_wG_c-!Cp_k9KPXT7_feNU-yDDeSXyVU>L}XNHKjnqG zObKkMauYvo9#8<7+kmVi{N&BDAff~`eIqpyB!CllXRVVA$sIFYq}maF>sIg*NOOgL z(k`InTzT_HdS!(+7zdzo6F>7oIoWtjhYcz7PP%f`+XhC*F&UE&>&B7uIjo4rXg8T| 
zYJi4=EHd&o>A!qwJ6?bNHqRE;U<3yuwUg?`WjbWYPVKcZ%A5s{Tu{c22+c&FXQDk% zSw#Kc^&9vd$xv1)EHzm6{0Ht|Jb}6u?A1?XG_(^SQNk+~^ zrx~wxHh5>5W#(=Rt`?PSbLoVn9oK!#_J%2{W z1;e1Tbx$weDcJH-_d&aSX)B(3@(J3>l@vJhUiK1O&5q7$G2fC0J5<|6p8O`q4+2ws zXQ`8K4O9N8;PW2V%b%#@qR=l2;*Se?A7Od9&i~a^v3k9OINW~_#|QUfc(@k}*hEF) z0UQ_OVa#A3)9w+yH9$gi$03iZof)H6SU78ogf8kb_?c7&L5xWh;OUy!p3Fm5&_I;Wk1eN zQD{|fwcSl+l@5aG^i3nEt)fcudI8rFf9KH)q&6n2UuG(3=j<2MHuw717dNMf0swgv zjivY~k}p5cS-Gt5ga+u8QlOVK5d>D_ACHm^I?$9r4@1*d3DVQK2%t_4b#uBUfK#_1 zRc$U4a-sylS_kBB(P$5k4oLGj%>epKy6&hzZ5qs+!kkO@@#l14r=aWVvv+t1pe(0P z>k|2)n}GQNS`HwQCp)&>#18;4qol0-Ndc)30DeG$zen(E)h1xHN?}{ZbVBnHvaq1; z2Go-vUoZK$JnY;6anqr*f9YUk;*^uD`V{$c+Rzz5M_IYxxE--??yRrp1Pihk^#gXietxo!)3hIvfyONlGPlD_K zFg+RfV_DE7l&!Fbq(hShY0^&0-+1nJCIe*kEH*bfv9;cgPP-m$WM*q^JudHT$JWMr zbeip0UeH++xANi)IL#FLVB4w7_-z}dHU4lP?}Q=WYPdN5!~yENJrYm}&XXU)NDm%9 zh=T`jMDNjqRP#^msR7!B43KcRyBGh$S-4Z*zJOm511b=^w$CqQ(b>N{l!Fbx4q?SwK9!6+TL zX~bil%X{T{dl{E^(`KsekJKiB$|7^HijKu{=>VE;hb;S)L0W3E9Xkv=n(J4ur>*$@ z-MfImEP=2J^I0)|?l%6M6~+AyC>D?;%M(aZQzh{qnuVq8=uxmr`3+_ z&8^tkz7%WgYrJQb_qMVe98|L7+vqrR3gKN$qJMkm8V0+!8-8g=9F9v(Nae|t2IvT)EhXAQd#UY5=J885_u(><8 zZ^v){!+#Y2;mB0NnR z@hS}=7p|ajrfUm;lPkF+Xxhb`gRM%fU9C~qZDlp~cMsz4|GnRg|LHe>J6`|#eHyU? z8LOy(G@|AjacGw+4PTH^)oiyrIg>@kEF;blSFVfgf~L#|yh^*R3t>;l({Zm4^PQyM zs%pM=OWleDLmNjlT)r~cjejC z?*JhB2zRdSIje7yZlL=`SZ~#hmH&tc8OQxpNzbL1vM0V>!**hECaqo?L$*%1{ z(jLk)mV*Fn{R+r-COK=0KW*2CFw|D3ovvzj00tfO)3KgsHDw5{b_$go_2=DuKRpBB z0kUMD#7DML^wKoCObpQ?krL%SMm^FcKYb)BxY>^RE zdj}=8>1us<-ha2Z7lZDDsKcLV!RBFCh(*M|vRLfsjHP>4oqT(q0~EFO`=<5(5d45K00`sD{u@ z09RaPS-r2Mm9)F6@BHS|v9CXWE3KrJWJ~whSKqyJXU?2CbLKy1=FZGUdOEfuWFWwO zZd@T~j5@;eJ}?@Nz`n5Yka=uZ*|_HZvUUC1u#Ff!4ES&wBcSNGc;%*+P~GKa4kP|Q zSLmz<)M#&I-`-u(OK&K_`rDm3zOr! 
zcb1*u&5mqXS9Wb&TmRtMuJvom?f~U!<9kYffavT1B|}k5jSPi`X7|@;U)_0*mbKJv zoQ6P#v2lrK;ksUZ;ethB$bB)?KU8kN_0ID4xBpxDm$$vEeD*W9mMt5%mC-#;rw{9o zYkzo{Knn=&*s-&ISgNZA!n3QM1b_%{qB;X{MSF?x837#rXy1Vfs=mAe9?Pg8?)1Lt zW%07b;UR@L6AA3JvJ4C_OKt!KPm3qUYvpn6H{Teb;4A=B4fU&f#POl5&KrhB0o6K@ z5zjmve|5Be*dtU0)EFj3JX0EVZZR5i-B1u|YI)*6AZz8r1s7ga%WGbkuId-#NDojA z_v?@=z$x&yju0w{1utuEtur>LHt#52M6d7ZNatjV#yVDU%)Qd551Di|Z3gdfC_0}7 z0T%sr*gQTSAmrT8kl8#d50;#EaP1r(4qI}RVdn#&&gM|9goqpYD@!D+dNP-*w*p@N zWRBDE`(_V?{zDIuzAnX!bUMeXKhpu5T=+M+Z7?cit` zoISnF2>|UoJX&VC%KiXcp<_64tyAv6{| zjmE~pDL7m|RLwXnj~JbBM&j4m4eFUaSg-24gHDysndG@bXFZ^5qZzU zFCYEr$IE-({l4;F|Ml^*cFl%5_thUB3(wToR73ia7@k`purt8M{3(F&mqzh&Z@$>V zal_j>CmJZ?>$73LldY^KSQ3C^nz?xP$oK9Zt;?KzJ)ai&7%}vR*X39_ zQv`uI^)Hf`I`Bomev~3OPz|82XWB-((fu*<2%Q7f{@HUve^zcB3|Y-p^5i1o@Y6kD>_Oa>U64hP1(|FtMKlTk>C#ujSNB!(P28TLEV`0u_}eV&M1+7-|o=k z!SGaPlm+3g3f~`X#NPm$7b6OD#RnYx5;j!lqxD{4H&k#g&{++rby-CGZV#_=^U8a| z+YAqL+txDX%Qz5?M!Z)eiNlU>0?6@N`CIjJ7*NZ`%*UFn!s-`wRD! z54`_F>O3- zkKfr$uwdc*7+wyBSGu5f1RB)d(a=SJHZQCL#+~_7!&yLTi4YH~ezi6<4zr1D>P7-9 z2I$!Ih6V3-$5`uX9;!E?dJxvThc?I)52; zF%q5J!ez_Kw8($`#?9q$bW(wF0Yl~{R_RM+A9TE}*L`5&BLZOz%ZyLLMbD{Q8I5$w#-^DOI1kg$7S@k1q1 z|2{MsafJPb>^2=Z>r`iAiPvC&>->4&EHW+{2D5UV=+2*AR6_)vMYv<{u1Tz-u>|$h8k%M zd#A;aXnFw9!HA=gj_vILbuf)98mb|2q&*y-;^FY(Y#~7{lHQcmbN#;|netDR2eaz`Opf zqPX_PwI^i7kEdvLLk{HwU8)D|u$0YPHdh&ZHLf3)GJ)c5)go678g zIRQBRwWEyOtC!6yuKVx5-Xp_X!&Bec>1?7SbPQmfdI$tI4P`xTJ#{~9eR_13diT1+DdL$w zuRGwVG?I5DXQRP~y@$M^w5YSu7$I$mkxFOH_1?WZ1L&hIh3S|}txMvn9R=0;Is56X z2UI{c8o;r8%cim?hQ~W&xWB`e#sF0FWfphOn$|gyeAX;qScl5YzQIU15Z=(t;=G4F z0i3(S3*37k8oVn!m;Lc#+ITb!^KH?94jN*Im$*Lw?QqB}md|{y zth)E!`qw3W=yDLsK>t7(w3Dn3)H04(*|2?c8H~nx>7^G{57<#~dq;S*JHtcW8(uo_ z^|2?!HV+v2FbyA#?0xs)sO~Td(5b>jTVh>yboo;v{xq|XAnJj~X_pP$sfQEuuA;G@w|qqh{P&s?2oJh;a8ZBJVC6@b z<~0GLk2BkbhXa`Ag%^FGZUoSn4@a4uHCkl=5mC0fmN)J@YY?M;%vS=}kUN~#klT`` z1p$H6%W#ZpX4n}PWzh*)a|$?ihkmzj+g#=j1iy&s!whh(hb#vu)vx+hUmZ9#-N75~ z?5>NjD5np9^KBQMzc@U|=s@OL8|-g_IcLIODHy1S^4R9-G_(10!pk%oh+k`nmn>Nr 
zz`87S73dfF?;rQqW_Lzec#2M23$P1$`3pL2fBn>9Iiq2poCinxbWXYKD`3q z^ym=62I&c)TJc~*#NmTvjk&h0>-xQl4ou9vCVYEPpQNUWC=L&@u&vuFi zV{UNI?ilKi)UUDT2YDWKmrQu3)5DYTw~Z`M8JKI?$l@}8(RpRjd6&je?2-AJ*9)z5lFe zs52Ov_+gX`&cgc+xP-BWar5F-O8tMN==t632$yJJheSBGT1XVT008U2%+S104Up35IO~P%2tQ|AtUeD+EObTc+YmB zEsXrZU;PUS=A&zM8_JKB)vH&Atb4+n1<>j=>OS;qTFCsdb-xaz*{@t<=86Gr2ed8Y zGAi(GesJExu&beXA9~zp&1itth;$`9&FCC=jz_05TDJT1BQ~Y%+8fXQXx`rH5!)4I z6NCAB!|o_$s5k1h)}N^borQXiyxkj?`!8%z{nS6P6JW1HsV8yqqyv0yl3*`BhMJ?U z8y|wHjT$IIllqNqXi(?0Wv2%ka>d(V(4{2S#j}| z<$}juTNYh(Rap?Ax^UUWWy!KjDggMJzH8U^@HBS?|1g}|5W~BQYhTDW>gz9$FF>>I zpfC@0Fmku3JWQGgXr15E#Y@WCHEY5%3PT0%!72vDVaFX~2C0BF7}T;&pYH*O#r~H947m^VV(U-h1yUS6qH&creQ=C~4$AHu)oQ(I&#w zL$>g`;@=7?Lh3mJfu+-CM4XT{vQ_D|Avwd;T2S&v+pRJJ`U$T4v-Uj1N{o z&NPHSxjj5$nOdhYR~w1~90-r8>M1VZ<|CW+tN@Zn$s1l9p1CQ9rFNG^IqC|E$k$0y zJf-N*qA?GYb!#@1yY9ZTTzB0ybvchAt+BN^RlwjcgIf4sJB}zo2SijMP>G>$$Yk21 zGxZTVkNoQ{tMKA>?H&!Uek6vs(QzKy7l5|4+uLz_h58Fmc2z-fa;DN zyUW%cy8_%ppThyHp-=iYT43uu`4|F39UUtC%4z0mO>rng#585oANo`WfVdvh81kxf zA5c3TXy?OY-Rc}Naz0Fx_~5CdH@vTZ;UerNs)8#Y|M!=f{g(0#*7~X^ens9}w{9$V z+`Tf&5gvWSn~09LT~8%VMcz8sZ~2yQp}w=5sK{dD`Ga%H(2(J?KRXilbNkAi{s4zr zjNY79^yq!j)6WiXVbI@)nj7AUoiZ`Z8kiUH=hr_-W*DsVF(0)zjB+H5e#f5uWq5ZO zPk0TRw(l<6M@Gxe(Sv1IG~(USAoh$ODtq=HF1z;~ilJ&ehnK}zoknlWZylw|q3 zpoOkFe@ds*c_NLKen`lEE^GI2=wgAMUZ1t}k0M)9q0Fw9x0{*s>exmNPk2m#bztFGkn??aX zWceFRR!^*2d0*MIaYI?QbV&e7#1Fa6O>^OuzciwDC#XO#Iv{bgv*tg>iuW?9%@%90pBE*mIiQ8)pMV`#r<&On(T-saGN z`PKdkto|AU>#5TgQD%5nx2gJ=6t>~}YxTZuE{OcC)Cj1JwlKF&b?KP=MG7AWnOgnm z7x968T>}h==}~db7e|jjtq(6Fgow)~t%8ZN)Oq-7PG>#DJdDnP(#DW38r6}(Y#4j^ z31RScN<9prE@BTOupG)VlASxYmv!q_m3zK$OZogwA1$B%)CbG0H{Don`}Bv)9iRC~ zS$X?^m-P?a9YeBhbtvlt)sDUU%H{yo&EcJH3gFrhAi6OCb$wjGbnTX10jN95+RZ!5 znho2^`iyD17Su3M19=R;CR5i2c8U1(NGVtb-XA;HjNXwLx9Lz z8wq(d7$E11ybmAdCF%HJ=yp6>>F(gaZR_^3W%KsxF_X=QC-ZCh*9?Y+oKQb606U&7 z7n?U&KWNPLmosgQIO65iGXkQ3^LT;bodQnYsIUAF9@G+Ermy|}a;vG273ZB7;0~l` z)c361K_)&B>4?UZKLDRSjE#nO7ejd~4org_05tR)_A-0UoC>a6HxHLBo1&8q{h4am 
zvuAf%yJmG+81fHUF%g_XZI#ra%?Hs-L|SUI%&9X}&OP|z)P?VHuPk+rGeC98vH;XY zOQQV!wF8;!iu=Lv3vM3$p&18a*y@k80X4@1cD!?khAbGG z8{Uu;tu&PIZX#bxg)FP0FMk`Vo+K4O<9+RX0@Qe=wyg4EZCe}~8m!)n>4U9Xhs);8 z+bX#EtDM%<8h+2y=oc-FhCfsm1aJaSXU$sZPqta%>C6pzj37FVva@bgeOr2E`ek^> zaDZ`u$-McY|Bj~$I1N*wroSV7MbIaVp1tF*P zwxP7}t~=XjJ0RfW)9e8s@n%+#;$@qECiDIG-W4Fbu3UVoqG?5ry9e_ z=xr@E86Wqza(0F>hNpFCG_Dwy@*Klh_4@n513VB0crdOqqb~p~#%F#lu8-ft_1?Ba zi>5X50HMJElm!cGqqXR|HoP$WT(if!IN%Fwc&?Vc$jh(4im4&(i~L7!?n&4poHf$w=ckMpaR950Mh#BV0^6& zFq_#QWeC1?X;lE^$j*_nGk9uz&LLg0WJy`J;{1?5I)>e2Wy8jeWy6LIVO*nSFu-xe z(&c5@5+@TajG^&@vUuTO{hMBcgR>)#08WiQ)K>rYP=FuZ8jjDOKc^EfqCqsK|JQAc3eeWY~8k{&Iyk?cqKXl7q76M^mPQN)NdUDX`oS^MnUGB zP3_n?0-St=j0hEcZ7t>XS=}&wnk~ual~oUHFDqAVE%!dKx!kvQTe)k^mU8Es&E>9j zTgu9fTg&S3{8z>Aed{*WHPU^KT^yJbb{9Ggnb-^4a7?AO*5-lt$LIzy?+Oof+i=)) z3@rL)&k11d3lJVFJ4QyTS6UCv37uHxrZX^Zs#7GP>5^`%el}ifm>sHzLJy+EXQ|o>le- z;2m(#goV!iG4z}}So#O&mHv72%D{pJWoYqvW$}tj%G|{(%G{;rmHFpgQWjlsNm(4% z@{2Di7hHCEx#Y^L%OzJmzFhkF>&g|^KCxUL*JW2-Q?7{Xs>fej9)In1;Xz#)UR^YR zYH8s`g_mo1R_9G4uzp_Q8H7h*-C*bMv5U*UQfbrcyr4Noo^L%aFnIB3eZl5Q?FcX0 zY54O3jE3gT4G;^@vjS&;X8n^W!7TvH#}9LVKH4pcA?!Ru?r4;C*I2{}JPq)PynIZG z3t0OTD(A(pdcnK}6}Y!--BDJrURSnn+g9Jr3w_CFXkGwB4DV;n4DdP}9`1p$3h*Xe zqAf-~ofQJ67&<_1ZWGV}$pG2`OM#qy5Ih0&^5p?sd+Rj8{P{85_Texh0#n|sKaD*v zI;%M`MCLu$KLQxP4urARQai6h*3ff3OeFMpsCw4>%82t*0~|Dei}HQYvgC>9GPBQo z?*6iE$F_3M{r5)4u{L;j>cYV%>Wr6H!6m?q=j^Kc`h!=UPKoq&jc4fF7`Tq`%%KGN z_!Y^+0}XF;a8X&cc5{H~#6m{U)Qnpvl!_5{f9ijK~RMF(Q|?!NwA{pftm8`r;9P&)t~X~>}? z2;J~*^$@)Jx=e4+?z&XZyflEVV9Dmp9z@49=sec22P+m#=<6uPoiQ9X8Vow-dk)aF z815hb{_p?(@CX(h2|7B}A(-AN6n!Shm*@lL|3Zdi5m{ZAU4B)$;DU=n<``DiulGDQ ze>-V*J<+JY4tqOmJZJaKsYA2=f$-Ai#1JNiF0-RS%?Yn)P7D*B)44Aih_#OUX++SkkT{f&;U3P5QU{W;V?h8A# z11QixjJg{3bbQT+hR12h7T{UeF-F6+Ep$Ar*++%CyCoWt#y=K3d{N)EXQW*DxGT%! 
z9)D%Xw66~BojvMLTnEeIZx_|m^`qfCqm)I}VN2pS%p`n5(F($sm}Xtb*zSW|Ak?epaYU-!b=fJa7lgm-S3hAgAYpqDACDS5imM>AmkbhxfYfM%Pxo!$#_|}c2nqlX8p^t zJW6Ht=S=*moJEV5m7OEI%I7}&>9S${+R(|?7?Q6oi^F5SeFfePv*7=P#84 zSUApm1KP9u=LGQ2iw#=gn&7Y0D=9E3*#XGNe+Ch8j zqpeJj;d(d<1gjs(!fx!r@1N5j+4Dl9Zo;POkUZY$*sYAQ#@9Ms?(AsTlkKPT=FhD% zMfB*zW7M}d>~q$f7=5e=0FChe1$CRQ^6cHcrL13bUwO|5KV3F%9gcc8qUcS>)2^qQ zrXug*;o>Hzz`Hkw>?6BJ%GT{WV>oE2sv03aHFD9n5$8R=c^ z@!SBZhRlNm(!4mHGq1;xyz@~ET+gUq`QP{c_m}59=gZ3DqO;hwYiDRD@(8fn5yRMj z{kQj&D=vLpx$KHd%Dw<*2W<1$d_{LiHSg3P;5%^0(zgX=$?}WJz5wF~!VC0~N=NHU zo#B4x2)m)OXvy*bkeTK7FWg$baNEsg<-K1B5Di@{Sx^=(oL|>3n|d(!+!y*)j{wIs zgwDYSp*aDn)-TVV9Ygck4!F^w57ka^rs;_&9WQm>q6KB&*hu-MpLluMvw3}a(lwWt zrHd9teT1hOAh~nLt};Bbuk0QR8N-(L?AckK^~|T0Z~K-Pg?{&!+iv+>8H{??A#B{Z zuEtT<_2jUqL#r@MG1l_IWb5~ru z!!Y+mBOD2k+Y{d52oMXP92q|xz;(E8OSKgh(AjEdRy7=!@B+hIn=`#EiiS9E=Ik;Q zU^f(vY)*JW{tu^$!Fd+7||I*AC!PsR5y3>vgUzfV2)DLrTL(N2JY&44hgO zh#L(;BZ(r$f4oz2n9JiKUUu;nF%%w%v^UFmSEGf&E&X0VhiT~p>1XN4}zCFq14uW!!L#mhF|sl3*J)}>nJoI?-6B|I!1@chuhta9%? ztIO_PKE9ZD7H4|dxpSD7Dwxg>=fGjkq2>UF$ns?4ZVi0La^E!_RWlrWY*l! 
zk5vE>H{=B-4t}W~?Y_|p^oIgu?!EoCGQKN1tMEiEkE(~m=sW||4;&nevNZ+v|Mu0vU2qm z7nUbqeM!0Ivh&JS7cD85FJD+L49|5@-FDg^<=$EDdtg=Bw0%pAln#~6TSo$b!xm>* zxfeyPFq(Ls}{C`@bLfp7rop9JcZZ(4MaMlaI?{11da z5BP2n?Ph$xl?&E$4@UW?*J*|s!EdGxJMtXRaUP1%Q-qyGn!Cpb zrx?Qe9gW}mWjuOd$CQQT*WtC+9==hDQDX%ni>br(I=fG5PhDd89|jXn*qmtSv!m6B z+aD%8egB?PoU^)ZTiLyNW7+z^U1ih#x0g+;?kMY5-C5SHyt8arv!?7D?JQj~oU08B zM#fbaS!)2{RRSSHRvv`4kM%wpp#A=~d;0tBv+EKgb6>$H8jO9^mtA^MS-NCV1!w24 zc7|HO&5?6<%Y-))0AF`pMZ@xU+<8f+5qLqq)bHLMU>fqxj`S;*FRdSke306-X+xb` zG*@}vc`NGQLo#1#7*CE6FD}FTC{ySju<-rs+SUNcdh$`9!==MZ3(&Jf$cGVABz5^y zbZ7^CmA2Z!hm?5s!E49P-L=CQ8d_MFG3^~S{~L{X%tx~WW%ITj;T6p*E6%$hWFD#> zVe~k`%cnzgwdPghIXb|QCP2Q^#Oc66D*pab?HF}t5yozOs4{nG3c_6Q<_!)2@95Y9 zeDkCA^sqn-f6cX?S{46U-o+aR^mX)8br2m_=*Qf&&d>H($NSm;Uh6$#918FX&6Foz zdtF^U&>!`_B08$&iwDd33kS;bg|o}jq0ZXWx&711yclWi9obb@-FJW4ywM3;=1R%m zIlx?*&70y5_+(T&>+q0$Nc3we;9vlxIpD+5@%W$$jP0H~939ZXLo?%DC*0pz*&hJ8 z@1Qx_8D-Dtp)$6AX4xH{hz%?UBb$&Y%OcnZYb;4Z7lcQx4PVR`(5SkJ68rk z94=b|JXfw-TUM{$SXMusV!Yx4qtp0+;;k{$!>dUSyOQNGXd?)}rJl`3I$HNOO zW&Z3^77k2{D{MCKtv|rIKX~~2RJMZl84b;uU+2StwCSR{NIw8m{rcN#GiHS68s6lN z(DBabsH{G*WpsLY>6T^f4*>1!pC4ZN+`1I-Kq&A)bcXv6`V-mH%kI$<02(#*dBKVO)~{2{*>3OTH~oKA<NqoF?@p*rXcL7ik24Kj489;>$(o!jOO z!{wG+Z!cHG(0=LCCDj&O_pMx2m!e&J%{A3KwKHyDu)ofsk_&*E-}LwDdA61)&0Dyl z%wKV78Qwlpx8&CI820nbt+Ta0+1Aw(-uOT{Z`rZ{@Kxon{_b_!hlxTrkg+N;aZ{DHD@{i^5)Zz&)6 z{H zX>01=M>nnDtGoOvpvG?`s`ue1Raq4TSmEPvkj~$Aig+=lzqI;PEjg=DnacXL0n4#m)PdU&&g^OpypURL((-d8qn-d;Pq65W)gO~Bm|ch0k& zYcx~KeYm{oEpH4!Iaue6{ngPy`ouo~wRR{`a36B2+@TlK2la@;0L$5P=7vlGrg23n zgIf%YXZqucrd`6L4!zAjJXVIc+*elL`?)ZoJ>iLl2O0G^ec$2I7r%!>k2}Nbi$1*^ z3jT-VeP48vfqC^W3RrVGbNa!uEJhFhzSZhgtIL`PVnh_6TIZ!>=xzu;8aCul+svLb zQ05N$^Up>R2crx=#?7f^W!t8g)F&AoU3lPtc%}$+kmkRw95@(5f6MjuhhCOOr*>s= z9>%sUYs*dl{ps@Fo9`?;#`bkOwh8EL0n~G1r_{n27VjU~Q8uhwS2l0j7@lEVn>Ur= z0E*o^w+EOEN2Aw*!&GZDcPLkQr#innT>#s{Gpt)nJ;zn|#0QYtnyLYr zZ(XopepwOTsrlCJVJKG4IHu1O!1NI3Ky*CTq^bvvB>zT|d~1hmULvS^|9~j~bPwR$ zy*t2tZ#CWuq;YTUD7`5$V0ON$Gh2t|b=H{<+T}K2zAri*fEE934ZST{zO-C=*<}?t 
z9mnX8@?CJz`DI}Ym8Zh)L6%E1CT61>zr3GyUZGx7qWK_L5ZKL1Hf;( zf|?z8!UlYtb2#|H7@F_hJ5txe=F~|a@TAiteMkLr9yfHQ`pC@-bpTD>3LE*;on3B# zwEkhg;J@HT8;y>!_E=$S{=f!|zw2yL`sI?T!Y zbzQH{$aIhqjB*)Wm<9>CJ2lIpnilmQ@i+p}0a?Ojo$;cf{<3_@{Nis}9U9+NcE!l% z&W+pZfk607M915%r;?^3@7yVM)&nX!fARb>XaZm3sK95wi`VHFFm=36>+_uEgg@$h zF!C%8?`B$EKu-pqnPpKtCw3ZaBP@R7*_y$6B22Vq70b(txHfOz z5FYYqFyxI!;^51XW3Wn>MXYuh4}hG<8v@n)j+A`?1k=k%0HTxSuYJ;W5uX?=EW?1*yhk0HLlz;SpveCgBU-QgI{t`ASn zq2zG|xYVq4cyXypc2;!~Wpzl3@;W@*M?eQh(=SjT3$Jqh+I8iQ+ixu+!|ThkxiLcM zpH>!GGi=U3$~zb62Kd)yO)+Zj?+@?`J^M&{=-_yO@vg`}hX2llI4~ONO&^4%_~;d# zrBx-fqfCR*#vK$i&kBL)9DPriH#a)ap@Di?H89r|ad_ne(NPSQnaK~8-JlG6H>9&%~m740;dC^~Sco=-em%pW*Y8~vdf zoevJ?7yY3#b58ZkE&vap11``1s^^z$ufDo`?z5jLyN9=i!SAadh^o;><0M`!UGO&V z1t1RxPty%vM%%2w&)XS25HbcZY~Hb}Jg|O4`Q=ytYIu?}%Wb!PHoWegWnk{y>XjZ2 z!}s~ej-;U&zUoN)4X5GZ0L=hBo}mMZ=g*s87KexG&n}Mypjy~%961?fuMh82QbX4YP>j$xL1L;-oGb0+bp)qi-omiyj-O{{AbDef_ z@fho(^AbbW(qC@A^|rEM~Q&_FM4uxTGsJ)I=sDm$IIyM zy;W~9TCEG!9g5xg%M62M&fwy*V96zAX58=GvA2wj`{EvQO$z`FeftB5YgXT1M)z!w zZtGxq=2NdL&-jw3lro@7I+gmt1^hSvWKlofM#%R##o9%ld~Iqnvf#lHLLk zqZFZwu)olak<0Lok#hH4_td3mI;Lkn`O5O_Yc4D^_V11S#>%YFUmc^ctJW_2asjgv-2Ok4D1(9WK6Nls3c3y|n)N^Y+hdo%qF%%s(9ZZ`R`VV>j;p6v~HQV=u z7d$a$oK-{qx4-@Ek2w!@vg8Z;V0aP^`{3Qo85lfbXqLT%Ap|Rnm?ipM?q$1+fD?lz-gnZ-GE17;|SZ5obOq^&w9$*TTzWC`+ue)-# zZQT+LhR1iX^o36K{B;O+#7pvLMfw5^HB=uu`Xk)0h353{s!Ob5*bn9W71I~~&ll7W zNbA?Gt_P6#lhr;#IaFl+f}zNFs1DH$*?Db-!1Kc^U9#AI`$c8RLSJ~vZbwmP&%84> z0Wr|^(Z$f;*#M>u{D}^8g}has<(!CbQ$bzY6_-Cz?IW3d7sfSjFouKC;3}|3zC#fo zPs2=Jo3*eG&VFz=n-4uaswhX@FCO07@Nf)cW0?O%U-U%*$g|7+t5%nbFTSWe{_$7W zG(1N;eH^-6hp@rlM>eNg8Jasc*4O=kffzK8vQpLGx0981Sy0BF{R8_|A$Q^Jki)!}Avh z9Qb|TeJks=`uKdGwdRO+_qgZR9lH5y+7gX zlU`qRv~zi}F|?l(G7rQxyLztta;s1~o%HN!p@XO^n=R&qKH*y5j6-2t(OCu$>qgDD z&xosp#~VFtc(+dEa@^v0I1IMn#;`u#`D*|Xp+5V2TG2`Z4`_~uS6fEJiL}<`2JqXm zd)wOKvU@!A60%H0+KRS)x(Sv|Mcxm3r~#&jufP8KNqeY>5NDz%K^4>>*d&Rb9DgqX$p3fbuVdn0f;GXk+o&Gqk`p8p?p`u^^DQm>jg>=>yMuYJXjKUTx$ae1ihHPP2 
z)guT*?o1h2i^qf5R~!3vPq;3)9xlT%B)8Pb9IaFOg<0YhNLf8RU|ESv8u`^fCg;C+ z?0g`L&Lv*&CqqP7w*35Z*_D@;`|n>_%QrWMzhof;FV)&pU{zN$j2q$xqo97%00D3o z>H`H+8O~VsN9Ht5pj%f4gbarKNaLX$92B=>69I++qVDT)gYlN9R!>)o@>L4Gbk1Gv z=r+_G<#88z(QCXig76_v>5VArv3J3nH){9PmMvS$#w}aQb=O^2KhWK~^8Rwc`RA9# zOBctmIywp-N64we=&Xn^LQobmkh3%7pBcmTx$`<--VYp{RzHr_-EC1H=AO4jKI7xN z>&~bvFT1E*bpEp7)7eFJdw7-~|HMtT6Qv7>k9Yozcz{%ZR^U_}sVESeRT`revef0k?{qPrcMyKl8oHeWP zXI`pt_=$Mc5%E~{?@nOcyN&x=8*H1+9kG4$zI8Mg|Fi!ZUv%{wH{_|DDj#<4rO2Y= z$BR8w?$|I=_6DFn*wlK^@wV%!BDQ)Uywj7-`(a=Cf8Ymx;J5%);X4bLkD{SdM4g7) zxsF9_K{TeMvKf_B!g+TLt8#f5uZ}@PU|jAy@1%86d?(F=|5V1>CMo~`llMtPK~z9- zn<+a4fSIM+PCOYqiOBxyn&b#LcOJxz=W3!IU^&A6Au$@ik1RhAVR{&cO$;625!QjN zBXZP#P=wa>M|j8^&$ues0q@R>+88z9BiTO0!*9gXHtWIIM^a=@e}r?rsk|dWmPuc9 zMDz9Ehf+VBfJoiO8J$6gL;M>;R=vf&VZHm#lnuM|uHHt(PRUV6B==R2`03o&|H3dj z_9RZml~3rf0(rcMFpy}ZQdvZhx#IlD(&5wLS2GAE^$s&p^uClE@2addvv}@As^Jyz zLKgbA{n*@d%8zQ2N)Lr~Qg-f?wsRYyRpz)Jiuz!@&RxdN2pxHmk?KRsnc@iGz$Q;s$|;bwdOlMy&(qP{LydSMI-112lHx0zv3CMGKa;2K1RXvdcKNPX&gi%^ zJ0|G_>)$cr_0|x1908}AozPAP)Cp+H*7clGQ3bgpyn4v(l{)spEZ^5T$41=F(i;RcMm3gh(|ZcQ{Hx>S(jU}_5`Vldz>VR6$^H=Jp`2xr%t&aUbLwoWj|BjWwdE{ zb~5dnhYCF<{(b|OAds9)gMq`v( zF@jLl+7iT!ptk;ezJL7wIp?2qp4W5EbDrzmQ1LR_uh0iB5Y&xeURLsh3)BF+r>;Mx9H|HDuP&3fG6K;m-LnSmlGxP zGiV|YbYB^h^Y(pT*t+6%KWRy8-h{?hvELBxlsK@_$vFN26gW8s|Dok;H?5_@RH>KI zn|gTEsUmTey|HP6E1fI2L|%v<``R-8?iN7mK69x$&gkP`y{Xh2ZL0hN25CQ?c{d+9RvK^&)RVN$R9)n1@7$2gSbYazWUq*nJ>FwiLfEBmz3d}f3CRcv(JBy=A^#i z{v)uuH~7WnuV1|YMsP$Un*(WDLzi`5HJvKCn0Ni{Z`8Qbi#_*1r>z=056JSWewtL9 zN^EWb%jX#l3Qpggi^(yZ)NA#osFAMRAGHy=o8;FOdxA&)?Oyi}_|COx&%ul?3vM-b zwFA{JVt6ssJ%pohR{Kt+swcf=6w7fMHX}zaxi#&;D5)BEks>bvj6fo!Xo~ zMh!1pcxu?8@$cebxT)Z%js|kP7!h&$Ls;Dud;R}TMlQoP|NiljQd|u6AKmj!4zZn& zWeml}z(@lcSNn~wqd7FF8T%0Lw(DZInmYDY4YT8A#)ww3X8yB+zs;4`6=TX&hKkfu ztV*xj2^GQrt_S|SR_#SPh+nK!KdNqo9<0&414Gf~=nN}+>#c{Yt>eGHcn-U50VVS1 z<$CZD`+cl4t=5!{;a3NRQbCJhL0`Vdo+kf0N&Zh< z7Ic1E`0tdo)pfNcf9dIP{+mSGMWn?mVW7r%f+A3yARN9Tj4r&KEqqpV*0Ffr5&Y}P 
z8a*!JP$!}pbw0mW@AvPTcM;x3?4k8k_O&$%|M%DDpXL9O?WLgyiV^;&YqczcFmVPzLM9p#ZK z&9e;`CHxRfck?A;rQwgVNW^Z3%S|hd8x`4%QrT8#X$Vx=#S-I{W7tn?q5T)o)~%nP zYB8!rMArpAW3e1z|KicZ?^9f_Svy2Z&*5$5{>j(-O-B?+e)9qczH)~4%NCe+u84P* zgq|WIpr^&$XT^<9y)jh4J0|<%R|Ee}xTjaoG5;CGy8Cp^vp!Kbhs$XPyUyi%oy8ZJf2SJ5RO-Y?ns#v5rulX9)6QabK4h;WkR70Q zIs~rQbl+Uk3CHQY`h7j%V*LV#j380o;Xoe$zr`NrzWB~P<)9VjtQ=WKT9F5-|M)|m zHqiSP0(wbmws4px{{bhUS2*)h~{;h+Y4}+JXGAWm<y_3v^I3HZNn*yU(*T7HhmqU)y9-K6kCaXsXZcZ=E$RF9o{p5VkS zscg5+AUrz5Wwk%?epW&6|M1cna3|~PH}dkuXz;sqb9h7V8;g|40p6yu`)_j z6H-e`BR$iFmkw`vo|5p_+?!%*N4DP@1U+y~D1e1{V0r`U7M`JKm{e|nu;j`XZX+%~ z+Pt092sA!z&GGo*i*JHBoPTk!2|ufhXusG*UcEZ1F?}o2tuO@to~XF+oMZg8`rjjD zL|EGeX;{2l%)nrs>w04+F{i9r@6YX`4#qY`NxSWl4}g4XUp@dp5Aok#H+ZLo+6@_m zt6FFdX+1@$Ywm);X~=yTmcyq4>{kewrPHBa>-mP2ryh^kY66RF^}qLs^o4$1du9Ya(fo^AS3{0{A^k|U{F^yu{|b1-A>6yp{coQesp%3vE>oRH zWoSa7xu!=S5k`DaHoE-HVPB@+4GTmyC!}9%qm$WcPUwhg1)|CiQn%jGN>=$oivFD; z|GijOPakv>VGK=vnys<&;XFl9$}wjz$K?^4=3$_;(kI}rQ9K{%g*WkkXmVuGb?Ukl zFC}xo7&NGa&m6lSJec-ES(y4w_z)sg@3i0NqMu~6cxW`O5^@cL{~CB@yFc$vUeq90 zRsbU8x;b3MjQZ+#t(Eaw=1fF#v|h|)XXg2v!|O7x)_#2cTCgP?z;FX7*S_62ylHh@ z3bZ6EI~@^#KIf`RP`;_<|0Mjve}UQLKs(G?W*{Et;gKbC20O}dIL)}@1w;~Vh|^4h zEVYkE$4blnWB<3OKg7lXgdLk=c9B<`Nc7^x=puaaByq87!Rehq!|Cqc)h;P0;yCDN z3pyr#Chcrj#i)9UU-aX1m zB&U{K1`vHroiZtYJ63qupIo(IRPaR{#z0o!YbfEGMz`k~s>)Op`r#km;R=5?&7o=I zyazI__m>aFJSDCf`;S)5Yp=`(y0}Ezfk_k=nkpS81+N(XU9L@$v5kb0si;CGNFKre z!|$ubvk3!RRH{sR-@tvDUp%l-x{$w3g?7W5l&FnitBA7_P`;Vu6*#%2+&}(zzS+Pd z^e159m<(9He1^bJgA|Jt(3^!t;dQ&m#-C@)<{uv}^=8oC455kxq)Q!cQaKbM3_bvo zn_+Wm$qynWzT2pFmnV%r)2D4FzARi=28uvaCSTaQ+)Y9hE4Gynq}!5Kz0cnW7-#m* zecow0p>7$QddkpyGUp60bEgddh+jQfu2MmjbIKX|U!^KJE8+VK-YMVd^qy`Nlf`|uoRm#9Ay zGJ0afq&}fC6*`lkG7*-ZBNNnxksBr2tERQD%3~GwOb1`(A^3;Oq)m-TPCai zRpz09d?6TbYl$8=&_0IpI-$2;^$!K1A8}iA9ednn!}wHq+mD8(G`!xtqZlC@o=(MN zoC%*j$6*bzhBM;EW(Rf^!_B9ELJN=U%Pz?N(B+Dyxn;KK^@JT+DV~103@|m9I^9CQ znL_EX2_pse+ZV52>g(`%jPT=t90fJDP5ZtH0dE_-fONkqjTz?yCHBCr4M=?%n^gFI 
ze8lKmP0te{gS#StK1HeMuQ$)myZ)Vfa@a844=J{-Z2lv4HIW?NEQUGvY8`cXa8eOT z>o0$5!~KDg)JO)W_vS!HYj_`+^FuDCe#E@BwIKH>--`5#&Y_M1Fijea+W`-<(;@zTF9wu?27f78~`IWac&V@ zFr4iMNlOov^c@oE{PYp`qt}JE?Q#kC6Zml4TK%id@4^D;L~*{_Nl4-8x8qv#@8Ur! z#kl+QY1&HgL}Mbe4%Z1p$KC@~8G(P(n670)6mr|_KOa#U7BNer2h)^DPVH9^Z9v5nSu)%dBV@>-z~e)I zJlwfG{K^ipj;S0^Mh*3;N0QlDk4SMtoA{3*uAL{M=D)L~WkL!O(gY&-&v%=G$tu?6 zO%V6qhDpJp*5YA7V9D^#wVn7ny7In=#;oyLPeet8bbwK2*^u~92N{owfk=<+_e-;2vBARf zH&vf$N>zosRV?0pe^{+sYDR47*zrC(3`AE3kXNzA$8vcP-Ld3w(dRJLrBtTn=+5w+r!+ks();fa{LkW_v$n#U z7*b2bdCN0xH9=xCXZoXIotJL9=#mkQi(U;|7aoK*pA;t8k}CE&$2P`2h2jAnRq(G@ zgn~Mp-}4)*S|>!Z3$a=VdiO*rgRU9cJ6S{PV!;yHxp&@)M2i(fJ=ul|S2oUWJ8^fK z?*gOGK&qRu1D_^jUo`&d1#=zsckho;I(Mn6o%r)@>e>yZUum3tXSB@Uq$4CtdMjnv zhaO4Y5Bcw+8^;>4&sxh_&1zrU`+`GdgOM~*82pw}Gs#l!_R;!CWW=?vQmy<_Wpg}o zJm6hn43%T}W@UIyMJiI}H$!gX#0PWda#}8wM&x4!u8s>}R`X%0?V&EE$9$91nXfDG z-c4=R&EYoSCP-?jKL6s{1rJOdsQ<$3SM$F{p7nF5G>Qg3ks^&#a!T_vx=eYHSu{?l z*`=CV6IdtWWokj8gt5qZ^n0leaSglL5Y}v_=1caDZn~W~`uN(*ht4|LK;f&yzL%Mb zf36jkqDM@#&W5(0eCXUlM&!^X2L`4;R*-`Ge(M$GyVv&7mz1nMob@cmeDYcUzw?NH z$aisC^6$-EN#v@34P|*MxlPp_O9i@1Zn5*p&}HmM`H(GjT?}{Cp?{b&>Yc`U(G8^J zK1ffd8p(Z&bdw8c>B>!gIM-XalhP8ldiAa{fJBv*@XY0babkQZJ2W$TUk_<2%hz8f z>+Al&r+32dgv>wUT~w%;!R%0V9XiI1ea`1<&FAMuq+oW$_CRbPSs?8~h!LL@wtlLWjgM%^c}CEN=3@ zWlxP#hq$QPFZGxc2No`^C^iUxwlM3abT_*Le5)Bd^P zOOX8XcKl3zQXp!ZIcq4_zldwYwl%oOJdoNX)P^{~uy1L_P%)-a{n#~;LmEVdcUDxU z_5CGXWWIRyI`i-MifKi=ECoN;`_{nBpzZrQl!wV1=1_uJcHpLFeCQ!kYvQyznZvG( zzQGLx_@kR*wDo@8QwObw@iGW@S-*Ir{j1dYJHY`LF>JG7_NO$pX5xbe!>M=|NqqYC zuREIS-jkosyv@FfD~Lq+670h6X8TGw#=R7nP4T$rVm`wWcaiIUVkn<4SEQil^1$)q z)7!aSMzH01!llS~HUdSyM7=FC1I-JD+@V^!`|NKxKnH(%N8qeQTJtECUv%1zt z7-D;cerG1s!4AL&-u>tjiajwa5KC|XZ15dbC+@Ft_(^M8BMN1x zP@38{sH+&@{%gQ~@VkQ9>*E0W?q4iEln{?M3q!0E$#3ZCs{~R~3sIXEmBp!~cL9bt zx0l`eS1X@EcsLiv3xsphS`g2b`KChxJluRozqtX)9n}U?9qKB)T`75a6fJeNJ1e5* zq17!{8E#gHn<(D2Rg&}gMsoV5s+)*J@C2RY$Fp-`(bMN_uSulWam5)AQI&NZPpIL8(nKeB zcy3H=W8|w7oRdYcRtF!_Y_Gt#@jnO$Njh|SpKwX%Ag@_)=OtMk0P$IzpZ|ekum8S% 
zFljmay&{{12qxXFdyx1ymuIC!7z?amIK;(BSLhJO{P<3na-qxlP}(3-6?;fruO{>( zJB+kkIkAL^k~S)`1<)W5b8^d^9$Y7(YGcamr$Jg2VlW`1%UYnjrZTS#2`=}avLi8x z2=Zc2(iURy`OuP4Kt0rVS` zne){5!oX<$FnX(6m-p;~q6?}dD+wd}7i%Mrt`_9S<4~-N~M_WO+E8v&WBsS9F zw2FUcT-Qqd#69=W5OE!;7a6TCY4@V(K4c2!rYkOZHLxh-vS()p=6s>@41$D(peXhPodc5#O}2zCL@T zg?A!2;*hsMtehg_lzx*<;K28=md4aVwOSDL;0aKkI1r2Y5e}<$Qq(M0k*RW^FR&jy zs(GnwrGE4tA(Q$jSlLl$&B*BKK38JN4`J4#?+$7WR7r8|&pK7ha*cn9hJbk{lsxWL z^uW{AGlt=;Y|W-e>zug{!m!Q2Be#zO$Y5ZnGVNC_3@Me$tWc9aD|^ieyVjnOdWBl2 zaHHDe{4?pa9$Lew6LZx)9gwS>&N!cng-43A?4%@3-MjSVFq|Na%<^>DMO+?zkqk`o z;E%JdPv=#rGc>2EihFzn36|`ye5`ix@Q$&1@IwL{AM(yp)on_hQ$qg6eV~x^uqv=v zE`eU^PT$S+G2^1 zk^AR+*&BpsV$gjHp$ka75J3$@lbGA$C8@`SD^koTk?kpT%6==|QcW_q*VYV&PNasa zt*+WDsd{=zp7GYUJEow-Q5yn*MqCSYdofOA)=NbauqRMldGAEl$fbuPdrUCJnlt4E zn)YNWN&~rFqEbNLd1cHDR?|SSwWn##iwh^ycRQ;+2*-C@l?unlJTV5K$2MkU^Ov3? z4yWw8G3C8#Y-ldC&1@os@WG680ff&)Ep zc~tFd8P%RV=xmUJC#4wGG^vPAcA zwkAoNGp9>Iuv`LH8PT=LGNg6oWug2PlQ~$jlND|%v}0a?2ERRZ4sKlQ*m4#Dekq7W z+l<46v}kw_>Wb`tKwMI^KQ*ifyVo{XEFXy31$Q5El=}k7RC7=kF|F)~7+$G8;_>kK zV0RHdsuEQu_>EH1KAkwgES0gL*2|)S?+5wpzaQ>ZX{1H4UVA;%TDZYRmp!I0 zkTS{mw9JVAakULptV@-RPKmg`-Qh;Si6#b}2x~OzA%edfsvZ1jRs%_nh9ucB z3GuLxQugNIn8|O)g0_|Yf5?bExci?j%nRzyakUInEz0}$vu51Y5gvnxW0KLOAa%NB z4%|w8vRtx*zblAzGilO(@ZFq&cvl@L^u1f>VFEY}1x=1w(q<$rk6x>W)U^g^j!6_s zhZ0$YG)`SFE9+Iiv91+-`hZmJDfisuKguH5ZR%OWEX{YPo~1Rqe(RP!;Bk{>R2|wu z*h(JfF*ddh@CW9GMu$|yj^x&bV_9Si4f(m)QdFbk3;*)^9J47N#S_!Nvc2Ua9|^o! 
zNp6xZBCMAqWOQf@5xbA9U=oe#d0#G}$ENcTy*?to>IP911n=1ysqc!;hne?}bg?N` ztBf=?7uXGzsu-dF7+CJ*66S=Dg0(wvPqP_cW%46kLzQO^azU$jm)?y`)AouB-MbhD zzyVr*?zOc^g+X|DWCCRdO4MOZ#njd*nN3sePFbVqRlxeEIqIr)rt({S!Bl0a zz7Oo1Pk#7!$H$JB3H`JGkxN!nX|qQ%*bA=F)mqOMlP&3eolHG+069{5HbsuY>XB5< zcY?)$NAQ{76JqO6#3b*8qddR@NdL&BazsU>tnz{9z@K0E?|-%^&8OyJLgwJgcFE+v zh?3(0eI1{}0jO{G*yig&NZuxiGg0Q>%OPoNw&WIx^q~+LxjU-H?<+X2^_i3ebl68G z;8R<6>OucXP(GxcBt)0dW@f2Xo)8qHGU=(H*Gh6>vs3!vPV!n%6vYOZ$0#luDRA*c zwKc(&)K2XMywQ2EpYd+#q%hf}5a?S(7n|_)>iHk&zd}bf+K#HqFubZTGJETh7KD7* z(SuJtm8({<-II9% zl!~zw-u1b$tKz+Ew>^613o>cMxoc;7YOx;MLa5>_1jipm4dD(I$|*IR)TArTP5hke zriedJC`Hwe&|YV$)JFsK*nVztGQ}WkRTxi&0yVz5MNAfz?)$_TP`y9sO$o~WH!*n} zJX2=Bm+M04>pl2Pdg?VEhE;Fk*ya_*I=7da%Gz%}QrFX2m7Vxj+UH|dQ5dI#3_6_? zpDU-k9-A{r%tIex1XT1Kt~+iD)q3jL+*$8Jv3_%)>14JcdQ~{@Q5j-_j(NsMY{-u` zzG}aPyiWy1GH~-RP&^nuyiP1}gK}I_lLa5MyuMfQq8?;B^aT7C{T%zMEhTy>GxGUD z)OA`nn(E3UAzRpbKh?p~3!O)Zj+Yvd3KuPX*b~hgoQ?>L#x>^k$=vZg4!vmDu5C*L zMEFY742a{0l$oSfg+z7Gh*O&08D%qrOj`)8Fqo7&HhtYK`b0nj)6)S~gRaLneM!BB=g|RNsveX3?gSQfbjktjjr;~3#hTFY1 zwX!?X!RXYfsc7QvI*#|#x&-3kLTb~H?3NxoE{}YeDQu$@A+V(rZ9^H0Ae{#mk5uYa z2l?aJ!0JEWPnHYnUc&?Pa)w8fgh-&#f`mZ~G*dg&rPNAQEo7#dYRZdyXh2YPr==Q+ z!-u`CW3y5{HtG=SO6Lu&4CSnO{Jfjqs}6kNwM)10oK_%Z z@g^zs&j!8Kg}L;nJ!|pY$rdKa>0jlo}Ic6>Sm8fxw4F`JPt)WvoncN~PqIq+c)=Ru2N;gQ& zuMu@Uwwsn53VK~94SMYYw7EWC9XvJ?=NrH~A1{7(y$GVS@XomfzSpAz&0YHAjQ3J+EVAF`{8}!Kw7D^I*FqX6^kd54fPSxA^DYc?ADo_WeaMT>%FQg3s)) zXTcxTmJAiCCa_*>rKYOhO_eWxE4rWNeNZmjuO$pi+&r9tlI5`>{zEf1f zAMDh?qJfQ7&a{tey*k_S>{N9kVY`BqHYC9f6GUdm1F1JYn_>6$G*_>Tj5<}e{<)h zutYRA$@AY*&eGRZQ<78@d1Tp3nFV)sXuw9_w&i8xyxFXKk$kn0yxCykB&sfMA8o=C zUBjco$ML74k~~w)cy(d}VxpPK6xqn^Qs#C@*Hhs9@$HSc9WQ`ssre)J|D;OX5#F9K z2EfAthLqo6hP=D{P$0#BaIrsQtd%qmUWMR?26At5ckBAB-;6R>hymQ*-fU2b-G%?j zd5ZVHovU30>b5$)NaL0!{&%-XAMd?yIOyT_v11)=K>38Sy@YW;GCCwMQVQhtHWN*~ zJ?I#F`|<;$rX0Did@!fX%}TH@kTHz+ymOHlqd1j>ovi~DF#L*+-(KLg`Hx^?H>;Py z`F`v%RT+Po)#*m)HVHlUc=qO-$v1NBvDv@&K^#yU_Toh9ui~3a8wT_GQVuS?I(9Wy 
 [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. \ No newline at end of file +IT administrators + +![Click Get the app](images/it-get-app.png) \ No newline at end of file diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 98c194c982..f3fa5252e5 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -16,4 +16,6 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. \ No newline at end of file +Teachers + +![Click Get the app](images/teacher-get-app.png) \ No newline at end of file From d2f065097b2818e66fdedb9891dcd37f65dc7432 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 19 May 2016 10:15:32 -0700 Subject: [PATCH 046/169] removed colon from yaml to fix staging --- education/windows/get-minecraft-for-education.md | 7 ++++--- education/windows/school-get-minecraft.md | 13 +++++++++++-- education/windows/teacher-get-minecraft.md | 14 ++++++++++++-- 3 files changed, 27 insertions(+), 7 deletions(-) 
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 304a564556..ffa0781017 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -1,7 +1,7 @@ --- -title: Get Minecraft: Education Edition -description: Learn how to get and distribute Minecraft: Education Edition. -keywords: ["school"] +title: Get Minecraft Education Edition +description: Learn how to get and distribute Minecraft Education Edition. +keywords: school ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library @@ -9,6 +9,7 @@ author: jdeckerMS --- # Get Minecraft: Education Edition + **Applies to:** - Windows 10 diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 2bf69a266d..256ec85ac3 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -1,5 +1,5 @@ --- -title: For IT administrators: get Minecraft: Education Edition +title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. keywords: ["school"] ms.prod: W10 @@ -9,6 +9,7 @@ author: jdeckerMS --- # For IT administrators: get Minecraft: Education Edition + **Applies to:** - Windows 10 
@@ -18,4 +19,12 @@ author: jdeckerMS IT administrators -![Click Get the app](images/it-get-app.png) \ No newline at end of file +![Click Get the app](images/it-get-app.png) + +![Enter school email address](images/enter-email.png) + +If your school isn't managed by Azure Active Directory, you will be signed up for an Office 365 Education subscription. + +* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) +* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) + diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index f3fa5252e5..f76ec8535d 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -1,5 +1,5 @@ --- -title: For teachers: get Minecraft: Education Edition +title: For teachers get Minecraft Education Edition description: Learn how teachers can get and distribute Minecraft. keywords: ["school"] ms.prod: W10 @@ -9,6 +9,7 @@ author: jdeckerMS --- # For teachers: get Minecraft: Education Edition + **Applies to:** - Windows 10 @@ -18,4 +19,13 @@ author: jdeckerMS Teachers -![Click Get the app](images/teacher-get-app.png) \ No newline at end of file +![Click Get the app](images/teacher-get-app.png) + +![Enter school email address](images/enter-email.png) + +![You can get the app now](images/get-the-app.png) + + + + + From e008b3711443e3ec0c928f456753628491c89b25 Mon Sep 17 00:00:00 2001 
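Review bot: In the front matter of get-minecraft-for-education.md (PATCH 046, hunk @@ -1,7 +1,7 @@), quoting the values would fix the YAML without renaming the product: title: "Get Minecraft: Education Edition" is a valid string, and it is only the unquoted ": " inside a plain scalar that YAML parsers reject. The same hunk also turns keywords: ["school"] into the scalar keywords: school, while school-get-minecraft.md and teacher-get-minecraft.md keep the list form in this patch; use one form in all three files, and say in the commit message if the list syntax was part of the staging failure.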
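Review bot: In school-get-minecraft.md (PATCH 046, hunk @@ -18,4 +19,12 @@), the new sentence says the school "will be signed up for an Office 365 Education subscription", but the two bullets under it ask the reader to sign up and to register Azure AD themselves; state which it is, since an administrator needs to know whether a tenant is created on their behalf. The two screenshots are added with no step text, so the alt text is the only instruction, and "IT administrators" is still a bare placeholder line. These content additions are also unrelated to the YAML fix named in the subject and would be easier to review as their own commit.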
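Review bot: The teacher-get-minecraft.md hunk (PATCH 046, @@ -18,4 +19,13 @@) ends with five added blank lines after the last image; trim them to a single trailing newline. The three screenshots also arrive without any numbered steps or sentences, so a reader with images blocked or using a screen reader gets only the alt text.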
From: jdeckerMS Date: Thu, 19 May 2016 12:16:16 -0700 Subject: [PATCH 047/169] will another commit get tnstage working again? --- education/windows/TOC.md | 6 +-- .../windows/get-minecraft-for-education.md | 14 +++--- .../images/app-distribution-options.PNG | Bin 0 -> 37125 bytes education/windows/images/get-app-store.png | Bin 0 -> 144683 bytes education/windows/school-get-minecraft.md | 14 +++++- education/windows/teacher-get-minecraft.md | 45 ++++++++++++++---- 6 files changed, 60 insertions(+), 19 deletions(-) create mode 100644 education/windows/images/app-distribution-options.PNG create mode 100644 education/windows/images/get-app-store.png diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 3d85abd08b..6708148826 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -2,9 +2,9 @@ ## [Use the Set up School PCs app](use-set-up-school-pcs-app.md) ## [Set up School PCs app technical reference](set-up-school-pcs-technical.md) ## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) -## [Get Minecraft: Education Edition](get-minecraft-for-education.md) -### [For teachers: get Minecraft: Education Edition](teacher-get-minecraft.md) -### [For IT admins: get Minecraft: Education Edition](school-get-minecraft.md) +## [Get Minecraft Education Edition](get-minecraft-for-education.md) +### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) +### [For IT admins: get Minecraft Education Edition](school-get-minecraft.md) ## [Take tests in Windows 10](take-tests-in-windows-10.md) ### [Set up Take a Test on a single PC](take-a-test-single-pc.md) ### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index ffa0781017..7ab224be49 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
@@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# Get Minecraft: Education Edition +# Get Minecraft Education Edition **Applies to:** 
@@ -19,24 +19,24 @@ author: jdeckerMS [Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. (need more marketing blurb here?) -Teachers and IT administrators can now get early access to **Minecraft: Education Edition**. +Teachers and IT administrators can now get early access to **Minecraft Education Edition** and add it their Microsoft Store for Business for distribution. ![education.minecraft.net](images/minecraft.png) ## Prerequisites -- **Minecraft: Education Edition** requires Windows 10. -- Early access to **Minecraft: Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD). - - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**. +- **Minecraft Education Edition** requires Windows 10. +- Early access to **Minecraft Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD). + - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft Education Edition**. * Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. 
[Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) ![teacher](images/teacher.png) -[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md) +[Learn how teachers can get and distribute **Minecraft Education Edition**](teacher-get-minecraft.md) ![IT administrator](images/school.png) -[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. +[Learn how IT administrators can get and distribute **Minecraft Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. 
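Review bot: The TOC.md hunk of PATCH 047 removes the colon from the product name in the link text, yet the two child entries still carry a colon after "For teachers" and "For IT admins", so the change does not remove colons from the file. If colons in TOC.md link text do break staging, all of them need to go; if they do not (the YAML problem in the previous patch was in front matter, which TOC.md does not have), the product name "Minecraft: Education Edition" can stay as it was.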
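Review bot: The added sentence in get-minecraft-for-education.md (PATCH 047, hunk @@ -19,24 +19,24 @@) is missing a word: "add it their Microsoft Store for Business" should read "add it to their Microsoft Store for Business". The context line above it still contains the authoring note "(need more marketing blurb here?)" and the link text "Minecraft: Education Edition" with the colon, so the page now uses two spellings of the product name; resolve both before publishing.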
diff --git a/education/windows/images/app-distribution-options.PNG b/education/windows/images/app-distribution-options.PNG new file mode 100644 index 0000000000000000000000000000000000000000..75b3374720f1e9ce44691e561cf0e48bde69811c GIT binary patch literal 37125
zbBJiVC+VP#?{6lr7u6h6mVFnUYD~e{MP_Qk3%?Sw#P~Mz`tU=ym1=|n0C8oZe4F%vot#-+^;@Wc{I>Rgjfz_AQYDQ^{{XQ`^~_tuWUz5onWWbA)=blH5@S%gpv1S1 zEPy8~zhC+;zV>P=V=5(;oV5$r{lRTqJQVFm(zMN!ZsB{2{XZiM8Zc|8-Nthx_zAc% z8fo(a%w-7jB=XZIssI9?1r*ele_0k1TK?m~m1wLtCr>Ucu>8kLLRdU;r$d&-@bdV` zO4{_ETy-aviaG2ZVI(ie_PG%C668A)DIkN!sM3*f`09sv|3jF5+wa_=)ZbMsND>c1 z|5Av^)vo)%apNgqJ}op()+k(3;Z1;5!l4p8gBYhjoEEm(g7>Rh9|(+{kgX>`+W8&g zk&UqO{`+}JvF*UbJ^uzqcb+f2Q+*hQ9>S{~ca*P5a*QsqL>q98rE5DG-HDZhYpSs& z$N=O#;fmd<$*oi-*;yIr{Tl@eaQm^X>gbd~jq7}vRNMaToiO=t?Ad6QJdApzxqr;)BtLSrBGX%HusowoXfur^k`Y6uT2r>ah_!C1JWU%f zK2L77bDa0HSN0m)ZsBSSc;CdSKgF5@h`-!F+tUWT0jL3_Z3j>=A|fgKfA#l$#{pyH ze}E9je3NHT0%;6{>JUhWX@p_%?h?J_*0VK~RS%8wwTXy`MT-h>3!8rTCPFMFBF5*p zfGs`7JOa4lvVsNcv2aVudhC&DfeFm5*6149z)1i52b@v zu_+nQ$C6q+FA4IcasWspyDvSnL}@}tcV~CF9T7K_yKh)lUA?pp7xPhRvw@+Em-^v< z185`NV06?rI5*@%UawY#2U%XsZ}^d8Babe2lUdZN7yx9saAK&IcQzf_p;y)d!M!mp6J@O~R?J|ESs#x0CK(%^QM}-947pV?ohZN%@ ziNE>gCK}}YN_C_eC1WUWxTw}(kN38JcpPT*cGt^S&*N3T#&>SUV1gcHg zSc11$_?~c8ymD4yal9J(qt5!1q_$1#rz?ZD6}lr zny$35_WKNnRNL3+qf}lO6r^y0<&<=v1jR}8ZOnPdvthw15XNM3$n|P0kGf)r16L6w5QOGJg-1+84c@j zKB9O$P*ig8M!sD;jdVTzfW*DljhboT+F-%B>{`S<27GrRdFLk7O=_Br1F4`kouOGz z*t1tzMMR}sCHICuUQ2eb;8+laeZGF27@M)dwqS6Zv#M0CD!hc8{YH*I08D)218Jwz zD$!-)ASaBy>CobuQDBme;%huyyzZMgavb66E);fH^x>XXapRnPSDiZnnR3)N5m<+$ zakr2VX<4#0G|qjmtW7ZZiL3W?V|-Og`CcXE#n<7RVa?ubW=Bzj))yN7U)S4Q041uE zfTIYKt&c8=D_JiI_QezvoMV)gz}9k98&~5ttvHE`NWQ&<9mbBFa4Z-_M1X-2#kyJ7 zSz<=~|BNd3zf?Zh3LDR`b9^4fJkl7&Y*{F>QPE1;c9;J0qa!j;3HBmM zcUv*`V&=8E>LqON2HaHQ80hVGy1d!OgHb?|K3H639~SU;6SHx+I#8$a-*16{_l~2S z0>*{XqU!(1OgV@mbypm-hj{&Jj2ZCi@XbvW20L3D_z%WyNSJp?YDBc_bm`li)Mlm* zf-K<*1`APhSlwxdCX{QFnp}gJeID^U&s>mi)~ApbdU7ozwlD|Z_}^LzY}!=*!YL@9 z(1v)=`aYNJRoG^hT8eDlhz*L=;C8IM@i6waYSfCa zK6Ao|KikXcDl1ZfLX(Mm^708|7oXPKrXhmjVr{PO_P0ZpLcY=NQ`VJ=Bkym2 zXWJkLbR$LchNYcAVq3eV`3;!3pxim3WXgGS;)2}PWm9*Bu?Bga4fKQ~Q!zD4BRHyr z!W{nl==`>$KOFQI`$#EYKQqN#0(k+;^79>IW}ih4#Q6_NO+yThsenAsc`$+PVukwnZJu 
zSL&zGO|BzSuVAi}zAc~bBBb!ju8R3|!Zbs70xb<7lSD>wH(#>yzG>En#yMy&b57k+@*!hR-61OHuqy z(4p=RC}S{H7-bFdIdLcYic+@7z7|01q+XJ+(kI5 zIaH|>^TqXaK1*d55- z(q-$ZOxToJ=`wM^j*P7xmr#Q=zv3>cZ=jUUOK#S>P3gt1UI5R$g6d4B4vxib`MQ2; zCl8(aq5yU6CiGPtY?6q$#w#OP^^DgWOI3)V-5Z70oN32}>Hcs{#~3=rvc;-s_eCpH zthuQm{CE51zprQ+1`%Dd{a-XiAzHQ*cOrFoe}UL_ZUhP@G7hIpw0+Xy;UGWVJU?}x zjjM#TjGiu$3IEV8qs*xdHZu}ApE(`9B^Q%z8Prami)V zEQ{F&{hG<`!XI9o!74yKajud}6=z~U=ZG5jqz)_JyPL~}$J-_6A3{zg3TgrvHp{Y{ zYm@90hGNbrgh0zn`Q#r61zL?{p-Fz~M3{hogN{nqjDZ17JIgU$9O@eA8QIN0#`}wY zTVgKoGfhES@eltr-ueAF?hgNF73Yw-fDcSln3lOfzl20C623i~w2SSVKl=!DSFKWR zT7B|rC&^Wyg}Uu;^M|lveH%m?K*wTwXSK95xzpyK#)HehJ2dvvWi}!f-ZlS=+&*} zx{kfxf$-w?vewFnl%!Dtafrp~67`%%2yrS%ES+;Yo;!ig8-yOBCyl|Np*t+YP1DMZ zqs5Yat1$)EqpXiIQ2WXk@%oX?YNL}e_BQg8_4Mfq47*zbm9#Q5H}$lc2Kjq*|EBy{ z+j*m89Gu5=CZSa!+_&kGxNlvDquF>ef8CwgswQR~{g&vc@ZlXbk^SMQimaFk1N%+x z%mcxMJpD{n4k!_`WoWv@8e^l4SsthZaq%9So~Qa?Qn7Z|J)M7dpJ0W%Axw}2vN=UIE4pDk0*Px!q&48u6F z7|kNgb4AQmH-#kMgt%MjlY}CcT5+dWdXzC+I5VrQ<}JtPu-Udpb-wQK+wCoD_IoE- zW|TT>6#t=eB+3)Ot<|npnqIyuhZH5wyr?7z$bR@iqQjN!QBkuAnlzqq11~z$yq(x5 zv7hYnu40cFX{YmM7c-ng7e{frTX1|EnIxRZdK^?Nt8GD{7G~|#OZiRI_&}t z=F#?Td`ZI0N5qxV1kDZD;{&E5!5UUFQJnK3I6Y;f-vz4^1`P)S@&WxeI+P>^(!#pC z7I1MAQ)zq>uaI8`hk0{B^G)h+aDK(`a2$jrCxwrbkC*l{A6Uy?kDG(NlJ&Q*ZK)`)KZ^$;4D;RGo1eioL!$ zd-%}6nacc7G4Tmy~U6ZED-KG~O-IxxebECv0wlFIg z*nin3aa78FLPhjtqsHT^(8bsKy~?^!kqX}Zl;6@9xe87PC^U3uY>z7VQ;L7u)zoA4 zsl@j$-`XyEJVYpYaB+xw@Lr=k(;TKcg3JS5qCoL?rk~;st0YvW+mV|Bq?$?lg>-ov zcSVIA~ffnXbfB3@- z@N1BP8G{!xdRG>x6XEi+w9WgAH;4q+MflvHJ4#HXz|UwsQ^@HMa>vFW-|%@6R0_p8 zA!8U5n){HPkVt)kY$GS-cxt~nmsI#ql#8IA+Q9F;=ixm0zq5I|KuZHDPLS!k-5+gE zP+G3lkpxNR0mEo@_CVpk1U74VKc$pCB)T$$!IwfF}fM3yb(&E z0U2frr49j6_Sdm=M_#7x?^<&;>5JseLboRV!ZA8>NuCBOzQ#XsD`~K=Kib6}O#e!< zYnFHU9bjGnd!2=4sMXzETJpZO_Z;8j*naAb-HPEYJcP4e$lxPs8*1K%uy?%(>Gp>| zaXQ!ft0;`^uvvXRJaalzuPJ%vF!%ZY++F?fR+gQ@kOsB1|HIyUMK$$BkGd)fC?EpT zL29T0q)Qj+p-E^-C`t(sdhduzlMW#XMT+zmdhZrWLhl`s-a%2i%8kGOx#PUwanIX% z+XFIoviI71mAU5pzI(O^`F9z3H5`x9uU=TsNo+$*1DT99bhB!eXs1S=nLAc(z%vwx 
zj&e!`+`N!rKBK9GS6UGAHm8+eMmNI;F!*@suMX3Ed$qM+fvh(%G`7k=?~u_kj70%R zugbMw+4R!SG{QH+LYq5 zwgq_aD0t2ZQu=)}}SyKkmflP4M7H(j(LN7*=#^Ho7-vjT*ZK6FMW zvOech0&AbHkr)m1W3ZXB9bnvYSZ5$>$P9o^7R`XiEfxU>bG``O2JN6)Ls_w`@$4O>)RNzcH?G$x)_L1C z`9wjeRx5F)*sMTz9$+vIu*i@yC<{{1>uqz?DzC3d2Fz4Nv7FM?~J zQO&^|CezyRyHbm71#r$lG@?f>PV(N}+F|~JXgT`wht_Zl=y>EX(GG`#CIuO$ z>dVt^LTPf&U{>4$eUqs0Vo?zfm-(+Z4;jgNp7rLzpN;>^Dlid-=aDDLm`J#~REk>; zq?)t)0AENQFH?Vm$n&QVqj7PcMA7N!{HbRL;NxyVQHYTKV);PE#C(ka@)ND7jJJ8q zpz(O7OqmgnL+e%cAxiwTDg{%CMLA@)?18~lf^X&EHuj0#+9+F7-i^Fass1}n4gLI} z$hh3E)gQDgpMyh=2%}Yd*h%l?Fukg@nO5MBqI&a-m$8{=BXrQIX|B4+R9Igv^e2OX zS>Ex`2Q+ie0a7ko8}~iKdS_e~+Dugrm5Y+m*J^;(b{TSZ1_gj8)LMP^Tu!?z$Ot7S z`PEA{B@({>D&z~ybArJ(b1tvq&?1j-1q?;Fvoto=CQC8c_3cQScW18Lw+lvzRL}Ys z#=HcgMDd)1WLV{R#?q3l`FE;EG3qmeGqFCIZJAm%mDRfi6nbv@>irk3vG;~b0K>I! zSwR^(Vzs6aF9C55{vyVt7t!~ubY{IH&Lx2TFV31{Cgw}>L=aQv6oC+ zi;K}GboXMFk}Bnrk%nJAVsvs&kK2ht-WcPaaN3j%wnpICB}r+TM3~o-{JE-+Awbq= zt7&+xf-RO?00m(f?%wKp9h^7I8;S3$?UA*`rg-a+TFawqpmeY(hMMpe>1rtsPeqYP zfc(F#5zY$>b`!eEtyq!ZPj{px#NXh#1=JjZ2tYJThmlMn1 z25@J7v%@v8{=ow-*39A-j@*9@PJi;4=V-AU{OCnWa<6J4c^MGNffkjq4K}|&d7kfN z?fEMkEoOn%}-SL>3?hgiZMpiybmys8y zA;#c%DJ#*w0BzUQGXEMD#atbX1bky1f%aT|v{CyWx$k-+3Y|?#POz=gG2HX_16)c0 z{(7BOiS9AdpIn_)qC9*G1)7Xb8O#NO?nmQUgeHE+BN&YgIN284U>iSWAx3tDM`7(j z@AIbRjq+y>+hq+@-*z@G;Cy7Vd7olakB6;bcujbD1V-!2Q>u6*>rt{N1=z4MIj+%Y zjFTKx7N|G>HQRy1cXbx|mMQ1wP*@d@ZV<^ldJETSQPzq|#UTCynIS;h4S0s7mf6~O zSA@29n=f%*Pp!)j5`dXz5@WLhy5l@|HsG)dqL+|s`{X`_j3e>alm($Z^FdDCON z&e+|;XV2tMO=eRbh){dw`+Dn1b1<292?%HbG6@=yfBw~PGYDJLae*=0D0=_5fC66Q zU4M#0*k|%M3gV#xugnq(*1QTa{fOTt>Y3U6y&a;{|`PhM3>hh}W+| zl?g{zh6i7iFDJzc%f8rk%+oiqYFL#juPj6HW@m^r{kihJnB-M*T_^R4@&GgaC1DGM z(8(=sb=!^>d;TiUgOzV&p=Rx_pq9a$ z>*kHAv3WqK(X$YZH>9)>-ZeNUYHcIW?eYM92HqCws_5CY<-muQru!xD(OpEmySPyG z%sUS+S0AtBHYG|IKs;-X`ynmlB4q56OkzzuqSx87GSIok1f= zT0zr(Dz_&_r`ZjuIyq8mQZ9~3UW&n({f3!rG2eX$K!z~CVfj|P#v`6O`=KNS-yC2? 
z#X;@JKBJh|Ci&6`D#S~+H#CK z6hiS^WeQy`z#CYD&~&rhi8BR}UxXZ>#@E}89+{!8W=V{d8wp-B$5fwZ+12HFf#V+^ z@uk9|;%980LD;CS0bdfX$QFXL*|I|)t**aFT$f`>FuhN}6q($&-e9vFO6%M*LO8l4 ztHoxgxCL);^2erX%bN&F|2^ShRPYRk+Ug6uulxS_FvTw=VfcQ-Vs^5QUmL8}SgNfq z4=79@x>nw}`aHxXzJ+L}(u`Mkh+n$h(fG}FUShVIiy-F=5Sxaf)9cqh#<~P!O#a9+AJdj07?b&Fb@tAU zH_By@f_<4IkwHQ*xs{J0cU;N-?&s)~A{>s2i+e7sp01#wL6?B?0rau_I-mn7JaOn~nqK@H z$D!H}YF^qYK0NG;tPqu+3M~T<4rKsFv}oy$)Y8 zzo?*9K6A{9?5n>QgqWMGHy_pYc2H`6w+Br@Zp|m2$62rD`8~hdU+XJgg>Hc?EGoPO zqmPKRFU`*T6s`b=JT z=;8-yw+#Qm^n9K_ex~aiOU^6<>WybDv{$QjzPNX>*(8Eq;?YAz>c$@*99ibtra$If zoE&v1Xqc%-j91uBe;wmsmUcmPoGuztN4uiYNF&)oj73MJG}8}s&sweP7vdlnqS~_3 zQj7*$mf%+Cq4;rhVkk)QS8m;geb;$|ku~4LT{$by8@XZy5Rx z>!v_*=y@0$%1iODmduX=zy3dj+`h_<+FDQO`QWo1BkRMl;a3*E+UU0VU1qm6;j5 zi$5L~*Gnb3KWmDwU9j}wP~2Rp>0=Y&%?hr~Ja05ywDI^9Vh-?vB#@d{pj+7 zmO^92>z*oHKBW@()uDpn?yln`NYJ$0D}{=j?os99eL%4?5ecrufGaKy1aZERV*05} z4pJgY;biROb-W%8Hip8*!viEY^2kO~^@I1FFFr@)q^u>%sf%d=H5$O^8zh3tIiX+e zH&Sw*m=6CrZ#h12vvdw0F8FW{05+j61CKi!=T$x@L)}$7A=*QIlM~APv50U~GcA>0 z9Ash-(#ghN);tM^wPf_6_}d0PDu)@l*7WOYx=GmtM-OvC12*R(z)G)=QtZ~7rP%~` zgiRz@Gx9z(9Q`YHH>J7bH10$)tzAyN9kU_0{v+Tg0i+YLsqW(7*kJ4cnzA-)bZ(I+ zfFL}NLMRzHDqsz;HIdXSw&oX1%*?h^wSe05Is5f&xxYfp(^cXvBSQWlj7WgqVcXB; zTF(nG0@7u&sd$-$9j)HVv0x|52?Wz2GOrF>RUU<&D>raXc%HFdBYVi`amX#Y{yMVF zfzKEE{f0jurJA`B!qpWj*<(MqPA*dtl{hUbglc^+!~)befWenq2sdXGMY-v2LzLvf z#Q4}e-<}CDHR`BC-vnq`a4C%LEwW>-vuLr7z?yZa_iL+BN5_9Q^^J+GNytC)#2C-u z51N(%Bf{p~gtCfcaKpP;h+wBQY=FM0{vS=jm*SywVF4!qee>iCJO?W79MIL6pch~_ zX1(&$4ggvJ{%Kk$hz3JHjeFk>aQyUa&Zb|LQOx~AeM7^*BR*l(iIq| zMRPnHE(t2@;qmL53qr^Q7L=Ep4amO`I&d{Zx=&<$7FHnO5eRMm$WER%a7THA+Mp77 zm&Pw;$M6i5u?vDOkFrxLoEH4DYvZ0;;^)%PP5N^-*M~z~#2D8?D&|y97tH2mX~0*# z;_&W48RY)15!A!V;;T;NjDBFDV6p@<5^{0s&;ko=*XZ{%bb)>X!@Z1I5BOOMh+C}r z#fV5}fVOzs4;j0TX54RQgP+PH&9Jwz;bpf6nvAq!2c*(L0=cQ0ZU!|EPizYUKR!;s zP8BTN{?UaW^+?gFx?c3lLBeCv(ZT-kB5o65V`C!Q9L6A!i$y%No{UajP*=#Qu(J{@ zK{8k0xbz>x!Pj%0#_?09)R!yF?AwZpq4BTidXF(I3?)<{gw(2W4@m47N!Oz(UIO++ 
z_NpTm>$O@@-8?J-NHK5o-kDVVib^a1v!6uNH#tyWhKgg8QoSo7bd^|%5j7S~x18p$ zh(@s}!Ar=igwa~Gh`FGrI+3Pm%@8&7Q&tG~1Tl(FG!>s&a{^|bkT))FI*`!;p(lAL zD$z1wv9=K7(m1x~{6vLjdTHh&@Mx)YMc<@q;15x**nL4x-hEM3;@*79XKr9dg)A4b z>uF}4ulEifN=Ujq7K6{Jb(Va2O9}bB@xv4F8-+ESd8rMQYH|f5i)h~VRGds_qYU+g z7H91KjoUwV*%?yr5Y`2@L4y(ZM6ecZ=9?oqf{BW!)!u$md|_*P#&0JUF~TA0bn-u& z2{lFX4fo98e1r`yGHGADoE^Do?Yg0{kLP)} zvge)`vnU7r>=G>FeEb}tZ3l-tMYVX^->*vE6+@fSr7jU0_b(JBCfO9wT|)I&=JLa+trVb zJG|qHyuQ8>U$&{I#kXaY`l}yHHRXA+e3;U)t4dd8&MU3dsrgmhK88i{ z)$8AXlqd%#MnqEHG)#?uC}=P3Fw3^6({h~r48(KWw!or7Tl}(t&;~tldcAx{aD4ZG z;QrERNFN2}Fu|^6t+WtqXv{zGeln(#iTx+0DwQ|2Duu|GSy+f!3dhFw0w}HUJ-k2` zrl!sHBSW?nY(cTfxmhj&OFmCYPbwIkTgcy-3Nac^3$a0$Z8}xN9e|{a+RO_74dmq? z+*6Q)nu4`8BMxtqkcG&5s<9jQo-xe1FP48wPr&Z`UG{B!tLp+DP=NeFa*`m`tT{_L zJzqaj|;4BS6Op|r4h z;J+6elz3#+VN&fqKDy&@ZAq`CGZ-r!RO1tdX+6&}whW^LC9JkUUMf-MK}!vumx$sk zhX2Ow0vwx)5JRq*qJw(IP`|NYh3SE)LN5g@55seW;LLXCf*9v%+%4v{0Fq?=(Pg}j zY|<*LfbOV&LF4@YsOG2X^{3|jb`0VI4ZU-JH`%#8l42e8pzJuhu&>9-^@T0%8nLic zt>mpQ0LQIxui-sW#^|ZUqoS8ho%52=TU%J^YAFp;s-s zGMA96w&{KlRsHH|rVz)vEyC;8EV>&s72}Fr?=J+K7m2>q5%+80Ql6`BAB*Ug31O7( zE$jVbW@sUdz}f+38zT$M%fka(Y5r@tdOp6~W37g}pc427ZGXgL@^G*%UHOmV7**i= zA2G=~-sDRdhub{6-z^c|fLkC8AM{fdi+EU5Jyrr#?4d2`Mi=j(%{@s6Oz0Jrr0I3W zbFCM9SC|)(+*W;S%o}fCbgXnE`fNfGjF30=+#l>Q;Xv* zbBWyO<+th=)cO6%I&6_$jxjkmlr6IPSf+*7fn~o~;zXEn8WhN-qm#oN z*Q+~vHPd(B8w3>ge`YpovrXTn_hHD>0inWkAkz+)Zm>3x@NYcZdeWL6Qjhn)XO=%% zzXWu5frOMRw_qk~(1oRV0y(-Cj;s$!nVkM6lw3AW%^ypvr3Q^QB5Y0E4wBFVA^CM} zevJ3G4^m6v?QWN4@$v%}RmCbi#K!TKa8pbwE@}SWQopUcOAD2&g^xM)l9rZ3dwBoe zc(X#ZUbLUI7PifJ6>k>}Fe{Xvg9iXw4U@Amq4jDAu8>wQI=^+j=?(+WWK@2at8rlu z*!WZ5aBRH_a{RYZHqzbR4|Ts|mbj+M?gfWUq|pF@G$-caUx8AYq?-9h=(6GMBa||- z#xt)gkmw~T*bkd{4uO(uS9T*!BFW1F6*k}LpgZN`wpSpPtZY`yMzhwkB+CM1%O+oNq^yvUGM56pXQ>_1~zKA0C5V?At& zcYv)q-0^^dIhjtlGvEEG$%v#s14&iP{4KW(MBmOoKLsaP2*+SO8szz%o<;kwR?DVK zB1*E)W`Qrc^p=qG(I4ZNmTL8SvyRnDb6z#uQnR}LBaQXxz55I;kr}sUNKxDKfUjcW zPXjA&-x95Tr!c(iz!3;gf~y9Z8ejkLVeo$!BKxJAyIWm?BzZ;HjvVc$?_!vaKo0>| 
zV`|e-eKxSPG^0H_(+dQ^8Kca-90zMt03FxpfIzkU{L?}hJ%L=fgk|zhd^rPUjpxhy z2%BHvFqz;b;!c}HJJE(ln;u{x1Xu_FlyT9NkG_~dY^V>A#TfN!qZhTOsHb#=j+>FL zx@zW*0@{VG?UOuD=0IT7e~>RZ$;QOzv~TXm`J!0T7*sXadEz&lYhxY&E9LEP-{Kc| z!MO8)WG_xjbw9|(hXbor;65l>2$8b2a@p-QwPPQV@I*5j24+v$0AEC^TUje!5HO2w zqGXS^i>|P)!1|92l^t?1C*@|z&`(Ti6VOMkyl&pnc6{lzb{=&P!iAo`QI5fwVEE#p z-eXk! z0E(P8otJu+s2u|;Xi(s1jV`G7D=cWpUs&v>>e^;I*SK3&(Po;_8d#{-w5e(WqX}G0 zM@uQ*Ek-Oz2<1dM?P!9$c+HwzC|vID=$y`CSLS1yCrvO~A;#tcAZ^t5F+ol}&E&g! z1ukRWjiuOnVHw8ungt^!B=!BV4Sz0Xd7cYA4}nHIyd;#>d4z3Ob*cmU{b>+wcJ zM`r7p>YURNqa$OHi;l-t-M?|Xi_ErN$(&(6lG#+kG5@3q|`<4Ng}S~<`jl^9pAju zy>jyTI0n+G1?aJwN2JyDxkn4ujF+;P>w=2PQE@?|+FzWpCO&X20Csaa-f6wWt4olE z@`*aq;_rOizvxFC-?o!D@di0A^3IC59b$E95c(qN12tFo=NL^$U9)v`>eyr5qIMJ) zjlw5|I3N$_iWJ=Q!EIX_Bs+k@ewETnM{n1P8i`~o=YgNd!@NI*Bc=_0F#N0!2C|GB zUo`S}Z6vf~&7Rt>(Vb8G6o{Mc0Oc&%f}fpPtigB|8^P_Msu zpz~Vi9M%OF@BPmm(Knp%_Cc9vIQ89vZsHZ?j3g|QBD{o-jk~)U;2e7gq54@s^T9(~ zG7n{q$5bGO-ZmZ&(|rBtWlPNiRWWp9w0xK3_cn8ygh8DXUlKb>$Z{cwivyZGVf}ruwv%+^)P={J00!I2;KsrY;?ln3izX zWj4W^DgGpy`}55PFt=m#-~3FRGnCwiKt-%W@E)OgpHFN+6c`sj7MCRi>6$$mB~i;>VV-&!1I27ib0wb)&K1k&{WBlZAGags=De zJC2xAx|io4m`V+wMXWrwwF#_HsTcHVG38ipfQLpuXCVIuHZ+HP#AsiCr z82U;b_`?n2+iNj!Np`!v)ki&mLGtU|-5bKp;r;y4z8JK#JAUD$%B)JuB$x1OB(859p5^8lKnO;*k7Y6CAMhGgr;2 zP@b;tS5|4g&Lh#MMRANTcc2`1_vnx#BK(z`dJQo-hI>-As`>Yyro-^t3_P+_l(lXq zPU(9l_i4lB($o7OO*cI4seYHP5v#G@(Y2xZ@T)dUkf_N81|SLEre>@=de1#IhvCtN;Iz|TG*HoQ$;S))TBIc7hYFnsw08W#3LMC`NI`23+|FLK`G_Hj| zB$*K}V$uz_rt_j*s{(x}iF$MYlZi3PA)V`UQ;i|ee2FXU2`hyYd_H|S$x1u{<=yl@ zE3Y`h%BxWzH@i_f1!>2JC_t-1B}-uas6nF-)G08}{_vp+Erd4ruRt9wiolq6WAF5! 
zQE1f5Wg`zXwQ;mXn0-);HTBUB(%((CFDveK3^}1x)~2K#LydiDCZ6{DycqiZPKItp zR&8#LAqXV-!bUaOXDDlYblRoT;`J0>K!Yvdr}tFF?BXDyPjXg?4L+HVf){MwVgC#s zdMC04=~Euz*jx!KTTd#@uOG}XDK%}em~H~tUR+8w=!|XNc{Y_*B#6Ys3vR^cG@J9V z`eQ}*zY)4QIsW6jw662QPtD&~JZ=~qJSe5hhB`K4Ty1~UXf<=G7Z_nS4V(y5AOs`)smb&*_rbfYs8JdZisUe<7=*m$v} z6lqeTZi@;_W*nk9U1DRbV`U(+OK*c|6Q&U5k3F*5M-!cNir(%^JbvI%ssFN%P_+}9 z!E1%%${Z$gL&9Fsoqo2fw9pNMml^oPVxhlcY|DVRy#EXPTM$KX7y(kNB|bp&AKWp| zrRPu5ic&g?o2B3 z6SBL(DY*EyVVQTIzl|aN3r7Md_4_MCw`LvBeRMKW`GF7pS60B+w^Ij=wFa4QG~;`_ z^G+*;cTE0#;K!x?m|7tstkxgL^U zgMcLLu8Qun%1!*V7tj_p^xevx?Gzd09j7-DrNQ zo++65!XnyimZR2_qmppZ&ZiaXc%l90+y_gH(Ar9^)iQeVaOp-L`~qbruy`;XJLAtv z@+{(Y@{Kplp&62`oh>S^f&QgboOA*hUmtksVD=LoSz{%v)@MUd???qA`C%4G1(EI} z=$0dXRZ$oW2P+^LpIcbTK5JKCN>#AIZgNilW}dD<(ukbr>SV3`&y@|w1V8J+&Fk@{ z^J!H}3B`UBPv?D$#MDyA-;5?0Vm`2>Zr{Oh*Ea;Cv5@W8YLv25$2QI>^@ErQ|JfU= zF2cqDi+9zU*Ry+4Jc-|_+bros&=5p2mGn{mvzOSV_s?r}tDD~*%C$iu9Hrdv2M-MG zKJ`v93D?y-LY)F-Z?gu*r?+E?7PAI3%w(Ca_oH!C>c$pp1rxtALR7cQ$kh4QN}H<> z6pRy$m%lf#UXTsv`y6;;bqra{XH`W2>zxj1eYsG=tF2@@T(v~`XgvZ_)b z<)ih*E82&Usz+6^`S!&8dM{$pmM!7r-gVseY|X}M-g~Ny{@V6mx6CB2=vV{e&PU%! 
zm`{jnpS{f<{5^Fpux!U}C_FIW+0blqXgP(q<&-kb)&hV84W;M@AcspdtQUjk=|r zRkRY%jhb`$l&mL-33E=CJFfTwnpS;~6yBrhQ872#&io-`YhiwSaw6@()|#`Sr~M*I z)Y9wP`p0f|G*~_R0cRN$Cd3`eu%@P~&~r~iD)#*6{ql;9fouR(O=~I9p#Hc4Nh|b~ zfQYAAYTDdz&HvgH`}izEXG+Y_^;?KOhQ;XbJ7*Dv$7H%yGbX9{=9LDqK=+0?W-!;9 z`Xm!V($`zd%(SWA*LUFwqP-p>K!6yu19>(ITYGH4P)lno+8^Ljfy6lzm>eXABmslG znP2EX>X3XnMqSR#krCfhG2ZNBJl3xhe{dIJav^k}h1eN&`Kg#2BsHXz90xQOBE{sF z*{v1mvhpL2K)V5WlER!sCQ|G)h9x;};Y8@jMOxMAdES@_wQB!PVWw z`je37Ih(X1Db5p2JJ~@g57EXMKJR*PTPwsf$I;Dv**i8GA~&+qq3r~cfRHwi27+AI zteE1g9+!Q`Q{FJ8*qJ7WR!(S> zXM_3a`@N0XrW^qm7e#*jza32V(M@_=Fg42!{g1{;TB>{oY4HHhB(8hClo!@MSi2{pd- zh%Ww-{{uGl>373=*Z{5cPcmj(gzN)-yoBuZOSzf7Ry8&LMlCRI#u~D9BUbAD#)NZg zDIh^EL%~D_pFCt&u57SW7L{Bat^Oag-uI648LX4SX{Mi}?SQ9_r!PJn!sch=HI6HI z_;=KwMW0pSsV|%4bG)XI5k+^P#l$3sMKpG(OwyB!CBa}|vR59x2-3FM*{P*qrzMZx$K# zmP+6$!@~53s$Uh_4S!}cz%J#&xJAo9rEX0+|6;jYYKpn8O^DkZFRfgLdacPX%tAeU zyQig>|2F;|@0dOH9RIbH`QImJ-dr*Ln_{o<-N^hG2LAtkVCh-N-6^z7_JHsc30s9- zvqfm+f8X(C#UJsnb^e{)z1`Aav?2JvFLFOG;QsfgC--js7n~&=-1xr-|0i$4>pTL} zx!#W;pG4~Lcq#waAWs_U;BfdcL7S*Oww9>$RnBWuXXo&6*n&{DMfgBX1D}YddpUJN(32we?MCA#gD3>ALhRaGRL7T+WRc#bX>-OA;aXlXtRevDRF;%|-3dd7-8iz+oyVY8Pag zx0Sz;cxWa_*bAS#82TxNR~V68@OWV!a1Bdu%hT0cwofC(pFML4R?(zyw5H}9`U)pT z!nO;aOt~T{n0Wwzhz@;>$P3{S`JXz6*y^WJ6h1e$2-Zb>mW-tf7S;gzOW?QT2%5#h z@^bA*LHnW?KN3TMBTCo7!o3N7gj1}qM6nJ3uS;kq2v-a9^Ht8}9SDzwuy^0zMn6-qD z`H6}GWOP7WR&@88M`=k3?%zeYi_{KfE0_@wwQMpw1u5$Ugl=21ql$`(@N|M207Fo4QS-x@IZ^ZK5fYiouF>nq#)*H)bKQx{yM0z9e&B4 zE?Nt#406btoaxzMK<6ZCADLIkx}a!v?*@2UL}fm9sm3}UVg`;Zg-n$im0d^Me;n#F zTf%=_U+9Fv>h}h9gEvJs2l^6NoK|l70UeQ5f4tIxvuQ~=O4TNt6+1~c(S^rLZKnN+ zM;3xZu<1X&Q=8VY=2Zcqd#ALX2aEAY+%Ft(YRSNVl&15rb#MJGnebyjO3KU8T$KZu z02)cK{yitW+PpuvMw*CUj($)cpPhB+*#4(i!oIsp!=q_t_MYmeD`8lzfed2rJu=Z` z@_QV#=!4^7V~U?DH+>%zy_dqP-zZPyu4E-NoF!-a4>GQgYi(?t)_lOYuFv8<59X?N zo)c>!h#`c8Df(XDBq}H?>o;$M$U_v@6D413Cr4(~x@XmUKYW(2Zi)MBT@*~it5^S> zz&u|tPx*D&B1LeLUO5~SQOdvcA>of>5dFL=+xTeFevvnbAmiLjxZm|cS2upCE{g3{ 
zbA$)mAA)PIF(_{NLuKXg>Y~?(0*}o)E*UvwCv^V{(_&b&v0KXq9hcB6(?hRUen5>w z^nX0d$YsWs|J=4Bhly>6tplsynZ2sKu5TWS98!AoQ2c%%ngjyh2+rp>x3XF zkCT?aes$gWsI9_E)mx{vl)x(ITelT`zWq*TH%Sc1b{vo}`X)hOgyuzZz;%G} zD>xUlAC=j!*PvZ|hYTR!UlO{6-h=>6dJ#+KzSmJ`;@x<+;CzLWo}M1{`~PaR2J;G& zORK7yB43k4M#-i`w*&tPDJl%)R^M^ie*5^wli2$r6^egPVTIe z=PIjruf0)y(VIh{yxUz&Z2u-WFGmW`-9}5OQq}heHn;}$m4BMkcF%}RfE^bZu*EjKz>ALWYs?Nv0vxG345kVY)W+Tc=$33{~i zimO}nLc$KD>ja%{b`ehn41_4eGmfaCdVpe(?fp{1&{?s?7%;|Cip1+Zzi0zu*nC$Pqwo`^)Uf=U3e z8e^Kh^^~XtlUo8QZjY3d4}%)F;ved#%NXe` z1ikxxS>y1`FaWDb?C>=;M;7|mee5P3hSGdY{H!F^??_Ikh`a*jH_X7jCaAqGaq!T+ zv&;9^p(RWF#;b3wYMw*TiFMo(3C=2o7#D;#5^1qPTX;RBlMo#rVID42$v{FVH%D`g8Oo zi_Nf?yY&Bbufzbat=a=(Q=i26DITyMh zP#&u3N?*JZY^Q&~d6E$I#{CdZuo>EtjS-%ME&~3TP8IiufiyBV_HVCl&C>w71i8Z} zZ6X}^Y*!<0KpF@=jW|++B%9`Sg7>ZFk-HiignnzQ^L1SFSpa5M#V(0^ggVRAy8xR+ zOG@|spO`mb;{8|Kz&oS4A8SKOw<4}mw_*uAWsd-wFn7G15xxb*(f`Xb}v7qKY@`y;|5r#n^;%@DN`t^vs z8RI@U8is{-aMWcSb>D<GJ z8yFQ)Wbf(-LCe=VZe=N4!tU5AyP+QaCCIV`x(G6fLBPYnt|(UDH0Swxtzp8DmdoAp_$P?^Bzp4~HwNgf z|I;D+Fw62Ke7?b1IDAp@J@A)Lu?h=B(+bIQ_Lx*g zKX1L+47*}jz41>faFG7m|9mLS{_Ph3as!#B{XrlbLFl&ZLAi#TLScdZK?GP=dDraJ;2-J!js2^Aka=YBB#hR=8EOvURu2d>don z{_H^82Ua0dw*KUnxWC|l=6w>1CGDBGYondje& ztNteaw3q9oT1=O=)6z%u&uy=7tTjashMtwMYxF8>*N-PVcVBj$;mAgvR%(}?wAg&~ zX#UjNApU)D>nvq6mJ$>HB8RJ^D=-CnKCazH!LmSX{^VC#*Y6FHfi1-|nTu8WF21No zfh8@TH%w*-qE@I3L2NzLad+hwwqCHReH`0$M7S^0dz6QQuT%n;zhW~i*uVh3*!8c$xr_of8HMeFI1^oy$Cm(Z6tpXG3M|hILUt5)Sizm z>v?tI6|M8o&+!+~CL?+jTFYuH%P-rfc1J#VQ#_}}se2%l7)S4f-U@e@{U#Fmmc|h# zet@r`>P{bSfBM9Zdsk*xv9ZiTHU*k4-wal4zINXk93qd@nDH){d=`Jt*z{4#W+RGq zxvAY)O4w<^*@9E9-EyM5FZ~rHDGAkoZ^kaM0^J~Ry-Sjxt(yWH2+eF$)=L+i9ga>_ z+q$NOvv*L@Lh@E_m8Me_-|42H1>B%`m{&%T9GN||~xi1);2>bJ_jyg01v+`9N?RaA3J zLU_CH+{6Lv-sGXv$IkYEm4+*gU0H;6^vwq=GCB$h*ejyB982fd3B(k34w(!jWYaQ; z;|VKPE83gpcDaiQE<`>ff7D4Ro&w`Y#9k3R#hp{1-Id30k{9%=iXAqo+?VMl?2D~R zZJgz%L`e2Ev!A(qSO0a^7Ih_foo0W-DJ6*6{l&`khN6nT?d{dy1a61TR`^f(4=N02 
z@I2NLmC$ge_3*2N;~(u2_6b|D9xIQv?kyerjPwy+tabWdxBg7sp;P!E{5nJb?#KoTni;k*Cl(ZAs)IV=Au2P7=v&=`VzQL%Q=F)e*)iR%6pY$hG?$$zw3#q zpDB=Cn7igIqH}GrOe}#h%MYcr6YbXjo@$x#6IOJ6%hGPvv46JIxBi`NC}m{1-MQSv z+tXRW!Q21I)o>-N(yR8CVt;oB;46ZNY@S$8@xs<=G7bNZIVxH`j`3NuypH_GeXSAy z4T6^3tWz2Tw-k7LtC*-1~12Sl18!-(mYZaKUjizN<^WRw<;HBAypF}THOi23au zF3ulKcvBVE;>0~oSr%^XqKI=^yX8LriG-gJwCZl+jLHmZpnK}I6Op;w_t=JpeOwwGnZS+hpZg~}K_xZsYX?T34 zyiHubxNFQSRK$J0?oPlnK-cKqHR$SJyFrxw>!95sw^wz^PoAFr4yqFQUe-SQ^Yc%& zzSPV7u%|6QbB4Z?-^lif4CW&lA?WCH#dR~DZ{2|Ed|SQfyYrVI?w0i{41KusWp04T zgzvEj>Em3!{AqJSfmOz$GjvbQ+ukKJ*@-YzE>M;UEd3Us_;_#e1GicE4tue0gY80_ zxKt?)>$_3V+{=sQwB!_(bdr-`J6-9R4EElrOy+q#_eCf=?*9pN3XApS%fzJsEaRkF zoPiYkqVM(YjQ0Fg-|E~rDtR%RxxDm+ywJTS!L zK?@H#jRZY$9=6cf5TEdTdBhU-) zgPbjaGN4Ca!UX8db;gy@fpUaA`qL}O%I^g9Ee}9H(o!G&)v@EH5$>sQKjt^?eG%?c zeyhIqjSPO9Kw#XL`HernC-+kLojE2AagfRNe3@KBM*ckz!0%2zgopbiAm|9$QYMJI zKko(B9O?31v4pYZKXZUQ!n68fc(Lat$mTgEPQJYU${%Fq*LB}#02w^9A#LB^Bp=Ka zE;yk&9J>m5*l>F?21}!WrOV6sjHmF>Ivfs10EGI#=A6UfFwk4Q>86`(Mj$VTtXSn2^DQ3N|NGhr{t=a6)xB91e%0 z0B}Ne?8NAmWIB2!3-t8xN>cP%60@q=!u!mHMsp%(cjcD%m8eVELx ztOj^>F8}qp=so$Dcb`Tpwr$U=c&dv&H{pH$Z9#apNV~3$mFBibk6i;!sE(Z$G$tqf za(<3TMb5nDS^L@%_|-#v#b}d#2%*0PKeiWtoV!ULUa@r_X_&vZL%wm_3OVZ!i{zIN zM{DXjUO(8>k(P7+yjYfOir#g+nOJ* zvU1nr7PVBfa@(RN`EBm2LH}CRD5LA*wt&cv_y+EW=ZugecKh%3P`88;^=0zO!$-?? 
z@0lte(gx7+`ofUvQd!-aloc(JhvLR(8|63iqSd$l{!EiCgtMtVt;XWE->37}bxC%+ zEYu<;#co+o{@aLUjos3b%*v^=hRDy}F-0C()gkvT+4>Kc?22$gb?nsm;DN)HJe%cC zCDp6Xm?}#eyR>mgN-|R<`;V)YE+yLIe({tPo$_~?yR21CSBv$tH!ZQW#s7D=TA42_ zS4MAtz~}Fi+246omTMz()Q{##%?0<$Q9qa`w`(4QF1lZaeenVN_U$`3(>^tPXr7iM?A3Y(XzVe_{pL@5w`}fbv;L1`Z_cHnTUlz;N@1B~= z&GC8x3%#5$eULo9s?9#mF@1E6^lB#$H}G#BUMHVEVw6Ae7h|`GvVtG%UA!kLgJsfM-J6{wCK1SOSkqiW=LYNd{?E!foga7KA$H^5Z?k3ZQSIdG8T~ezS@K5#pcki1fgQ{XO zWpJhZUJ3CthmVy(N|NM#o|5x_KE1arxL{wII-$;1!WuK6Ov!x@>G;9na?L~0n$h3V z#*uZZ&)jF2ojYD%IAnaSb->nlr1ZY2lA+acd3br7tZ43**`sP@zIM!R(EF_G^220J zYqxypz>#wOlhN?SAhmGcwSV-bmGx~&xoLibEWT)eS#bXTl1TN+{d(`uU)LdBmmVf9 z7awd^;xT&GBAgz}kDg%`y@6k@`g>M`yzk28HGILm!G^@NX-@06WaLQzP_6z&Vf#Yi= zoz2RE^<8rHV;kgGr%y2*U(awtb?nsGb6BOMdPM%QuvrFF#N_n7hsx#mtd>27N6VU( zswIGRn920oQk8s{cd#~4AN})Ux!|Z5J{N`MfCV{38yCLgyRM~MZajO2jd7iK(^8o< zxI%t%>SS4{MEkS**Q(rT`O9^!N!eYA*1%+wo?h*>$D|^xE3FZ`mDP`)GC;m`^tdR@ z@w&raBdeuM@5P_rzfSfWQzOUjIY{1r!y-9x#t^-2dSqyA-0r8AM8-a_L8mOP9k8E0 zuueONWilkUJZe&}F=b$2d30VDE0PwyuS;`F|8b3_Q0HhzajAA3zpNJK4^Nsb7u~W# z&fIU9xoE>ut1Q#nr4J8Z_hNOx)#y~fAX6(cDkFIQ!+ZHujBeKtTAD8vofHbI8@vlWqa>YHX z4eEqh_ zh39yE;>~*wmLK1>N)DY^CvTZPNR~XjUf#3caA`~S$Vw$YzEZ_H;Y*vkr7PVdKRR`H z`REPL$vbAh@O@4?gk$T=adt*teYb9a}4l z^#05$SxLSRy&HVdVhkA?HO649mx%Pf3x2BMMsa7Nnd|RN%T2+Zc{=| znl(i3R%`d43mfIhmF==r!_GTmjGUr*TyXPJdHC^-Ha`K6&)L^6menoWKB;O~gRhk2 z*y+JIDKmM)hX>lUmtS3`y=v_)Zt6^F?>=rbfm^!MGO#i(zkF!DJiV@6t~hbBXnV66 zkS+}g4HlN_vc`lF=VY}`k&Rmoi+7JeK>l*86y` zZ$B!lzj~0x&&ML|sIhQ6_hP`)dVlhsuWsQ%Y14amKt-vN zHy=&lOEg%U(FZ+NHYa3LM@D9kuC}pXUQ1iJp;Ly`l*#bgn3NP1%NixlmPA@64z4sS z7fZEOpRM|eSifJMdA-0F$9KH$aJyQXS3R;pK706R*?UY)F7)N&j^~=>8MOo+T-GKN z235#6kDrjc;&8ltJh`SrK79Ria_yOW$fPi&;CM~L3Dxns!*klR$5Py5SYaBe#SLAu zyeTQ#QJ2HF@--TVCI%lja<+Z8)Ji91e%WQ2_Yj_zs7|;cyfPPN)ut z!{Klg0L6;jp~K;DI2?|b1Gu#4-h1!u<-^HY=1)5u4u`|x*d~;elt^1!oBTgri;uNN Sq0^)Q0000L0Z literal 0 HcmV?d00001 
diff --git a/education/windows/images/get-app-store.png b/education/windows/images/get-app-store.png new file mode 100644 index 0000000000000000000000000000000000000000..14ae888425aeae3fe1ae80fd96563093f49ba550 GIT binary patch literal 144683
zzoIyrLTjRd`9ZwQQ>z5H!JoX@qkS@Uq835Vpc zO$ovqZnzOU1~+2X;Zv~f@hCru}Sv$44kmlr+3e|0-buzd1KiNlvr5fb( zqck#r!C(J7GMiUojAWv)b3Mxb2+|MVsvXG??3j&w&rXc|@yAF#`4GnLxdw&p>!5?r zQjgvN57}&J+Ct>Ix6;lJ>CfXBz5UlH?AnTQK8@u4e}s=c#X$Q^6#8~!cikwUqgDs!${q89r9aNAo_-n*$i`ik?L(YkOoG3 zzi5YIZBVGgFhyi^RD<@m(LOdh*i)PT>H4w99y5ZY<0wRemM>p!$0AO2tn`7+!4LJnA#s zeFCi=hnax3`IYj+JUY}EpP@DX^@#B`{-Q^YnQ*Us9e?j&!tK*wA&w7r98^8WdufLM zIYV?#y;jYZAJTy6QttGhG=sdgNyJ`nkwk-Joe7aUd7@*EVxc0=SjNt7VLMhVzm+83 zgDu@-c=E}e80hIoV^e}Y5F%5Q$=Y~N!$j3b44LIuC>Knooq5XXShM;GJoJ~l5bHI6r+qE>)KaB)A1*1;9j(3Vgv>gfMVy=YwOBdr!m%Mq>(I@eXLw4Av$U=Q<6sNr5 zaP)2)Lf`HYn?NM?pBze|cl$8f=QX3DjjWv+ICI8KBR5AMeUxqXGjrw)w6(QbMCZ+$ zYv%)~{$&HH_6O~E{{%9+jI+kI|;jhKwGv9_;$G#qUf4~~PP%coN z&}%Kd4)zmSDOc;MHSGHu)n0q$7`Av`N(NuC+EZn-ib5rbf|fITatP8{ncw4{ox8B| z!TZs(dkc;}_9Ps0=6OhwTs`{G?by9>9dhh+B(rI3zU^07b=@a{(T&JN1IUC)z}Ps` zn`+qOjUMg~<18wk)o;3bUG2BXan0y?)#^S*uMQN1gT3}AfjxID9Ka}ElRbA#^*uYE zB$1)U>3Ge>A7@8*8PXZ;oh3S{c4rvJo_rzZEjHD}t!K$=S# z4|9+tnh6L}R!Q5#t|-3;x?_U!Sr6)2Ur#;3hnZ7h=Rg+29z4Fb2dmfauuX9zF?JY8 zj&#bm*Bc~(DA^9iQaEHuBDA4jj=vPymX6zRzYQBUY(QNiM!7*U&wLY^(uw1GFM{eL zK@sWU7shmIzqAUDI^rmN{9_+OYf~M5^!@+FpRWHsa+wt3^)cI*N8g)`j3^EHEPt!3 z6jcu-vsFgY)@YhXk#-dujZ_~@J+V*c`9c*Y+7QOB^}R?9rg8pCLDr`z`0EVGX}={0vRqzThn=OMaREfh0+*5_Q4#YXT1V5KK@<$)4-NE zM}n0^`#U~|mJj|HEzo6_e8(R|G|Y-pZ3Xv%Dyrt*2qG)a28GV1c7ilvDhnN;`Op9S z&-P4napYFo8y7BKOh^@e^a*F+i~sXyyzh&Dz#HH9GaP-|yHL(W5Gqtq4CGPtXHoR= zd+dIOk25pku+YBsM!!sBMB1~pZPO#`z{a zQM*Cj_XmUyKaO_ZiTuVVP}sSd1y$==vg9?qoV@MVh`;P~Bwq6-WLDjW{2m>AsU})K zthoFcyXz{1kDxynz8Tro_Zq9#JI%jQc*U_4#vZ)`kz-Cl-T9ZHkQ!y7PrlkpM_7hFKkU@-?c2BSJyXh^gX7}Ggx43sVApEw zUhyRavv(jI=wrPfrpY1CFGZS@0(+Z9Pmp!m&%O$Ul^WGat0})3Ti(RRvSu`Yhm44w zEq>ctEmavrYWuAiS@k~{+ISuO@fe2LI8&7HPkZ9{Oqgt1^%x%b*;QCPe?FF;c{-A* z3RXP03LOiV;jq&$K*+ZpO}Q-y@cYU+6DB6&>CrL6$4`TvsXZvuFZJlHk)TwnnBgrg zm~prruSISq`u$91vS=O}P;g2=#Y8VuX~tqm&S|qh zww9I-O|W$)m>$STxLUr@s6AGhPBfO0v@8GQuiVI#Xmr27eTMc2CS%fk+@JB$C~m5s z`_xfhYd(x)L^i7Fsvr|AAs;A`$Ww0cxhBdq3Xs 
zj(6CQ%+tp4R2x|Uh5l|72fESvo-d>R{CA=_G5~Kdg5Z?7RSgas++u$hihH)B<^O#Z zb+3FIN~3-7B^nWEpT#eTwJ;DuzH=K2-P_Ue>7OBS=Ed}cmcRQC)W7;|rv0f_J{9>>P+F8Okr*AO zsnt_jEhml6)TvV~&qaXFJhPg=B0nOGIydXO>#noaRXX!YLt4+ZUbt}aY!N2ee)OLE z@b!QEM+|g6hQ_)yTAEVmn4%RoQDjp3CRo?m*lSLL&2%vVQS*R!s=n%1y+Qq|7s>{m z?=*4K8c}x4JY$=1@3mh--^M!;V>hI2=4@ox7L4@|p|O1`rq7y-w)PoFG&EzVXE%0i zUBjlKfcc9KLphzn_B9WYi1^SD)NA+?WUB{c$b?vrv0S&pl-gRcPY42ge+K z3Ld=cw#Dx_hJ#ms*`!P7dDeAH(qi3@7G*i3K z&-iGLhu%FKh>JLWIsWh06Fwgw?nL|58eIG1ORYANZoOD!J!QuFDw=1i)o32XdPZqCq8>EHJtQp^k_VtYQO1mBKMr3QvpF)Y2@jUvcOAa`x%XntV=EB!MVZB_ z`y>-AkAOFTR5pb?JJI%y)Z(S@!{VlnH80DmBpNm%U(p^ka;G^lnje?qH$V?oo^M3gsh%O!=qs=`K!*e&byK}RYXm3(uoJv;6=Vf+_Y5PW7A4( z?p8jB0PUo*MJ!&r7#F|k(x=OA!kL3}NS295!eRW!*S?0^?zj{8{P`}_CF;>Ow}Je? zi{0z`n5aBv&8|-59q8{jjluBn2oj07WsDt&$<#=*)7;jATt>T>#%xH%$HZ5cJ7-wv zRh3s$Q-duH)3A$k*rT8flK@YRr4S;)664hF#=ZbQG8TAlI17I?h#>Ft%pgs`l_uki zGbY*SkE~K9S|Nd`Fta?GP*p1w?LFfSL|6uFSoH;x9NNUfaDP z`7A2IDC44i0oYfe8%;F!hUkyNQsrh?B2^weV}58Be0h{aD9n7SMa%rAbuaVK2#{_V z#>BEy7}CPrcH3<>mr0~Xc0>Y|hVf@JsWJ%4UzLq^v(&+#B0YNcT!W zXtK9!D@yDOs(xnyb{eEDD6kic-Uo2g58sVMVGwn(7K}*1NaHXtjQaKt`_AfUZ{ZO~ zpk+!c9{%$k7~HuNzL5GYA^KHf<4j`atwSm}f@K$e1C28;L`n_0qQ&qeP^2zUl-O2R z$%q5lk^HFL?gP1#g}q#Fsb=ssjNBHwS#yOwGu@`*+*`cbY zyGTm%d+uO9w=-NO?dqqj^Kx9Ln@Sm4Lm^<2k|I9(CT+4Z3te(lb)q`)n5kyGWG_cjm7okC7|G&wZ+s(ub@lIF z_+{dXfHvUK*q%;)*2Ewm8=qh{VXSY~tT|Y)Xt8M-Bv=)JrY81s_)_r_xzW4&hI;nU zbois!c0iOp9ke+{!lG;0kHsP;l$8JpU|nlYiTsst7KzeX78Mq@9ect|wDBR*;&3!# zD(yn9Vj2x$zrtG#l!c*<3)O^rM07NtM#Lo;qr>W_Cf6PjAV1TR%P_2bwZa*>p&eOZ z+&#fCZI@A^9r>Y3Ax)4&Zp==AZj@oPV;ctY*B43HNAJKUa0N(66dzRrd-n7+C_i;_ z_sd`Yaw9h)Hqyo@9|cYFb`IK9rIV2xJs08A3Ef4P+_-qr!N!U8ussYULQ!NZY4r5< z;?^5(#HZeWIllJ6SEK*YZ{Ya4d(c+ThK-+(deo}Bj?uTIPtQ6MY^=R(9KCF*E1on7 zi3AiIOV;Z$n*e{Aq@K?_?3HFIK(b>4NDlNM>(OvJJ5l{z7#-S!)eqc-d;WL>PCw)2 zIOUwz!CyZEBjp&p(~riovtEnHlsMS;La4YKVRYHxgg9!3-hTVI9)TIN*|x=46Z!G^|CPzlr-c31Su>j4=vyA zcndab8iG++k_igOr^qo54(OdFW!$4`I_PXNV+|ysbRRH{2WhILRWT4LlOX4{+Hn0U za<%*)Zhp&hl`@6lBg-E`U3~)%Uv>oArnJ$tWA6NgH1n`^(`GwrUBpC2 
zS_2Ui=U#+E&on2;AuRT8{B_Nq?j8HOmVI42_vUv<$Fo;Ym#&_PLHjH;{f5{hdq#pI zsIe53;Y4*_4(+po?aexKuMb^?qW3hiFXQ+&H#kUX9&5w_)kw%dl+mQP{J69X4-&1k>j& z#;K=XOtLh9fsMZcQoB(MgebhqHu;!z3MEP;b$*@(hB2uzRMW86NK)4BCSv?EeY@&@ zSr=@apUM}Df@4`XGLw1ep!Uuy;Yb1OWzXNMbE7C!b+BlVoyj1}OXRVtQJ{x>Cry(L zBl6xEda|X?d|mS9k@0KM15g*F`_dr1>FsD?pD*I4IHX|Htc<*08jGi*IayS7KmPq> zMwsZ&fy^_a=9kqm$ME0NKuap~iAKet|4rW^cSZh}DdE^7yy%!3LcTyt$^k}Ny9k#m zqBQi5_o|kf(gqp6t$++R<3{H6jT*&0UjP(Es6 zuht~so(!o!{A+lLPp5J1=SYlWuB*!vHkENLa#?>#)s6>&5n<5B# z;zl5I8Ga`uHg$0i=FV-zym@UlYEi0?Wcee=7Axo<8MBki+4V53kF+yJg3VhWWwa&{ z>l@|+#=$z}49w@#Cbf(&(?cixUm15`RP*@|K*U03%chO!+0%_M8;r)LMwH3C)~s5I zRB9BlXta9H!~u*$WMmHXY@!)&r)sL?X}@-uiNZ4pahm|e4A!rs{je5uAJC8S{^R=h>xY%2(n?-#(z@N``G)7#p@7ZM`iow zVPthcu6oFU z^vDeTbIdbAIV^%$A+b?TN>gA%P<*F;v?fAJ`=Vjm|Oi9^`1PNkA>JGt4<8w4h<0Ov{XeNc_7xPtZ zq}tW-W-`#e-b^&gO^Fj*T0#Qj$rrF}ei4Vw3Zj^=kW7qVaBvUsbq~5I zTf4fu(Yd=5ot-rN?ds}8cUKp>`Mj&U(=_**;t|y714(I_CX-9sw^Sx65@C@{6N$;O z^Q$8eG*Xhw^Pa>i$LE<`$yQcn^ZG6Edt|Jo8q#-Y!@^#=DcI1J$CD=^EuxUlV9}gb zyyC3Guz3DdG{zf9c%Y>EZ*k5QyduGX&uL3w>hkY`2Au%XDY1sTnjuzLMw-2c#H*fThSqA$Xp zQy3$;3WjTDux17_74(c1(KT8`f4YJ+nd}(NC=0ot?_|a@I>j`NbUKBh4DH$T@?JAY zGg|NhCpqMFnYjzl>j_$AdZ8Orn(%_KM?yq7J8n)3q7RP8}?p~5ZIM)st z82?U~c<;i6i)R2oC2cgOHZK;7BgoE()Z;n>C(rNE!(Ln{EUgYmHWD`MQC(9}MfFSE z7o<#VCNba_n9g zd{K-P0;ohAaPrx&#>r>C0)44G9)5B)Iw@GrJpBTMqfJ<|brp8+-i4VRb5I{0MVoIB zI>0&Wm!^X~XEp~$x}Fc{ULz!X$%13}Ou4|zr$f>}FUA`^Q(WZepbQBN35(9@(r}6< zy|y;{(B23{eF)p1 zyaD;1HMr}B|HkU&Kg7C6eu9A=k0VB5>ZI>!X?`}wN$)`#I+-L7YDSotr@G${q@hu{ z?_<232hdb7ZYM2;ZWGNC6ODs^z*x@6ay$`ya=#vOrKG~zkc~5y#BRk*@l88P1hg^ z3G(}mMnY(F^drrpA5qzw?Qz-h%|!X90F_6niO8o(YF$k}(^i|NX|l;jZhiLOc;8At_phsX= zAXfAW;}>RcsJ=2dpvI3+org{>H~ zTre<_R!FQc9&`_-|HisnRxP9v;Tz%`kIPRoVSc&$X zsN_u2J?*s9Y|^b(8tDjw%P+s&hJ0j9y~ntURq9&58WJnk=B~&%!$U4yxHvG>A*h~3 zbq(J8=1UQ)4_JfhW!s=REoxA-m@r?+@LMb5onL(%{`MnK$cjF&fu|pPzcgNG)4=L5 zN>u}t;5U8e_3y#-raBCb_F~(r6$s>q`0c7!nm~zu#v>FOff$BHk{B6F+kC!gG^~T` zP~X4~4ttSHjyVaf)92#uJ8#8U_cqL5vIHlbd^R33Frz287o9Roi?U#&F3(a0WBjaPbbywdEeCHp| 
zLMgcgB?|IaUh#RXdGvO8Gmj#hi@;N&0F6WujQP;jxgOINo`^TR_j(MDlAMYaJYS5< z0`pGULP!hvG$`NrTxGQnEI(`46QFFKSfmQlvcGoic&F_ODxLx=DIexf&*Au^q6o3z zcWmoIXLqM*D>eT_D~r5)%WvO^GF$b($)M^L{pUBN;nyH})5qWQYIJw?A{=Wlt!E+{ zLOR(`IjHjqC0S+Yo?hD=7=@wAr;fRYWk+(NSrqzqLiA8`bAl{;Kdopt;gE*8yg9VA zHe%kK>Bwi&DCa468|yHfOp&;xNP?pn8!KaASlT0!ty~t<7cRuy!w<*3_uPj|U;ie= z_|1Ry%U?y5B+1XPQkeo}b_q>&5!)D2%i47~r=Oi0EkTb*0@&4;!Ry{|A+EXh`U6ff zJ|qMuM1u3D@BbTC-*z<;^>yeP7_&`&l!5cw>n(Fdqa)#>88m&waVxb_WHpfV6 zJQzynNOIB$1$^wWmF-m10Nr(aThZrfwD0gRY-dl16@#_XiEWVtrjMjXL{s7HR`^6Lvqd5w-Z_Ff#u0?QcK*WZn z64_Dw@C);B!qOuVYn!7@aFAu=xO>ZX3=VYDRvz`yW_a0C&GMU;Hl~h3p*|6}iOF^G zFzvAYU|Z8MV-8L{^A%XT;&H57bsqweIvjTVS!io%#^ZP2gmfu`Wv8Bt#t25+-n|?F`e-wK?IAEntlC!9t-;mQ#%d& zDcwrx9z1gUx6!rkW+a%0MfUP5p?bud7hu_Gmt*R}Gm%P@-q54!>ENO_J~Wfy{OF%A zL?zn^KZW+flg`1`C!T=6yay#uoOvs40f{8bV5D~k+UA^sbN}B@F-QUFE77z4MeG0= zKTku|VlT#fH;KQ@9@wPq+WlVWx!lT)<6-SuM8SD99-44%`A^?;seI88T`p6?%qcmX zN^%pYi0tj@$NEiOBoVY@mPjC2?`#RZ4fl!QD6sKxLaatY^I5clQ1fiIY+M6>FotHz zu|(8^EgK%fkH7bIbocBrvY_uxiUyNS^hVkd5gYla{b^L0G}&8at{XoS7$m{hPQ%j5 zOl@yKtWJB|gi*-R4($g6Bs^0Z&^J&-I+aI2%iR4H3?-8`{FP;0S#R#Lz&J9g74;+1aq6K_!*p_Y49ExjphrPwjs}LohHi}CFgr#uO*SSu2!w3dxxk)ckqxv*6DUn?R5$Ik#>}VAgt}IwJG_=K z(!@oz+Ie)bW7UYA8`omp;}2l>%2f<2hbi;tqOoNv{q-QB{h$szg5>3FoO0Hy5QsM+ z#YQ0JMCTuMGAhv~tXQ)K{X|-QcyCLE$A?#g zoIMTlPeP7@cxZ4Nc5ZnPkxBsU$Fp3RC!QiY*WZqfk6w+j)F8`-f>Q#Lf7(!yMTm5F z7Xtn)No)+!SRJ-JelLY!4+>=pO%|TtLn2!YB26Ni*6Gy2diuk#6-UW-+OZ|g&%#)x zkf9&O7aYTTjnat3C~Zpfc%yd;b|U0XE2&hBQmmM%T?-0wqOpvq5lrJP{L?b))_4xb zAEEu7fUZ5m*uK4|Ms6&jbjW&A^?>)vh{?eBQYn$xh#;C~kiW%J5et_r!#vi{wpJhR zx#idR(f7ZC?BEDOA}MqtZHeL|+MsOE+!}4|QhmlySx040%hUbdD2Z$k0VZ_XlsYV! 
z-GP?o286spBYHwV)I5h;jt`+lViwb+4%9hjj;`g2kZE)wIZn19<*2R`e`T} z+16+ovMrz0Cru%)iJ-v{?F_BP?)BH<_?Nv3zV;4ek^}ILjbdc|25f%p5e)Y3v7xY` zfj&I>_(NFz$V2cJvp9U|5(GkFwi!M&wNJyWd5duTNvC4bVau><*G@d~*h84w){3*v zI0Lh$PsOUo9z_4(AZ9H*63y+ikS)hdV;rmVvwf4uQlrdvknNnB1#2267zr3QdDb{H z$p;6yt^GXBD6IV&y?@GBzU>DUwcLzUG*m$}$lf+ti(kF&XqeZH2#4YnN~09^RpO+$ z2ica_Qy>lR*n~e_{SgdwuSHkq9(ERYVNcg?3^Kp7Br{o()=VnN@B>HD!sAKj`+yRU-kWdy{vh<&0YEYUdbxWh4i7@N@Z&Jg6CU{Zp-10(u&S*z$(OPYI zTOY~bTI|oWv*6J>4XExY1`JM#Q5b&c*qGdEbGDKAa1_vR?Jv1+m2e& zD2OZdXm`OHH>v#Ls+%F z59v%E^QJUlPJ0~^k$_F8lIm?cneN8!0c`0W#L;tG@Y)mR;G{)U%>RvD{d_*e%qcUh z66(nM&OdfG&ZCKieRyK~0M_mtq#45c-NSftTfdQ<10B1r;U#HfPB`HND*)}gBTbE< zU4S)I_5JUEAHV$NFYTFj|GnahEA0Ne-~H}hyDnU~I7sk2xAugjqQLI|uofWBw7VgUHJw8^Js~MQl3Ix$1hXz4hPGzxp4JM^jUaIq9bZ=jeRqVu!jqx2jNn5sT#_C5O!ODm4Lqo`i zSDkSphWom(c7>ijfCba1;FRN+p=;|}tXqBu*4%pw>dRvYW!Ro=y#bN@4yB5MNFszy zH2>KWSqZ_K(Y1*|-Pf8WU9yee$4m;f`jZ*?vp*xhCK~-b6(zeCqzKE8Cb9P68%S^{ z7=uL{RD zBRi`UidyLt4$(gnSIyxmkgOWv5?iXpO$5i5H6M&&K1&m$Wb&5&@Va(yzcpjYvvBq` zPWs22y>RkxqM?7|jST@Q9`sPF{dBfcB2>UB$3)QD;KNAo0CsNPE+s{EE)eZhnG!v- zYsWD8e60E+BjO}eoufl{{LkjqXcCa}i+P&IH1zdHuzBr9G=)5f2AUWP)_uBDy0uk_ zzBFA+8&VzG@>_XGCW>Gwtf|cb9DR5l=FhK#r|3f|S4X>=A45VaEd>*<^fffplSJih zB6Ky*6_bD3uT3OJ$3tj-&d|URHg4FAS+nQbaBmSHBuR{NWExtK-6j zi-Uy(f~Ml~ibO+ma+WST2B*IKT%2{$>Kp*pt`p$`V)}`fC$T#~Ho1F%SNeie3UpLTtQY z)W(^bz~kSuf!U^CbS3aJr{k$etjN=T;Ivu56C zw_Fct$-vG>+1?gy-ycn09U2_Qp6>Msc!CHA8*FF!>L#yMjf~n>_5P!Y2K4vsX19tAIjHwgHXM?JY-J4Ik*N@U@zcftN-gF*}ne+&b1Hi(i@%js7)I~%{%1<~t zfN4#BjO9Qq<1JcV?=91svAH!~jZ`>Bb*RjItOYlzfnyt3-xas2&0) zxBSxep@)Nh#6s)`&?t;PlA&Zek03u7O-_#Ry*?1R(PYG-WQHb-3>z#3uFB(7glY~= zo=f`hH2+2i(ka!k3Vi28x3cvXQJV$<;#~F>5(4} zS#sgR#WO?gfqj|$FT#d65eZ?|j1HWB>hXBfWf$YJcYgq{KK~N<`K@ce99!e{Cu(K^E#csB8nYD2#gSk{Wy(#xCLwXSN{eDC~KTl}iAW@{hl0S#a5 zZPK2>IDROkeN64bNWk8QGz61_&TWse9tJ8?(Kn)@g)tIM5<9lRV|^=7 z8tWn%^x2%9NOry5RCTdftSrLvy_GmVkaBxcS&0cV_X zIW*t2mIKe;)Z%Sv;ji6Ju%s+CIO#lCvp>}QRsPDzs)(M{ir!)dM=kYX=2SmM`!m?G zWgEkn5p^;b)^8MHStyZpEgWlvQ 
zNpjvM5y$JA*pbL17K@T6kS{Q7EfvodvbKkv<_0OwB4J9kd8;wsXTTvjY}3z*y5Z4# zFtBR_n(Go6O=mHjQYMzMrF$5iLt3_7#JR`K!C|wS*y{8JiKua_6(=7a9R@< zPH)7lwg$RaA!s63neK*R)eeyTeZ4s9HE%{^`*ePwPhUmm^e&2w zyRK!NCE^;c(ub+{j?umHar`rzFy_LAi-UqzKdf548o&Mhb+$BBJLeAcc46J>$FcIk z`>^GqJFsWx{Rn!tV%GE$W;93OF9(pJpwNMiQTCMAJoFRfcix5A*mm~#hEd1HzIp0A zw6x5`;u993v8@f+eyAA+3K#W>ad9fX}1tByZgB!J78l4wgp3o)XhWloMYL3 zNGNGP7`Yamkr2}_|0J~bHbcD7D>Whd6(s0*Z9^aW)g%6AT4^(pbm*Yd|bf?F_2N9;eLkQCQ`&5^5R7z>kH8y&Q{-<3T9?DN^?|&TwnjPYCb8@_rNxm}u48HkLabD(2hzTXjA-u~&F%4#tmJdr>xNP|62)<6oP`t4 zIvp2Zektb9orQ-Uc!=R9(ZD*9Os0&i#o|%^R?kf=ijeWTO!6hIla6>;co2te9vXrZ z3S!kmcVp-JRhG%aBq(Fq0@6}DlFXD-Pj-6J*$QT4VVT3v#!4{WSBuW5PG z%$&wV1XCKLWRMIqqZRh*of{O>(I4*yY0~0K5GH``v=(Z%46PPhoNoiOe|e; zIOZ;#Z~Jfz_3uGpqzB$?5}n(&qOY$9WBH^tu8qNnkrxdwsqd|Qw#sb8)tB+;06ad^ zDz6GjSBTF>2D&LYe27O!k=nTqb<$0OE)A`nzkVgljgnH$|LhrIquv` z*z&jNLGzRjJaNzUsMH^hyuXj9AIn|!Ad`R`i5;tF51>XxzL6`{N!EeU3C-l zvlE$e3aOzyh2}7ZhlemcFld_a(cxj_*Z~a(v^i@Q6^1io-qC1TbOw9!B!U)owx^7O zrSCZ!rL&qg{u^iP*(8t#<|))}Xjl8X>D|7jI_y~0ScsHW^Gs!`u?i3KY0fmtsaP88 zpWJMnW(^Znm^gL3bxu>ctXW|c);7#Qf9S8%L1yZ0C|3NpYN`ZV#6)&t^$Bz^&$Xdt zE|)P)*cb)B=ETf9>_nXZx=Zkm_kI|cUU3CxwkNP@(c;@Bd8SEvET(+cDh|Oy$MNH{?$7M z(LI#HgX_DnVoN_(?dZb^i`sGg0`|@r*76PA*tRE$?!hG8YJ)%zn)v*TWz#UHtsZTR zgAp4hJQDI5x$=_W%su@Lh&4|^X+H$Vg$oxi9z<}~KDm+v=Q=xQDiR8?0r$br9%+c3 zC!J5FUVoV1a+dAFlWW%Ck$dmN%7^aY{Z>?x-N<$C!AO4>J3*u5Mg=1wQkkpaUAW{3 z_`>QX``Kt}eoYE}ot@Yt64bc^$>AjG;xXjen6kCEqaoC(8cB}W9Ktx`rzNdges0TO zX#%|VNMNZa%+PEV3!fF)+w@W3up4W=>S=RkAjfARPl5inX*LhC)hP-_Y~-f;BYlMj z+A&xMSxS)UiT?Q7p(-?bCt;`GD%p}Y$(Hw0@JY0q@u+RDhGFto@s@i&)6j+aMCmU< zEPa%E_1dSU8n0?tTGgZN`Xg+|*FSM5Qj9wSE%Ymm0)<;)xRaJL%%d`GUcLxn4H%f?uXYfaH+t)!2e5A>|aw{@p@GM`F_C4A@~ z=)y>f`R%Vm2CQcYA(z+j3<)$gHlV(qo&9*d%|kJw%ZR8HRT?6}ssa1_F|g{Kn+k?U zMr=xiNaI*CiBvL$G3IM?OADrUG?Qp|;=BLxIox^MjeM7+YnHfA3I_Vh_-d~wMOihW zfg~gth+y}QotQJdQK9pDDkH@2Mnrm){!0I&os+e~sl;!kzAi@MCW2o*PfEujX<)WG z3|XDJqBv^~kPg;fvvL)-Z{C90^XD6B86e@+6ci2lD$Sa!lg;TE2p{7TVBKQHAapKP 
znVpn{OBUiym%inI1V<%sXuuRO{bm};yrwnBF{i!3CJ^r#Okqfx7B&EygQIc2o@5bw z#%PiS^bTjxJCsJ}(3q`;+R-zLv8;A13?d#5k~wN?=IR`t5q=DVsSJivSxjjl0h-2! zqbXt9p8nA^`uPDV4mpOQ4|>7W2F#sWPxrvC-XwMpiey!Z){efUO^SAjjSCn5hd=>B zI%4Wu<-$$*;J)`UrTwr$>qzua*Rdz%e7`_&iX=rhkn+x(?y zoiPW6Kp0wFkWA&UYj+p=x^}~x8^Mx=b8+19Cn6jsaUv;*`ASHV7;RX)8bgBvrZ+14 zBk)G+;E&ZKO+Uuc86!8^R?thKouh!#{6ftyP&-nhU@v&puuCgaZC*o~cQ7)Dt*h2y zV8dfre$9umYpX{7*H3$(WtqCXPIeoD!3$%jxegg{06*l3;x+faHgVx=Lb z>NUe>q$CuoM^}irREdyGQNwpK6g(vvwxgOaqwW1g{4~4}3NkD*wMYmEM|mCLZ;bbG zFXAy7KVsxG4a|p=&Ul?I5pRq{(a7ghBPn)Jfx5bSw6`^5aCjKKJ2xUbv;i}xPr-~? zb1-w}Y|NfH*XBCSTQuJeP)*cp?nRv)s2Yk^_Y2c%9vgmBHq>&&uKAygQI6`%XJsT{ z$3Loi^mNEx)rc65H*~kx)Sg+6*9@PF1UP?A-0ekK=O~4+v$Kq?optC>PebQ$J32>O z(bd*%h(>$X zh*;)WA=YhJhfjX=-Prip{j9Mio2x3#h=%_}*feiO>M`wkqiS1VhkwtW9y=yU3MJF@ z@gkSkgkP4E--iglJFAZr>LPa*0lL?`9u0M6^LeI2ZVLQv^E9l#BrRojIyBk1zpvjk zqB@IeXmr%%yygSRD6R5Cn**yXL>Q&1N>R>h=W%@>diG3E4jmF`=R=(rQ)HyHv#^%K ziSa28njoZvYwk-rS73&#r(^k~$BeKhqmlL52dDEiv?q@CjZnt1@MvE{UMZ5ERJw>X zuQN0nlT)5*tWTuL_QYWr3SW(mec*iWT&v`iSqj{KXmoQB`Q*Zdix&(0FhyfDr=h|g zp~l@M_(Vi(IV&3t^$hdbto8P!(P?jO$7oj;U;paY@bjyGjLyD2m@)52T=eb_M-FGy45*RIC_HlS?J*f30+ zGZQlwEy0EviMl=PIJ<6(qQMkL7MVozBkS#k7?BtnFxT+E=kK_f0cQ#6RoNHfAJWTYWL z(o@t>8Q%?$CE?}$yWaCo)5gd@t(21;rN2abs?!?zsh$a?mCGdrgCP|2*HB(qcNMhBE>|6VM;@*dZN?KMS283>%Ar& z8*exW_Hsy$Y6!>UxcZx4!19}}L_Jx&dP`Cx#lr#9l4P0ShIkNfIb*TSmFXSH;<2s0 z2ryGL>38=)k{Qd7t}cRUEeWe=gUK}ZjHGNf^#v!)#c794CpprNrDCYGOx(S)6Fnno z+v8?>3wv2=_?U)Go$P(dL*BC-EOQ#`!|Z*q!C`pXa$MQfxpfoX{-4)j_OcVIClf!% z^t*83;`u|Jk3^!5g7Hec?UJ{ky)BB?hJ?*2u#=G4z_M9`j{;sTfI339y}S;_WalM2 z=Eoj3%s#E~V6Ropg+J!UF-IMR#s;?Rr5v_z-B_Iu*ieTNwo`qn>SBOsEQ*fidfO#= zK&v;$QmBuIP$5ZCZ@MXwz^th=Fmu5?Jn`fjlv7Crqm3xW8c7VYY-b9#>eCa7v6o6A zKvL$XVDTnuRkZaRJ zA0>|FIRtzu1WF!u;4&0|DK%^q90dxLEH6of3PUL5Mvxv$BcG?CfEXSb0MaRBM+a;; zE}b4iCOL{M^E96uBLNw*A%=V*&43vw^NszA7YUR1zE&S zg%$zr+OgY)l{Ecm&iqD9pMM0>dA}WPQ7WhCP1J;FdL)M;+gQz|N<^cS3ptFAjIuYM zG{M)>+J^p-ew%}H+!o}UuVeY)S_}VwWfp32E>+p_r 
z+Nel0M0X_iMcUEUFWO3hiDcO^TngHjrUdI8zrRqzw3ee|W2RZEORxiw&0#FZ?}Hw( zcrkVMY;4}Ni_QaBdc@(_vTh5yyLey8AWq_=63`J0jSclku|7+d`$&4y*}M%;_xGpq znhVayZ?C)YfJZeP8iK1ojh<&PHZ+Uz> z`i4?APCvJU4GmxDgIv3Fz!N%D)H{k8}ZI>{{eHCo#+xA z7cTzFa0t%tulY4DyYzB&H2Bd_pD-b=o}m^TP#RmONaOK3zfQEkN1>Z3WU*xFv9_9O z>y~Zk-_>d3^qQkAfjxbCyGbo+ewx@JYmV2mvCNX>jMxTq>OHDgnMv~*NsksC)F;C1 z?Xnx@rSPq1Z*we<5pM*I)8`;a;*+7hVUh?0osgI4eNVDq{^;qE_v z72(Pl+v+kqYT6G(J>?vQ2n7f2=@3#aLDz~J<&(7Hn&_$B_B`I83EOa>IzLgGFE0g# zhOB~KzYPzl;gt+k+bSKqwCTm7R)T7Xg&j-2uM|h&^ViW|_NvQ6Y*$-sZ?g4U*20qm z7R_%(`>Z9D0Xam-G_|rUPazi4JRJ(BNFvGv@?9iuf=L^}4G)c&plxYs$M9GWg{T+D zpGkuA+Ru`Rv3!l-(857O5oLz%ZO?Vjyrg{C>&rOrs)WdLyXuaxc~8>dm_5yL(mVZ= zzx-u{WmB(JR)Rx4l)qJ9YVYZ_4l1>i!?nR1GfGSCk6$VcS_pl62GQBMgEEQkyv!dh z8CQnv^_kax*V00-O69uuSUWCQ=GN&UyKB2kOb%RAA1|gb|123FLGIFRcI~9 zP5^mIEb2pJv>6QzaqRBvL0xk*PCof`{QeJD;^d{XZ0?m-JnLMs0158ENYXScns}`J zYg88#{MaHPFEYjInUB?YGEMx^%H!Ul3}rMaS2&8}PB{YuLum|B_8+!v5gxqnUTodC z4y}z5i@W4@Cao1%q<6*;Nu=nPhOMOF7#_;wRp-41*WPgR0SS(igU=7lbP*H{J!x1< zLq;MP8YV`w6-s5`>Z;3Q%ExfL? zbXeuksub$g=zY&(tsNIqiA#9*hnT;@G2>;a%@}JKq0^kKo)(-he4{ z=Oa=dwVtW99qc4Y|Ks;jh-eZEg?mYY$3wrO?0Gh|qOPePIkp!%*RG(+EHv7qr4k65 zN?(oEl#W)Mcj*sU$Y9UyJQq)?wk?DLCuYV==F-0fRf&Vf&_artR=Wqwuo* z3y}z=^GSBD9>(L>|2I4o`XUvY-ykEQWlPN^F8SOWV0Vl`_6|}24sHardo1G~2~;SQ z{3cYI8tc&1QjeDQcC@xlLv!m?G}0uRIuL7`!X9x8;#!&=siS}i!ynKNh}w*e>96FO z9Oi2w#r8XcY(C5ORV!ffY^NoVeDG7CXs$(wdF`Xy&70R_+qO06+P({0HmpK=s25?M z_Wl8O>>0x-JFso+d24cZf$cJBlI4Fgonjd!kzsk73}ymNKCrws5mkR$Risv3LQ2Dg z)?;Rw<&kMWbYBgfjwP5VH<%`S&p$<_L~>Rl zNvTkXOVgwY&=txP6xLs}y5DKU>o@Pb85X{z9ur6DvWLfEmh z8#_pdZ7MuTrcL^08Y&d(nlf&`Rt4#=No(GS$XEhNI%&5WN0pFdrO2ra?NHt+NhQWJ z5UR)QB`0Fa0@m53r{L&Q&&S#4yczT7&cFqyF2gw|oP@(?&O|-yxaPbK4Ue${!T9hS zsc5A$qZQ!uK!jzcI!YN`%&Q~7GA7~9^V(LDc|zjW_T8kjC3ZYizKmPNhj5|^OO87Y zOO85;)h_{mD2l1Gr(<|j=d=|V9tk)}cOgf=C7YQ95gZ$q;`gpjhcty+#b!!U1@sI! 
zBpRGZJb|Bo?X$S=#$VeIl`Y+7Wzf*j@e4a_cuM4Aj1}7|kJuP31pL*>QQc&6r1uC- zUyQm1CtBsscWpp!+vB#Jaz<;MA54siR)VVTS-r5WhaXF}$Pb=*!DouU#ssIdBp8ma zNoMFm4W=d`kFr;xPivSxuYs`~wyxifpWOBr97Co$Hh~4YaN**`g`>f_?zg|eTQ0eb zy<9b9YAf_@vq_hfVrNDpP@34NZ(H+EbOLdVZNP9cY3)or(SX@AW@5qO#b}y3!y00V zgst1R;nBw)MmY(aDctYVOw#M9vMVKOB>ocrlY;35f9yaH{;K~C*z(? zk0B9_n-C9@Sd5O0;q*_hMai3}_IPVhGS$p!U6fZVu7UyFd*=_Z^14r=KH7*Z1&_2@ z)uqK+xS>v-1VMo5tX@kXi=1eZs%_0rH}bc{H2XDoNCZOT_p~QJ)LyE0Y@JQEp(=}N zZ<+ZlVMcP6V=uhDqmA!@EnBvloQ+b_XlwmQybjUE4s6@88;yxL6594-$}}TAsdN@e z$`@NH6^SxG%4n#oGyl5xbRm@*Gocla*25DoVz|GEBTu;;FT3pXDB7vyA{rtd2Lq)` z1j!lllb}>yF=vb{nUyLr;HB(HGawSBd{Rzm0=LeM($2pcI+T44K}G|bYN6-!n~yc8 z#72|k5B>9LKN}69GGjD4Q6*W7w^Sq=?$YyO5cLf~L_#I(+R=@n!9kWAJ=rI9(v~qD zjFaMJX`nw0f?(VjJ_F%X1;V&c&M}K7K<=fl4Dg+(l1IuKk`#9I6=+Cp$8Tr%nzd-4y=;emk4jV$Y7v)p@s+`LZKI zS09g(Jdym6UHA4TZEu_c%OW{az`3tK4_9CN#{+6`4&5^Gdv3+1Rgak(FqPKU+d7jX zhj|@!)<9??(!g+A;A@+26|R`;QV*1S4$UhH)=fZ`HLjyHTYo1(*tFFBcGdh})NoDvf%!ZHBf(^1dMkWh<0XBL% z3Z{$^c97CK^G)4Vz89ex=1CTzK~HZl279_OGT2A^y*61gJvNFEJ7Upr#I}r2XR>U#^Qen3{9+b+wrxRg zPp1))1RME01y(tiLVs^J_Uztn!bMAQPdMRJw9TA??%pA`Np=ReL?33J{Smfz6hDl* zh>6-D5iZFvFI#vcC+x+R^MlBAK908LgsnIVQ7CFjZFRmzm6Q~7S(|5*Az{ccKgLE! zkfiV!p#T^f>c_y~0Eycm`j}4b>(j?P>hJ5r0Q07w>6Ne@86Lzif0G(M8XGY`GU+t3 z8O_! 
zJoEW1W=xw((w9O*EQY$e1miYFS>i)o+aers@+GKmTR?YCW?1nb5F%+JLf*2(Ije%N zKsSsF^R&8wqV$6Fk7PqSLhT$ZdLv2dsYqMGS0pxCj%_R3Y{Na-s=!~#;mC!WLg7Vo zT^UU@jfoN(<0X%wwOQ zG{Xp~k|$Ea@?`u)5^VQtM!QncN}>>rG(4;eOrw&c;~11y#arpE>Yi$b7DOUMC?xQu zq137EC1_$Z$t;aDGwB^$FtB+WdRYJK8m8jpb6$sVb1UkiF|?g{9ELl4&>Cg=Q|^iw z7mH*3#B_i)WiVx~kFt46dlQH7x4uR ziE2^Nz|b(JPMczL-*#@_D&EFA6te|G+9NN|Z%~Sg>f~l^rpYp-olK^TWk(%>*T3;i zlPYHp**-YRJT2wiv}Pp+`H?gIp8L@_jyMm!#&Kw=|J@)Gs?(2$5>{@mGk%`48vh38*@<4-;gGZxH4Q~Oks z2?;cx9jl;yXhQ5rX}Cp%`J4eO-Ho{j;^Iu z>h9`hPu+*ZmmP`LrY4LI_FKb0d&Mze9Js1*_1ZRr%5Np z9G|g+$@~gahqAF-@AwJd}wcK!Lg@aj3ZCK6sbIY zm4vTpTNH<9g5{s`l5x<+c(#!p{qTC&zKh5(U$wf2xy$^eVcLT>KSl(BWPubw+8wV5 z4ffPw$R%e#6{^T;+M@b!d9V?W_m?qMa0Behrk+HN*vK^z~P7ddg z8Z9B2%<$O=iQo|HCqtvKS9~#i!M1J!Fk?8R3bR~0OVe$@~UuDNU9u)h*mc7LDjAd z|6>ta1~{+@!7}z?SNFV;(O9P0Hp^8%#zUPszBV}CRlT8WU6|YI^J*CO$lmEvoBPE` zcx1mCF~=7dE?m6W(03V6)ZzMTuf&@#eha2{BrrUfL^B&vX@hNuiln7J7O{CE1@<5# z?EQC4pNY09Q_#Ym=iIq-D75?-N{(VrS0}b?SWiN;6=M`G>IBB45op_qKp=>wrbZ;< zF*c^^ah5TbN+Q8tqc$HMp}^`JNm7vHF}!u17;GV1l>Ip0YFz z63}dU)#~uMhBA~U3Kt0_3fELVjgT*HbAnQXdnh3DIQw&3*yGi_24z6C9jjfMxGj51 z@M=@TpDT}ZP#vV&x7=*p|Jsxa2SIW_@g5vY3U^DA_*)w^MhFYvJa6kQBcue%`d6O z;+Y{^w(Q=^p1;ym((wl+G&QQ;D9sf8BsH=prJzWp64})Qk`I#OfO1B2Xn3vaMl#nD zFJRf?0Q&drL~591PI;r8+Z!dhAyJV7dS-Nxq(U1;N+YD@%-Y^Wb4TGP@uNGRCRUle zktZs%r(nyk?O6r&b#dlFiiCI%vUcKq7;RJMusq5pznCEAkL)^rIZ!-mzSEA)XJVZE zo)CtUz4+tLzlhUMIUlFL?mTS!`PY#c8bxX46Ii~x2O~!vfsRv8LQ5!*==K#@-7|_O zws$cN{Wx-d6Pg=av88i_pQ4ChbwaVo*XHd#*s^noL|G#?MI+9tbDEf# z8C|oNqsB+i1N0{#^|aZo`Z3;EST!SiGP*W@?f$87Ail#kq9#?VIQXA|6J1U z!i9@N3)A4NUWKc!{XLp&)gyb}Y^imsFh5cf5lTJ&`ba9&OVhVI(BF&h9Xqgf!#b>I zqqcUdA7PGL`Z-rKT#xUnYUmr((Dm;9P`fVemEM6VG|?)EOkP)SFZ=`h>?^8Nsu0`)*c;czZvm1YEzj@n?83;%FtaFy5YyE-o5FSeDb_Z7J({4b zEUo2-jNPlvW(@e;{%XHQH5jg_o5`k<7XkV)wcU^AIzQq8&7~MtW4C?Z56W z!(KeO;z4ZRvKreqJqevwABwi1VDa;_zG&qfONIV0i|L;zie>;Y=nCtJKZK69X6)Rt z0^j}SKjC-3{x96|$KPW4eRp8Wv{?v7>w#bdMSdG1bacKqe{498;gtLgO?gn!Y#R-8 
zRf%+j&V#D=^l39_--8^_><4B~s2_TzAHj?at^H+q0G7^c#2xiTl2lkk-_VGtiM`Gg-)S;yzfd=*lbztC7 zI&azwoow9NHid#9kGYE$p{aESa%0*7c^jJBry@>5uy)0Alv0Bf#w0TI-{)aZl+9ly z7^ifi&?|`$rP+v=OnalAY`#pwK>I|rA-*!`8Zmqw!=>{Xp?rmLCl;t*A6Pxa`yQob`pY$K=+ny zXk>nSq!l9JDx`+7XP^tmyyEjX?3Ev6oJas9ylq93kHmu+QX>MIdm?#f?3b@K$ya4< z%YC#WPU;I9&AMR~LR%xtB9%nBI83*!OXUQDo*`&W9Z&}^JIr1$JI7v;0TK=78A}q8 zFnL6%gzl~`RV{|Cl|@XoHfSVq%7aAC&-7D}@7TN+snI@$k;IA>_uvn|y~=#o?rop_ z@(;1>w2MeihY>3ANik^UYP3v*tjbUr1Os6m2^9M9;7vclPrv_7B@aO(m3_ywv)7#WgAl;qhHFh7-F z>o@Pj&b~2m`Kq>+ZZ!9{n6JQ3zfL&qEZdnlo6VxFy^Z+??AWyv?Ng^CSY}xib)3AuAx44@G)GCDoROg%&b{zLT>XdZ52(R8WCX{B3l}b)57aQl z;tAY#!|(8+cfJ|JsWKYd;>f0p2nW^k%cHTe4IlZ)2S`S;6u?8+)42y-d-hO(_F$lY z0J)4NL9#)$9;6yZ3Jvx&B^)ya5+;AZhEC#aMB5tcP)F%EGM2(HNlcmoxFL~Xqf7zn zt5B%KkYTS@#~ftxY1?n>xTBU~DjVmn&fVC)b1T9chhmFAs-?Jzc6fX-#ObFd7HcwZ zfr5VajOpyv1~ED?fMnm0ow%IK4A>mOV_ta~%FSmW&~k#UM$z!e@P<3FbMw6v!qrpA z)i(Po^^8}Tf}@D!o+pqVWN%l(j7AGJiqf!DC~)$c{7Vue%{05dTEV3ruxW+_zN=~< zqy^In-f7d;FiT7ez~B*YXp)G>$lxI3<7Y3N_A6fIX%1rr9}4~g?Rw!WF>^^gV%`au-QsAR&7Rvig?QA?;j5q$PbKf{qHT!5jhHdf5B zY?-el)MCieI+4;cHQKc|%6jR?!}t6GKmE=Z&>XI_g6SUaf)>$4NKl8fMO^mbPvaHm zeU$YmYZ^ZN8MC2ZB7;V5l^?nl>0`Ny{FL|&q&>~ZjBY`G$7A@@^*_S$<@eh;VVV?ClO>^LnP>9$uzv0cckS2 z{FZehxd_uB!`82~ldnAQLR@w2feFqbSw-c-g$oyl0vev~-?IZ79={jlB1mPl)3CG* z)n1{80`;-S9>&HEn`~&wAC6=3VM}n#@yFrhlTX3?g^SQJZ3cXyFq=;wGT9tL6plek z@I;~s(fU^QAoEC3um?jC)4XU$<7B2l`y^Owltqpttm6?sitI^hS7XgNsnfyc=}~Oj zunq&GN%m?(2v9&KM@f*9MPw-S>YCdzchN#Sojky}J^sWB3bY~xMmt*KK@4?oWg0cf zRb(#AUUCI_UlU@j%S@PugB2{l`Nz2P+OME{{c?0~T8n|5tFdS6a%^37FS<8Ai2mMf z>=A3IJ#0N^?Gd6=oujdOG&Q%OzNy)UnwnZ$F=gsBv@z_qjy6o0HpPD1r?jKFwb}Oa zS+aN`6IDVsLxDneQ#~%BWCTcCepDyX=1e$h+x$X-VbVs3LdMuea3)d}&^lh>Z?{EHdx4WH`k<9U1CloFf!ue(0DVg;Qo2Q|6zIrn$!& z+0Z0Y?Z~TDMXVhNlLRRDO4=`n^2&zE>>aK7B-C^8U;A;C{`eV`ANw^*Py7~zC$2~4 zk(=Qk*oxrUZ$+gLBR$Gl{m{8jA}x8wE0ZeNs=W;JBAupTnQJ3Lt(p_TlO{nLGA$kV zh-8s?lmi8XDs{N|x*uWJnpLbfUYm3qk48z@A|!YkMk4_&rdV&5WBI)|AsCILW$HYV 
zE7m#ssi8yh&uGYpXgG)MPu`8&Zu~j2qdiQW7devEBI|u57_iCAo@f(}J?(rN>%_VZdu+Gk!Qmu&`bIG_n#QPBG#5O! z6kJ1_+G{DIEfLho;I)S0V(c&!w2GSkC;9#8=oRhuErKqholk3`dRKxD@kcELgk<7rp7tlPYHp*(xd*E?l@cRM6bJZ5vkM)*G*arro63 z+tx%y_29Hqd7eFK&2`a<)Y_-!p@&yv`NNN3)ryr^zhS)z%7%spELpk)XP^BFn^e5& ziB(2kX3txM^DlTU79F+>Q)bUYP#fRHVrZK-+jiUS?&)W5w1}WDXqp90woOy$YBi5$ zoirpO?41UoGw^(&dia_4qG_K4y4@4 z-f2(w4)jvUYgi;0inDiL#86)+$<1Qa&p3&_dJ1TEREKu0gr~3(9UU`}sGovZV-%4@ zm~qH~ZNHJgILVAwJr#>Z698Gwxyd9kHZ(}$(2rp)1Mk^`?%mz!-r0rD?VT9t?nZK8 z0Dav(yzW8wo;^sW(l%dFf-O%0QeyXA`CDHfrx5p=;Ig?eiWtKd(+E-^#r;M2!W9%E z3sFD!ES5(vW^|COFsFMuyKQe9%~|R1AF}y1B8e@H&9*bOk7TGxdj++(8j0v1W}f6r zCiojj%Hka-pn2ZWDCJ2fqa3lixdMW8(m!Q>IV|3?Tg z55qnYHJYH0Leq!HXg`w2UJQS13Q1?i^1GsWGz>zk!L)m>HiwlaOv5?St4O;dl40bA zLR#7|&3h56s`zN1`4tZ|WAl@L!R{Rov%V#yKw()GnN>O$vA`P-wr<^kwQC-=tqTrY zdNPhb;guvuF+{>msE;?0WHg|V+KpfS;8VErXWzt@b*#%d5{L8%#xf*^1rlMBfa!CN zz=uEnUDml*F|Lfbma?;aL^?&dY=Mn(gCrndjw4+Plho);vm5znL7ap(?6+ay-ae7}H0wXhnnbU_vI+RK zGnK*&pku~t=;)11HeWK5YHDB)u!t}TPn6`u!v-)&fv1zO`}a_2ckRZb%b&m_4==}Ux7~`t z0XDL19N`aQNLqt|Ui9~LSwpM2C^-uF#^!n)bJUSI@#K?Cxb=4T+KM1Q1!Ic6&1{Z> zgo3*+5{8yhv%STx-hOnFVC9lSNDU7lOrdbn87JfXH=KvQT^rHAaWx6XPR6Mdh0$SD z*x*l}y%4Xt@t7A59=zEp=;^GswY zR9mJVj+sq)3~yh7j_LC-bNWo%9%RbY4lJBIp8~ATNRskgLqEgxHxlyL@fIRhP0h^~ zhR*9Mlm0c&I03U3AA^n-lFG0bi3VWC6d!i3x*p&D%(2+M;SS7Qatgxn7W%8g*LD(~0x}wwqRFI1J~W3cKtd}b zpxumpXm9PXy0>}Ft=P2sE&Y=rVa72+Vj5))jj|3!NNgg=7D6QE{8o5v6O38b6%js?vZB&L z(lu*t7=42&ti1brw2{d43}qOu-;On^)39BA1a%3&#i61DW|@^kBL&lTY6vRNI-+d@ zM6NUsN0Zy9&74DWJ8YX;wzajIW>B3G?K2n9%DJXSo5U_sqCJ~LO*L%QOY*&^s|!JP zEL0bzsftMhR1qN}(P7<4G}L2wILR{OH^^`Du)`0-8!tZaGI5vSxNza({|rQMc5GRP zJ8!;@jVT+!oQ@<2o2Ekhx@h&I^zv-3|3CKr1J3fJI`hV#?%Owa&fPQ9lY?ePql5wo z5GEQh#sp(y9KboO1M9WDYp*l*dUu`HVa+-(#sQ2?GFc#$a~NrIj-B((`F+0C{;~b) zFC>A5U+?FylJ4}qzfg7R)TwixI(4cl{APLs-IX$kNmvoHw+!($1S;ZfKoR4`Z+4`W z?dcAihpAf7f`P~6`LkM_n^MI_|KgdGI(ht%<`)e{Dy1-8z&7z^EAg6*5ySkRuC7pC z9$-M$dvhf*Ge_yBTTnYz(wwW%L$M4>= zD;SaCVFMYDh6nq4!bU0qXn9zXD=8yIB 
z20CH6xc`RLNk$FTn)w<6mfHi5)9tCS$IHgu2h_La8&r#LR%zw5db9oRnY;g1jZ$8lcD*tj!%;NY1R1swe`K23P_OOr52`tP)_h7C zwE)nV)Ux4po%>(;P9?`CT$aJAjcLAEQ3uCx7}f=pV?@;McK{~9THeKj z0X=&6r*!7zW9n!vYs_{y+t#Oa+K8^LYS}NTL%nVX@-%R=7^ZrL^r~-shw7$1?RL(W zQp%MLhD>kSbXN^*Y6dhcCuap8rL)Dc<6Rj7VprdsScf+ zS<;fhIMa0t?gw$U3*cx5^KEU{Ys-GV=036%RuGy5(`h*}xB;+n(m-$jV2~dM3N7=3 z>kSW1x-75k*A#@@?VRm2cyar(@h=-mva#fA3_xr5MVnbj0OVL2T z>i58+yRX<|fb*@-1Dxm6^Xd8Ye@6-)oO8!@`{zEQrTp6JB+QT1lYvIlMwyYQN6{#6 z8{d=+!g>`}6RjC!yav|3YpY3^>o?LU**LQME{5-RZEqcjb58av)yWQz8C<2Pt1yaptozy5Ol->C}QNgW()y0_(IUD zlxHIY0JFiKyLeG^lNXfBErn6=;P6HbPi*s(DgT$$V+TK>CvN`-gRd1$Pfu$4(q-jy ztLp0Sbk0nv#KJDbbHQVESu-B_&Rm?-I%g$6{@lXd5*1n&4#D!a&I-`WgU&)5O`7ug8?O4_~KZwp-1~CzR=% zP;35iv%02Oc352=^>=mlDAUugZi6nC2{YA|G)Q4TAp*UbQj5hBE-sX?Vm9s=eZLsIhk!+cgc{RK24hXjZ7G)z z?K^02IbG zM(Rps(g8qoz-HQYW%@4kE4S6+;;NRHi{=%q@V}-DZx&uFk43a|_s%f2%)Uv@T1{2= zH&*8{b-BDauSy|rnKY1^pS7IM8PLv$Da{pw8;*8@H^lJ3bOtjV=$TBUou|Qi&EVVh zWLI;*(YBqto-qc8rg}a-pPo<8r++gE7d0!H5=oYzwg)AL#tysk`ftr6)l#)BjA+@d z7$5-*VuZ(XRz{GF&hfyo6rUs+{f0m_8x8f{}ZhzcZ!dF?;|E;jlyKATGwrHW*9{jTJSX68r%Kz~W)R z!&0-69vs=I8^7)~YR^yV#Akj-xze;+2`Og-vY2zJHu!4>n!sLG^w>;vlw5MjMy*Y; zxDBjHAA(zxStZjMrBdugmI*6LSecUbNSG0I%7%+L28?yh2$CRA0*hHe z*5!Oy9RtHd{aEU5!w5J_Hsj`xbY^}|tHqq!%T3eAN-g#}se5#vbNyOu-{tl_q`Hwt%XMF= zlnj&&?hNv#nrYR}-m3EHJ1j#DP3NZ6R$X%YSayQf#vgNgZGRfq%lr;90NQYKGnQw839OjoO^$E^gqK491szT7u8SZMU|1&GKN>SU24;9q$f+*?2DiN#a#T zMn<)5>t+KI8}?K(#8&}GEcIbSztv(>KlZcl)s3(CPFxHQp1H=8HfW2xu1tkyfV<|Ke-li;w6Lg^nTuMUI;X{{v&t<@sa0GFTL3ib zkc z7gTRI2(g`CX3Kq#w#lCjLfLPGeRB$Iwr9i9*PZoW#{LFnR=Dj3R?#wTbn0rkp@N6B z<+XV#2BsmvlW5{%vAniy+G@A6r&p=XuU5LPQxk(DN_1v)VQSXp7i>r}%48bKv>SXh zY%GoPipAQRF>`(#go$yWOu$(vJJ8^JE|&Y@8PmsVvJlsSSD{)9JW0np!Zbo}Pp8I* z1~q2@h_?Z}2DAh2kXOPyee1VD zdgQi0R<=V@6k0c{U#Nb028k3i7#ko>6q?rjq6Bui#j)NR-wOJ z$9s0GkQmj07hk2$P1hTKmOmaX>D`EOgaF=xMdO` zMF4TdyeSteman=xIt#p@w~fI^IQ-LX#Abo) z8HGG`xDT+IVV6OEHW^bo!L$@X`fXY=@R)t#b4tbHDuzJlY}f=bW1w6v7gQ*eb?oH% zaLV`Psb!s?T+r0?qApF%m^TSsbN$WQynRoY7TvaMZ&?1_-P@-fd-m$?yY5nPb;V^h 
z!W0&R6?QIW^%T>!?HvX%2I8!e3a95g@eE%xX#;sTV#-LDUCLd_0A`TqaEu7Lz;z>@ zr&ew0iUa%f=I5uVo=?xG=hOc!DNIqFJ)zHj{2#Q!@+FU&tEF-nxuMv$?A)QTiQQo( zPO-46qlZs;^o}P1qkx)c6l)WNaX?YF6Az?2vp z*VQlodcEq+Kd#q*$IpfH`A(d^Bb=DdR9nfwWF=>VTC14mj5-a5m?BFg6XNhqJUb6>C(q_xjhXJvE{exBjJO&fKokryjP+^gSDF)mbVW zHy|;bXe{a6#Zv}o%gR_Ty0dZZxq6>Y&XlzKnghD_6|d8#Yj4o_uB-HkLnri_*S$k| z1GWGCcfYQ)2OrQq58bM~0n>p4H(M~6Y9uI__>zvmQ@ns|#0O~M6QX`n#hE#4yI7yn)RxH-e$_L#v{!T__qsj2}2 zXS3DZFXEi~U0K$-gMY75v#JUn$x2L>q5)G%8X6ch*lX#+?4m(l(qI_xO*P0AJSW(C z!lv?l8s7R4^W0^nl&sSR z`+CG#L`){JCl1p~oQ90MyWVUMOTzq;hlss{Rdv~greeM4hfs95=?do;0gzqVd+wT32kDBU*{48h!TQI{uY!sxm) z>5;VQ+&DfK40PGxY;7vT3f>w$mg&-t9eb4=7*oF1uEuiBBX?oZ#Fva9R6n0}_lABY*zk zyd+LaZ>Ur=ps{ghrP|mSM>p7*Rm#rWps3uY^NSvV$1S$SYwye2ogwp{ZKYBMnS z??3WFOb-{DfGS8fM8{Vs$+UiXe4Gs=JaK8a?n{Imf+qHD|4s{#!Jo>~59X|eq z0c)SjpVh}c{z)Ad|jt7ZR8ZZM9>x2xB)Fo>H*l)kv>}o+~=3g>lIT>joLzhKl|JO{!;)R z17w2CsjD-x{8dAsG>mIEFTy!gmOnrm@4zF1jqyt2)nYoYU|GTg#MxfE_UzJI-uCn! zoac8kem*^)o=^WK5{f;O?bN+r__%)l$KR>RC66$xjo>9gVY1@l%Bycuc5H(UWV=?T zF6!_@581d`iKk;)T+D}96BIm3vsNi-?~XBbW-}hiqEw}28$|0+<*dZnz4#ly@hv)e z5;KCv&_bSHvU%b<3oKOm3R2Pik6qzF;(G=AOedErMhO8Rt;R*wPAEb zSpqXt2_^c5mF^!UzF8T+aN^*@Hj2|8!Fx39x|BT%#lwzgjMsA9$i{_!}|v z(6o2jh?Z&^+x!B3{o8*)Ba63cytA%9{leoqG;=}U^Qw(nnOoL_Qx)BPUrF!zwwGwn zhCw}WaZdmEz;X4aM-(?W%H^wa^(};J@g64D{NzM>*WMpI3chLXHdJlKbl}?k+Piy9 zkACs?uz!-_kd1Cr!`<27FW#At+SqxK*=Fi2sqJH|f@6gVxUn0Mvo-Tt#vo>!$XqLJ3R*36C2AEp3s2TW6 zQ>PB<($Oz!>GFeWm8SK@&);XD(57rhNx%Pl->9<(kLsW9ENh^*Q?W+L)U`}|MNb^N zY+30DLG{s;CiQni>Z%)F9QIDSc=>`x#x@4oTbQ5IpzD70(4*lutMAJ0f9&#%H!zb< zYBj%VJ_0@rkj+!hq@o|yA^M+r+?i%t&b0}b+AWVsmGeb|YX&g}Hf6VsGnrd*-~Fa< z&<8&J@u%I%7^fU|_dX zR;Cb7vKD-Zdw)&Y5#UJxWSLQ@M~|&~Nu5@xqrKhQxnW2*?cJcs6Zb07T(Z(_s_ZhB z{15xy5Mxuc!e!ZS#l|m;YHPUKZB&~z)eV4_4N@>%#6!dyHP!I&EX-);=s}&l^HVzX z#gFOm1GlMODX7J?kbzLU(Z^Lc-lDJjrf=8SzMItQ9M-Cp{%SR+j=o-Xo360x#m0$g zl0;VO?iyEb_a=iC(+N$rWZ(w}95O=Yn1V27wh@Zq4syL~b-VzRKy1H5oX;gCd_Ng@ z$4J>Daf1Xr2N)Sw$HuT-T^>pIb|uuANrh<@JVV4i`4OdTWLTNT(F~2YvPzd9*1|pS 
z<(X-_@~X>h*X~*S@lP)d1ScRM;JyzUCI}Ae5;1!X!LcAAKDlDj&4QuPqt{BKhj2o0 zA#@-p2sVD>2SZW_8VC|++BKGSfUGby07>Ft7y=>2JHY$t{o(8h5&m!wKM``=!;l!! zmsa@9#6rk58x8eJC33Jk=*4VG?P{!3weiZV9aGwAM|E~t&dL^Rbu68WS}P$z+d<)i z`aj~xNS^(6hB8)B+S^l$7G*6M35#epX~Pntbhj(@hV>MFMr0&8k+Jx=j#kg=x2Xrb zw_;5Zf<{$BPtFsgX8BbGOO56%v2w)4J=Yew69K5!s@B;xV;zx*o`lTA!;h4pPT0(r zZPwbmWXV?4`q7xR;yO2a7OQnEF0wRs+L4xBJuYH4YcoH;!J>NBO82Z&sas4Wr&Sh7 zX-L>A9bH(62vc5hkLFTt>M@%&c4{I{Ga@b$Xzhsn9Zp)5;S>qlnDVWV%UVss5^aD@ zV}~LFl}*^Fgz`srr|io!5{x29p6rq?%8WC=IVdv@uYsYyAmn+*HE#Xc6CQ*kb&ooN zwgEqRh8z6x?x~YZfS`^PL>O4vc<@~HNl8Z=6LmvR5j`8W$(!dPlh;7}u!!Ees$1d)K%}(XV#X|FK)Na?y(!U+-&`n z2y|O{u6mYAX55O^3}LZYCfXmSwD&q95kol<&$3$^C!JGxs{iv-do3b@&4#LcuV{{% zs_X2MUhgz4s`rY8VH?R8ZFFeJ4qCa+@~NEL=WTM;8e6?~mA*+;SjD%dy2M7CO%W>W zi^zBE%6dJvh?ut@{^z&tlmGI`+lQSgQ$RTff)fxBaGwGV6GVb(;_o@<9H;t6rN4Uh z8Y@cBlto;a2I~Zf++uLa*}sbr8Z?4!*8_*pu!x%+6Lj~DYgDvi&up*X9Fr}8gbZS->@lq#K@rYPWM6B5?*>SBsc0_&3 z4r`QcB3-lOuo~iiRzyamAt9luhCe5P9UoEH<03GJuQ4liZRYCRtaR!ne$d6@k(6@9n?{-{nr~8(eh+8(Ewf5ecwPr+?L~Pnh z3sZCvo^BXM0-|27xM8(^N`8oFV5FStM69x-Wc9rbYm}L#rf|m;%y`QsWnCz2ei|Yias3`u z$79#l?G{tMq_Zqa+qJd`J~Ou5a9xWfI+7yHX^V+0LDb43MC`T2FdN%|B=me_XxJu3 zCu}G?Yz2LrYxTXeEBmT7tCasN*`f-sw9RnX zFPq6pNF}V9YCD^nNK=yv&L8$WI7UIvKaF zdgA4os?}!d)~j^f`aAK_sKwU|TYNZW@fdX=Wm#;LM4H#v*Y%;~od~ zf%iFkGR$-88t-FA<4H5_d_43|^`+-D7zllc!05z;o%Mt#*m1|7V3n5JF4Ng(u^DPq zWTM?`OYp~yy~bEmM^#(?#GIz1R9mvkFTTVs`svT?`s=Q>@zF6G8yS<|>;qP{T(Mw% z`7=8=t4hWKhwOPJ0;@uo7b+j+Z7S=CL|i0e_ntkL)VBg5!hVLKG#17zPK;Tl-L!hY zW!v`d8N^A%4UHdhbEE@ut@x6}h|Di;L@x6P95kPZ;TlWslBC}&8aO>r^H7X63aRY!&8ukg&DA^|=6&sSkLJN~dFe4Y0N0O?Ne~MSs zBH4%~3yNPqZbL_}6~QQ4V{grN{^)w^Z(6ioE#kIjXp8iq!OCPYgcXTOiWDe26KN5~ zxJZW*l__K$`DrMBdx@wOM10UxAmno^hOF5hqS1jsqs%E&hzG+Klri-I`y2M_gT!)8Sp$S3<;!p6AAV5hSU(Bd7*=`5 zPwyW8aK}CB3UvffPdL2%^k>}Rrmwtqvx#(@ddrX&!>+G+^Be6!M;+@7ewp^&XNFTk zL|DXxx*b);!>5kONw?j#v3${5k)B&_psIR%!8gBa-}~CvZQUX3ZA?Tbok~lnUuUaU zt{iAkM0g-n_`9g@W@=%tZJ*lhrl7|#&Q`osyDTl{gGMN#xcLn_AuJh@qlDf^LxPcX 
zR>T=XGf0=}z2XUZA-&`y#>Z%qqKTvkOWWN;yU2{J;|@F8o_XqHZA5uHEb=t5dX){0 zjaXi_7@(Iyo28ngdWlw6M22sMFo=)NZcQRp%AV?GO`V)`-u@0d=WTCyn|aNq8L6*=A3TZnVe5ciP%$&7x|Qml|oS&)2Pb%Z$xjUA5U8Yt}3=D?~zzDdL%) ztvqVNhE^7>F8`Odm#tfpV9ZFUj;K*DNZ3h8#K$CTR^%-)souGSjNu)5b))XN5_TiPc#fJABysO5duJ*4xmd53=m4ymjXr zws6Cg)%WylVNc5zHqF_dtEX-D)>-S^R<)g#g58)q+;T-0a+JVRd3l1tfdHob5wM)G zqk$-6yG6O;7B`eNZk8XAU7ka9sfQ30{HMNg&2xV9F88?Rz;Egm*SPcUZ+Ek=UU8I4 zOD;Zb{jrhg!7JHGo87*9R<2h>_7Kt%*nQ(?oa zj_umD!?xafi`+uK5{}Fb7f0-tTW@t8gG@4Q>knRUD<{US+N@f+TDH_sUJN$o!o@Zx zR!Cb-p*KY|nyREFxr3ar+c_JKvf?&`1_R<|Lo{1y@_9*qvDz}E91V_3w+`%sqS+jj1>?b~>+fh^}QlqFiYKyU&A0`4Ik2&MfHZ?t^MpV5~^*m|65I)Ro!N?c_!$HFbQDOTAw)Q|{!_Wl+fCC|f zaN<7i;SY@?e&QFZ{%UU?CGt`?HP&fc1S*Ejabqa z7h6`{y=ax$1)JSnwdP)gx>@efgca8pESZ2*f{WSEXu`*>#5N}(nvV2MGTI^% z$hVFjWE+d)ZfSop2GxJ4srMqT0>;D+D+K=9(mKjWHu28avKx$nqzxne8i|Jl!ffn}2!OGe{X92&M%LZunO z-h?<|qcYgOBdNOJ7WmU6u2}_`1^&8`o*jJf(RR!U$66tiwVCM|H+}l>V~(~}>(;s{ z-@AA3v6k|N)v{wE>MMswZS~Not(#nB%?dl1FS>YQ#LGBnP8F3IOAxB8;uBZBfv7+< z5@=?WmX10dnG`Dv=bc>)-wOu!43VL!(#K;FG=wqL1vD;g<%_OwU7E6Ov(vVH&n}x? znspn*&d$u)&h6XX{&O9M;({0YWdd(WQJ;&jP9_BX89hn@r{76xabw)kF9rn$yp0CEX z>kKpjjW3NgLJC2|Z-fem7ib=|bqGV;0EiWhqF*SGYYuwSl1UcpF?7(inRdl;66i-) zE4Fs}78`BfW~(N0>WlZShJfrhZDc5C{Up0?w=7;0!Dy>@j17&1MMbggvFB1NVYQ{M zRTeNPRrrdUWY=IQO5_8><5)oiBHA1*&=!r@@K6D&BeKDc-5p)EEIW)5ri7t{S8cW? 
z5|DGN{nl%3TiR8%?u;6L$((2c`y+MOC)Ax5!O0G#+$mvl&b@}n5=O|=RjV&`ti2>b*%En(D(+DU)pSg0QQ0X@5UQBs6~(xk>F&yV%$O_D zp8ah2B)e|%5L-F1%92Veg4dIZL75F^z;Qq*(B82Q5;N(r!J(`vW3T0d81X)&)<5GN zX59VffBvV_PWWLeuJM<8FXGN5eL9C%FY>r>m7bWnh!nXP&@ytUlnmr*iy4* zO$lr^mn4m?e%EOZArC1LdqQ#3!dZSm?-M>@VPwpVJvP8BB(iq%rj2&<<}DV_rj?iM zgB7##{Gu()%((s678mBNr?M$6Rot%O&0fc@*l?}woZTy;N`9$aS>uN9W*=#D%M<7~ z>Ehf{Jz(f8$v#}9TV(|xM354v<C)k(>fXyfsVDOF*@&)^F6UU5Z$I`xYB5Z5OfXTcaw0tmvte zYU!l>O-YdDqSntyxWv)8^erm#kX27PmdmpJrkrDgQ&JC}jX@b>a@!7clx_r3 zykl7rnvsc7HxsB`XFl69Aw>eVYhC9s%9#(19F?pswb!&B%hiud- zH)tgo{-I7Y6gGg^+WX;eR-x6A^a=q%bGpy3hX0i2Z z!)E7aMTT@OLIg1U7nOFTuq_hBH_5ELs`3?$WG0hT`q;8TWv@77b9pN(pKDA#k0h;_ z&D)xZm9}znrA>@a+Q{&*jSdal%GIlE?Yea~IXY$;2oAHmRG*uwlka=?`|RCsdAHT{ zt@&~QJ^{DF&n-QsT(_ck= zGHRsRw9*kQJ;(lq*)B2lrgI`f`QeOZ^JBJDTCz*8zs`=|^b>p5-VIi2$8c_`oCKE$ zLq9cG-^Ef&KeMR{S?h~bwJTkl-8Lg~pu|b8wi_)8APGD@V>RP;LqbdfjCDtt1?Bes zsq{py*o;&{Prd7YLJfaP&n4Wl8H`9JltmOI`y^=EmdHmfIhwT<>sPCHk9J6cY)QTO z(m-QUnyZS8M66nBT1;nzS5joEQ#C6qE;*4Xa=WAO6WNI6RwOOAGH1zQm0dg`Vpp^F zLd9Bj2~fqaGg$Xcc^$Q((Uc`7vX;mtt-8dN{I0D&`7oz;0%%!myYQkF~VeKZFuGs+#I3@PQHEIIr>RF_?LnJaS+$`|*L7|sk) zQuiopZ)bx&7ly_cTyTLSMZRv~Cv^!wJa|TZ@osqT>l25+CLE5Ht5({lMB-bu#(+G@ zeWQz3t}9|7_bOvIEnD$+BvnreiIf|bs@B-lRrQ6kYUX(Twz|r(CPLKjiBwUKn{`K!>LTRbX4}ogf-Er$aau$Pn>wbYLu?zR zs>piBM$$Qbo8x4x$bZaMsGL@hP1+&r*IIUTNTkW^9dCb^z3naU5g`o(CmEJ3@} zRJUFEu59j0&h?ZfNoGvtL|%p@{L*?BS6M6}bVV{HV8_?4kU*8NR{B`TuHLFzZY)0- z%4o14qRO|RxJWvuYYE$a#k2&X1Z1ph`Ao#6W%r78c7EZZ7ReVaC%;C9M_gHX8y8Px zDI@9w2V@r6wqe5t=a%xOTsb`P;5}FWAl3R!9pXI}gFOHI^PN2h?mY;D`or1(_TYW| zLKEccmiL$Xg$8GMWZ1s&o$uIEdC5{L#~~K zyvS3;-tzXh+nav{!3jpj0RaK`4XFL01wy6H0%N1Y*xL-q2&AMa!jof74Bg*)%ND!l ziYuIeMmvEZVTc8xLR$t9Di9Ke12~xei(h`m6o(gt2p$?q44It}5g3|aeG{HRju3bV zE8G#DcSo39kBfMrWvbLFwtH%q?b$Qyrn)xO0LLmVJG?w^hqdRdCqWIlNf$-BCP<$I zrJ~$eY}(?kMK|-Rv)HztgnPHG-gX<~R?-8>5K&?Nwxri!RabiE%C(Nj3${58h6d zRsuuVz6eOC#W0!TBWYC~F4*kkkR^vOE>2jyn6=C>0$4>!92-4L#o4qoWra0)8$PsX z^;A`P#Fhdg6G(2wxiQOjr_I>JNpm2C{#EdFWR`~7ZC2sJ8 
z@cldd_Jj#H9KgFH4)D_FJpXyt6*+Kg(8zD@@g74-kkyvl6|#9pOdNf}wo2~t4f~pu z$|Wa~$}FmSz2U;a9~VEBQBU`i`kfSUVMxl^$EaACna6NuPXvT%>q(K0%)aly5p`ms zvcaEZJZZgz@|R&mh@-x-TuNk3b&p{%jEkw8Oakc0KW1Q66;4Z}sv%NSu2toxX$_I3 zy3$lr{7dz!RrO6UV+{MUMg#k=x)Lw846!1gRPV7jONb1itx7AMlv_+`X82Ct+l3ci zWM`iFc;%_`b6;M2P*!0URX{+%eFm=eQ5!_#MnlQQer~o#K4-(lA-Al&8xqprhHI`9 z!MV~IMDh;f{NC;YEedVgx^?T^8A3w?2zbtcpaS&#`3(`m9lh%vJ9ao*0)!EbD*hob zX&-$X=>;7?D}=jprD8MFQ#LcRWMyU?bt2A2p;(==hc4Y@C&u<#G1s$XA#T~xl+ID5 zli5mjYc4jdS!Eap?joTpuj4}riw#TgvZ$X9rPA3$DObt}fd?7&>m*Trl&c@6qznOd!e4tg zyLRnzLsx*hh|BVWFp;PD!TX-zOyU%}#BMsDPrfFB09<8WjUxPmo z4U}|9bNqp@xZzM8*x$tUF2k0NXzUa6a_BT5tfCAlMH?7Z+8E+(sZLc`@K1lvNLaw; zhFMc>#R=^l2F?VLz}{t_0e?3osv$z{R!`Qu@xJ_yFw04Wr8uxIO;6!&4s$vb}U+BrYT~As$Sts3Oc$YNvP;ptEs?5 zJ|g;^NGpvAJ&UWunvUA=XwEDvq0iLprINKub?eq8Xym@9e8o0{;V*!EWGZfyA*q<2 zD}J?VTj`Cso^)SACsQ-KDZj>kdi*I?%B{6xG;Q7Cm=%Wd5{Qbs1XfDrmZA)@B4~+} zRhAYd_?jY|>qSgrcEzPvSXX59*kcd3L`v?G5w~DrysKWidiuF;#Y}OHmdlpXyC#wt zQT`ShRr}1udYf0ik4YdV;%x9ZF#e^SC{uq>Uwj#(l|y^SVt-6W#_k5vg3JTX21b5R zwxpTzrtB#bw0z9Gy5y2e?CPtpcJ8Q8oB?6*o4Vn{<~MM4Meexg&-himnw3VBZlaDrgs?v!z0a7Ijsfi_AhpFw80=gE%m z<#TvpgFAZ0^m5rtCz(V$#E?ZoJ;fl}j#{|Yj#=7j zha~3BMno_&IoE4df8E*3NR+z9JE@*L>(WGWG08Cro=MiU8M1DoYmM7VR=R$#&D=I? 
zv5I=ZA{RY|Yt);i_p45}dg=qAiYAAZh%s8Go7^G4G71;XkJ8+z)Ri8j(7^u3+1f}d z#pEVElyklIex04do7SyKs5RA_mT=3+eIl7r{!8FUINlstVHX|yFk2d4p>(1dh}j4l zGP!eu8wjNYvt9I_1R-`M7-i>08dtAfZ8u)G!8UK-X5$kRj+92?7>}nc-cy`nXs(#; zqc|qg%F?(^j*VMH*F)^Jm8{w)KJY~ea+0C=h%8|@!bXsuKmf`VV&X{;gcVyF*0k|k zD)5X0!3g}jp1=U=6Tcxx3{!sXYhQD9i1&c^fBD&81Kj%i)G5w@dWU_>r@ru6i<1Ys z$HAI7X@)D6F6wwPyU*rFam4T!JC|0Z>ohTKG#MfR3B`|%Hrv?2Kw9LktydrsNs$Z; zu%oJ**lYFmEs(TYSKorJQ+h_-$mt#YDTx@B8g)zMMEI!hid91IHtSWzN2Ec73bNDH z(bTtr<`6PFAVY&`SX=cpuDrm`h;?{av7GQBP7&43_x{s+?HzA>kJSUg2?z-IZ2-N!sv6m8 z_1rO{q(Q`{1bYh>EW35{&34nKn{DfsEfNwP8yg*Q(}WT5^y+BX5K3N{aP0*iKyA%Z z`PkRs#@pfeGr|W_1ZXsAR5Qtx4UZJ9mr7c7VaXaxRSAQN2!I-L)^<^kvaGn61o?y7 zQ+9l9o2|F9WwO}Xh|H)LE50UyCpT#I6(@$AdePos8Z{(^NmS!G%O17b*p#udZQACp z+-Z$l>8(pBG$k?GF{@Wm->XM1b^{NKCgrz;UL+xbB%;LrP0Wm8@iW$x;o2>rrf?(l z*vIk`RD--?I``1paqB8?JBxMe?5^0}o2IN^6)91$)NTt7Vc&l8lM7WwNvAoZtewnZ z9AdyJ+;6l6l7f!B4Gj(Kp4`HFr6v2u`Cqr31Tfk>Uggegaiq^ddv-5*(lk=tK00z$WBW{MMCrpH9K4F z#B(A~iJTJ#J=Q%@?~~n}>G492m{~Nsdc+bd3YIx|+!lAw+tQ7DEV3Xsl3z_oR7(xN zNK&T*;X`<+S03wIGA}a6hLdh_K}9AdRsmno!GeDhc@|4cU}lo8N1Yx@*+QoxvJyle6TEY&9VHycN7U2`w=_t9QnwaG);z;M0^-p7#|yVM&9i2#A?zE`Jh!HugQDL1h8Qw`zcX=lqsas zmld{D82WzqyWe&9kXHyYPb54bsQ3w4_4je(Ne4ru!DeMwCo9zf98Q-+~Ya*3Vh~^UsM_g8XISKB|jOiY$)19UB&B&3WScu{F1Df z6jfbq4*X5IHE!fcHYcREaFdWs-B`omwyt$dG}l29fqg^ z0s`*)pkYFA)M|A#PS@GZTejE@8#Y?0GUz=Pi$fwdIX9C7w+KSoEqbSDE4<)gn2F&9 zge1cf7z_gh5JHolJlCA@1A&83Ln!)&k|8U0Rc4C!!rpmn)mX?cVU_l*Ez~O3k1$k~ zvZBq{$-QlMN@Ut5vugNLSQ2zC(oHE0)H3Rcs#)zToNirYg%y0OdX9DjxvqwtHECiZ zDzTIVkQ(=PRl=^Omzr`Tp@LA9GyOoQ4m2c?A{GaX>%CMauHJmZi4TU8daO&Lo^rQ8 z*j<}|=tZNyXhqetABx%dVXMv7h$M~{t+lgkyDr~sHr23xJ#PIrq=xCaB2db@b}DMu z9&w^wGI@-}$0lq-geK0aw`mFAo=Azp=p%rXZx8_TlYHbLUk^R>P&dT$^Pm5mVsJ*j zxP#;XPXs*Kq-+t0zC3XUDZ2LBYn?3&Ww)F>;Er%SdEgqqmV*e%qK#Ce@f>bBn#+JIzY%cN>%7J!;bl{CLz)j(1c+2IR zen%l%dPL`h*r07BZVb8A8Cung7%Nku`yG{`{KxMImgO<|+t+(~hK-NgqC)wAc8g(a zmw)mPjUn2p_q_Yv_O`dYOKH1vf)i#@1q1}#X8-}&u;F@p?|a{C(^JznJY2N#u~E0O 
zDf`^e$g+YeS^_rRW4I%eQIAwTf9!J*Ts&ieHV%Xn0u=*fgbocKf`|qYcYynYMq3U3 zK8*q72#vww!h$u_s4{yg+OF8{`6X+r0i8%R?7`{X_MF0Yd-TwhO{|tsUL}E^Pg}Z> zwfw4##j{C+RobqrqXX(6p{1RwP1#Z^VBbI;BmJZ3^ zem8E7YTKfgorYwtGq&!lQp|)?TL2H#8H+lK;Yxvmx2F{8&626 z6Zl7YGQ5a8PfYQHXP)rjmgmbgJf4Vfcv9oT^Ky?f&%tuH9QehV@SNriGNIoLqafh9 zCcgMdyod{DA1}xqzo}FH8FlZ>Cq2>Ps=slSQP@$Ll{yL_z)SUgJTbaQ8q(K zkPe1;5+eGl@S->(5lyC95B63Q(~v)`w^P|yuSA;bB6YgQ%sU2$uzg|?NY=<<{UbKX zWEK-cUl<_A_i1Qcx*cH>Ig$Tpa@;;p$^(FrdqZRz!)1s^Tpfaj;>lEYC>HqvQ6Ycb z>ePx~+-a6nCd%J@HfOm^%0yk95jxY#n~GDjEC1wAm-U~}N~u_|!y_(^WT6?=_jt+0 zmxgKL0RaKOJwQ+}qiM^QEq2gB>zu$sfOx@2gH7+3Yt;L!iNk_*sNoTyXlyVb2EOO- z{csH~jjP%^8d$dui2Tc`p=G8GwlNGvuv#&G;g03y<+ZLMF6fa;e zB99fHwpdDcQSC4rTe7NfMuef5wDgFC;BegHqj9%4R7T_}y((+z@tp3ZEI(eb6$edN zZmeMWQ4FmILa1G9Tdh=6Pg(7{hzqtDZTa18cCCXg&wR})JLjw~p2r?h{hE5~O$lg; zl7!M3S5JP!da)f%wLX_xuh<_$JnDP$!LZg(4 zr`+%uZrG!X6_4GzJ$%Co8zXro-F|WLFYIxTdz>p9^7xl|9tciAK)`(vG)xRBF&u#q z0SE^Kh-+jeK+x1M)fcS{_BlItZg-j%+A!YdK7thC$#2><{NQ~WZyNb{FKXFD)^f!W z367pk?c5=Mc3Qbow?tPx&aQf*YFJqpglV?zwi@Hwl0Ch0qdls-#U`Uz;l?bgR=!h_ zfM1e;pX*s=s%*9G4XbRfTVt9%sMNSCJQmE$NHx#ZiO|&R$N(hz4%tWZ{;cZ zDSw=BO^fUm)zGI0YlNu%b^0vXM(zGMkcsNvY=?cfI4zLfet4nXU8Inr&EZ zy5S6ldm=S`2^t6qLWAKghCM8oQhq3Zn#yAdjZT!I2?-vhHzT1mtvvkxswY@7le3A* zywaL;&lyUAYWCIRZ$#;7EA36?S6zguQgI{%tp(Qz8EjPe?S}nQ10!(C210bkj{YId`~6TR}eI7I*jyJn_K|z>Oy?%Y`84{qF&P&l45S{DxFJ zdk~ewV39nAT?Qlrqv%w6kRCJ-2w(UE?=b`=N^Pu23^5{&y6t8MKJf`pvEi{{324Csh-&0g=E)r^(XTN)Y}+qOjp19xhDzLEU8M@U93i zdyBEu0b!zX8W_UMFNMuk5Ulm%w6LT@`O3zg)Z4n;q9Lv6+>u|{j!}LXExY;>5s6d2 zumy!Ep7r#ce7xwQi|q-Idx9gK`E+Sr)95BL5;ke|JZpX1JH6Mc&5Cs-prdVu zd+N0R7L_ESSBpt;rct(&OWW;)?v$;aSg@E#ModDa*H2ip(r`y#B%)V`M5xzU?Wmh9 zkrP*XiXtK`*q2fN6f%UsOqva?8neuB-Wn20m8}h%*;KN&-izyDEY-7gPLUAtil-2! z>h~%+iL9=ZeUTdpwWJz(#f>c#m|@k`(OytbUBm|P3R^X>4hio<=vb2`F)D$U6iI~K zv}0D?F(*GnT12pxvLR`J;^uYef3l!|3$XkS! 
zJ4;}3kpCPEDPi1AxiVD9JCv&@Fx*G5`{6>$2vClM!5I?7`ZbqcdZ}|qJ%Bvnm#-WC zj4z(teK&(id6v#*-0)Jl%6dzzj2si0$ts=*f5@52OX*;(9Jg4W zsuxDRG4fksHS`|ciDIT85`m47;wi$rP}R3FP}^7ngJh9$w|cSMG~{1g2No_D^-eczOkFI&REuV8}{5D;*m0>TFJqK=olrlIl&ZPeCV zZ*>9_p~w&h_vyXTc6q_ZGY*6x2lo-AxX50Vai&~x?63vDxthsElcRv ztuGTWVN`2u)^4!b7B} z8&gj@-?bG7uW%%(yI7WxQ@oa1R{}&B1eLq`%*}19Lnjam8M-Eu|@e|=-x-4?yMN<0R-p$oUfORZBZu0@$?~4nY z@eQ(NQj9b|Qi&(;#HIu>!LBqiAhT$GbF|A)5sum}eScR^X`mQ&`YrKou2|dI*Y!&% z=xRk~JKP8t>1|3*z6!~s){1VytG?}pR5hLc1X{)}O+M1Q+5iK}wh)RR7eP&;7o@7K z(?5a-c9{l${q{8lDlascv_DoEVvZV^5`QdTm!CAb=1H{J@#c+SNd`)uLo6i`< z`2H~HoOc;r`V6K{_L=0nM-|)Ufcx8}Pd^k#WN++?c_ysd`%L}s){Y~~1nl4FYrIc# z02}H=e!9@m;R+K<{Vf=9@2)^?D=cL}<|0x?jIQrYBi6N{(Y5ApU1M4ahKQ;6r{zV* zY$Ihwd`XJ%!V?=-mb13{<1a$HabwTykxTT4nAphFGS6$lz{UyT|DZ`xv=#QNE$!vK zO^S8}k~mbW6oFGa;(ej+G2xWGgO1*=hGsy&P+T`evj#zf11?(+~dvFEEP%YjsJFniOUR-hsb`SvyNHQE(sq47Fxu5~4 zI{b=XG?l%WXqDv@9u;rX59jebIG#tE>P577>vyl%OOEa1t&G|_mcL+7WeD`Qg4qdi zWZo)~Y+v>Oq~G;R2SEiAczIw7a~@Th)}0Ttwk=B*f3r%4zChL-#oGUxV6s7TiMSlQ z;ky9_z5cpp9x3Kor1`O?#i!;Ky8O88ubCeT%riOOHN4>-HjPUppGnZ4SF?EC_dXI$ zMy*O^yoIU8KZdhu&q%2_>M4)J(6sg~uaei(;Co~rN;4}qmevnNqG?9BiM_W7?Zd+o z;loQ@;>mNZZ#OC}N{Tm$!-FeZT7^!LAS;d)(VVfLE*i6)FkxfiDqQwp(E zAmk>PtP3g~E>*zU%{#mV-wu9SACLenQTgm=)xf%5Z@+)}U&*yi6`mF)>wbCCf8QJY z+g!SCI`ATvAKfH0Q0C5aEA+eE-39q(et1H7ie)1GBjQqa>T1kFrS@FnV3i4TWgSIj z=nxFcEB5V{5b~$Hb-6=p{6UcqRNh18-L2!$5%*SYd1%LvT+Dn)OWZtfkC7*xObwV9 zU)HPbDBgP>8~N#{#k^2bsWsY*5ME-BcUx1V63_us9o}32D5trh&01Tg7rHjU<6Urq z*I+Zl(==k!C1;*}g&v?~{jRdKTSGf%qjfj2Z@j^|6g5sEiMb|Ec8E@QZ|~D*|Hf$7 zp$2?IGlCR{lu_=O^ZEJCjkOjr?ROnpp~c?dWL5X^A2`j&^6^eQK9}@#H0jNzwAMm< zx*2>QQUMdXdVCfE}V!H4ThE1D_zp1i?vt zvzZfVKdemVwF&Va#{5~bedOL5L7`x5Rsa;{uOgQr6}_ytT#~BP7O6%z`B2qKDwBx# z^zAYfQIl^Z);ewJ$t+iG<#NYaPVJdUXPo7M(A9p{ZB2P04MPuF?V4)Wc$A%o-vU8wK2 zZ~{56&v<;o@~u7xOEAN8Zm83&Sazs9eLoVqdWOLWYdVqo@~PXoywLwD=je56Hl=$ z=DUV1z6BSWub8&wG8&ig`qDvN1(%q!7PEyT^TH#Iu9ZsW_UeZwJM*VZELd02hf34D z?9lhhvL+_RJP1OHC3|Qx#Fr8?QM$^LoOKp3L8Y+^t+^6`i7}%$S{p3UEBR^iORCfm 
zs{v-4l(1Ay!m}jL32r(iyRxOTXwCuec=N8Va@RZE3}+zBPr{PWL0P5N5% zCVqGbcrwGZ;S&agHT1?6tk&HEu!1~!6R(w0=4o6UkpmeW4*UF%_qEl+sT!PgdKKDs zu5f5BD@}%DpXv6Q@!q<>)I`Vj(~z@Z3{zlm@w?%W)ARQ#Gwe7Vc{jzBL>z9h;iJNv zc61KY_eXAV&x>3(7M+!RVHbhYH7Thb#g*Y&(~5sF!x@C&u;J@!_asG-+^g@WGJM@D zsXKmdKj@lVzlYq0hCTmRg$>?(ye^e!7U(D5 zKdv4HuX|hNqOM37ZF(7*y?d2mgQ3R=_Nf*)>Eo=sr`IUHjDhU|?iV^Ko35<2{+?mnxhMOi%@00o};fHFF$$?RCg@lMyMg?#OX0I_hw1bn`jMYHY~Il z>h_gZd%XFTIi0E)wXDE+gO9HvTpIH`kk%hRI~tK+=(=UOfSE6~$z3Bjpc?5#YG*+s zd%0U^I!52M+$Q|xvNOU0HRt<4$=4myO7?{+jim3Nh#I)Ld7K}TGw!lJJtkF(FeS9G z#!IZRu&rmP>aTxJA1_YJKrdacV?gt6{cLY(tn*Qb=C#;c#84bE;?Z!z7-o!9wRdfn zqdgq*qhYqgfgI|awdEM8^fy8Ig5d`+Ms*H9A;cQ7NT7=+0CG$2(IrpvEZ&y_1?>nJ zw-qnrnWX-yj?Asn?Oe#e2XEBNC8cMQGbS5d(xsRzy=A8pDRbP$N*~3vi2czWq|;FU zRja@MiG!N4ca6j$0TwQ2+2I8%t7z1w+0h^*ygL9-fRaUVnmb+&9^yv;dV1xi7EO z&U!8KDtx~BrEvY^$sic%6D)Wbpe~j_q?vHge{Il6=8^7K`#QsQ9YWgZ8ga81Mv&#r0iaBO{~q)_N;ime&pdpo2|K- z+8oA-O`FXs8?g1$PeroG{B1*doB?gIcLCM-pEGNHpfEqgOQJ&SmSr<5GNV^)bk(a$I8-ZCQs4{Wt~tvOMX?-8Q9}3|InDgr(08IX&H@cPF>sf#~hd+z?1#X zX}+Jul20!&CuCvET(8nN!1fk1mvmj)C)I4F1EdDy>a1hF_{dUITwHiJjQI0a1Cg7% z5D7hEI3gM~cLEXG&fXjKOQ@R20p(e}N6$SaieZS%$~B-9yG>w|9^^radk%+!mBJ(# za3v71L&l7hOKc1~Dcp%i#xfZ=N6CgC#+tZn(1?CYOi^@9J^mja?C0 zr?ZdoZaB<$;BPwf&7iq=)x6XF66aFPF8xWHY(AZdC;Fp`kpz^8kzsb}RW277L!$|u zDxJo?b5ab&3LILs!w3HsyUChvtznBd6x$0n-`-%LG}>4t>cSWkf=LG7PG+R3ilM1m z05L79IoZWIJiw*~DN7CBb96pO{3+~92~_?a=d$-2hG@UW8PXBt(I4%#_Eeli%CBEphqMTm+M0qVwf;XU9cDtuum5!SZc z;NhC9N0>dw5vLBBk^T*H| zM`!-GsWD7DMOEFi#}z8al(~g_JHNGP!Nyc-1|h}sWNwxOzy);sOL;FQ^u0(7k*?lB)T=QrH5wy}nH{XnUlSe{KB=DsD z6d%en%aqmwPElZ;1tPy>G|W*ae8XRXT)!vn-tjev(QNv|*j~UNc;+IWLGSBo&*A%= zcCVDU52z(`Iz!}|sb7-(b<9zT_h?%5wuWPQP-$tNRzmi$A}R~^UbvvaSI)F9 zk=14kR%_xs_YQkq=enp5dg7%_bOJ>K)4kE{_EDSzgmOz6#S2Akvh1Vhi=*tgpe;^BNC>%#A~K_Fg*(oreI85Cb4I znAB8f1jvUM7gzoW`6is?YfMWQ$Lb#gw`2S=^y{@{ zL#lC2)%L9MJVG9#V!vW#_I;YRW*}LviZUi>l`i>iGv}I(lYc`{Vb-tvHPK_XZFWK7 zyO&0nT=*ut-=1posJG;$`UVz6U~aNud-QzSik2x^iZ_jF4-2T}{SisVP5vg>;Lj=@ 
zO(HsKjLWn#{Lp>`yEILk)dw0YD>P=tiV*to%NP^(;eue7v#;eZzxj{L;<FaMzN=*vZ%W#1)4uIa z5RidQlqpJs6d{b*NM`;S_xJ5#(vk}e1c$XEnO2f-Nc>a@F$G+W6F5r)wx z@d~Zbas4S!u|b}NJ7FLf_`%NH_K3Q^sm4#kt5bJnwt=noJ>&cC6QdGn*=fMRZMTrg zX}|9e1^4XukjvIti@W#Tr)^|k`N9vIyhq!ESMRv}MY-Gv422%aY+ z({0a!Rk7^W=Q6_0f=1%fweXYq_4M-QHG#A3(1Vt=3_dOO)TQwYezPh68Q7hKk%cHc zck3PNi~CLN_**D0%6-PLC5j&XK$hHPA>CvmhkV-`yHvALoDqln5DTR0=wxI2pPlRr zAT{r-i~a)NMc1Uf4>E_Jp5{84@vya6PK`lTN=LFg3sxphHD@2)Xi1fq%zJ1OZW6oZ zj5LdDK}1ojx7}LDSn`Rf<#g{uIZRnvQ_EfSZjl?SI}GMslSG^J%U)A%X)J#hOf2%0 zFg^1;76Fetdd2YV9>CKH`i)iGx-8dZci-!ayq05mjRV?2VLW9SJ7qIUo&4!C_6&Be zJdrDn)h`#f3PePp8vgDl#reF6B2fo;S_QZPm3X638L%bnGs7oR$T^yTzYVnf?`yG5m63pF>}Z*(qZ3 z{b9E3A49KgH#LL_Z^L8|a>l{g4P{8keKah=z1zXd;Ka~^P#xR4;cR_^0u$~7O|AaY zO(fIy4)Zv@ftw}m__#xg)>VfUyV=fG{r3|%;$WIFh0Hf^Jd=NWm$T_rFqkYD>nQc9 zBXASg>nb5tENV=)jOz)}y{?*Li^{6VnNO>+T`Vxyru1*>(*VJ^rO?S&6HSujcT;$r z!$r~Z-zJwPB5p?h>Jbfd`i#A_4)Q*(t`X(LEscGPh;5|hKa76o63n?td`6pjzDhu0 zp;E8Lg!IaTgbeZVN_MC<4|L_cmsN{ll})2|H?m)V%Yz+AzI`woMh!v~OB3Q3^ur7H zZZsi)^*nWgvgU1NvkRcx+m)i@srzBd zo=1xpYR6LT4KvAEW0_gp!vPMW^^Z}!Kk_6y;nm)YAl#3bwABEjM+FKWKSYmne-#ZG zlri!679I8J#-;)hI+GmwheZX~Sa=R?O?z(b+Cvjfe#@lS`KF7O-s*e`LCrEVXuiBC zO)Yo2!nCN!*Lm=^B4x?a?OSmg{D9x!wBJAwVTOpQ;}SX7o>8qZNy?Cl!+Dh=I3M`6&4TAb+QYk__T-l&M7{FpMF1>khzO@=-~EC%ePIBPM!-WQ zz=fZLVm*)~=+Ngr7te4kqUU#+UsEY7tdr3Ayall{ zw_Cz8pw-l|pxVOEFfPI?l~gxm=fOJb8w+mR-?5jg8@l$C%Rc zJH;zVO_dv(NtN}n;o43Qg*Z$g-8~12PUT7A_+K4FdYr%F7@KlI*t5WR#faw z@m+Wcry(z)UbttWz7(FX$0O{k&fj}YlHSM0W~uGfcY!V@0b`CeQS`TX{&OgOmhP0+ z2)3zNzV`of@rllP;Q!ql^>&qa?~L9=$b z8K?X938H%T$Yj~%FA1YSbTDWr^}A-&{&mXgNz>;?{4mKt?FQPEx!9b56R!Nc@l4<( zw%8QleenZQ(YSyNqfeum>Y)kEWPDy|?U~0GyPjHoMHCzn5FK99pR99Rr1J}7;MqrNG@3&E~4xAzgnQrTIVy!$nM|d58NPcCkZzWRlQ*6a7_{chjP=WOWS zE;=r4LPp7`Eco_Kh>1*!D1V(Im}xSFzNT`g+C}5BAX%Zg5yGntMZ*7;U-XHjp?cM! 
z@hsq=6W>XUlFkLXy&su=nc~?=ON@k%vItuB7|%Laz#vNkVvGE~2RQG%Z)HbxaE>T= zR?0QV|6>3HB^Dg)vOA!Xe+G(O5&_^@^%~FVcaf7ru&_@JvR~D}KeOQ=p2rGrP0qav zpA|j4Ksj^1yKSTDH@Gj+f86&rA86}72NUZR&D8nQp7ByD!80|Yg>2DJ5&O>ldeQ*W1q4$tNc_Q8atSx_0r@(amo}rP&^5e_M8`I5ufAubN>v@V)4F zuThh_!B3oVYZYrtE(w<$6SlIN)rue)0n)7D#vUncNu26MD^^PTRu1AEpXb@t z$@<%_8-oWee^^#W4@Jd3T7jacD%^fmKlGQ=I~7a)@oh-sqCdxNTSn`S1yg%@p1#m= zUj49>xkx8L5e${u5mH|> zUoav&yx8u?t$QsXr#&~-P~NpaWtg=Pmkh?5Op2DEQ+V7G%sUj4ad>3q13-c;NH7aob% z-}`0yK{Eb4=O9o}auCj$;koVUkG#ZDjeNMgY$!56%N?-uE&*_dc->R#tP`Mke)#FV~nJ< zXqE|oCjUgsD{xrLq`RUlA{ME;fYqZg{!Eg^YPe>JUFWYtFZ6L`l-kx6I##{|4xqYM z8Z}vFg#upANHWt;o2=ihU6;tKRQq;m!sx2cZOjLkW6D2??r$nzV-?SADvf*&ezbTy z5@Jc=tCkDzFx6icE?g*c*sSL^X1u$XkA=PNOh*1RAo~lQOX22wz9;TG9|JxSEGA@H z_QxM+niGeIG%qOP*fpA0uZgb(`Zd2EpH{LxJou*q&b*p6MS!^#HeaH957zlTO;EG+G@n<2>h2&a#*#1pjiEr}y7Q;Sk-c^5v0AmYvO( zoGnus(`yR*~`i$G3X+hNX+(V7wUi@_90DssQ0To!Un?$Dvs zrzWfe-aJ@%v`w~F)|u<Oo~-P|tbcT*jZU*PZm%44zaoNFbMM=d(I2HLH>AvbUI=W?eQkwVD5=u=#r&HFG`?TVcRfO16*Op678x+* zd63+*7*`lo(aCE(GZePx2zV40aklS$KHA{VCe$QJq;=7Lp*SDXwqPk^Wiv=Y`dSwg z6XDVMBF3%9@uONX24t=b7A};Ill=N=^w12y-uilb;ZJG59>Ky~JLU9H0?HgW!WUFn ztGls~mC=-z@55|CO9tR^4|<9WBNuyArSJeb$M;V~{Wxi(4-OfA287Vz6X!tpjS9?F z1>O6fH^*{L76#J0cMc=SVw`@?aOJ?dgg(i2t+xdDj?zNFDU8VGNZW-zsv-`*4Ov~x zU2;Ci+9RDza+)Q1qnxPd$61J*(Bo3=w_H$7@l`p0erB3N?eGZ`M}9j}oF27Oa#a2Pmz}03-gd{2NWm)S|!z%%3MOeqS5s zJH?=zjX14i4(!Vn7qNK{=|)Qh;`hcr%V-4r`u58cdW-%q^oyBo~2C4Ez&4sete zv0_c2>+=lw;uuhIJVd3{gyE3eN}#n54!x0q%u_owW{B^6@|izyY|s{W&-2?F?S>3c z+w;u2@(PwxaoGfT4U$3EJia&tTzAof%jsAry@$TK540!L4+Z=o>pZ+ET?zQowi+kZ zv(Fr%w=1{7rS8c{=LP|4txl^oGKqS}J>8c&G`UWS&xrdiQ$goo$}=A8kDNY-#Qe)? 
z0Z+Ih&>eDcAr=q+RnpKht>bf6^D$wL0>7PTixn%~6`dg8N4f0uSe8_(7@Fwa$jv!+ z>pjE4eIL1`++cRy^@^veW_q;aaTzCUoWDj->bujAhYO?9)m|z91wyfVt-pcI@v(A%v0!wa=;%ih-&z0bg#eADu=%_{KR>`Z6 zKX=?OeAoKj!G}yLOST2Rbx$YqHH`vK)6Nhaqqb$dT-9gOR=)>*{S&D7OV~@#G=I-2 zug_^jZF7ucc5C;GZ+Nv2P%iyXy1iVX1?#qJOW!^_dAYvuLd(i_GFBXByS0N@Sg&|f zv%kgnfkQ&O8VT@3oYjinm6*tZ9bPVzv=cH9JnSqH`9w()24t=6qZ}FELppd_KxQIr ztZZRhSq*4f<9~cAhX8N$OsM@PlH5lY81S-ARAR0sBt(0kw@D+G@2pmypUL&XF@P5u zpF?#V_g&;}(7Mf-;alnJAr8SA{E@Oai=A+I4;6o6C>}JX)}h`*>{h{N=#1Ku!zX#& z7Lr?k9_Mr1Vj*Z!D-M0@bN3M32+6Pg20lTzy^5eR`#4_1Zf72`mFf5Rb!e#%h1#~@ zZh*@6UEOy)Rw;M3Wyj7ebr`)NrIWKw?V9KPe7b_MZmm*$-J>@!ypWIe{V2cr*Rey7 zm8GMCC|6S{-u)j^IH+xuL0}XlBns5WjmbjkHlAt`yk^hr!>lrK2q|f_TYqE7tBg!3 zhZ~~Km3BV*C14+xXu}o76!esAs6VQF2SlJ&k2DBWdNQNNUb{se{vgTA4mhGCU%K+$ z#Pk_^wR++zv3@w5p}bi2oL0KBBkmMu;0w%MC$JuY*vW=|W$Q3!E#wg{rt|c{qeXy8$%&sgc?L7J&sS#!G<57Ip$o0eLW4ZmOhMyVe={( z2B^iwJztH1W+SD114JZBdJH|iq7zEP_ObZ0l0t*`J=sC$$!b z^KNcP!r{Vwu%yMY)jXJxu`|7;gizKlT8Sg!oohU%uDPH0Rxb4A)0iQ#RIR;ca8Ty4=hcs>R<{=Vk8NaOJDC2~)< z^FK>f$HyWjGLst=5Q=&;z>>wTo8{I{>XGd8>24bB&Aba{9Uv3LxJ9gMab}w7==WhDL z{lZdVeyS&7CDFDMZLmtICnZ1T&}%Si^%b|4c-+4|kpNs$!a$DmJ*~fM0RBZ!YsZFW zl?w?v&fk7#cbBb>n)om~aQOB2LPT(cMo0PWrmqv_l7(U#)O4>ieCA+z1Z=>W*KJg} z-HY2By36o#rfjxugxCq`JZ0Q23xMMnvV&3Tw23FreeR*5Cy-Hm&(p83q4Hd|USmr0 z&qq8NtH1<3lUmU$)Qd#?as6Y#Jw zxw?f?yL`I>u6cTjp*DRY5vhM)ZSOqx^(y_Hk`5D}Mg8wGIUXQU)N#8G zXWBtfN++zr1lD4Lj!Vu@v4U?3@#aq*byvc38dKWHT)(Rz_4!9|;RkgvM?3 zN42pJJ^K^1pq%|urIGB<$b0bXI7Mv($RnYgyRZo_HD50}`M(6^q_2BGxEFNl{QV}X z8is_^x)%t0nWHzmo#?2 zOvv10lyiE|o=-)D_Tg=U$)r@w|6GL=ZZ~voo)&4$qy83Yh=2wz>KqBVJxiNI{u0WFBcW5lqGn! 
zV)@Q#^jQk&;HTqVE~VS>%NxN>1M0iX8-Bm#=f^Nh9f53@eX*oAR26Q=Y4C^RgF*J} zg{0T6@q=(m*pdCIJ9;7r2K9Sr2c=5RTjVJ(6>2f+in-EL>j&%7;IMrgNdxPuFkreXMP5t~_YiLq`lhEpD=vnj= zL?*-%n~$pAYTvB_d^qXl8ytL??Ec^E;X28;iR>bKX1QD5xhcZ3=Cq$5X0zAwHIMD{ zUPRjA#la$%FE#mIp!r4-nNN5iGY}eld&nwm^U&ZJaNq+up?;i;7kuW0f`4K`PX}@a zB9?O134d(VQ^^>`FV!((w}^}70b~F27{J6<_>p(}L5UjLm#p46!^4gUL7O16GPqkN zp2waLmo=DnThGIxtNjCULEWWWK|QgAci3K|b*1Jpw2QQBR||AlS$Hl(SbPBKgQd-X zGiS%0#p%9BM|#}c&bS`>H}R{+NJ=K})CnwHb#t-|>NWxnW56KSNw-@S!Dm4cNa!p$ zX()E7QAJ`n-+6^aWbaQJk@A}=oT#lQ1z#sYZ=N!m-a)~C4}*N#$f?el=fJ@05#b>j zI#_4kDe>hiXm5hQ4YlX3#7Y*5HaHx{*Aw)0R&lIac(7)j+i}f*j!XBxyAd4lD<&o| zsb#)t(X{Srn^&n1B!a`|hu_svG-3Z&&T3L6c*~UO*qa@pMp>=(Lk~9bPgm`&|9iy3 zw3W~hdhgw~((M+u!i!Cbq8O?HjymNWpFdadod{V{Ii3X^O7V+pHK|BA09*&_Ap?_n zmg6du{!YDga~#h*3FWTg|Rj~!Mvj2Kp?qhIeIP2!4?E`bObWB*&yyJqJEq6eQ}!Sk_M zhjaEiwd#!ue$yTE%*O&5Aa|@Ml`-$`l7Y-^dxMYtMOx*&Y?KEAIW9*hRv(ZQU}6s? z8En~mTKaDcnmkz?r#%NvFEZsob;P5EpQ!%*0l>S{8|eTXo$tCqu7a!NU`rQ^L%f*c z_f-WfM{hG3E*BC?Vfl@IBha5(=$Of6A-LTR1fcJ=6zv>o~|J_1Hw-xbSSF zs_+(txcbkS!WQ^<=xNkr@r`I&tIlVn2<8J4!Z83R@4ss}8RNb=5(}gL5N*t}qlms( z^&ywYYb5&juAD_Q(MK%ZH*w+e#qV!T6~$DG*@%d_w!5u#n*Vc3NjltIAB;)YsbBpx ztXwhmcSgJpTus7O9@~joL0nvbqIy4>&r55vMK09C%Kx&EAXyqg6x<1gOpMYbTHB)d zVb1G*M~}FZc>f)4d|rY7tO5@y_=-H3UWAU*K`T`P6yi7ec=q37AjV5NJri%DDbw)( z`|yj%->SsFDB&ORKPH2}PI&6^|L^U#MWoWjW8KzOw*y4yO>Mx&#(~fOZW)$3t;z3R zj&Yn(2RvRZ*zuo1$k=g{?f7k@WKB2nd=lI{?Qgu-44`*lRnOD6`Rn6(KTYnhM6Mj$ z$!8#y{D8-^=eoi1o-xEwk=Vu>94F5Id>4a;RlPjbAmHidHg{7JE_tMQd}3my{UF~* zWaR!#`ehNt9KrPJVG*z%9ucwDObpK5xo8vF&=kE0@m#~}GJ0Ma@@NkbO{g!J6aTK< z(O4(?**T2aQRHFrUWKHq@sW)U=LOq2!hw+bXZh@jJ{>;|KYQ4Y*>&YM(LW=UL}-{L z$o1iqO&c)>m*hCOAfXfnLViwLweg_9y9wv52Domkxh@3@Q7x5s48<<9xPaTiZP84{3zNIr;+eN7ll2&=wb7u;@NC>bClkRnB-y?!<69cRc@;vg*yzZh}O1`{X9TJCd z$rn1Iv}a{y)&KZGdw{$R6su8>${g3!gPc;^HRxNiE}UMo7x~m>w>31+fOTlg!GvnM z6|L+Hmk2>pJ3L1Ay_ReR@%lxxjUDkn>}Ed1#YZY{%tT4m=UxGGz*iZLjUB_|2OJv? 
zj(3yCYfs*#wm#`c>54z<(ck=Y6XSq>S%vi`(}8FsTR{sU8Y0{vSVzrrM$a{aJR83Q z=uae~Y!DQ1H^2dwc;1nq;A*=VBtIc2xC?!HJdp4}Lh8G!@#r4wxgU2Fz6@dv^Du%m zWGusY-6(?K6EptSFd==!JyS_PV%~KOi{JI)tne*<*%_XXF?ux3$;oj=I_TVZs>$=c z9Dy8Z17O1GD_4r^OHvXZ@gz>b9q^QF zM&`@APB6E;JB@ZsObleU;CXJq@oIluCFR>NZG_HG@_Gyb)m0wVFO~&_ctXB(jsf=r zmDO`L%cbv@ZDwJpJH=x2jN#!-)ZY;S-i>R*>dlUhAbWvR=GC-SVlW7Ue|ch{V?2h< z4{})zsmAI&i5jZG$BSO>HS@ZcFhl$4I-oGP@Vc?ZM0|cmN5&e`3UhBO5r9==x@`KCkJcJq?IhoC8OJO2>JtafQCG_y8C{Kh}Kw!hSksddZ zWf;}CEqWM)cV4SkEzFMDc0Kd)1ZHhTvm^#?^O}&1fcp%{T&ehcQX1g-7|?RE+6rT+ zl6ZrL-|YY7O`NgVed;!Wv;EQYuG#%WuaqG;wOX%v^!YB~WeHmZ%&D)VQ^zwYI=g-m z@3Exab4e(2Se%k;)b`Z90Tp8_SXbCF)ljv# z6n#yQ@J{P~7#Uh_t=+JYUZWu{@!n zY}S&m2kUc_)we8RbS8U<_=U|je&ePK=+v@t2i490;%2gP{+B4F?-<%Tk(>s-eT2o8 z_B_w+C`hcOC@?8bT~%xzOF7SZkktKdD`K@5h1!n8@9^UZ%)7eCJA!p6+~(9yDI-T@ zs4j7Rj`cSlBzOfwrF0}<=9atv>ekAJgfUo9s)|ObO~x!l!s-huF*)_jASdDEG?myk zUV_sK`Sw*PlW6aR#EY-I11^Oy^lS)7QW$4S@YQo@22PKC4 zu;=oeyVOxPQF#b^(qkfvE7D`4U?WH~=mJPM#Mtk zO=@SP14YC>LIE$G2F?S7DzoY=X%4rD9++N1^znjyc$ASSjn$C?GMaZG-M^QXGRYh0 zzSMNTgidl2?MBs!as`8Msj+zl@8Fk%HaEj<^Zj5bZa1W;Z~0DrXdf&mx6wVc+a1K} zllWw;ZEwe2=&g$9;NbXh6lJ9}qRKQ^4J>^{Y3Y)qhU|c+FkYo_1BizurM>mjy0}qe z{g=^XmyaZuqcbC!Co>}bZiLxXsoY6Dd?J42_`2EU{08gNk(ru=>g!E6r)$iO{~QU* zlbC{Ho-K%Uz$9@W#q-AhDrW;6%5!^$ii?FEiMS_m3=9ZC(Y3)f0l*KL=o;}+m zOBmZ0kpn-_&+MUkmU_gFmz=rxS?&0(5A1srw?@cY7FzI;$!&3n?}rT3A8sN`mE@_v zU|ll&%Q}qVcCTO{7YW!Q?a7H_KqtL006mci6_YHrRCJFSdisq2+q+{k7$X<{(j^!% z-H2M@J0+bs6)uHpS32V70Wn?~DDWVsl|9SB27V?#*ydzU)c_KsBY+aP#kZQmhD%FwQRKowl27s(_QVOY#>QwKw@5Q;cgcq|*c?$}`MexW+d2 z#BUXfaAu(i1r(bZT-1r=f%^HUu5_6BYj~>djnF{o`s9D9Sm$6jqadm`wkmQaUKrjv ztI_=jOY=vtrNrv<#tSrHBK+&|LiNP>>00Mn>dD@(geQ3Cz&YQ2o&x7*srRBke)%Jx zQ^;6i#?rpSeGTwKTExX4#`!Qn4d6M9-V(8xiMLxa3CFF@&KMxmJV#xSn%Hcg714<->umI4jG_Ue+yDT?2 zT!FH({?|p+?WAgwp^DY?YZl9zBqlvA4Tl z6G-%`u-9gYZDHuzrO%{=&=y>0%5A&!cv$dUo{Z*ARuti z!NkI0#RV?t@MZDY&S1%~w!8eCU9Vff+TAmH-ZKJ8hb{f7 zbHD*=;?mU6Du-ST%ZtzSz~;KMZVG=ZTn;&doEcVC|2rNxb^?DFni?^O$LOpg2iHlE 
z=$Re~IOqV8eTX;txHsd&%V^$MY1AF}5+NrCIdk_1htzrE6arTS+JZK5IktoIFd@7f z&ydzNmcgZo#P@*G*Zxl9q;cc*LsULKqB?IPO_+F9Nr+{lX=JT@rZ9h`NdtkdpcHDU zlz%gF9uTo7qk$5;DXBE|jdLKUJI|l;aYy30sC$py(RtBB)+sW9NhlPBh8@=NV@Z9m zXBj~Kk~uI?FMDeJ`=d@_W9+fFzfQ)b_V`MKvJCg6M62Q zab=j%D_&YmdMRFiLeVIi846rlUY2|vr~SZOCr^6}OJ0ctKd_l2lfYeAOT@vtYQVVb z8SyiIJiyR@1A2z@h`P)8Z>Q4}hN$AS6oZ~af)gGL*B{L1v{Z+0W(YQ20z}(7X}<}w zyxo;t4Q7noV)6F@pPf#`8}0G`XNNsei0_?9W=#BYJbJG3S{-XfVv8Cl#aBs>3!m;< z1E2yv^Oc5snDJcP7J@NYg7ua6ZcReBNVu%=|J*GQ1sl6;H()kreb<6iN~f;Y#QSy; z@azVC+IaC3sEktPCCz_W+jug7E)9wAM`9O8W~u$#^T5NSpu=X_I03<0>LX$%<$%i0 zQg59NC&nI^Cb>`M(^gz^NXdU;byIRPkO#d)%`60n;8W#=sN)*WJa6U5IrFN`WJ`ko z$XwGb*6rVs1_A;$(kWl>azQ4=w<#$|Ka=>hL)#Xz$klJ2yy|gcz@3}`<^VdZR&-r- z;#vUB)knK~yqatcxQhsI(xW7L!XW#$QggNc6~C6g^>)@DS|UH+THs*Aat!x|1(pn++a$i>2}$ zKF6uPyJpL!+Nf$=8a^e&15!P5{@qY;T{A+Cu}eZVUZ%6#UYd4CHRa=nztrFV8vyK2 zZ4`BBu~}jR*#ZHVOaZ1$`JRQ1z02*crD9KqsvhtAtKM|E9cz`AdkwG}Zt?O3oTCI7 zlk?lvS;De#hYP^0ipco#aiFBlzXSx~lpUL-w->T6$Kjns&tm851ack{>I+HY>Wq>& zR8(~tnwF=wpY%I*&2x{~z*Mb&Kk@fLa6on%fXMp|FQT=(tOueA9ftp$TB&|Q ztk2rBZ(XxEgJDzbZ;s|6Fy=FmwPPkrkL}{SR!YRqhyYk{a_#iqa2aD)iIMUAT}JmC zCKS&tOCv1`;AD^R{O! 
z^*VJv2h5=tI<~-Dwa&n1CgJtk|66Gz6sHJ8Q*%uCpxEzGTjz_34Dn9^uH#^qm(`6c zhb|x0*#D*vRtkif=2l=LMI>+)K8!H#Ka)Mh!bVLwmpzcA__uH{USlFDP5l4rIsjk* z5BGmHI2iZmU_g$XTOS&ePPgI4?c0BDOtaZaz-9t`@J_0%>8O~TSg%t17tH>aG%*); zIvNJkW; zHx0c*kP?t8Rhobxh;-=?dT-Ku@14+jJAU_$``(ZD@4XCuFiuXAefHUFtvTmfdmR$e zh$(#V&mXKhC^}%d*k(D|I6e6GJZlJ7g{yR}-e8yjXk~O}W~NH7`sP2dUkr*D@&54B zYGt{1S(#Y*%xCU{v-{posu-naem;lt#(L?a#+ zjZ%q>{n{L~B1wPVBDE8S8CqLgtCFZ@b_2yLBa;_rlba|1M6j)F>l!j@DiQ1gl@-cc z62Gc(-!n2S7CRF*Vi(^Oo9Cye-zwQ0$ksdiP!e%}@TYp)exi-Hu+d@ z?|R)gK=2nj;u5;WyAMGWHFG~-bhivvs6V^S>x|oQn5Grkkh^hM>3*0NK*R`?63us#sS9(l8zPOTp)RbhgI z%Y?>&VQlD@gI)X12clnIWe;eJK{xSCu#s!f9Q(N9{rpCG`hG9 zN3gNgwYb`*cfK>KM11au%p$FFgFP|_5N3XJ@_c=AL@?<{&=ZK<`P{Mm!jFeHK#gXWCA=EldVGQp=e*%AoEjL~|63e~e@>O<%F7C}AE zEpM|O7XyRZ@!8|j*$_JpDhTf++18{VXR`}CmQG~uJ&@LFh_2@&kHV3TeXWt)xU-5y z4`LU9@C#EhQX^LbeEL*a`9k)Jx+%#j7|Jv63w%{l zfuiJ!+S4I8z578yl9&ON;}Os-rhNWBq|=!rcEA7Co^U~q& zFYksT%*KbE9>_aS#pbV_fGsN;i*(EEfU?dq@Vd@HmldBeIj`mO($El-McW5qFcP&& z=l}TTa>dGzY;7?(Dqs-LW$})W$@6v5he&0*W$Zd0vm(#8F*;*XKnWRXpwn9u(hW@q zJ;BR>JDj+51@%l zbG)D?zQfY$EoA5V_x1a-om6JoZlEEqyKXusNgnrLirr62-0hann%qwnH4>A~_cGSS zx*S6i+|Q44nO`JA=vRmw5`?6dWN2)sr4^cK##B^PhW>;Q%rbVe%qTl*J1wV&kj*aS zV_b9207^`k+_1senR?WON$tej;Jh+x8UfW3k3T z9;rHy^sPnaxumme!D!sJyc1YG+bzaQd&=atpqzejkTH{ckhh^EryS>eF4GhV>J+w~ z)uCBW;)KO`E*)JBY|x&7($qD-E9l%LBA6lh%4R{PO?=x_USIYttDyml3&dqYn zhIqlul9ORfk={;Wsd~+rufVQTtSNGGIU~u^eP6?Uo;ZiJj>YrJ-ES2WprK{ieFcxy zudM4`PJavHS>I_=6R0q2e;hXEtwyt-Gn<4~hdyZL_y%MB0jxDzN9Q^cRs@xPlCo}PR_N}vz%KmvanK4q-*C@>^#=kpm83mU&CA+Vsw~} zfPQ4m=e8ZVUe@KB%YHXhT)HezGrtbX+=q@==>@ssM^<0vEyA;fJ z2l`!TMW}rb0e@^_cBxXUe}_!&<|+kmX-$|19&m0Pd0wj2FC;Z#>yDKsVKvyxC9s*3 zuCHT&;9R6Ob3LnR$h|VBoBrt>79=-$h($K#R=S_U=gzEQUP1P9yjA-@t;+V;wrDt5 z!A3GUImn$E%rCdIRXr<~^DTd-mYro8O*TaJPGp{FGL?*Mx2?3oUB(?hTgIC=Z3!p6 z3sdjbA%!3&ORO#)xGa_k$)kpSmh)+rKU?tNG{!nOb*xt*dSqRj=Np?F6b;&E3MX<2{-Qg)@_wiFRy#!Q zcddl9=6I$=j+Sbl-5hzsLP9D}E)wca)&U49LNTQU`H1o69Y2};9ym=GVpj!sdW+Ao zMM@7JoS9Lg`f@LYX7=`$$>pBYCray3J4y$udUrvtzjtaUlY6;N<`NXX9Neq?@Dls! 
z^6S(V1A00t6S28@OzmZZc8#en)9B!UXY?g^ycRZtd z8)$Iv(pMP@LIG*%lzC}X*hh3LZQ>TOqCN_P!ut|?+3QG14#s7UJzeeFpuGB{2L4z{7}zM93C^-&zmh zfY~;~JDG?Vf&@FQr@s{$#86z7kA>Dyy2|Xaeu}s&e}f7;{61+tQGmGFnttTk%%k(4 zI^}}5!@Xt9yvHNV(mVJmmE7+2sv zi^_V(U)bsT={)}WOy3fEZ&tq z6-%KvgyYd)3f(P2&@FFw403IIhOt&v$arp^<+PTi)ae*6tw5RdRR7(VN7Bp>bE}S5 zq+~Zm2#BTXVC$EsVwr!Edi5dedD7myqt?j?S!%uFi0+dF7aw)5 z;1ltD1Sd^I!txG^9zpl4d~kH3ZAs(MGJ;S-)vG3Z(c$RHYY=|QqMmx3^!{c`CzHVi ziU%XIHTdaP#Cgf(UM62f=E<;2RT*<6Yf10;D#)9Vsizku%~V6kU?5vuav%t9#cMMe z30`9!5^d$>ga#AW%LuTu8b?GMKbSqGE%8fu=`a|y?IPTu@tFH2a5TxG{}1QlVAVEM zPo-uIq!p7tOUF%kqU98}M?Y-OAKHGlgU|=^K zyEr*oKAyNR`_%Fdw^n79G&pO6+*m!JJ_n2w;6d@-uhL6*oSgTfV`iiafI~1CJGH#j}=j z-<=hFe1w1J!T{$}2B?6n_H>BE2HMP~=OJBDdf@AVcad#;)fL)~^O5s-QVKhBx2)K1 zypx?=3VIg?_Nl&jY5C$aq~5fQtEc2fpXYkg(2;_VXfW5w}q$IHR0 zZ?v9@FQ-LKR63Wq^8PI76wgk7#a~3pBwlFz)i}!ZHAu|N7M!1*l(Z*Gmd}HRM4tz7 zV|J?Skx^0V(7s-P(xOONT=*w2EXXS3!>wr^cEyk&vrm(*IME3%T`hG@1K;A)G}qOi zC5`Vz4~C51I327pB=J-o&hWhWu43wfpE3@m_rAr;)-;`lfjsJ34`s!Gg3#K+nFMnO zQp9_g;`8Ixrm^_H6|)$+ckM9()1ESUx|OYfSN}b5%&tMhv((|&bQ9E46(WlUbtR+( z=`vnz`FvUgX#}(j_fNyL!YkpusfrlX<^=$p+5jmglpeGTcHR5wm1+KG`Fr{+{i6Aj zi}RD{pT#3w2xQ5mo3j{5V5P1}mCr}LX>H}sgDu~}53{#y+1gVsjlL7k)(P}a+uF-? 
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 256ec85ac3..f5f19fedca 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# For IT administrators: get Minecraft: Education Edition +# For IT administrators: get Minecraft Education Edition **Applies to:** @@ -28,3 +28,15 @@ If your school isn't managed by Azure Active Directory, you will be signed up fo * Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) + +## Learn more + +[Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business) + +[Troubleshoot Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/troubleshoot-windows-store-for-business) + +## Related topics + +[Get Minecraft Education Edition](get-minecraft-for-education.md) + +[For teachers get Minecraft Education Edition](teacher-get-minecraft.md) diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index f76ec8535d..ab019d66fb 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# For teachers: get Minecraft: Education Edition +# For teachers: get Minecraft Education Edition **Applies to:** 
@@ -17,15 +17,44 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -Teachers - -![Click Get the app](images/teacher-get-app.png) - -![Enter school email address](images/enter-email.png) - -![You can get the app now](images/get-the-app.png) +(intro text) +## Add Minecraft to your Windows Store for Business +1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**. + ![Click Get the app](images/teacher-get-app.png) + +2. Enter your email address. + + ![Enter school email address](images/enter-email.png) + +3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store. + + ![You can get the app now](images/get-the-app.png) + +4. Sign in to Windows Store for Business with your email address. + +5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**. + +6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft Education Edition** in your Store inventory. + + ![Get Minecraft app in Store](images/get-app-store.png) + +## Distribute Minecraft + +After Minecraft Education Edition is added to your Windows Store for Business, you have three options: + +- You can install the app on your PC. +- You can assign the app to others. Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more-tech savvy students who always use the same PC at school. +- You can download the app to distribute. This downloads a provisioning package (.ppkg) file. You save the file on a USB drive, and install the app on PCs from the UBb drive. 
This option is best for younger students and for shared computers. + +![App distribution options](images/app-distribution-options.png) + +## Related topics + +[Get Minecraft Education Edition](get-minecraft-for-education.md) + +[For IT admins: get Minecraft Education Edition](school-get-minecraft.md) From ffbbc8f9cf3c30006a9922560ef60e884453cf4c Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 19 May 2016 12:34:48 -0700 Subject: [PATCH 048/169] update IT minecraft --- education/windows/images/minecraft-perms.PNG | Bin 0 -> 36340 bytes education/windows/school-get-minecraft.md | 42 ++++++++++++++++--- 2 files changed, 36 insertions(+), 6 deletions(-) create mode 100644 education/windows/images/minecraft-perms.PNG 
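Review bot: In education/windows/school-get-minecraft.md, hunk @@ -28,3 +28,15 @@, the new Related topics link text "For teachers get Minecraft Education Edition" drops the colon that the target page keeps in its title in this same commit ("# For teachers: get Minecraft Education Edition"). The reverse link added in teacher-get-minecraft.md reads "For IT admins: get Minecraft Education Edition", while this page's title is "For IT administrators: get Minecraft Education Edition". Make each link text match the H1 of the page it points to so the two topics cross-reference each other consistently.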
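Review bot: In education/windows/teacher-get-minecraft.md, hunk @@ -17,15 +17,44 @@, step 1 sends teachers to http://education.minecraft.net/ over plain HTTP, and that is the page where step 2 asks for a school email address and step 3 hands off to the Store. Switch both the link text and the target to https:// if the site serves it. The same hunk still ships the placeholder line "(intro text)" as the topic introduction, and the distribution list has typos: "UBb drive" should be "USB drive" and "more-tech savvy" should read "more tech-savvy". Step 4 says to sign in "with your email address" without saying it is the same school address entered in step 2, which is worth stating since the emailed Store link from step 3 goes to that address.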
diff --git a/education/windows/images/minecraft-perms.PNG b/education/windows/images/minecraft-perms.PNG new file mode 100644 index 0000000000000000000000000000000000000000..1788d6b5937c65613ce6736dc004b9b2bd39663e GIT binary patch literal 36340
zS)(twSmg?Bh0l9O5OMIIjeI+299|a|#-A)qWIB4W4BX!9T6{PsFa;l9iyO|r%5fRz zRrn-6px9zmq1)@aZX<{{ad=EZrd(p0{7_qD3sBPz!8PsL@ug!SBD*f|u0iIZ63%uo zKd90L``HnY8QfZY>!OXv8)9U+^#gszAYNoyDgnw6I`SU@&g~CQX-)~w?(CD7|Ie%2 zQOQU9LtK0NUvHZS9QB&n6zlcbmYzyh8bO zlVFpGu&K1f1&~(Ighp;qY5Er5Q5p$RRc$J2A!!86W%MCYq-@r%XUxdNuZ_SOmsx<) zxDIT9RbW~u=rgho#3j}22%|9AA=l`R=y_N&;c@VSpb@VAcY<_IfJoFgREqZ}ciY%V z)m3$`fIMs~vD!+Y{>b8)?l##PUFv|2O*NTOa)}HS0y)YJ%U)KQ7_+&9m`>e>M!Wr! zSUQ3dyC$RopZQIA{s;+_xAQGr0gs!;B{_%p@T2|%T(vtM!{tc8rICJ%2v&B z22tzw743y;x5GXxqa@#Aa0~bY?AJUEo&t}LO~=WI8i5KUiGSN~(male_BWCV?LH;&Q1(7F%dJ+;K*4r(R!yAz8vb#HQaOgM@7ks!4%lNDqYC3?hZRTZ zW*HB5H@mzCW zassaa8)-P8Z1+w+o`o>qw7t(VEyO*oraLx&s0-U8ei$zh$xVGo%tTab2!-(t0b6it z%V&=FpV`;j1I9n*pl#?#(vQ3WrNz^R8ZWpOX8ee?S80mC2UC>H%FP!}^5`WshHd`<5}Yl7iXts32sBYf^ P|C5zek|=)l&gcIEHDt^b literal 0 HcmV?d00001 diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index f5f19fedca..684fb0e0c2 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md 
@@ -17,17 +17,47 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -IT administrators +When you sign up for early access to [Minecraft Education Edition](http://education.minecraft.net), Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization. -![Click Get the app](images/it-get-app.png) +> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 subscription when you request Minecraft Education Edition. -![Enter school email address](images/enter-email.png) +## Add Minecraft to your Windows Store for Business -If your school isn't managed by Azure Active Directory, you will be signed up for an Office 365 Education subscription. +1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**. -* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) -* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) + ![Click Get the app](images/it-get-app.png) +2. Enter your email address. + + ![Enter school email address](images/enter-email.png) + + - If your email address isn't associated to an Azure AD or Office 365 tenant, you'll be asked to fill in a form. 
The information will be used to create an Office 365 subscription for your school. + +3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store. + + ![You can get the app now](images/get-the-app.png) + +4. Sign in to Windows Store for Business with your email address. + +5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**. + +6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft Education Edition** in your Store inventory. + + ![Get Minecraft app in Store](images/get-app-store.png) + +## Distribute Minecraft + +After Minecraft Education Edition is added to your Windows Store for Business, you have three options: + +- You can install the app on your PC. +- You can assign the app to others. Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more-tech savvy students who always use the same PC at school. +- You can download the app to distribute. This downloads a provisioning package (.ppkg) file. You save the file on a USB drive, and install the app on PCs from the UBb drive. This option is best for younger students and for shared computers. + +![App distribution options](images/app-distribution-options.png) + +## Manage permissions for Minecraft Education Edition + +![assign roles to manage Minecraft permissions](images/minecraft-perms.png) ## Learn more From 63eee9d5a99be0841f116beb88256ab0f1110dd3 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 19 May 2016 12:37:43 -0700 Subject: [PATCH 049/169] add video embed --- education/windows/get-minecraft-for-education.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
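Review bot: The new "Manage permissions for Minecraft Education Edition" section at the end of the school-get-minecraft.md hunk contains only the minecraft-perms.png image, so the page never says which roles can acquire or assign the app. Add a sentence or short list naming the roles and what each one may do, so the guidance does not depend on a screenshot. In "Distribute Minecraft", "from the UBb drive" should read "from the USB drive" and "more-tech savvy" should be "more tech-savvy". Step 1 and the intro both link to http://education.minecraft.net; use the https form if the site serves it, since this is the page where admins enter a school email address.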
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 7ab224be49..21bd8a182f 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -17,7 +17,9 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. (need more marketing blurb here?) +[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. + + Teachers and IT administrators can now get early access to **Minecraft Education Edition** and add it their Microsoft Store for Business for distribution. From e624b40a6661ca242756b2ee0b242dd8ebb37c41 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 20 May 2016 08:09:47 -0700 Subject: [PATCH 050/169] Tyler feedback --- .../windows/set-up-school-pcs-technical.md | 143 ++++++++++-------- 1 file changed, 78 insertions(+), 65 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 93a7b7c1fb..7dff059b00 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md 
@@ -16,7 +16,7 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -The **Set up School PCs** app helps you set up new computers running Windows 10, version 1607. +The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. @@ -56,6 +56,7 @@ The PC is also configured to not interrupt the user during normal daytime hours ## Guidance for accounts on shared PCs * We recommend no local admin accounts on the PC to improve the reliability and security of the PC. +* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out. * On a Windows PC joined to Azure Active Directory: * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. 
@@ -83,8 +84,14 @@ The PC is also configured to not interrupt the user during normal daytime hours The **Set up School PCs** app produces a specialized provisioning package that makes use of the `SharedPC` configuration service provider (CSP). +### Education customizations + +- Saving content locally to the PC is disabled. This prevents data loss by forcing students to save tothe cloud. +- A custom Start layout and sign in background image are set. + ### Uninstalled apps + - 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) - Weather (Microsoft.BingWeather_8wekyb3d8bbwe) - Get Started (Microsoft.Getstarted_8wekyb3d8bbwe) @@ -102,129 +109,135 @@ The **Set up School PCs** app produces a specialized provisioning package that m > **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required - + - + - + - + + - + - + - + - + - + - + - + - + - - - + - + - + - + - + - - - + + - + - + - - + - + + + + + + - + - + - + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + +

      Policy name

      Value

      When set

      Policy name

      Value

      Admin Templates > Control Panel > Personalization

      Admin Templates > Control Panel > Personalization

      Prevent enabling lock screen slide show

      Enabled

      Always

      Prevent enabling lock screen slide show

      Enabled

      Do not display the lock screen

      Enabled

      Only on Windows 10 Pro for EDU, Enterprise, Enterprise for EDU

      Always

      Prevent changing lock screen and logon image

      Enabled

      Prevent changing lock screen and logon image

      Enabled

      Always

      Admin Templates > System > Power Management > Button Settings

      Admin Templates > System > Power Management > Button Settings

      Select the Power button action (plugged in)

      Sleep

      Select the Power button action (plugged in)

      Sleep

      SetPowerPolicies=True

      Select the Power button action (on battery)

      Sleep

      Select the Power button action (on battery)

      Sleep

      SetPowerPolicies=True

      Select the Sleep button action (plugged in)

      Sleep

      Select the Sleep button action (plugged in)

      Sleep

      SetPowerPolicies=True

      Select the lid switch action (plugged in)

      Sleep

      Select the lid switch action (plugged in)

      Sleep

      SetPowerPolicies=True

      Select the lid switch action (on battery)

      Sleep

      Select the lid switch action (on battery)

      Sleep

      SetPowerPolicies=True

      Admin Templates > System > Power Management > Sleep Settings

      Admin Templates > System > Power Management > Sleep Settings

      Require a password when a computer wakes (plugged in)

      Enabled

      Require a password when a computer wakes (plugged in)

      Enabled

      SignInOnResume = True

      Require a password when a computer wakes (on battery)

      Enabled

      SignInOnResume = True

      Require a password when a computer wakes (on battery)

      Enabled

      Specify the system sleep timeout (plugged in)

      SleepTimeout

      SetPowerPolicies=True

      Specify the system sleep timeout (plugged in)

      SleepTimeout

      Specify the system sleep timeout (on battery)

      SleepTimeout

      SetPowerPolicies=True

      Specify the system sleep timeout (on battery)

      SleepTimeout

      Turn off hybrid sleep (plugged in)

      Enabled

      SetPowerPolicies=True

      Turn off hybrid sleep (plugged in)

      Enabled

      Turn off hybrid sleep (on battery)

      Enabled

      SetPowerPolicies=True

      Turn off hybrid sleep (on battery)

      Enabled

      Specify the unattended sleep timeout (plugged in)

      SleepTimeout

      SetPowerPolicies=True

      Specify the unattended sleep timeout (on battery)

      SleepTimeout

      SetPowerPolicies=True

      Allow standby states (S1-S3) when sleeping (plugged in)

      Enabled

      SetPowerPolicies=True

      Specify the unattended sleep timeout (plugged in)

      SleepTimeout

      Specify the unattended sleep timeout (on battery)

      SleepTimeout

      SetPowerPolicies=True

      Allow standby states (S1-S3) when sleeping (on battery)

      Enabled

      SetPowerPolicies=True

      Allow standby states (S1-S3) when sleeping (plugged in)

      Enabled

      Specify the system hibernate timeout (plugged in)

      Enabled, 0

      SetPowerPolicies=True

      Allow standby states (S1-S3) when sleeping (on battery)

      Enabled

      Specify the system hibernate timeout (on battery)

      Enabled, 0

      SetPowerPolicies=True

      Admin Templates > System > Power Management > Video and Display Settings

      Turn off the display (plugged in)

      SleepTimeout

      SetPowerPolicies=True

      Turn off the display (on battery

      SleepTimeout

      SetPowerPolicies=True

      Specify the system hibernate timeout (plugged in)

      Enabled, 0

      Admin Templates > System > Logon

      Specify the system hibernate timeout (on battery)

      Enabled, 0

      Admin Templates > System > Power Management > Video and Display Settings

      Turn off the display (plugged in)

      SleepTimeout

      Turn off the display (on battery

      SleepTimeout

      Show first sign-in animation

      Disabled

      Always

      Admin Templates > System > Logon

      Hide entry points for Fast User Switching

      Enabled

      Always

      Turn on convenience PIN sign-in

      Disabled

      Always

      Show first sign-in animation

      Disabled

      Turn off picture password sign-in

      Enabled

      Always

      Hide entry points for Fast User Switching

      Enabled

      Turn on convenience PIN sign-in

      Disabled

      Turn off app notification on the lock screen

      Enabled

      Always

      Turn off picture password sign-in

      Enabled

      Allow users to select when a password is required when resuming from connected standby

      Disabled

      SignInOnResume = True

      Turn off app notification on the lock screen

      Enabled

      Block user from showing account details on sign-in

      Enabled

      Always

      Allow users to select when a password is required when resuming from connected standby

      Disabled

      Admin Templates > System > User Profiles

      Block user from showing account details on sign-in

      Enabled

      Turn off the advertising ID

      Enabled

      SetEduPolicies = True

      Admin Templates > System > User Profiles

      Admin Templates > Windows Components

      Turn off the advertising ID

      Enabled

      Do not show Windows Tips

      Enabled

      SetEduPolicies = True

      Admin Templates > Windows Components

      Turn off Microsoft consumer experiences

      Enabled

      SetEduPolicies = True

      Do not show Windows Tips

      Enabled

      Microsoft Passport for Work

      Disabled

      Always

      Turn off Microsoft consumer experiences

      Enabled

      Prevent the usage of OneDrive for file storage

      Enabled

      Always

      Microsoft Passport for Work

      Disabled

      Admin Templates > Windows Components > Biometrics

      Prevent the usage of OneDrive for file storage

      Enabled

      Allow the use of biometrics

      Disabled

      Always

      Admin Templates > Windows Components > Biometrics

      Allow users to log on using biometrics

      Disabled

      Always

      Allow the use of biometrics

      Disabled

      Allow domain users to log on using biometrics

      Disabled

      Always

      Allow users to log on using biometrics

      Disabled

      Admin Templates > Windows Components > Data Collection and Preview Builds

      Allow domain users to log on using biometrics

      Disabled

      Toggle user control over Insider builds

      Disabled

      Always

      Admin Templates > Windows Components > Data Collection and Preview Builds

      Disable pre-release features or settings

      Disabled

      Always

      Toggle user control over Insider builds

      Disabled

      Do not show feedback notifications

      Enabled

      Always

      Disable pre-release features or settings

      Disabled

      Admin Templates > Windows Components > File Explorer

      Do not show feedback notifications

      Enabled

      Show lock in the user tile menu

      Disabled

      Always

      Admin Templates > Windows Components > File Explorer

      Admin Templates > Windows Components > Maintenance Scheduler

      Show lock in the user tile menu

      Disabled

      Automatic Maintenance Activation Boundary

      MaintenanceStartTime

      Always

      Admin Templates > Windows Components > Maintenance Scheduler

      Automatic Maintenance Random Delay

      Enabled, 2 hours

      Always

      Automatic Maintenance Activation Boundary

      MaintenanceStartTime

      Automatic Maintenance WakeUp Policy

      Enabled

      Always

      Automatic Maintenance Random Delay

      Enabled, 2 hours

      Admin Templates > Windows Components > Microsoft Edge

      Automatic Maintenance WakeUp Policy

      Enabled

      Open a new tab with an empty tab

      Disabled

      SetEduPolicies = True

      Admin Templates > Windows Components > Microsoft Edge

      Configure corporate home pages

      Enabled, about:blank

      SetEduPolicies = True

      Open a new tab with an empty tab

      Disabled

      Admin Templates > Windows Components > Search

      Configure corporate home pages

      Enabled, about:blank

      Allow Cortana

      Disabled

      SetEduPolicies = True

      Admin Templates > Windows Components > Search

      Windows Settings > Security Settings > Local Policies > Security Options

      Allow Cortana

      Disabled

      Interactive logon: Do not display last user name

      - Enabled

      - Disabled when account model is only guest

      Always

      Windows Settings > Security Settings > Local Policies > Security Options

      Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

      Disabled

      Always

      Interactive logon: Do not display last user name

      - Enabled

      - Disabled when account model is only guest

      Shutdown: Allow system to be shut down without having to log on

      Disabled

      Always

      Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

      Disabled

      User Account Control: Behavior of the elevation prompt for standard users

      Auto deny

      Always

      Shutdown: Allow system to be shut down without having to log on

      Disabled

      User Account Control: Behavior of the elevation prompt for standard users

      Auto deny
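Review bot: The new "Education customizations" text in set-up-school-pcs-technical.md says local saving is disabled to force students "to save tothe cloud", while the policy table in the same patch lists "Prevent the usage of OneDrive for file storage" as Enabled with "When set" Always. State which cloud location students are expected to use, or explain how the two settings fit together, and fix "tothe". The added "When set" column also needs a legend: its values (Always, SetPowerPolicies=True, SignInOnResume = True, SetEduPolicies = True) are never tied to the `SharedPC` CSP mentioned above the table, and the spacing around "=" is inconsistent. "Turn off the display (on battery" is missing its closing parenthesis.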

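Review bot: In the accounts guidance hunk of set-up-school-pcs-technical.md, the added bullet says accounts are cached "until disk space is low" and then deleted, without saying what counts as low or which accounts are removed first. Give the threshold or point to the setting that controls it, and say whether exempt accounts are spared, since admins need to predict when a cached profile will disappear. "managment" should be "management".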

      From b9ef920801fdd551d63d7eac3a62e64f2a7bd1fc Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 20 May 2016 08:18:45 -0700 Subject: [PATCH 051/169] another Tyler change --- education/windows/set-up-school-pcs-technical.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 7dff059b00..392c652544 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -60,7 +60,7 @@ The PC is also configured to not interrupt the user during normal daytime hours * On a Windows PC joined to Azure Active Directory: * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* If shared PC mode with the account manager turned on is set up on a PC that is already in use, existing local accounts will not be deleted. However, all local accounts created after shared PC mode is set up will automatically be deleted at sign-out, including admin accounts. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or * Create admin accounts before setting up shared PC mode, or * Create exempt accounts before signing out. From 49f3965048dc388f1c25709b6bbb41124871f076 Mon Sep 17 00:00:00 2001 
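Review bot: The rewritten bullet in this set-up-school-pcs-technical.md hunk now limits automatic deletion to accounts created through **Start without an account**, but the three sub-bullets kept as context beneath it (join a domain that allows admin sign-on, create admin accounts before setting up shared PC mode, create exempt accounts before signing out) were written for the old sentence, which warned that admin accounts would be deleted too. Reword or remove them so they follow from the new text. The new sentence also sits beside the bullet added in the previous patch, which says cached Azure AD and Active Directory accounts are deleted when disk space is low; one sentence reconciling the two behaviours would help.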
From: jdeckerMS Date: Fri, 20 May 2016 08:36:44 -0700 Subject: [PATCH 052/169] fix table --- education/windows/set-up-school-pcs-technical.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 392c652544..6a402c66b7 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -146,7 +146,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

      Turn off hybrid sleep (on battery)

      Enabled

      Specify the unattended sleep timeout (plugged in)

      SleepTimeout

      -

      Specify the unattended sleep timeout (on battery)

      SleepTimeout

      SetPowerPolicies=True

      +

      Specify the unattended sleep timeout (on battery)

      SleepTimeout

      Allow standby states (S1-S3) when sleeping (plugged in)

      Enabled

      @@ -231,7 +231,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

      Windows Settings > Security Settings > Local Policies > Security Options

      -

      Interactive logon: Do not display last user name

      - Enabled

      - Disabled when account model is only guest

      +

      Interactive logon: Do not display last user name

      - Enabled

      Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

      Disabled

      From 118c5e1d076285a97b4e0933f609bcc42e0059c8 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 20 May 2016 09:41:20 -0700 Subject: [PATCH 053/169] resync --- education/windows/images/setup-app-1.PNG | Bin 0 -> 21118 bytes .../windows/use-set-up-school-pcs-app.md | 22 ++++++++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) create mode 100644 education/windows/images/setup-app-1.PNG 
diff --git a/education/windows/images/setup-app-1.PNG b/education/windows/images/setup-app-1.PNG new file mode 100644 index 0000000000000000000000000000000000000000..1b88c5ac312624a64e75809c5a14adf734130c7a GIT binary patch literal 21118
z*Ea!YsK$4KU<=H9U?+-mG=-P_H2VoG3-gob$nz=TBW!O0rR;Gl3%D6=c22mXn{$0T zOis&bWlI_?w>@_MOj*Ar>nKTQzPe1yiUk5%{SH#Bwh=#24l~g(c08E;ROS(IE1KKu zNP61HlY#hXxUi-785NB(+dD?5z~YqS%9-DQO%t9#7ShTsyp9uGKh7oeD9z!?OK#Df z$*^i}wRk}VI<;^{`oooFPuqgM3cU88aIDJG#g6FFlfMHQcMG4bUx4lG=JZ{ zEH_59-o1BY6DWbn$F_?cCI$p}{I=!?+UoN&ge}Eo?w7SXu@@&cknk+;;qZJ4d-PHM z;d+lgdNhIUx$*k&+h*`zX^WE4@#X;J3DeIqi#}z>@8LI2NNWMB|M%DvK_&0Mzq`yp z351&b@kX6ZtkC4d;7mW5CFqW>n{PsoRFmPZrbDstd&9N$7Ny2*kjN4Jr4qDib8~as zcU{KAf3>w`SVGYuXLb*84fnM25SBIr1YoWi{BqmsaBT|a45pt3J%@;~ z9UD=fP}d=Q_1m7;6A5}RR-&k`xj!$7_B$D5GhChke;5XoDI_AgsxVJcB2caPXK4Q> zP!q?Ks)v-nECh*g$hRE>Er}jsTgtBT&Rde0H%KIiM#&p*Q@pG9WYrckP7*#PSIw3! zDbHu{fO!cw-&Kj1$3{j~U0Mfh8ishmwfu!3u|&Y;dlFq?%?29b`gcl>Yx+Cy`n{4A zKCbCFD#jSc4wvT>28%LO11)46!?ab?%$xd|7q(6)$P~vbF0`9rBKoc5_?7G$JU`z} z137B|u}rJ^=8KGrfg&dzOKg?FG6z;`OHOoILSGXMj>&${1?cPb>{2(GMqL?E*1V!2;u_Sv;=Zr zl)o4~6%FUHtmi=w$tXKsaqi%@kc(P@N(jM1Fb*j(B^;niq{DqMF*61ny6sm6xe5@~ zgf($4BW{q5>i>iN2TNLc#zscYn}$7d%GWT`@e@2{ z77n&<)kgNty+h`eluIX=o*=DA#`P;th}`OpUha+=k2+!suK&?7w~2s@$V{O5M7JDN zzs`P+;z$zOi87tZnGZQ~!t7{-np*o)H@h6%1H)gjY@fhjS&UCwuo2cII!#O z;NJg@3BA^GBJvYtk%4ph6^ODK-`r0!Ws;q4R!*+@kMFKSGe*2T{{tzh06IBDSy>qu z?cdt2c3za#cv!Qmmk`!;S(ZzXg&J216%G4hG8fBUkwbLqA_{KwOZBJ@yRW5^mGej8L!sVdRJoP4wT*AQgRFy{ zr`x4Vnh*XqJ(Id9WuKoZr7g*paIEz41yN{02N-4e+%#WCU;lfXKR_LAY3Jv+Tm6x_ zeKkvw>J+x6y)+oWyA(3gjQ3f;0DY?3SeuJ4v`tl5 zx3{#!ZWsV9 zuY#V)!|X7GZ`5Hxyhsq89lt(nZ};R$a_ipKJKuA~_^I_$8=Sr9Ikp7$BW&wUr;ni& zVYpQ=eR%6skJrdJW_)1(;M`ES3y~nX`To6SPp0C~v+x+b@-4;SJeeP(O?QBtL4QroZ6SSqBnC85YtNi_WM+)}`91n!8m^4DaC z`E!e@X)}|3-3YkR6VkADD5$>)_=+zhwO!4VmA%I(ny787mgR3zK55K-%B39*-%`iN z37qU>ZPG4Qmdi4z_h~6(kLO^nNBur_3jXMuL=}nzcaB+Gnfa!qTnheuDb23l8d0fR zKT98c*w?gI!f?L8QrqUE`t7v(tZ8uDCJWN`Od z_+dBAW|Be+`+Hq;`A2qrhtWIt`jQ6?J0(9FlAJ<+;wKR%hJAx}A4H~hOx3+uM-jV> zFUSNvcxXv>Fe!-s8_BBmdd8lb^R~9z{}?FYcTW&vna z@%B9FYs^e{1Z8a9ssig5*=h6~uq!S5xi+t%Z0m4v!M?h33{Su58wbAvkm zIl(5-bk60{-PxGr0=5L_v9Vh#%!^@%Rn+AdlbK`sf-tvICuE9Msvu)03_*-qg}kNK z6=ymo@bk~wuWHconq4{0X(Er`;1kY5ITuHx 
zPm()d?{>rxZ*|FP5Nchn&Opvjqv8Gy^E zbIc@RmK)RW<7a|jbGa3?ndZNVExS^y$O&(?}(yn^SUcPe*BR#_LBbDP+^oMGTil(5`t#zl0M^Ek1y|?{!kbA>#Y69qH%*) zoJ_R^%BkYJcdc!$;ruD?=v#|V)u)@@(e^D&@bRZ9XbuLj}(o0DIFLtt?u$i&YVeFV@@G3g{G`tte3c z)5k)W7b{nkjQKxEpF5}GvGFKuuK6{GD?=!D5$AFFN!CSWkZAwKofRf%7 z9i;;?VkX95KHoPmsB3rY@!1&lL-b?^#<5uo857C57{9xl}=ZJ1I8qJ)dFUw}!#r z7sMXiP*h}=XOMjN#+sY0?aT{0T)k{<+x`^EgNy6cFREWA8@vKDqe~ACtPH0QOFZ0K z7G%Tc9z=6+85)^1Dm9*mj2pog*ka`ai|ZkLXJxu4npSYI(!YGFw|k71*j{Ejc!YZj z4^9xu)9+BL-P}|WzRFgMHMYy8>_VJu$9_v|UHm_GjvUXwUf~~2f8q8uH9d<@xGsw= z8ceQBHuoNDYgNza!>MGe+3RaZAlin0rp|&Xr&s1-Ol}$39_BGF_7hwdE|sQvY_`?1 z4lY&hr!=72)kAlz%3?p~ck>^FntbW*8E4ckxGHX;`HsUe7&zzl=rv`F`F$?bp>Iab zCvvzq-1UzdDjSYr*0smBN9{kk^2XDba6eVl4)x!i=bc3bgibYO{YLlliq(q=oi2w5 zd&64J%_Ndm8E8aTnN6+Lj2r;4l3;VyQS(5TOR68o`A3DEpr4M8iklvdceaedJBn$i@yx30{(vkS`=vGYOnqG0(ZtYj+ObwltG~H zEq>9Z1zLyU30 z6K6m*Z9o~E+--+kB9*)r_GXV4pytGixG==fuW(C*S|n@cL`7v;L-P=-b_`;Izn+Wy ztzd!GGP84Vg`wA~iZ|Kc?0p!fQpykYb>=vHDn2NOh z*FPcTO1&%~HC?IpdxyMMq!jvZVEO*d{><9pjh~<9UfiXN7b$69CL2;k)F|I}rtr}L z?qj98Fnl@0s0OZj*bGDs}(a(lT_YS!h7HkhO z?-1%CxQWv@zY!2^(V12KNl^2mFh7Frv8>NWKudtnu#^B7!pKzkY>I@?8^0bdCyep1i{&YSC(2?YVd8x{Sp>Q5W zc1e{|w^FGX9MQ}wg?JD&9c375&Fh^^9gciuz=@HSleqNtf3S z=A4q4F1i;=ti7=M`3d3SWC>zWsRax$mBK~NsjxN`xKk= z*{{dr_c*`*et-QQ=a2K}_ShfW_m6!(@AvEVe1kLH+4{unz@_xbzZ5F-}*5XKFcXBgjqQiwONvP(cJCNKIz6N zl$W-`JX(e>%}6se70HYAw_|s%`vin!szY8z0e%ObXqxOVLr_P={00W4YVh&Y!u?Wu z!4L?a@omsUPMGBty}J}0>A&EIN9XJ@xwxJT5qh#|z&wHot0-hbElc3g_$UWNh5PO}xbnA|>`D>f*qg!C z=Rb0i|LzC<{r3M{rTY6({k0y|pL7Ggj|ckuuiDvVs;H;{zfE-^=Kh*uM@Pp}Px*m= zF%o|fw?tYkJ@3^=ISw$|x=BRqpZu|6hia<5+NG7N&`wU-v4DdcEU}P*njH~r4Z3qr z*L9yB?I*}cvmbNYh6BdBwJa^~rX~DjJ{}sHIU3%Nj9Axm^%U*}17TI-%1YQ4P~nK} zPs2ma`pST-q({lo>rTX!sxkB7gl_{R^RR+&S~~0(N(p`OjQ3gU&#TDl1WcE#@{Dl8 zZk2ktgi_k7R2=_COZlO;;!Gn?_XMVKym>t2kjY*N2odbw6lCSL$0zEX6;>hfdlkWJ ziM$KIQsfEN`&oGWcCKlB+m-cLuwB&vtNI=ph5AEW#R}qJDqP`{1GUHXfo`c^t0?^< z=w_W4YfUmp)O4YA0T_^%y~{w+j-z&PCYU!pPW~PzihBTPw~xoH9)Gg&k!T+{B5`zl 
**Note**: Don't use **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open wi-fi networks that require the user to accept Terms of Use. * **Apply to new computers**: The setup file that the **Set up School PCs** app creates should be used on new computers that haven't been set up for accounts yet. 
If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. > **Warning**: Only use the setup file on computers that you want to configure and lock down for students. After you apply the setup file to a computer, the computer must be reset to remove the settings. * **Turn on student PCs and stay on first screen**: The computer must be on this screen when you insert the USB key. 
@@ -53,10 +54,23 @@ The Set up School PCs app helps you set up new computers running Windows 10, ver If you have gone past this screen, you may have to reset your PC to start over. To reset your PC after you have completed the first run experience, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. * **Use more than one USB key**: If you are setting up multiple PCs, you can set them up at the same time. Just run the **Set up School PCs** app again and save the same settings to another key. That way you can run set up on more than one PC at once. Create three keys and you can run it on three PCs at once, etc. * **Start fresh**: If the PC has already been set up and you want to return to the first-run-experience to apply a new package, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. -* **Keep it clean**: We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. +* **Keep it clean**: We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md). ## Set up School PCs app step-by-step +What you need: + +- The **Set up School PCs** app, installed on your work computer, connected to your school's network +- A USB drive, 1 GB or larger + +### Create the setup file in the app + + + + + +### Apply the setup file to PCs + The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to "package", it means your setup file, and when it refers to "provisioning", it means applying the setup file to the computer. 1. Start with a computer on the first-run setup screen. From 873cdc2254be5e518df1b68f00c904e8a15d31de Mon Sep 17 00:00:00 2001 
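Review bot: In the "@@ -53,10 +54,23 @@" hunk, the new "### Create the setup file in the app" heading is followed only by blank added lines in the change as shown, so the step-by-step goes from "What you need" straight to "### Apply the setup file to PCs" with no instructions for producing SetupSchoolPCs.ppkg. Add the creation steps in this commit or hold the heading back until they exist. The "What you need" list would also be the right place to repeat the constraint from the warning earlier on the page, that the setup file is for new PCs meant to be locked down for students, because applying it to a PC that is already set up can lose existing accounts and data.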
From: jdeckerMS Date: Fri, 20 May 2016 09:43:05 -0700 Subject: [PATCH 054/169] table fix? --- education/windows/set-up-school-pcs-technical.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 6a402c66b7..00f39712a3 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -231,7 +231,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

      Windows Settings > Security Settings > Local Policies > Security Options

      -

      Interactive logon: Do not display last user name

      - Enabled

      +

      Interactive logon: Do not display last user name

      Enabled

      Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

      Disabled

      From d8c1f4fc485ad4e7e457e9d5ff679a64d0827eb1 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 20 May 2016 09:55:04 -0700 Subject: [PATCH 055/169] found missing tag in table! --- education/windows/set-up-school-pcs-technical.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 00f39712a3..25735d9755 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -231,7 +231,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

      Windows Settings > Security Settings > Local Policies > Security Options

      -

      Interactive logon: Do not display last user name

      Enabled

      +

      Interactive logon: Do not display last user name

      Enabled

      Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

      Disabled
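Review bot: Squash this with the previous commit ("table fix?"): both replace the same single line at line 231 of set-up-school-pcs-technical.md, and neither subject names the tag that was missing or the row it belonged to. A message that states the missing tag and the affected row ("Interactive logon: Do not display last user name") lets the next editor of this hand-written table find the fix without diffing the markup.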

      From 7efb09504d17fa683dfd7e245ffe4e1ca37296c1 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 20 May 2016 10:21:17 -0700 Subject: [PATCH 056/169] darn table, what's your problem? --- .../windows/set-up-school-pcs-technical.md | 141 +++++++++--------- 1 file changed, 71 insertions(+), 70 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 25735d9755..8b00b6bf00 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -109,137 +109,138 @@ The **Set up School PCs** app produces a specialized provisioning package that m > **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required - + - + - + - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + - + - + - + - - - - - - + - + - + + + + - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + + + + - -

      Policy name

      Value

      Policy name

      Value

      Admin Templates > Control Panel > Personalization

      Admin Templates > Control Panel > Personalization

      Prevent enabling lock screen slide show

      Enabled

      Prevent enabling lock screen slide show

      Enabled

      Prevent changing lock screen and logon image

      Enabled

      Prevent changing lock screen and logon image

      Enabled

      Admin Templates > System > Power Management > Button Settings

      Admin Templates > System > Power Management > Button Settings

      Select the Power button action (plugged in)

      Sleep

      Select the Power button action (plugged in)

      Sleep

      Select the Power button action (on battery)

      Sleep

      Select the Power button action (on battery)

      Sleep

      Select the Sleep button action (plugged in)

      Sleep

      Select the Sleep button action (plugged in)

      Sleep

      Select the lid switch action (plugged in)

      Sleep

      Select the lid switch action (plugged in)

      Sleep

      Select the lid switch action (on battery)

      Sleep

      Select the lid switch action (on battery)

      Sleep

      Admin Templates > System > Power Management > Sleep Settings

      Admin Templates > System > Power Management > Sleep Settings

      Require a password when a computer wakes (plugged in)

      Enabled

      Require a password when a computer wakes (plugged in)

      Enabled

      Require a password when a computer wakes (on battery)

      Enabled

      Require a password when a computer wakes (on battery)

      Enabled

      Specify the system sleep timeout (plugged in)

      SleepTimeout

      Specify the system sleep timeout (plugged in)

      SleepTimeout

      Specify the system sleep timeout (on battery)

      SleepTimeout

      Specify the system sleep timeout (on battery)

      SleepTimeout

      Turn off hybrid sleep (plugged in)

      Enabled

      Turn off hybrid sleep (plugged in)

      Enabled

      Turn off hybrid sleep (on battery)

      Enabled

      Turn off hybrid sleep (on battery)

      Enabled

      Specify the unattended sleep timeout (plugged in)

      SleepTimeout

      Specify the unattended sleep timeout (on battery)

      SleepTimeout

      Specify the unattended sleep timeout (plugged in)

      SleepTimeout

      Allow standby states (S1-S3) when sleeping (plugged in)

      Enabled

      Specify the unattended sleep timeout (on battery)

      SleepTimeout

      Allow standby states (S1-S3) when sleeping (on battery)

      Enabled

      Allow standby states (S1-S3) when sleeping (plugged in)

      Enabled

      Specify the system hibernate timeout (plugged in)

      Enabled, 0

      Allow standby states (S1-S3) when sleeping (on battery)

      Enabled

      Specify the system hibernate timeout (on battery)

      Enabled, 0

      Admin Templates > System > Power Management > Video and Display Settings

      Turn off the display (plugged in)

      SleepTimeout

      Turn off the display (on battery

      SleepTimeout

      Specify the system hibernate timeout (plugged in)

      Enabled, 0

      Admin Templates > System > Logon

      Specify the system hibernate timeout (on battery)

      Enabled, 0

      Show first sign-in animation

      Disabled

      Admin Templates > System > Power Management > Video and Display Settings

      Turn off the display (plugged in)

      SleepTimeout

      Turn off the display (on battery

      SleepTimeout

      Hide entry points for Fast User Switching

      Enabled

      Turn on convenience PIN sign-in

      Disabled

      Admin Templates > System > Logon

      Turn off picture password sign-in

      Enabled

      Show first sign-in animation

      Disabled

      Turn off app notification on the lock screen

      Enabled

      Hide entry points for Fast User Switching

      Enabled

      Allow users to select when a password is required when resuming from connected standby

      Disabled

      Turn on convenience PIN sign-in

      Disabled

      Block user from showing account details on sign-in

      Enabled

      Turn off picture password sign-in

      Enabled

      Admin Templates > System > User Profiles

      Turn off app notification on the lock screen

      Enabled

      Turn off the advertising ID

      Enabled

      Allow users to select when a password is required when resuming from connected standby

      Disabled

      Admin Templates > Windows Components

      Block user from showing account details on sign-in

      Enabled

      Do not show Windows Tips

      Enabled

      Admin Templates > System > User Profiles

      Turn off Microsoft consumer experiences

      Enabled

      Turn off the advertising ID

      Enabled

      Microsoft Passport for Work

      Disabled

      Admin Templates > Windows Components

      Prevent the usage of OneDrive for file storage

      Enabled

      Do not show Windows Tips

      Enabled

      Admin Templates > Windows Components > Biometrics

      Turn off Microsoft consumer experiences

      Enabled

      Allow the use of biometrics

      Disabled

      Microsoft Passport for Work

      Disabled

      Allow users to log on using biometrics

      Disabled

      Prevent the usage of OneDrive for file storage

      Enabled

      Allow domain users to log on using biometrics

      Disabled

      Admin Templates > Windows Components > Biometrics

      Admin Templates > Windows Components > Data Collection and Preview Builds

      Allow the use of biometrics

      Disabled

      Toggle user control over Insider builds

      Disabled

      Allow users to log on using biometrics

      Disabled

      Disable pre-release features or settings

      Disabled

      Allow domain users to log on using biometrics

      Disabled

      Do not show feedback notifications

      Enabled

      Admin Templates > Windows Components > Data Collection and Preview Builds

      Admin Templates > Windows Components > File Explorer

      Toggle user control over Insider builds

      Disabled

      Show lock in the user tile menu

      Disabled

      Disable pre-release features or settings

      Disabled

      Admin Templates > Windows Components > Maintenance Scheduler

      Do not show feedback notifications

      Enabled

      Automatic Maintenance Activation Boundary

      MaintenanceStartTime

      Admin Templates > Windows Components > File Explorer

      Automatic Maintenance Random Delay

      Enabled, 2 hours

      Show lock in the user tile menu

      Disabled

      Automatic Maintenance WakeUp Policy

      Enabled

      Admin Templates > Windows Components > Maintenance Scheduler

      Admin Templates > Windows Components > Microsoft Edge

      Automatic Maintenance Activation Boundary

      MaintenanceStartTime

      Open a new tab with an empty tab

      Disabled

      Automatic Maintenance Random Delay

      Enabled, 2 hours

      Configure corporate home pages

      Enabled, about:blank

      Automatic Maintenance WakeUp Policy

      Enabled

      Admin Templates > Windows Components > Search

      Admin Templates > Windows Components > Microsoft Edge

      Allow Cortana

      Disabled

      Open a new tab with an empty tab

      Disabled

      Windows Settings > Security Settings > Local Policies > Security Options

      Configure corporate home pages

      Enabled, about:blank

      Interactive logon: Do not display last user name

      Enabled

      Admin Templates > Windows Components > Search

      Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

      Disabled

      Allow Cortana

      Disabled

      Shutdown: Allow system to be shut down without having to log on

      Disabled

      Windows Settings > Security Settings > Local Policies > Security Options

      Interactive logon: Do not display last user name

      Enabled

      Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

      Disabled

      Shutdown: Allow system to be shut down without having to log on

      Disabled

      User Account Control: Behavior of the elevation prompt for standard users

      Auto deny

      User Account Control: Behavior of the elevation prompt for standard users

      Auto deny


      +
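Review bot: The rewritten table still carries "Turn off the display (on battery" without its closing parenthesis, on both the removed and the added side, so the reflow copied the typo forward; fix it while the row is being touched. The Value column also lists SleepTimeout and MaintenanceStartTime, which read as variable names rather than settings. Say where those values come from, or what they default to, so an administrator auditing a provisioned PC knows what to expect for the sleep, display and maintenance policies.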

      ## Related topics From 52d4dd9616a4f8e31b7082cbcf9ee925f5be25a6 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 20 May 2016 10:36:01 -0700 Subject: [PATCH 057/169] it shows, why so much whitespace? --- education/windows/set-up-school-pcs-technical.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 8b00b6bf00..9666f1d1f3 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -106,9 +106,9 @@ The **Set up School PCs** app produces a specialized provisioning package that m ### Local Group Policies -> **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required +It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. - +
      From 5f83d2ffc77dceaf6301c122f2ede53ba06ee078 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 20 May 2016 10:58:31 -0700 Subject: [PATCH 058/169] sync before weekend --- education/windows/set-up-school-pcs-technical.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 9666f1d1f3..8c663f19e0 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -106,8 +106,6 @@ The **Set up School PCs** app produces a specialized provisioning package that m ### Local Group Policies -It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. -

      Policy name

      Value
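Review bot: The paragraph removed under "### Local Group Policies" is the warning against setting additional policies on PCs configured with the Set up School PCs app, and the subject "sync before weekend" gives no reason for dropping it. If the removal is a workaround for the whitespace problem mentioned in the previous commit, say so in the message; otherwise keep the sentence, because without it the policy table that follows has nothing telling administrators to leave the shared PC configuration alone.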

      From 6e3119151ae4df4ef13f502bfc71e414314f976e Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 May 2016 08:55:16 -0700 Subject: [PATCH 059/169] sync to change branches --- education/windows/set-up-school-pcs-technical.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 8c663f19e0..a93a867cf2 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -106,8 +106,11 @@ The **Set up School PCs** app produces a specialized provisioning package that m ### Local Group Policies -

      Policy name

      Value

      - +> **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. + +

      Policy name

      Value

      + + From 5061fa22aee8ec623b340ec55411546e67e851c6 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 23 May 2016 11:03:44 -0700 Subject: [PATCH 060/169] fixing spacing issues --- ...ve-encryption-tools-to-manage-bitlocker.md | 107 +++++++++++++----- ...-use-bitlocker-recovery-password-viewer.md | 28 ++++- .../keep-secure/bypass-traverse-checking.md | 107 +++++++----------- windows/keep-secure/change-the-system-time.md | 97 ++++++++-------- windows/keep-secure/change-the-time-zone.md | 88 +++++++------- .../change-the-tpm-owner-password.md | 35 ++++-- ...oose-the-right-bitlocker-countermeasure.md | 26 ++++- ...gure-an-applocker-policy-for-audit-only.md | 15 ++- ...e-an-applocker-policy-for-enforce-rules.md | 15 ++- ...figure-exceptions-for-an-applocker-rule.md | 10 +- windows/keep-secure/configure-s-mime.md | 35 +++++- ...onfigure-the-appLocker-reference-device.md | 22 +++- ...figure-the-application-identity-service.md | 6 +- ...onfigure-windows-defender-in-windows-10.md | 57 ++++++++-- ...t-policy-settings-for-an-event-category.md | 17 ++- windows/keep-secure/create-a-pagefile.md | 85 +++++++------- .../create-a-rule-for-packaged-apps.md | 14 ++- ...-a-rule-that-uses-a-file-hash-condition.md | 19 +++- ...reate-a-rule-that-uses-a-path-condition.md | 19 ++-- ...-a-rule-that-uses-a-publisher-condition.md | 15 ++- windows/keep-secure/create-a-token-object.md | 88 +++++++------- .../create-applocker-default-rules.md | 14 ++- windows/keep-secure/create-global-objects.md | 103 +++++++---------- ...cations-deployed-to-each-business-group.md | 33 +++++- .../create-permanent-shared-objects.md | 85 +++++++------- windows/keep-secure/create-symbolic-links.md | 90 ++++++++------- ...create-your-applocker-planning-document.md | 26 ++++- .../create-your-applocker-policies.md | 33 +++++- .../create-your-applocker-rules.md | 31 ++++- 29 files changed, 809 insertions(+), 511 deletions(-) 
diff --git a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index ab1c7f7bb2..a20d25ff66 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md 
@@ -2,79 +2,113 @@ title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) description: This topic for the IT professional describes how to use tools to manage BitLocker. ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker + **Applies to** - Windows 10 + This topic for the IT professional describes how to use tools to manage BitLocker. + BitLocker Drive Encryption Tools include the command line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell. + Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios. + Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or using the recovery console. + 1. [Manage-bde](#bkmk-managebde) 2. [Repair-bde](#bkmk-repairbde) 3. [BitLocker cmdlets for Windows PowerShell](#bkmk-blcmdlets) + ## Manage-bde + Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line reference. + Manage-bde includes less default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. 
A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. + ### Using manage-bde with operating system volumes + Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. It is recommended that at least one primary protector and a recovery protector be added to an operating system volume. + A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: + ``` syntax manage-bde -status ``` This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. + The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. + ``` syntax manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` -**Note**   -After the encryption is completed, the USB startup key must be inserted before the operating system can be started. 
+ +>**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started.   An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command: + ``` syntax manage-bde -protectors -add C: -pw -sid ``` + This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn BitLocker on. + On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: + ``` syntax manage-bde -on C: ``` + This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command: + ``` syntax manage-bde -protectors -get ``` ### Using manage-bde with data volumes + Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. It is recommended that at least one primary protector and a recovery protector be added to a data volume. + A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. + ``` syntax manage-bde -protectors -add -pw C: manage-bde -on C: ``` + ## Repair-bde + You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly. 
+ The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. -**Tip**   -If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. + +>**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.   The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. You should use Repair-bde if the following conditions are true: + 1. You have encrypted the drive by using BitLocker Drive Encryption. 2. Windows does not start, or you cannot start the BitLocker recovery console. 3. You do not have a copy of the data that is contained on the encrypted drive. -**Note**   -Damage to the drive may not be related to BitLocker. 
Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. + +>**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.   The following limitations exist for Repair-bde: + - The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process. - The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted. -For more information about using repair-bde see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx) + +For more information about using repair-bde, see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx). + ## BitLocker cmdlets for Windows PowerShell + Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. +

      Policy path

      Policy name

      Value

      Admin Templates > Control Panel > Personalization

      
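Review bot: In the non-TPM startup key example, the unchanged line `manage-bde –protectors -add C: -startupkey E:` has an en dash before `protectors` instead of an ASCII hyphen, so the command can fail when pasted; since this hunk already respaces that block, change it to `manage-bde -protectors -add C: -startupkey E:`. In the data volumes section, the password example targets `C:` although the surrounding text is about data volumes, and it puts the drive letter after `-pw` where the operating system example puts it before; use a data volume letter and one argument order.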
@@ -205,72 +239,89 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLockerVolume` cmdlet. The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status and other details. -**Tip**   -Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. + +>**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. `Get-BitLockerVolume C: | fl`   If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. + A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: + ``` syntax $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` + Using this, you can display the information in the $keyprotectors variable to determine the GUID for each protector. 
+ Using this information, you can then remove the key protector for a specific volume using the command: + ``` syntax Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` -**Note**   -The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. + +>**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.   ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes + Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell. + The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: + ``` syntax Enable-BitLocker C: + ``` In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. + ``` syntax Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` + ### Using the BitLocker Windows PowerShell cmdlets with data volumes -Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. + +Data volume encryption using Windows PowerShell is the same as for operating system volumes. 
You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a +SecureString value to store the user defined password. + ``` syntax $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` ### Using an AD Account or Group protector in Windows PowerShell + The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover to and be unlocked by any member computer of the cluster. -**Warning**   -The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes + +>**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes   To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. + ``` syntax Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` + For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. 
To get the specific SID for a user account in Windows PowerShell, use the following command: -**Note**   -Use of this command requires the RSAT-AD-PowerShell feature. + +>**Note:**  Use of this command requires the RSAT-AD-PowerShell feature.   ``` syntax get-aduser -filter {samaccountname -eq "administrator"} ``` -**Tip**   -In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. + +>**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.   The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: + ``` syntax Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` -**Note**   -Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. + +>**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.   
## More information -[BitLocker overview](bitlocker-overview.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) -[BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) -  -  + +- [BitLocker overview](bitlocker-overview.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) +- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) diff --git a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md index de1b0e8a2c..61521699b2 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md 
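Review bot: In bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md, the data volume example keeps `Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw`, which is not a cmdlet in the BitLocker module; the AD account example further down in the same hunk uses `Add-BitLockerKeyProtector`, and this line needs that cmdlet as well. The rewritten paragraph above it is also split mid-sentence (`held as a` / `SecureString value`), and the added Warning line still lacks its closing period.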
@@ -2,40 +2,56 @@ title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker: Use BitLocker Recovery Password Viewer + **Applies to** - Windows 10 + This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. + The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID). + ## Before you start + To complete the procedures in this scenario: + - You must have domain administrator credentials. - Your test computers must be joined to the domain. - On the test computers, BitLocker must have been turned on after joining the domain. + The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer. + **To view the recovery passwords for a computer** + 1. In **Active Directory Users and Computers**, locate and then click the container in which the computer is located. 2. 
Right-click the computer object, and then click **Properties**. 3. In the **Properties** dialog box, click the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer. + **To copy the recovery passwords for a computer** + 1. Follow the steps in the previous procedure to view the BitLocker recovery passwords. 2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that you want to copy, and then click **Copy Details**. 3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet. + **To locate a recovery password by using a password ID** + 1. In Active Directory Users and Computers, right-click the domain container, and then click **Find BitLocker Recovery Password**. 2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then click **Search**. By completing the procedures in this scenario, you have viewed and copied the recovery passwords for a computer and used a password ID to locate a recovery password. 
+ ## More information -[BitLocker Overview](bitlocker-overview.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -[BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) -[BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) + +- [BitLocker Overview](bitlocker-overview.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) +- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)     diff --git a/windows/keep-secure/bypass-traverse-checking.md b/windows/keep-secure/bypass-traverse-checking.md index 17fb337e5a..d07fea0ff5 100644 --- a/windows/keep-secure/bypass-traverse-checking.md +++ b/windows/keep-secure/bypass-traverse-checking.md 
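Review bot: In bitlocker-use-bitlocker-recovery-password-viewer.md, step 2 of "To locate a recovery password by using a password ID" says to type the first eight characters of the recovery password into the **Password ID (first 8 characters)** box; the box label and the procedure title both refer to the password ID, so the step should read "the first eight characters of the password ID". The whitespace-only lines after the new "More information" list are also left in place here, although the drive encryption tools hunk in this patch removes them.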
@@ -2,113 +2,90 @@ title: Bypass traverse checking (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting. ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Bypass traverse checking + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Bypass traverse checking** security policy setting. + ## Reference + This policy setting determines which users (or a process that acts on behalf of the user’s account) have permission to navigate an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. This user right does not allow the user to list the contents of a folder. It only allows the user to traverse folders to access permitted files or subfolders. + Constant: SeChangeNotifyPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + 1. Use access–based enumeration when you want to prevent users from seeing any folder or file to which they do not have access. 2. Use the default settings of this policy in most cases. If you change the settings, verify your intent through testing. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. -
      ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not Defined

      Default Domain Controller Policy

      Administrators

      -

      Authenticated Users

      -

      Everyone

      -

      Local Service

      -

      Network Service

      -

      Pre-Windows 2000 Compatible Access

      Stand-Alone Server Default Settings

      Administrators

      -

      Backup Operators

      -

      Users

      -

      Everyone

      -

      Local Service

      -

      Network Service

      Domain Controller Effective Default Settings

      Administrators

      -

      Authenticated Users

      -

      Everyone

      -

      Local Service

      -

      Network Service

      -

      Pre-Windows 2000 Compatible Access

      Member Server Effective Default Settings

      Administrators

      -

      Backup Operators

      -

      Users

      -

      Everyone

      -

      Local Service

      -

      Network Service

      Client Computer Effective Default Settings

      Administrators

      -

      Backup Operators

      -

      Users

      -

      Everyone

      -

      Local Service

      -

      Network Service

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not Defined | +| Default Domain Controller Policy | Administrators
      Authenticated Users
      Everyone
      Local Service
      Network Service
      Pre-Windows 2000 Compatible Access| +| Stand-Alone Server Default Settings | Administrators
      Backup Operators
      Users
      Everyone
      Local Service
      Network Service| +| Domain Controller Effective Default Settings | Administrators
      Authenticated Users
      Everyone
      Local Service
      Network Service
      Pre-Windows 2000 Compatible Access| +| Member Server Effective Default Settings | Administrators
      Backup Operators
      Users
      Everyone
      Local Service
      Network Service| +| Client Computer Effective Default Settings | Administrators
      Backup Operators
      Users
      Everyone
      Local Service
      Network Service|   ## Policy management + Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs).The ability to traverse the folder does not provide any Read or Write permissions to the user. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The default configuration for the **Bypass traverse checking** setting is to allow all users to bypass traverse checking. Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs) because the ability to traverse the folder does not provide any Read or Write permissions to the user. The only scenario in which the default configuration could lead to a mishap would be if the administrator who configures permissions does not understand how this policy setting works. For example, the administrator might expect that users who are unable to access a folder are unable to access the contents of any child folders. Such a situation is unlikely, and, therefore, this vulnerability presents little risk. 
+ ### Countermeasure + Organizations that are extremely concerned about security may want to remove the Everyone group, and perhaps the Users group, from the list of groups that have the **Bypass traverse checking** user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access–based enumeration can also be used. If you use access–based enumeration, users cannot see any folder or file to which they do not have access. For more info about this feature, see [Access-based Enumeration](http://go.microsoft.com/fwlink/p/?LinkId=100745). + ### Potential impact + The Windows operating systems and many applications were designed with the expectation that anyone who can legitimately access the computer will have this user right. Therefore, we recommend that you thoroughly test any changes to assignments of the **Bypass traverse checking** user right before you make such changes to production systems. In particular, IIS requires this user right to be assigned to the Network Service, Local Service, IIS\_WPG, IUSR\_*<ComputerName>*, and IWAM\_*<ComputerName>* accounts. (It must also be assigned to the ASPNET account through its membership in the Users group.) We recommend that you leave this policy setting at its default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) + +- [User Rights Assignment](user-rights-assignment.md)     diff --git a/windows/keep-secure/change-the-system-time.md b/windows/keep-secure/change-the-system-time.md index f34f347c76..4ac7356093 100644 --- a/windows/keep-secure/change-the-system-time.md +++ b/windows/keep-secure/change-the-system-time.md 
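Review bot: In bypass-traverse-checking.md, the Policy management and Vulnerability paragraphs both still read "controlled though the appropriate configuration", and the first is missing a space in "(ACLs).The ability"; while these paragraphs are being respaced, change "though" to "through" and add the space. The whitespace-only lines after "Related topics" are also kept here, although the change-the-system-time.md hunk in this patch removes them.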
@@ -2,106 +2,105 @@ title: Change the system time (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting. ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Change the system time + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Change the system time** security policy setting. + ## Reference + This policy setting determines which users can adjust the time on the device's internal clock. This right allows the computer user to change the date and time associated with records in the event logs, database transactions, and the file system. This right is also required by the process that performs time synchronization. This setting does not impact the user’s ability to change the time zone or other display characteristics of the system time. For info about assigning the right to change the time zone, see [Change the time zone](change-the-time-zone.md). + Constant: SeSystemtimePrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Restrict the **Change the system time** user right to users with a legitimate need to change the system time. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators and Local Service groups have this right on workstations and servers. Members of the Administrators, Server Operators, and Local Service groups have this right on domain controllers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not Defined

      Default Domain Controller Policy

      Administrators

      -

      Server Operators

      -

      Local Service

      Stand-Alone Server Default Settings

      Administrators

      -

      Local Service

      DC Effective Default Settings

      Administrators

      -

      Server Operators

      -

      Local Service

      Member Server Effective Default Settings

      Administrators

      -

      Local Service

      Client Computer Effective Default Settings

      Administrators

      -

      Local Service

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not Defined | +| Default Domain Controller Policy | Administrators
      Server Operators
      Local Service| +| Stand-Alone Server Default Settings | Administrators
      Local Service| +| DC Effective Default Settings | Administrators
      Server Operators
      Local Service| +| Member Server Effective Default Settings | Administrators
      Local Service| +| Client Computer Effective Default Settings | Administrators
      Local Service|   ## Policy management + This section describes features, tools and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can change the time on a computer could cause several problems. For example: + - Time stamps on event log entries could be made inaccurate - Time stamps on files and folders that are created or modified could be incorrect - Computers that belong to a domain might not be able to authenticate themselves - Users who try to log on to the domain from devices with inaccurate time might not be able to authenticate. + Also, because the Kerberos authentication protocol requires that the requester and authenticator have their clocks synchronized within an administrator-defined skew period, an attacker who changes a device's time may cause that computer to be unable to obtain or grant Kerberos protocol tickets. 
+ The risk from these types of events is mitigated on most domain controllers, member servers, and end-user computers because the Windows Time Service automatically synchronizes time with domain controllers in the following ways: + - All desktop client devices and member servers use the authenticating domain controller as their inbound time partner. - All domain controllers in a domain nominate the primary domain controller (PDC) emulator operations master as their inbound time partner. - All PDC emulator operations masters follow the hierarchy of domains in the selection of their inbound time partner. - The PDC emulator operations master at the root of the domain is authoritative for the organization. Therefore, we recommend that you configure this computer to synchronize with a reliable external time server. + This vulnerability becomes much more serious if an attacker is able to change the system time and then stop the Windows Time Service or reconfigure it to synchronize with a time server that is not accurate. + ### Countermeasure + Restrict the **Change the system time** user right to users with a legitimate need to change the system time, such as members of the IT team. + ### Potential impact + There should be no impact because time synchronization for most organizations should be fully automated for all computers that belong to the domain. Computers that do not belong to the domain should be configured to synchronize with an external source, such as a web service. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/change-the-time-zone.md b/windows/keep-secure/change-the-time-zone.md index fafb6d6293..1b27d5afe9 100644 --- a/windows/keep-secure/change-the-time-zone.md +++ b/windows/keep-secure/change-the-time-zone.md 
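Review bot: In change-the-system-time.md, the new Markdown table keeps the row label "DC Effective Default Settings", while the bypass-traverse-checking.md table in this patch uses "Domain Controller Effective Default Settings"; spell it out here too so the user rights topics stay consistent. In the Vulnerability list, only the last bullet ends with a period; punctuate the four items the same way.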
@@ -2,91 +2,85 @@ title: Change the time zone (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting. ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Change the time zone + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Change the time zone** security policy setting. + ## Reference + This policy setting determines which users can adjust the time zone that is used by the device for displaying the local time, which includes the device's system time plus the time zone offset. + Constant: SeTimeZonePrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + None. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not Defined

      Default Domain Controller Policy

      Administrators

      -

      Users

      Stand-Alone Server Default Settings

      Administrators

      -

      Users

      Domain Controller Effective Default Settings

      Administrators

      -

      Users

      Member Server Effective Default Settings

      Administrators

      -

      Users

      Client Computer Effective Default Settings

      Administrators

      -

      Users

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not Defined| +| Default Domain Controller Policy | Administrators
      Users| +| Stand-Alone Server Default Settings | Administrators
      Users| +| Domain Controller Effective Default Settings | Administrators
      Users| +| Member Server Effective Default Settings | Administrators
      Users| +| Client Computer Effective Default Settings | Administrators
      Users|   ## Policy management + A restart of the device is not required for this policy setting to be effective. + Any change to the account for this user right assignment becomes effective the next time the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Changing the time zone represents little vulnerability because the system time is not affected. This setting merely enables users to display their preferred time zone while being synchronized with domain controllers in different time zones. + ### Countermeasure + Countermeasures are not required because system time is not affected by this setting. + ### Potential impact + None. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index e76c48aac1..7241d40deb 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md 
@@ -2,49 +2,66 @@ title: Change the TPM owner password (Windows 10) description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. ms.assetid: e43dcff3-acb4-4a92-8816-d6b64b7f2f45 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Change the TPM owner password + **Applies to** - Windows 10 + This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. -## About the TPM owner password + +## About the TPM owner password The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. When an owner is set, no other user or software can claim ownership of the TPM. Only the TPM owner can enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. Taking ownership of the TPM can be performed as part of the initialization process. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. + Applications, including BitLocker Drive Encryption, can automatically start the initialization process. If you enable BitLocker without manually initializing the TPM, the TPM owner password is automatically created and saved in the same location as the BitLocker recovery password. The TPM owner password can be saved as a file on a removable storage device, or on another computer. The password can also be printed. The TPM MMC gives the TPM owner the sole ability to choose the appropriate option to type the password or to use the saved password. 
As with any password, you should change your TPM owner password if you suspect that it has become compromised and is no longer a secret. + **Other TPM management options** + Instead of changing your owner password, you can also use the following options to manage your TPM: + - **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-clear1). - **Important**   - Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM. + + >**Important:**  Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM.   - **Turn off the TPM**   If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff). + ## Change the TPM owner password + The following procedure provides the steps that are necessary to change the TPM owner password. + **To change the TPM owner password** + 1. Open the TPM MMC (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. In the **Actions** pane, click **Change Owner Password**. 3. In the **Manage the TPM security hardware** dialog box, select a method to enter your current TPM owner password. + - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. 
In the **Select backup file with the TPM owner password** dialog box, use **Browse** to navigate to the .tpm file that is saved on your removable storage device. Click **Open**, and then click **Create New Password**. - If you do not have the removable storage device with your saved password, click **I want to enter the owner password**. In the **Type your TPM owner password** dialog box, enter your password (including hyphens), and click **Create New Password**. 4. On the **Create the TPM owner password** page, select a method for creating a new TPM owner password. + 1. Click **Automatically create the password** to have a new owner password generated for you. 2. Click **Manually create the password** if you want to specify a password. - **Note**   - The TPM owner password must have a minimum of eight characters. + >**Note:**  The TPM owner password must have a minimum of eight characters.   5. After the new password is created, you can choose **Save the password** to save the password in a password backup file on a removable storage device or **Print the password** to print a copy of the password for later reference. + 6. Click **Change password** to apply the new owner password to the TPM. -## Use the TPM cmdlets + +## Use the TPM cmdlets + If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: **dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). + ## Additional resources + For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). -  -  diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md index 374b255db6..3e84e8f209 100644 
--- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md +++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md 
@@ -2,28 +2,46 @@ title: Choose the right BitLocker countermeasure (Windows 10) description: This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. ms.assetid: b0b09508-7885-4030-8c61-d91458afdb14 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Choose the right BitLocker countermeasure + **Applies to** - Windows 10 + This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication. -Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings. + +Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default +settings. 
+ ![how to choose best countermeasures for windows 7](images/bitlockerprebootprotection-counterwin7.jpg) + **Figure 2.** How to choose the best countermeasures for Windows 7 + ![how to choose countermeasures for windows 8](images/bitlockerprebootprotection-counterwin8.jpg) + **Figure 3.** How to choose the best countermeasures for Windows 8 + ![how to choose countermeasures for windows 8.1](images/bitlockerprebootprotection-counterwin81.jpg) + **Figure 4.** How to choose the best countermeasures for Windows 8.1 -The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. + +The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of +DMA ports is infrequent in the non-developer space. 
+ Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). + Windows 7 PCs share the same security risks as newer devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another computer to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack. -In the end, many customers will find that pre-boot authentication improves security only for a shrinking subset of devices within their organization. Microsoft recommends a careful examination of the attack vectors and mitigations outlined in this document along with an evaluation of your devices before choosing to implement pre-boot authentication, which may not enhance the security of your devices and instead will only compromise the user experience and add to support costs. + +In the end, many customers will find that pre-boot authentication improves security only for a shrinking subset of devices within their organization. 
Microsoft recommends a careful examination of the attack vectors and mitigations +outlined in this document along with an evaluation of your devices before choosing to implement pre-boot authentication, which may not enhance the security of your devices and instead will only compromise the user experience and add to support costs. + ## See also - [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) - [BitLocker Countermeasures](bitlocker-countermeasures.md) diff --git a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md index 5de6e0fbde..58ba26536b 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md 
@@ -2,26 +2,31 @@ title: Configure an AppLocker policy for audit only (Windows 10) description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker. ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Configure an AppLocker policy for audit only + **Applies to** - Windows 10 + This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. + After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**. + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. -**Note**   -There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md). + +>**Note:**  There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).   You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. 
For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To audit rule collections** + 1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**. 2. On the **Enforcement** tab, select the **Configured** check box for the rule collection that you want to enforce, and then verify that **Audit only** is selected in the list for that rule collection. 3. Repeat the above step to configure the enforcement setting to **Audit only** for additional rule collections. 4. Click **OK**. -  -  diff --git a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md index cd7c80e04b..3d6aa8a2c7 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md 
@@ -2,25 +2,30 @@ title: Configure an AppLocker policy for enforce rules (Windows 10) description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Configure an AppLocker policy for enforce rules + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. -**Note**   -When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. + +>**Note:**  When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited.   For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To enable the Enforce rules enforcement setting** + 1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**. 2. On the **Enforcement** tab of the **AppLocker Properties** dialog box, select the **Configured** check box for the rule collection that you are editing, and then verify that **Enforce rules** is selected. 3. Click **OK**. 
+ For info about viewing the events generated from rules enforcement, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). -  -  diff --git a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md index 34f5707623..0d4e3eefd6 100644 --- a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md +++ b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md 
@@ -2,23 +2,31 @@ title: Add exceptions for an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Add exceptions for an AppLocker rule + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. + Rule exceptions allow you to specify files or folders to exclude from the rule. For more information about exceptions, see [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md). + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To configure exceptions for a rule** + 1. Open the AppLocker console. 2. Expand the rule collection, right-click the rule that you want to configure exceptions for, and then click **Properties**. 3. Click the **Exceptions** tab. 4. In the **Add exception** box, select the rule type that you want to create, and then click **Add**. + - For a publisher exception, click **Browse**, select the file that contains the publisher to exclude, and then click **OK**. - For a path exception, choose the file or folder path to exclude, and then click **OK**. - For a file hash exception, edit the file hash rule, and click **Remove**. diff --git a/windows/keep-secure/configure-s-mime.md b/windows/keep-secure/configure-s-mime.md index 0f76c34cac..1d5a83822d 100644 --- a/windows/keep-secure/configure-s-mime.md 
+++ b/windows/keep-secure/configure-s-mime.md 
@@ -2,55 +2,84 @@ title: Configure S/MIME for Windows 10 and Windows 10 Mobile (Windows 10) description: In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 -ms.pagetype: security -keywords: ["encrypt", "digital signature"] +keywords: encrypt, digital signature ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: jdeckerMS --- + + # Configure S/MIME for Windows 10 and Windows 10 Mobile + **Applies to** - Windows 10 - Windows 10 Mobile + S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. + ## About message encryption + Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. + Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email. + ## About digital signatures + A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. 
Recipients can only verify the digital signature if they’re using an email client that supports S/MIME. + ## Prerequisites + - [S/MIME is enabled for Exchange accounts](http://go.microsoft.com/fwlink/p/?LinkId=718217) (on-premises and Office 365). Users can’t use S/MIME signing and encryption with a personal account such as Outlook.com. - Valid Personal Information Exchange (PFX) certificates are installed on the device. + - [How to Create PFX Certificate Profiles in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkID=718215) - [Enable access to company resources using certificate profiles with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=718216) - [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) + ## Choose S/MIME settings + On the device, perform the following steps: (add select certificate) 1. Open the Mail app. (In Windows 10 Mobile, the app is Outlook Mail.) 2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. + ![settings icon in mail app](images/mailsettings.png) + 3. Tap **Email security**. + ![email security settings](images/emailsecurity.png) + 4. In **Select an account**, select the account for which you want to configure S/MIME options. 5. Make a certificate selection for digital signature and encryption. + - Select **Automatically** to let the app choose the certificate. - Select **Manually** to specify the certificate yourself from the list of valid certificates on the device. 6. (Optional) Select **Always sign with S/MIME**, **Always encrypt with S/MIME**, or both, to automatically digitally sign or encrypt all outgoing messages. - **Note**  The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it. + + >**Note:**  The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.   7. Tap the back arrow. 
+ ## Encrypt or sign individual messages 1. While composing a message, choose **Options** from the ribbon. On phone, **Options** can be accessed by tapping the the ellipsis (...). + 2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message. + ![sign or encrypt message](images/signencrypt.png) + ## Read signed or encrypted messages + When you receive an encrypted message, the mail app will check whether there is a certificate available on your computer. If there is a certificate available, the message will be decrypted when you open it. If your certificate is stored on a smartcard, you will be prompted to insert the smartcard to read the message. Your smartcard may also require a PIN to access the certificate. + ## Install certificates from a received message + When you receive a signed email, the app provide feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person. + 1. Open a signed email. 2. Tap or click the digital signature icon in the reading pane. 3. Tap **Install.** + ![message security information](images/installcert.png)     diff --git a/windows/keep-secure/configure-the-appLocker-reference-device.md b/windows/keep-secure/configure-the-appLocker-reference-device.md index d3dd0de7e5..59e6e81b2d 100644 --- a/windows/keep-secure/configure-the-appLocker-reference-device.md +++ b/windows/keep-secure/configure-the-appLocker-reference-device.md 
@@ -2,35 +2,47 @@ title: Configure the AppLocker reference device (Windows 10) description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Configure the AppLocker reference device + **Applies to** - Windows 10 + This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. + An AppLocker reference device that is used for the development and deployment of AppLocker policies should mimic the directory structure and corresponding applications in the organizational unit (OU) or business group for the production environment. On a reference device, you can: + - Maintain an application list for each business group. - Develop AppLocker policies by creating individual rules or by creating a policy by automatically generating rules. - Create the default rules to allow the Windows system files to run properly. - Run tests and analyze the event logs to determine the affect of the policies that you intend to deploy. + The reference device does not need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). -**Warning**   -Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected. 
+ +>**Warning:**  Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected.   **To configure a reference device** + 1. If the operating system is not already installed, install one of the supported editions of Windows on the device. - **Note**   - If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device + + >**Note:**  If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device   2. Configure the administrator account. + To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have been delegated privileges to use Group Policy to update a Group Policy Object (GPO). + 3. Install all apps that run in the targeted business group or OU by using the same directory structure. + The reference device should be configured to mimic the structure of your production environment. It depends on having the same apps in the same directories to accurately create the rules. + ### See also + - After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see [Working with AppLocker rules](working-with-applocker-rules.md). - [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)   
diff --git a/windows/keep-secure/configure-the-application-identity-service.md b/windows/keep-secure/configure-the-application-identity-service.md index 2f0505366e..0714a613da 100644 --- a/windows/keep-secure/configure-the-application-identity-service.md +++ b/windows/keep-secure/configure-the-application-identity-service.md @@ -15,12 +15,13 @@ author: brianlic-msft - Windows 10 This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. + The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced. -**Important**   -When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file. +>**Important:**  When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file.   **To start the Application Identity service automatically using Group Policy** + 1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC). 2. Locate the GPO to edit, right-click the GPO, and then click **Edit**. 3. In the console tree under **Computer Configuration\\Windows Settings\\Security Settings**, click **System Services**. 
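Review bot: in the reformatted Important callout, "you must configure it to start automatically" leaves "it" without an antecedent now that the callout stands alone as a blockquote; name the service, for example "you must configure the Application Identity service to start automatically". The paragraph just above says that stopping the service prevents AppLocker policies from being enforced, so this callout is the sentence readers will act on and it should be unambiguous when read by itself.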
@@ -30,6 +31,7 @@ When using Group Policy, you must configure it to start automatically in at leas Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. **To start the Application Identity service manually** + 1. Right-click the taskbar, and click **Task Manager**. 2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**. 3. Verify that the status for the Application Identity service is **Running**. diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md index b4f9e3572b..72c2a16a9b 100644 --- a/windows/keep-secure/configure-windows-defender-in-windows-10.md +++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md 
@@ -2,33 +2,48 @@ title: Configure Windows Defender in Windows 10 (Windows 10) description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security author: jasesso --- + # Configure Windows Defender in Windows 10 + **Applies to** - Windows 10 + IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). + ## Configure definition updates + It is important to update definitions regularly to ensure that your endpoints are protected. Definition updates can be configured to suit the requirements of your organization. + Windows Defender supports the same updating options (such as using multiple definition sources) as other Microsoft endpoint protection products; for more information, see [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx). + When you configure multiple definition sources in Windows Defender, you can configure the fallback order using the following values through *Group Policy* settings: + - InternalDefinitionUpdateServer - WSUS - MicrosoftUpdateServer - Microsoft Update - MMPC - [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx) - FileShares - file share + Read about deploying administrative template files for Windows Defender in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367). + You can also manage your Windows Defender update configuration settings through System Center Configuration Manager. 
See [How to Configure Definition Updates for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/jj822983.aspx) for details. + ## Definition update logic + You can update Windows Defender definitions in four ways depending on your business requirements: + - WSUS, the managed server. You can manage the distribution of updates that are released through Microsoft Update to computers in your enterprise environment; read more on the [Windows Server Update Services](https://technet.microsoft.com/windowsserver/bb332157.aspx) website. - Microsoft Update, the unmanaged server. You can use this method to get regular updates from Microsoft Update. - The [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx), as an alternate download location. You can use this method if you want to download the latest definitions. - File share, where the definition package is downloaded. You can retrieve definition updates from a file share. The file share must be provisioned on a regular basis with the update files. + ## Update Windows Defender definitions through Active Directory and WSUS + This section details how to update Windows Defender definitions for Windows 10 endpoints through Active Directory and WSUS. @@ -109,50 +124,78 @@ This section details how to update Windows Defender definitions for Windows 10
        ## Manage cloud-based protection + Windows Defender offers improved cloud-based protection and threat intelligence for endpoint protection clients using the Microsoft Active Protection Service. Read more about the Microsoft Active Protection Service community in [Join the Microsoft Active Protection Service community](http://windows.microsoft.com/windows-8/join-maps-community). + You can enable or disable the Microsoft Active Protection Service using *Group Policy* settings and administrative template files. + More information on deploying administrative template files for Windows Defender is available in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367). + The Microsoft Active Protection Service can be configured with the following *Group Policy* settings: + 1. Open the **Group Policy Editor**. 2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**. 3. Click on **MAPS**. 4. Double-click on **Join Microsoft MAPS**. 5. Select your configuration option from the **Join Microsoft MAPS** list. - **Note**  Any settings modified on an endpoint will be overridden by the administrator's policy setting. + + >**Note:**  Any settings modified on an endpoint will be overridden by the administrator's policy setting.   
Use the Windowsdefender.adm *Group Policy* template file to control the policy settings for Windows Defender in Windows 10: + Policy setting: **Configure Microsoft SpyNet Reporting** + Registry key name: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting** + Policy description: **Adjusts membership in Microsoft Active Protection Service** + You can also configure preferences using the following PowerShell parameters: + - Turn Microsoft Active Protection Service off: *Set-MpPreference -MAPSReporting 0* - Turn Microsoft Active Protection Service on: *Set-MpPreference -MAPSReporting 2* + Read more about this in: + - [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx) - [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -**Note**  Any information that Windows Defender collects is encrypted in transit to our servers, and then stored in secure facilities. Microsoft takes several steps to avoid collecting any information that directly identifies you, such as your name, email address, or account ID. + +>**Note:**  Any information that Windows Defender collects is encrypted in transit to our servers, and then stored in secure facilities. Microsoft takes several steps to avoid collecting any information that directly identifies you, such as your name, email address, or account ID.   Read more about how to manage your privacy settings in [Setting your preferences for Windows 10 services](http://windows.microsoft.com/windows-10/services-setting-preferences). + ## Opt-in to Microsoft Update + You can use Microsoft Update to keep definitions on mobile computers running Windows Defender in Windows 10 up to date when they are not connected to the corporate network. If the mobile computer doesn't have a [Windows Server Update Service](https://technet.microsoft.com/windowsserver/bb332157.aspx) (WSUS) connection, the signatures will still come from Microsoft Update. 
This means that signatures can be pushed down (via Microsoft Update) even if WSUS overrides Windows Update. + You need to opt-in to Microsoft Update on the mobile computer before it can retrieve the definition updates from Microsoft Update. + There are two ways you can opt-in to Microsoft Update in Windows Defender for Windows 10: + 1. Use a VBScript to create a script, then run it on each computer in your network. 2. Manually opt-in every computer on your network through the **Settings** menu. + You can create a VBScript and run it on each computer on your network; this is an efficient way to opt-in to Microsoft Update. + **Use a VBScript to opt in to Microsoft Update** + 1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. 2. Run the VBScript you created on each computer in your network. + You can manually opt-in each individual computer on your network to receive Microsoft Update. + **Manually opt-in to Microsoft Update** + 1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. 2. Click **Advanced** options. 3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. + ## Schedule updates for Microsoft Update + Opting-in to Microsoft Update means that your system administrator can schedule updates to your mobile computer, so that it keeps up-to-date with the latest software versions and security definitions, even when you’re on the road. + For more information on scheduling updates, see [Configure definition updates](https://technet.microsoft.com/library/mt622088.aspx#configure-definition-updates). 
+ ## Related topics -[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) -[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) -  -  + +- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) +- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) diff --git a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md index 08b1dfb88d..cdd372d271 100644 --- a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md 
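Review bot: in configure-windows-defender-in-windows-10.md, the two PowerShell commands under "Manage cloud-based protection" are set in italics ("Set-MpPreference -MAPSReporting 0" and "Set-MpPreference -MAPSReporting 2"); use inline code formatting so they can be copied exactly, and say what the value 2 selects, since the text only labels it "on". The same hunk links windows.microsoft.com over http:// in two places (prefer https links where the target supports them) and writes "Windows Server Update Service" where the earlier section has "Windows Server Update Services"; both are worth correcting while these lines are being reflowed.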
@@ -2,26 +2,36 @@ title: Create a basic audit policy for an event category (Windows 10) description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a basic audit policy for an event category + **Applies to** - Windows 10 + By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. + To complete this procedure, you must be logged on as a member of the built-in Administrators group. + **To define or modify auditing policy settings for an event category for your local computer** + 1. Open the Local Security Policy snap-in (secpol.msc), and then click **Local Policies**. 2. Click **Audit Policy**. 3. In the results pane, double-click an event category that you want to change the auditing policy settings for. 4. Do one or both of the following, and then click **OK.** + - To audit successful attempts, select the **Success** check box. - To audit unsuccessful attempts, select the **Failure** check box. + To complete this procedure, you must be logged on as a member of the Domain Admins group. + **To define or modify auditing policy settings for an event category for a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain** + 1. Open the Group Policy Management Console (GPMC). 2. In the console tree, double-click **Group Policy objects** in the forest and domain containing the **Default Domain Policy** Group Policy object (GPO) that you want to edit. 3. 
Right-click the **Default Domain Policy** GPO, and then click **Edit**. @@ -29,11 +39,12 @@ To complete this procedure, you must be logged on as a member of the Domain Admi 5. In the results pane, double-click an event category that you want to change the auditing policy settings for. 6. If you are defining auditing policy settings for this event category for the first time, select the **Define these policy settings** check box. 7. Do one or both of the following, and then click **OK.** + - To audit successful attempts, select the **Success** check box. - To audit unsuccessful attempts, select the **Failure** check box. + ## Additional considerations + - To audit object access, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object. - After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view these events. - The default auditing policy setting for domain controllers is **No Auditing**. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting. -  -  diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/keep-secure/create-a-pagefile.md index 31839c324f..c914d790aa 100644 --- a/windows/keep-secure/create-a-pagefile.md +++ b/windows/keep-secure/create-a-pagefile.md 
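Review bot: in create-a-basic-audit-policy-settings-for-an-event-category.md, the introduction and "Additional considerations" contradict each other about domain controllers. The first hunk keeps "On domain controllers, auditing is turned on by default." while the last bullet of the second hunk says "The default auditing policy setting for domain controllers is **No Auditing**." One of the two needs correcting or qualifying, for example by saying which policy or GPO each statement refers to, because an administrator who reads only one of them will draw the opposite conclusion about whether domain controller events are being recorded in the Security log.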
@@ -2,88 +2,89 @@ title: Create a pagefile (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting. ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a pagefile + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Create a pagefile** security policy setting. + ## Reference + Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computer’s Random Access Memory (RAM) to improve performance for programs and data that are used frequently. Although the file is hidden from browsing, you can manage it using the system settings. + This policy setting determines which users can create and change the size of a page file. It determines whether users can specify a page file size for a particular drive in the **Performance Options** box located on the **Advanced** tab of the **System Properties** dialog box or through using internal application interfaces (APIs). + Constant: SeCreatePagefilePrivilege + ### Possible values + - User-defined list of accounts - Administrators + ### Best practices + - Restrict the **Create a pagefile** user right to Administrators, which is the default. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Administrators

      Default Domain Controller Policy

      Administrators

      Stand-Alone Server Default Settings

      Administrators

      Domain Controller Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Administrators | +| Default Domain Controller Policy | Administrators | +| Stand-Alone Server Default Settings | Administrators | +| Domain Controller Effective Default Settings | Administrators | +| Member Server Effective Default Settings | Administrators | +| Client Computer Effective Default Settings | Administrators |   ## Policy management + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can change the page file size could make it extremely small or move the file to a highly fragmented storage volume, which could cause reduced device performance. + ### Countermeasure + Restrict the **Create a pagefile** user right to members of the Administrators group. + ### Potential impact + None. Restricting this right to members of the Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/create-a-rule-for-packaged-apps.md b/windows/keep-secure/create-a-rule-for-packaged-apps.md index 2474296f59..3909260775 100644 
--- a/windows/keep-secure/create-a-rule-for-packaged-apps.md +++ b/windows/keep-secure/create-a-rule-for-packaged-apps.md 
@@ -2,24 +2,34 @@ title: Create a rule for packaged apps (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a rule for packaged apps + **Applies to** - Windows 10 + This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. + Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it is possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information: + - Publisher of the package - Package name - Package version + All the files within a package as well as the package installer share these attributes. Therefore, an AppLocker rule for a packaged app controls both the installation as well as the running of the app. Otherwise, the publisher rules for packaged apps are no different than the rest of the rule collections; they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups. + For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). 
+ You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To create a packaged app rule** + 1. Open the AppLocker console. 2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**. 3. On the **Before You Begin** page, click **Next**. @@ -99,5 +109,3 @@ You can perform this task by using the Group Policy Management Console for an Ap 6. Click **Next**. 7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. 8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. -  -  diff --git a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md index f5a2a1ed28..261eea052b 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md 
@@ -2,30 +2,37 @@ title: Create a rule that uses a file hash condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a rule that uses a file hash condition + **Applies to** - Windows 10 + This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. + File hash rules use a system-computed cryptographic hash of the identified file. + For info about the file hash condition, see [Understanding the File Hash Rule Condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer +AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To create a new rule with a file hash condition** + 1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. 2. On the **Action** menu, click **Create New Rule**. 3. On the **Before You Begin** page, click **Next**. 4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. 5. 
On the **Conditions** page, select the **File hash** rule condition, and then click **Next**. 6. **Browse Files** to locate the targeted application file. - **Note**   - You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button. + + >**Note:**  You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button.   7. Click **Next**. 8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. -  -  diff --git a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md index 3130eeb9a7..8553577fac 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md 
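Review bot: in create-a-rule-that-uses-a-file-hash-condition.md, the replacement for the "You can perform this task by using the Group Policy Management Console" paragraph now breaks in the middle of a sentence: the first added line ends at "to administer" and the second begins "AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins)." Rejoin it into a single line as it was before the change. In the same sentence, "For info how to use" is missing "about".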
@@ -2,34 +2,39 @@ title: Create a rule that uses a path condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a path condition. ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a rule that uses a path condition + **Applies to** - Windows 10 + This topic for IT professionals shows how to create an AppLocker rule with a path condition. + The path condition identifies an app by its location in the file system of the computer or on the network. -**Important**   -When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles. + +>**Important:**  When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles.   For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). 
+ You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To create a new rule with a path condition** + 1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. 2. On the **Action** menu, click **Create New Rule**. 3. On the **Before You Begin** page, click **Next**. 4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. 5. On the **Conditions** page, select the **Path** rule condition, and then click **Next**. 6. Click **Browse Files** to locate the targeted folder for the app. - **Note**   - When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). + + >**Note:**  When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).   7. Click **Next**. 8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**. 9. 
On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. -  -  diff --git a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md index 11baddf574..11ceca1e52 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md 
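Review bot: in create-a-rule-that-uses-a-path-condition.md, the Important callout ends with "any file within C:\\ will be allowed to run, including users' profiles", which reads as though the profiles themselves run; say "including files in users' profiles", since user-writable locations are exactly the risk the callout warns about. Step 6 also says "Click **Browse Files** to locate the targeted folder for the app", which mixes file and folder; state which of the two the reader is expected to select.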
@@ -2,21 +2,30 @@ title: Create a rule that uses a publisher condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a rule that uses a publisher condition + **Applies to** - Windows 10 + This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. + You can use publisher conditions only for files that are digitally signed; the publisher condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the file is part of and the version number of the application. The publisher may be a software development company, such as Microsoft, or the information technology department of your organization. Packaged app rules are by definition rules that use publisher conditions. For info about creating a packaged app rule, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md). + For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). 
+ +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer +AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To create a new rule with a publisher condition** + 1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. 2. On the **Action** menu, click **Create New Rule**. 3. On the **Before You Begin** page, click **Next**. @@ -26,5 +35,3 @@ You can perform this task by using the Group Policy Management Console for an Ap 7. Click **Next**. 8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**. 9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. -  -  diff --git a/windows/keep-secure/create-a-token-object.md b/windows/keep-secure/create-a-token-object.md index 1c972b491b..99055b694f 100644 --- a/windows/keep-secure/create-a-token-object.md +++ b/windows/keep-secure/create-a-token-object.md 
@@ -2,91 +2,91 @@ title: Create a token object (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a token object security policy setting. ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a token object + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Create a token object** security policy setting. + ## Reference + This policy setting determines which accounts a process can use to create a token, and which accounts it can then use to gain access to local resources when the process uses NtCreateToken() or other token-creation APIs. + When a user logs on to the local device or connects to a remote device through a network, Windows builds the user’s access token. Then the system examines the token to determine the level of the user's privileges. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. + Constant: SeCreateTokenPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + This user right is used internally by the operating system. By default, it is not assigned to any user groups. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not Defined

      Default Domain Controller Policy

      Not Defined

      Stand-Alone Server Default Settings

      Not Defined

      Domain Controller Effective Default Settings

      Local System

      Member Server Effective Default Settings

      Local System

      Client Computer Effective Default Settings

      Local System

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Not Defined | +| Stand-Alone Server Default Settings | Not Defined | +| Domain Controller Effective Default Settings | Local System | +| Member Server Effective Default Settings | Local System | +| Client Computer Effective Default Settings | Local System |   ## Policy management + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -**Caution**   -A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. + +>**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.   Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. 
When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they are currently logged on. They could escalate their privileges or create a DoS condition. + ### Countermeasure + Do not assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account that has this user right assigned. + ### Potential impact + None. Not Defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md index 15c82719f5..eb37fb2112 100644 --- a/windows/keep-secure/create-applocker-default-rules.md +++ b/windows/keep-secure/create-applocker-default-rules.md 
@@ -2,24 +2,28 @@ title: Create AppLocker default rules (Windows 10) description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create AppLocker default rules + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed to run. -**Important**   -You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types. + +>**Important:**  You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types.   You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To create default rules** + 1. Open the AppLocker console. 2. 
Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules. 3. Click **Create Default Rules**. -  -  diff --git a/windows/keep-secure/create-global-objects.md b/windows/keep-secure/create-global-objects.md index 7e51c7a813..1f047ee451 100644 --- a/windows/keep-secure/create-global-objects.md +++ b/windows/keep-secure/create-global-objects.md 
@@ -2,106 +2,91 @@ title: Create global objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create global objects security policy setting. ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create global objects + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Create global objects** security policy setting. + ## Reference + This policy setting determines which users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. + A global object is an object that is created to be used by any number of processes or threads, even those not started within the user’s session. Remote Desktop Services uses global objects in its processes to facilitate connections and access. + Constant: SeCreateGlobalPrivilege + ### Possible values + - User-defined list of accounts - Default accounts listed below + ### Best practices + - Do not assign any user accounts this right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right, as do Local Service and Network Service accounts on the supported versions of Windows. Service is included for backwards compatibility with earlier versions of Windows. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not Defined

      Default Domain Controller Policy

      Administrators

      -

      Local Service

      -

      Network Service

      -

      Service

      Stand-Alone Server Default Settings

      Administrators

      -

      Local Service

      -

      Network Service

      -

      Service

      Domain Controller Effective Default Settings

      Administrators

      -

      Local Service

      -

      Network Service

      -

      Service

      Member Server Effective Default Settings

      Administrators

      -

      Local Service

      -

      Network Service

      -

      Service

      Client Computer Effective Default Settings

      Administrators

      -

      Local Service

      -

      Network Service

      -

      Service

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Administrators
      Local Service
      Network Service
      Service| +| Stand-Alone Server Default Settings | Administrators
      Local Service
      Network Service
      Service| +| Domain Controller Effective Default Settings | Administrators
      Local Service
      Network Service
      Service| +| Member Server Effective Default Settings | Administrators
      Local Service
      Network Service
      Service| +| Client Computer Effective Default Settings | Administrators
      Local Service
      Network Service
      Service|   ## Policy management + A restart of the device is not required for this policy setting to take effect. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -**Caution**   -A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. + +>**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.   Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their privileges or create a denial-of-service (DoS) condition. + ### Countermeasure + Do not assign the **Create a token object** user right to any users. 
Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account with this user right assigned. + ### Potential impact + None. Not Defined is the default domain policy configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md index 6afbbb8eb8..074fababfc 100644 --- a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md 
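Review bot: In create-global-objects.md, the Vulnerability and Countermeasure sections that this hunk reformats still describe a different user right. The Countermeasure reads "Do not assign the **Create a token object** user right to any users", and the Vulnerability paragraph talks about users who can "create or modify tokens"; both match the text of create-a-token-object.md rather than SeCreateGlobalPrivilege. Since the Caution block is being rewritten here anyway, name **Create global objects** in the Countermeasure and have the Vulnerability text describe the risk of this right. Please also reconcile the Caution ("We highly recommend that you do not assign this right to any user accounts") with the Default values table in the same hunk, which lists Administrators, Local Service, Network Service and Service as holding the right by default.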
@@ -2,46 +2,69 @@ title: Create a list of apps deployed to each business group (Windows 10) description: This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create a list of apps deployed to each business group + **Applies to** - Windows 10 + This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. + ## Determining app usage + For each business group, determine the following: + - The complete list of apps used, including different versions of an app - The full installation path of the app - The publisher and signed status of each app - The type of requirement the business groups set for each app, such as business critical, business productivity, optional, or personal. It might also be helpful during this effort to identify which apps are supported or unsupported by your IT department, or supported by others outside your control. - A list of files or apps that require administrative credentials to install or run. If the file requires administrative credentials to install or run, users who cannot provide administrative credentials will be prevented from running the file even if the file is explicitly allowed by an AppLocker policy. Even with AppLocker policies enforced, only members of the Administrators group can install or run files that require administrative credentials. + ### How to perform the app usage assessment -Although you might already have a method in place to understand app usage for each business group, you will need to use this information to help create your AppLocker rule collection. 
AppLocker includes the Automatically Generate Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection. + +Although you might already have a method in place to understand app usage for each business group, you will need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate +Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection. + **Application inventory methods** + Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is very useful when creating rules from a reference computer, and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer. -Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. 
Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. -**Tip**   -If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker. + +Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules +initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. + +>**Tip:**  If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker. You can create an inventory of Universal Windows apps on a device by using two methods: the **Get-AppxPackage** Windows PowerShell cmdlet or the AppLocker console.   
The following topics in the [AppLocker Step-by-Step Guide](http://go.microsoft.com/fwlink/p/?LinkId=160261) describe how to perform each method: + - [Automatically generating executable rules from a reference computer](http://go.microsoft.com/fwlink/p/?LinkId=160264) - [Using auditing to track which apps are used](http://go.microsoft.com/fwlink/p/?LinkId=160281) + ### Prerequisites to completing the inventory + Identify the business group and each organizational unit (OU) within that group to which you will apply application control policies. In addition, you should have identified whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following topics: + - [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) - [Determine your application control objectives](determine-your-application-control-objectives.md) + ## Next steps + Identify and develop the list of apps. Record the name of the app, whether it is signed or not as indicated by the publisher's name, and whether or not it is a mission critical, business productivity, optional, or personal application. Record the installation path of the apps. For info about how to do this, see [Document your app list](document-your-application-list.md). + After you have created the list of apps, the next step is to identify the rule collections, which will become the policies. This information can be added to the table under columns labeled: + - Use default rule or define new rule condition - Allow or deny - GPO name + To do this, see the following topics: + - [Select the types of rules to create](select-types-of-rules-to-create.md) - [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)   diff --git a/windows/keep-secure/create-permanent-shared-objects.md b/windows/keep-secure/create-permanent-shared-objects.md index ee6979dbe5..33ab226516 100644 
--- a/windows/keep-secure/create-permanent-shared-objects.md +++ b/windows/keep-secure/create-permanent-shared-objects.md 
@@ -2,88 +2,89 @@ title: Create permanent shared objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create permanent shared objects security policy setting. ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create permanent shared objects + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Create permanent shared objects** security policy setting. + ## Reference + This user right determines which accounts can be used by processes to create a directory object by using the object manager. Directory objects include Active Directory objects, files and folders, printers, registry keys, processes, and threads. Users who have this capability can create permanent shared objects, including devices, semaphores, and mutexes. This user right is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel-mode inherently have this user right assigned to them, it is not necessary to specifically assign it. + Constant: SeCreatePermanentPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Users who have the **Create permanent shared objects** user right could create new shared objects and expose sensitive data to the network. Therefore, do not assign this right to any users. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, **LocalSystem** is the only account that has this right. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not Defined

      Default Domain Controller Policy

      Not Defined

      Stand-Alone Server Default Settings

      Not Defined

      Domain Controller Effective Default Settings

      LocalSystem

      Member Server Effective Default Settings

      LocalSystem

      Client Computer Effective Default Settings

      LocalSystem

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined| +| Default Domain Controller Policy | Not Defined | +| Stand-Alone Server Default Settings | Not Defined| +| Domain Controller Effective Default Settings | **LocalSystem**| +| Member Server Effective Default Settings | **LocalSystem**| +| Client Computer Effective Default Settings | **LocalSystem**|   ## Policy management + This section describes different features and tools available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who have the **Create permanent shared objects** user right could create new shared objects and expose sensitive data to the network. + ### Countermeasure + Do not assign the **Create permanent shared objects** user right to any users. Processes that require this user right should use the System account, which already includes this user right, instead of a separate user account. + ### Potential impact + None. Not Defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) 
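Review bot: The new Default values table in create-permanent-shared-objects.md bolds the account name (**LocalSystem**) and pads its cells unevenly ("Not Defined|" next to "Not Defined |"), while the equivalent tables added elsewhere in this patch leave the values unbolded ("Local System", "Administrators"). Use plain text and consistent spacing so the converted tables match. The topic also names the same account two ways, "LocalSystem" under Default values and "the System account" under Countermeasure, and the sibling topics write "Local System"; pick one form and use it throughout.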
diff --git a/windows/keep-secure/create-symbolic-links.md b/windows/keep-secure/create-symbolic-links.md index 618cd6c90a..857a5a7ca9 100644 --- a/windows/keep-secure/create-symbolic-links.md +++ b/windows/keep-secure/create-symbolic-links.md 
@@ -2,92 +2,96 @@ title: Create symbolic links (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting. ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create symbolic links + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Create symbolic links** security policy setting. + ## Reference + This user right determines if users can create a symbolic link from the device they are logged on to. + A symbolic link is a file-system object that points to another file-system object. The object that is pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. -**Warning**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. + +>**Warning:**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Constant: SeCreateSymbolicLinkPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - This user right should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not Defined

      Default Domain Controller Policy

      Not Defined

      Stand-Alone Server Default Settings

      Not Defined

      Domain Controller Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined| +| Default Domain Controller Policy | Not Defined| +| Stand-Alone Server Default Settings | Not Defined| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes different features and tools available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ### Command-line tools + This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type **fsutil behavior set symlinkevalution /?** at the command prompt. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who have the **Create symbolic links** user right could inadvertently or maliciously expose your system to symbolic link attacks. Symbolic link attacks can be used to change the permissions on a file, to corrupt data, to destroy data, or as a DoS attack. 
+ ### Countermeasure + Do not assign the **Create symbolic links** user right to standard users. Restrict this right to trusted administrators. You can use the **fsutil** command to establish a symbolic link file system setting that controls the kind of symbolic links that can be created on a computer. + ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/create-your-applocker-planning-document.md b/windows/keep-secure/create-your-applocker-planning-document.md index 990887b439..263be36d5e 100644 --- a/windows/keep-secure/create-your-applocker-planning-document.md +++ b/windows/keep-secure/create-your-applocker-planning-document.md 
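Review bot: In the Command-line tools section of create-symbolic-links.md, the fsutil option is misspelled: "fsutil behavior set symlinkevalution /?" should be "symlinkevaluation". A reader who types the command as printed will not reach the help text for the setting that the Countermeasure section relies on, so fix it while this section is being touched. The same section refers to "the command-line tool" without naming fsutil until the Countermeasure; naming it at first mention would help. Minor: Potential impact says "Not defined" where the table and the other topics in this patch use "Not Defined".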
@@ -2,26 +2,37 @@ title: Create your AppLocker planning document (Windows 10) description: This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create your AppLocker planning document + **Applies to** + - Windows 10 + This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. + ## The AppLocker deployment design + The design process and the planning document help you investigate application usage in your organization and record your findings so you can effectively deploy and maintain application control policies by using AppLocker. + You should have completed these steps in the design and planning process: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select types of rules to create](select-types-of-rules-to-create.md) 4. [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + ### AppLocker planning document contents + Your planning document should contain: + - A list of business groups that will participate in the application control policy project, their requirements, a description of their business processes, and contact information. - Application control policy project target dates, both for planning and deployment. - A complete list of apps used by each business group (or organizational unit), including version information and installation paths. 
@@ -29,10 +40,15 @@ Your planning document should contain: - A strategy for using Group Policy to deploy the AppLocker policies. - A strategy in processing the application usage events generated by AppLocker. - A strategy to maintain and manage AppLocker polices after deployment. + ### Sample template for an AppLocker planning document + You can use the following form to construct your own AppLocker planning document. + **Business group**: + **Operating system environment**: (Windows and non-Windows) + @@ -69,6 +85,7 @@ You can use the following form to construct your own AppLocker planning document
        **Rules** + @@ -110,6 +127,7 @@ You can use the following form to construct your own AppLocker planning document
        **Event processing** + @@ -139,6 +157,7 @@ You can use the following form to construct your own AppLocker planning document
        **Policy maintenance** + @@ -169,7 +188,9 @@ You can use the following form to construct your own AppLocker planning document
        ### Example of an AppLocker planning document + **Rules** + @@ -268,6 +289,7 @@ You can use the following form to construct your own AppLocker planning document
        **Event processing** + @@ -304,6 +326,7 @@ You can use the following form to construct your own AppLocker planning document
        **Policy maintenance** + @@ -348,6 +371,7 @@ You can use the following form to construct your own AppLocker planning document
        ### Additional resources + - The AppLocker Policies Design Guide is the predecessor to the AppLocker Policies Deployment Guide. When planning is complete, see the [AppLocker policies deployment guide](applocker-policies-deployment-guide.md). - For more general info, see [AppLocker](applocker-overview.md).   diff --git a/windows/keep-secure/create-your-applocker-policies.md b/windows/keep-secure/create-your-applocker-policies.md index cc275dc563..b7a23cc02d 100644 --- a/windows/keep-secure/create-your-applocker-policies.md +++ b/windows/keep-secure/create-your-applocker-policies.md 
@@ -2,19 +2,26 @@ title: Create Your AppLocker policies (Windows 10) description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create Your AppLocker policies + **Applies to** - Windows 10 + This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. + Creating effective application control policies with AppLocker starts by creating the rules for each app. Rules are grouped into one of five rule collections. The rule collection can be configured to be enforced or to run in **Audit only** mode. An AppLocker policy includes the rules in the five rule collections and the enforcement settings for each rule collection. + ## Step 1: Use your plan + You can develop an application control policy plan to guide you in making successful deployment decisions. For more info about how to do this and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group: + 1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) 2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) 3. [Determine your application control objectives](determine-your-application-control-objectives.md) 
@@ -23,24 +30,40 @@ You can develop an application control policy plan to guide you in making succes 6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) 8. [Create your AppLocker planning document](create-your-applocker-planning-document.md) + ## Step 2: Create your rules and rule collections + Each rule applies to one or more apps, and it imposes a specific rule condition on them. Rules can be created individually or they can be generated by the Automatically Generate Rules Wizard. For the steps to create the rules, see [Create Your AppLocker rules](create-your-applocker-rules.md). + ## Step 3: Configure the enforcement setting -An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it is set to **Not configured**, all the rules in that policy will be enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). + +An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it is set to **Not configured**, all the rules in that +policy will be enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). 
+ ## Step 4: Update the GPO + AppLocker policies can be defined locally on a device or applied through Group Policy. To use Group Policy to apply AppLocker policies, you must create a new Group Policy Object (GPO) or you must update an existing GPO. You can create or modify AppLocker policies by using the Group Policy Management Console (GPMC), or you can import an AppLocker policy into a GPO. For the procedure to do this, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + ## Step 5: Test the effect of the policy + In a test environment or with the enforcement setting set at **Audit only**, verify that the results of the policy are what you intended. For info about testing a policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + ## Step 6: Implement the policy + Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value—**Enforce rules** or **Audit only**. + ## Step 7: Test the effect of the policy and adjust Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + ## Next steps + Follow the steps described in the following topics to continue the deployment process: + 1. [Create Your AppLocker rules](create-your-applocker-rules.md) 2. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) 3. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) + 
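Review bot: In the Step 3 hunk of create-your-applocker-policies.md the paragraph is now broken mid-sentence ("all the rules in that" / "policy will be enforced"), and "## Step 7: Test the effect of the policy and adjust" is the only step heading that does not get a blank line before its body text. Rejoin the Step 3 sentence on one line and add the blank line after the Step 7 heading so it matches the other steps in this file.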
diff --git a/windows/keep-secure/create-your-applocker-rules.md b/windows/keep-secure/create-your-applocker-rules.md index 15de4246f0..ee0590e89b 100644 --- a/windows/keep-secure/create-your-applocker-rules.md +++ b/windows/keep-secure/create-your-applocker-rules.md 
@@ -2,54 +2,73 @@ title: Create Your AppLocker rules (Windows 10) description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. ms.assetid: b684a3a5-929c-4f70-8742-04088022f232 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Create Your AppLocker rules + **Applies to** - Windows 10 + This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. + ## Creating AppLocker rules + AppLocker rules apply to the targeted app, and they are the components that make up the AppLocker policy. Depending on your IT environment and the business group that requires application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md). + ### Automatically generate your rules + You can use a reference device to automatically create a set of default rules for each of the installed apps, test and modify each rule as necessary, and deploy the policies. Creating most of the rules for all the installed apps gives you a starting point to build and test your policies. 
For info about performing this task, see the following topics: + - [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md) - [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) - [Create AppLocker default rules](create-applocker-default-rules.md) - [Edit AppLocker rules](edit-applocker-rules.md) - [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) + ### Create your rules individually + You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you are targeting a small number of applications within a business group. -**Note**   -AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md). + +>**Note:**  AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).   For information about performing this task, see: + 1. [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) 2. [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) 3. [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) 4. 
[Edit AppLocker rules](edit-applocker-rules.md) 5. [Enforce AppLocker rules](enforce-applocker-rules.md) 6. [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + ## About selecting rules + AppLocker policies are composed of distinct rules for specific apps. These rules are grouped by collection, and they are implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer. + When you determine what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Certain rule types are more applicable for some apps, depending on how the apps are deployed in a specific business group. + For info about how to determine and document your AppLocker rules, see [AppLocker Design Guide](applocker-policies-design-guide.md). + For info about AppLocker rules and AppLocker policies, see the following topics: + - [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) - [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) - [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) - [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) - [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + ## Next steps + 1. [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) 2. [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) 3. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) 4. 
[Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) + ## Related topics -[Create Your AppLocker policies](create-your-applocker-policies.md) -  -  + +- [Create Your AppLocker policies](create-your-applocker-policies.md) From f4b91664a6f453c5d49bb1748fbd3291e5bc22f3 Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Mon, 23 May 2016 11:59:47 -0700 Subject: [PATCH 061/169] fix tagging make W10 lower case (w10) and add pagetype where missing --- windows/whats-new/applocker.md | 2 +- windows/whats-new/credential-guard.md | 2 +- windows/whats-new/device-guard-overview.md | 2 +- windows/whats-new/device-management.md | 3 ++- windows/whats-new/edge-ie11-whats-new-overview.md | 2 +- windows/whats-new/edp-whats-new-overview.md | 2 +- windows/whats-new/index.md | 2 +- windows/whats-new/lockdown-features-windows-10.md | 2 +- windows/whats-new/microsoft-passport.md | 2 +- windows/whats-new/new-provisioning-packages.md | 2 +- windows/whats-new/security-auditing.md | 2 +- windows/whats-new/security.md | 2 +- windows/whats-new/trusted-platform-module.md | 2 +- windows/whats-new/user-account-control.md | 2 +- windows/whats-new/windows-spotlight.md | 2 +- windows/whats-new/windows-store-for-business-overview.md | 3 ++- windows/whats-new/windows-update-for-business.md | 2 +- 17 files changed, 19 insertions(+), 17 deletions(-) diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md index cd25de1dee..355d16bacc 100644 --- a/windows/whats-new/applocker.md +++ b/windows/whats-new/applocker.md 
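Review bot: In create-your-applocker-rules.md the "**Applies to**" line still runs straight into "- Windows 10" with no blank line between them, while the same block in create-your-applocker-planning-document.md gets one in this patch; add the blank line here so the topics are formatted the same way. The unchanged context in this file also reads "the methods that you can to create rules" in both the description and the intro sentence, which is missing a verb and could be fixed in the same pass.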
@@ -3,7 +3,7 @@ title: What's new in AppLocker (Windows 10) description: AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. ms.assetid: 6F836FF6-7794-4E7B-89AA-1EABA1BF183F ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md index 148a76ff4e..5bd63a42af 100644 --- a/windows/whats-new/credential-guard.md +++ b/windows/whats-new/credential-guard.md @@ -3,7 +3,7 @@ title: What's new in Credential Guard (Windows 10) description: Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 59C206F7-2832-4555-97B4-3070D93CC3C5 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md index bdb9a878db..669cdadb48 100644 --- a/windows/whats-new/device-guard-overview.md +++ b/windows/whats-new/device-guard-overview.md @@ -4,7 +4,7 @@ description: Device Guard is a combination of enterprise-related hardware and so ms.assetid: FFE244EE-5804-4CE8-A2A9-48F49DC3AEF2 ms.pagetype: security keywords: Device Guard -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft diff --git a/windows/whats-new/device-management.md b/windows/whats-new/device-management.md index acf0982f94..4ea023327b 100644 --- a/windows/whats-new/device-management.md +++ b/windows/whats-new/device-management.md 
@@ -2,7 +2,8 @@ title: Enterprise management for Windows 10 devices (Windows 10) description: Windows 10 provides mobile device management (MDM) capabilities that enable enterprise-level management of devices. ms.assetid: 36DA67A1-25F1-45AD-A36B-AEEAC30C9BC4 -ms.prod: W10 +ms.prod: w10 +ms.pagetype: devices, mobile ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS diff --git a/windows/whats-new/edge-ie11-whats-new-overview.md b/windows/whats-new/edge-ie11-whats-new-overview.md index 7a70709259..ab7d69d78f 100644 --- a/windows/whats-new/edge-ie11-whats-new-overview.md +++ b/windows/whats-new/edge-ie11-whats-new-overview.md @@ -2,7 +2,7 @@ title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10) description: Resources to help you explore the Windows 10 browsing options for your enterprise. ms.assetid: e986f903-69ad-4145-9d24-0c6d04b3e489 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: eross-msft diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md index 26e5b09d9b..696556b54d 100644 --- a/windows/whats-new/edp-whats-new-overview.md +++ b/windows/whats-new/edp-whats-new-overview.md @@ -3,7 +3,7 @@ title: Enterprise data protection (EDP) overview (Windows 10) description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud. ms.assetid: 428A3135-CB5E-478B-B1FF-B6EB76F0DF14 keywords: EDP Overview, EDP -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 28468ba5d2..91bd262819 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md 
@@ -3,7 +3,7 @@ title: What's new in Windows 10 (Windows 10) description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 keywords: ["What's new in Windows 10", "Windows 10"] -ms.prod: W10 +ms.prod: w10 author: TrudyHa --- diff --git a/windows/whats-new/lockdown-features-windows-10.md b/windows/whats-new/lockdown-features-windows-10.md index 265ddba22a..7df7446f4e 100644 --- a/windows/whats-new/lockdown-features-windows-10.md +++ b/windows/whats-new/lockdown-features-windows-10.md @@ -3,7 +3,7 @@ title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14 keywords: lockdown, embedded -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md index 6ee13afe28..2c49406384 100644 --- a/windows/whats-new/microsoft-passport.md +++ b/windows/whats-new/microsoft-passport.md @@ -3,7 +3,7 @@ title: Microsoft Passport overview (Windows 10) description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication. ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B keywords: password, hello, fingerprint, iris, biometric -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md index b389c0b3c6..9a0d03ddeb 100644 --- a/windows/whats-new/new-provisioning-packages.md +++ b/windows/whats-new/new-provisioning-packages.md 
@@ -2,7 +2,7 @@ title: Provisioning packages (Windows 10) description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md index 92e3548a8c..26276b5e0a 100644 --- a/windows/whats-new/security-auditing.md +++ b/windows/whats-new/security-auditing.md @@ -2,7 +2,7 @@ title: What's new in security auditing (Windows 10) description: Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. ms.assetid: CB35A02E-5C66-449D-8C90-7B73C636F67B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft diff --git a/windows/whats-new/security.md b/windows/whats-new/security.md index d8784f6c41..ae44b5893e 100644 --- a/windows/whats-new/security.md +++ b/windows/whats-new/security.md @@ -3,7 +3,7 @@ title: What's new in Windows 10 security (Windows 10) description: There are several key client security improvements Microsoft has made in Windows 10. ms.assetid: 6B8A5F7A-ABD3-416C-87B0-85F68B214C81 keywords: secure, data loss prevention, multifactor authentication -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md index 34233ef3a4..bbf7d88d6b 100644 --- a/windows/whats-new/trusted-platform-module.md +++ b/windows/whats-new/trusted-platform-module.md 
@@ -2,7 +2,7 @@ title: What's new in Trusted Platform Module (Windows 10) description: This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. ms.assetid: CE8BBC2A-EE2D-4DFA-958E-2A178F2E6C44 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md index 0b655fc120..fad8ee0ff5 100644 --- a/windows/whats-new/user-account-control.md +++ b/windows/whats-new/user-account-control.md @@ -2,7 +2,7 @@ title: What's new in User Account Control (Windows 10) description: User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. ms.assetid: 9281870C-0819-4694-B4F1-260255BB8D07 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/windows-spotlight.md b/windows/whats-new/windows-spotlight.md index 1c0d39092e..d4fb43b2ec 100644 --- a/windows/whats-new/windows-spotlight.md +++ b/windows/whats-new/windows-spotlight.md @@ -3,7 +3,7 @@ title: Windows spotlight on the lock screen (Windows 10) description: Windows spotlight is an option for the lock screen background that displays different background images on the lock screen. ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A keywords: ["lockscreen"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md index f2eea69ec7..ca022e0b5d 100644 --- a/windows/whats-new/windows-store-for-business-overview.md +++ b/windows/whats-new/windows-store-for-business-overview.md 
@@ -2,7 +2,8 @@ title: Windows Store for Business overview (Windows 10) description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps. ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C -ms.prod: W10 +ms.prod: w10 +ms.pagetype: store ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/whats-new/windows-update-for-business.md b/windows/whats-new/windows-update-for-business.md index 0d2dfd165d..24ae371549 100644 --- a/windows/whats-new/windows-update-for-business.md +++ b/windows/whats-new/windows-update-for-business.md @@ -2,7 +2,7 @@ title: What's new in Windows Update for Business (Windows 10) description: Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. ms.assetid: 9271FC9A-6AF1-4BBD-A272-909BF54363F4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: TrudyHa From fe4719a90d801f8b3357437dfbbee730b15d00dd Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Mon, 23 May 2016 12:01:55 -0700 Subject: [PATCH 062/169] fix tagging --- windows/whats-new/bitlocker.md | 2 +- .../whats-new/change-history-for-what-s-new-in-windows-10.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md index d0b31ecfc5..99353d9d7b 100644 --- a/windows/whats-new/bitlocker.md +++ b/windows/whats-new/bitlocker.md 
@@ -2,7 +2,7 @@ title: What's new in BitLocker (Windows 10) description: BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. ms.assetid: 3F2DE365-68A1-4CDB-AB5F-C65574684C7B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md index 077f30c7a7..14362dd08c 100644 --- a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md +++ b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md @@ -2,7 +2,7 @@ title: Change history for What's new in Windows 10 (Windows 10) description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: TrudyHa From ae8220499efdd2bafe460fcae530d62dc13a2634 Mon Sep 17 00:00:00 2001 
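Review bot: The commit message for PATCH 061 says pagetype is added where missing, but only device-management.md and windows-store-for-business-overview.md gain an ms.pagetype line; the hunks for edge-ie11-whats-new-overview.md, new-provisioning-packages.md, security-auditing.md, windows-spotlight.md, windows-update-for-business.md and whats-new/index.md change ms.prod only and show no ms.pagetype in the visible front matter. The index.md hunk shows its front matter through the closing "---" with no ms.mktglfcycl or ms.sitesec either. Either tag these files in the same change or narrow the commit message to what was actually done. Please also confirm that the comma-separated value in "ms.pagetype: devices, mobile" is a form the publishing system accepts, since every other file in this series uses a single value.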
From: Jan Backstrom Date: Mon, 23 May 2016 13:11:20 -0700 Subject: [PATCH 063/169] update tagging change W10 to lower case (w10) change Operate to Plan add appcompat tag --- windows/plan/act-community-ratings-and-process.md | 5 +++-- windows/plan/act-database-configuration.md | 5 +++-- windows/plan/act-database-migration.md | 5 +++-- windows/plan/act-deployment-options.md | 5 +++-- windows/plan/act-glossary.md | 5 +++-- windows/plan/act-lps-share-permissions.md | 5 +++-- windows/plan/act-operatingsystem-application-report.md | 5 +++-- windows/plan/act-operatingsystem-computer-report.md | 5 +++-- windows/plan/act-operatingsystem-device-report.md | 5 +++-- windows/plan/act-product-and-documentation-resources.md | 5 +++-- windows/plan/act-settings-dialog-box-preferences-tab.md | 5 +++-- windows/plan/act-settings-dialog-box-settings-tab.md | 5 +++-- windows/plan/act-technical-reference.md | 5 +++-- windows/plan/act-toolbar-icons-in-acm.md | 5 +++-- windows/plan/act-tools-packages-and-services.md | 5 +++-- windows/plan/act-user-interface-reference.md | 5 +++-- windows/plan/activating-and-closing-windows-in-acm.md | 5 +++-- windows/plan/adding-or-editing-a-solution.md | 5 +++-- windows/plan/adding-or-editing-an-issue.md | 5 +++-- windows/plan/analyzing-your-compatibility-data.md | 5 +++-- windows/plan/application-dialog-box.md | 5 +++-- windows/plan/applying-filters-to-data-in-the-sua-tool.md | 5 +++-- ...a-types-and-operators-in-compatibility-administrator.md | 5 +++-- .../best-practice-recommendations-for-windows-to-go.md | 5 +++-- windows/plan/categorizing-your-compatibility-data.md | 5 +++-- .../change-history-for-plan-for-windows-10-deployment.md | 4 ++-- windows/plan/chromebook-migration-guide.md | 2 +- windows/plan/common-compatibility-issues.md | 5 +++-- windows/plan/compatibility-administrator-users-guide.md | 5 +++-- ...ty-fix-database-management-strategies-and-deployment.md | 5 +++-- ...lity-fixes-for-windows-8-windows-7-and-windows-vista.md | 5 +++-- 
windows/plan/compatibility-monitor-users-guide.md | 5 +++-- windows/plan/computer-dialog-box.md | 5 +++-- windows/plan/configuring-act.md | 5 +++-- ...tom-compatibility-fix-in-compatibility-administrator.md | 5 +++-- ...om-compatibility-mode-in-compatibility-administrator.md | 5 +++-- windows/plan/creating-a-runtime-analysis-package.md | 5 +++-- ...ng-an-apphelp-message-in-compatibility-administrator.md | 5 +++-- ...-an-enterprise-environment-for-compatibility-testing.md | 5 +++-- windows/plan/creating-an-inventory-collector-package.md | 5 +++-- windows/plan/creating-and-editing-issues-and-solutions.md | 5 +++-- windows/plan/customizing-your-report-views.md | 5 +++-- ...ta-sent-through-the-microsoft-compatibility-exchange.md | 5 +++-- ...whether-to-fix-an-application-or-deploy-a-workaround.md | 5 +++-- windows/plan/deciding-which-applications-to-test.md | 5 +++-- windows/plan/deleting-a-data-collection-package.md | 5 +++-- windows/plan/deploying-a-runtime-analysis-package.md | 5 +++-- windows/plan/deploying-an-inventory-collector-package.md | 4 ++-- .../plan/deployment-considerations-for-windows-to-go.md | 5 +++-- windows/plan/device-dialog-box.md | 5 +++-- ...g-compatibility-fixes-in-compatibility-administrator.md | 5 +++-- windows/plan/example-filter-queries.md | 5 +++-- windows/plan/exporting-a-data-collection-package.md | 5 +++-- windows/plan/filtering-your-compatibility-data.md | 5 +++-- windows/plan/fixing-applications-by-using-the-sua-tool.md | 5 +++-- windows/plan/fixing-compatibility-issues.md | 5 +++-- .../plan/identifying-computers-for-inventory-collection.md | 4 ++-- windows/plan/index.md | 4 ++-- ...mpatibility-databases-in-compatibility-administrator.md | 5 +++-- windows/plan/integration-with-management-solutions-.md | 2 +- windows/plan/internet-explorer-web-site-report.md | 5 +++-- windows/plan/labeling-data-in-acm.md | 5 +++-- .../log-file-locations-for-data-collection-packages.md | 5 +++-- ...ication-compatibility-fixes-and-custom-fix-databases.md 
| 5 +++-- windows/plan/managing-your-data-collection-packages.md | 5 +++-- windows/plan/organizational-tasks-for-each-report-type.md | 5 +++-- windows/plan/organizing-your-compatibility-data.md | 5 +++-- .../plan/prepare-your-organization-for-windows-to-go.md | 5 +++-- windows/plan/prioritizing-your-compatibility-data.md | 5 +++-- windows/plan/ratings-icons-in-acm.md | 5 +++-- windows/plan/resolving-an-issue.md | 5 +++-- windows/plan/saving-opening-and-exporting-reports.md | 5 +++-- ...or-fixed-applications-in-compatibility-administrator.md | 5 +++-- ...s-with-the-query-tool-in-compatibility-administrator.md | 5 +++-- ...and-data-protection-considerations-for-windows-to-go.md | 7 ++++--- ...cting-the-send-and-receive-status-for-an-application.md | 5 +++-- windows/plan/selecting-your-compatibility-rating.md | 5 +++-- windows/plan/selecting-your-deployment-status.md | 5 +++-- windows/plan/sending-and-receiving-compatibility-data.md | 5 +++-- windows/plan/settings-for-acm.md | 5 +++-- windows/plan/setup-and-deployment.md | 2 +- windows/plan/showing-messages-generated-by-the-sua-tool.md | 5 +++-- windows/plan/software-requirements-for-act.md | 5 +++-- windows/plan/software-requirements-for-rap.md | 5 +++-- windows/plan/sua-users-guide.md | 5 +++-- windows/plan/tabs-on-the-sua-tool-interface.md | 5 +++-- windows/plan/taking-inventory-of-your-organization.md | 5 +++-- .../plan/testing-compatibility-on-the-target-platform.md | 5 +++-- .../plan/testing-your-application-mitigation-packages.md | 5 +++-- windows/plan/troubleshooting-act-database-issues.md | 5 +++-- windows/plan/troubleshooting-act.md | 5 +++-- .../plan/troubleshooting-the-act-configuration-wizard.md | 5 +++-- .../plan/troubleshooting-the-act-log-processing-service.md | 5 +++-- .../plan/understanding-and-using-compatibility-fixes.md | 5 +++-- windows/plan/using-act.md | 5 +++-- .../plan/using-compatibility-monitor-to-send-feedback.md | 5 +++-- windows/plan/using-the-compatibility-administrator-tool.md | 5 
+++-- windows/plan/using-the-sdbinstexe-command-line-tool.md | 5 +++-- windows/plan/using-the-sua-tool.md | 5 +++-- windows/plan/using-the-sua-wizard.md | 5 +++-- ...ing-the-events-screen-in-compatibility-administrator.md | 5 +++-- windows/plan/viewing-your-compatibility-reports.md | 5 +++-- windows/plan/websiteurl-dialog-box.md | 5 +++-- windows/plan/welcome-to-act.md | 5 +++-- windows/plan/whats-new-in-act-60.md | 5 +++-- windows/plan/windows-10-compatibility.md | 5 +++-- windows/plan/windows-10-deployment-considerations.md | 4 ++-- .../plan/windows-10-guidance-for-education-environments.md | 4 ++-- windows/plan/windows-10-infrastructure-requirements.md | 4 ++-- windows/plan/windows-10-servicing-options.md | 5 +++-- windows/plan/windows-to-go-frequently-asked-questions.md | 5 +++-- windows/plan/windows-to-go-overview.md | 3 ++- windows/plan/windows-update-for-business.md | 2 +- 113 files changed, 324 insertions(+), 222 deletions(-) diff --git a/windows/plan/act-community-ratings-and-process.md b/windows/plan/act-community-ratings-and-process.md index 90c94ca481..6d28ac6493 100644 --- a/windows/plan/act-community-ratings-and-process.md +++ b/windows/plan/act-community-ratings-and-process.md @@ -2,9 +2,10 @@ title: ACT Community Ratings and Process (Windows 10) description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members. ms.assetid: be6c8c71-785b-4adf-a375-64ca7d24e26c -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library +ms.pagetype: appcompat author: TrudyHa --- diff --git a/windows/plan/act-database-configuration.md b/windows/plan/act-database-configuration.md index 528cd9a8e2..dc8103e03e 100644 --- a/windows/plan/act-database-configuration.md +++ b/windows/plan/act-database-configuration.md 
@@ -2,8 +2,9 @@ title: ACT Database Configuration (Windows 10) description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. ms.assetid: 032bbfe0-86fa-48ff-b638-b9d6a908c45e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-database-migration.md b/windows/plan/act-database-migration.md index 38d1886347..4b4009c05e 100644 --- a/windows/plan/act-database-migration.md +++ b/windows/plan/act-database-migration.md @@ -2,8 +2,9 @@ title: ACT Database Migration (Windows 10) description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. ms.assetid: b13369b4-1fb7-4889-b0b8-6d0ab61aac3d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-deployment-options.md b/windows/plan/act-deployment-options.md index bf817c11b1..32bb1e10f0 100644 --- a/windows/plan/act-deployment-options.md +++ b/windows/plan/act-deployment-options.md @@ -2,8 +2,9 @@ title: ACT Deployment Options (Windows 10) description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT. ms.assetid: 90d56dd8-8d57-44e8-bf7a-29aabede45ba -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-glossary.md b/windows/plan/act-glossary.md index ed5fb09904..87b42aab6e 100644 --- a/windows/plan/act-glossary.md +++ b/windows/plan/act-glossary.md 
@@ -2,8 +2,9 @@ title: ACT Glossary (Windows 10) description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT). ms.assetid: 984d1cce-c1ac-4aa8-839a-a23e15da6f32 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-lps-share-permissions.md b/windows/plan/act-lps-share-permissions.md index f9299c2fed..f2496dc915 100644 --- a/windows/plan/act-lps-share-permissions.md +++ b/windows/plan/act-lps-share-permissions.md @@ -2,8 +2,9 @@ title: ACT LPS Share Permissions (Windows 10) description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level. ms.assetid: 51f6ddf7-f424-4abe-a0e0-71fe616f9e84 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-operatingsystem-application-report.md b/windows/plan/act-operatingsystem-application-report.md index ef3cee87c4..3c0f49d348 100644 --- a/windows/plan/act-operatingsystem-application-report.md +++ b/windows/plan/act-operatingsystem-application-report.md @@ -2,8 +2,9 @@ title: OperatingSystem - Application Report (Windows 10) description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. ms.assetid: 9721485b-6092-4974-8cfe-c84472237a57 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-operatingsystem-computer-report.md b/windows/plan/act-operatingsystem-computer-report.md index 4a49ff56db..3547b28c17 100644 --- a/windows/plan/act-operatingsystem-computer-report.md +++ b/windows/plan/act-operatingsystem-computer-report.md 
@@ -2,8 +2,9 @@ title: OperatingSystem - Computer Report (Windows 10) ms.assetid: ed0a56fc-9f2a-4df0-8cef-3a09d6616de8 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-operatingsystem-device-report.md b/windows/plan/act-operatingsystem-device-report.md index e4be3521b9..67e74536c6 100644 --- a/windows/plan/act-operatingsystem-device-report.md +++ b/windows/plan/act-operatingsystem-device-report.md @@ -2,8 +2,9 @@ title: OperatingSystem - Device Report (Windows 10) ms.assetid: 8b5a936f-a92e-46a7-ac44-6edace262355 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-product-and-documentation-resources.md b/windows/plan/act-product-and-documentation-resources.md index 54cb4635de..02677af71d 100644 --- a/windows/plan/act-product-and-documentation-resources.md +++ b/windows/plan/act-product-and-documentation-resources.md @@ -2,8 +2,9 @@ title: ACT Product and Documentation Resources (Windows 10) description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). ms.assetid: c7954b5a-164d-4548-af58-cd3a1de5cc43 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-settings-dialog-box-preferences-tab.md b/windows/plan/act-settings-dialog-box-preferences-tab.md index bfaea35f75..6af88e476e 100644 --- a/windows/plan/act-settings-dialog-box-preferences-tab.md +++ b/windows/plan/act-settings-dialog-box-preferences-tab.md 
@@ -2,8 +2,9 @@ title: Settings Dialog Box - Preferences Tab (Windows 10) description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. ms.assetid: deae2100-4110-4d72-b5ee-7c167f80bfa4 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-settings-dialog-box-settings-tab.md b/windows/plan/act-settings-dialog-box-settings-tab.md index 411450f21f..0f1b179b3c 100644 --- a/windows/plan/act-settings-dialog-box-settings-tab.md +++ b/windows/plan/act-settings-dialog-box-settings-tab.md @@ -2,8 +2,9 @@ title: Settings Dialog Box - Settings Tab (Windows 10) description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. ms.assetid: aeec1647-cf91-4f8b-9f6d-dbf4b898d901 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-technical-reference.md b/windows/plan/act-technical-reference.md index 6544f9dc8e..c05f03fc92 100644 --- a/windows/plan/act-technical-reference.md +++ b/windows/plan/act-technical-reference.md @@ -2,8 +2,9 @@ title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-toolbar-icons-in-acm.md b/windows/plan/act-toolbar-icons-in-acm.md index 1620557d16..9a0d2b3e79 100644 --- a/windows/plan/act-toolbar-icons-in-acm.md 
+++ b/windows/plan/act-toolbar-icons-in-acm.md @@ -2,8 +2,9 @@ title: Toolbar Icons in ACM (Windows 10) description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM). ms.assetid: 44872da1-c7ad-41b9-8323-d3c3f49b2706 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-tools-packages-and-services.md b/windows/plan/act-tools-packages-and-services.md index 5d3ef9ba47..bf9c2bf728 100644 --- a/windows/plan/act-tools-packages-and-services.md +++ b/windows/plan/act-tools-packages-and-services.md @@ -2,8 +2,9 @@ title: ACT Tools, Packages, and Services (Windows 10) description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK. ms.assetid: f5a16548-7d7b-4be9-835e-c06158dd0b89 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/act-user-interface-reference.md b/windows/plan/act-user-interface-reference.md index 80687eea7c..ff28470715 100644 --- a/windows/plan/act-user-interface-reference.md +++ b/windows/plan/act-user-interface-reference.md @@ -2,8 +2,9 @@ title: ACT User Interface Reference (Windows 10) description: This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT). ms.assetid: 303d3dd7-2cc1-4f5f-b032-b7e288b04893 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/activating-and-closing-windows-in-acm.md b/windows/plan/activating-and-closing-windows-in-acm.md index 3e7eaaef87..dfa085659e 100644 --- a/windows/plan/activating-and-closing-windows-in-acm.md 
+++ b/windows/plan/activating-and-closing-windows-in-acm.md @@ -2,8 +2,9 @@ title: Activating and Closing Windows in ACM (Windows 10) description: The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM). ms.assetid: 747bf356-d861-4ce7-933e-fa4ecfac7be5 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/adding-or-editing-a-solution.md b/windows/plan/adding-or-editing-a-solution.md index a3ebf8c8ff..f16e5237b2 100644 --- a/windows/plan/adding-or-editing-a-solution.md +++ b/windows/plan/adding-or-editing-a-solution.md @@ -2,8 +2,9 @@ title: Adding or Editing a Solution (Windows 10) description: If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. ms.assetid: 86cb8804-d577-4af6-b96f-5e0409784a23 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/adding-or-editing-an-issue.md b/windows/plan/adding-or-editing-an-issue.md index 51a8522a05..75e4e67390 100644 --- a/windows/plan/adding-or-editing-an-issue.md +++ b/windows/plan/adding-or-editing-an-issue.md @@ -2,8 +2,9 @@ title: Adding or Editing an Issue (Windows 10) description: In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. ms.assetid: 8a9fff79-9f88-4ce2-a4e6-b9382f28143d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/analyzing-your-compatibility-data.md b/windows/plan/analyzing-your-compatibility-data.md index 4b145ad92f..30f6a43c24 100644 --- a/windows/plan/analyzing-your-compatibility-data.md 
+++ b/windows/plan/analyzing-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Analyzing Your Compatibility Data (Windows 10) description: This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM). ms.assetid: b98f3d74-fe22-41a2-afe8-2eb2799933a1 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/application-dialog-box.md b/windows/plan/application-dialog-box.md index 1700305f86..c8d9515fa6 100644 --- a/windows/plan/application-dialog-box.md +++ b/windows/plan/application-dialog-box.md @@ -2,8 +2,9 @@ title: Application Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Application dialog box shows information about the selected application. ms.assetid: a43e85a6-3cd4-4235-bc4d-01e4d097db7e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/applying-filters-to-data-in-the-sua-tool.md b/windows/plan/applying-filters-to-data-in-the-sua-tool.md index 7f960b8cf6..7b716d119a 100644 --- a/windows/plan/applying-filters-to-data-in-the-sua-tool.md +++ b/windows/plan/applying-filters-to-data-in-the-sua-tool.md @@ -2,8 +2,9 @@ title: Applying Filters to Data in the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you. ms.assetid: 48c39919-3501-405d-bcf5-d2784cbb011f -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md index bc5e40d571..8076d0787c 100644 --- a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Available Data Types and Operators in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/best-practice-recommendations-for-windows-to-go.md b/windows/plan/best-practice-recommendations-for-windows-to-go.md index 4ef9e9177e..c9cc2ac741 100644 --- a/windows/plan/best-practice-recommendations-for-windows-to-go.md +++ b/windows/plan/best-practice-recommendations-for-windows-to-go.md @@ -2,9 +2,10 @@ title: Best practice recommendations for Windows To Go (Windows 10) description: Best practice recommendations for Windows To Go ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 -keywords: ["best practices, USB, device, boot"] +keywords: best practices, USB, device, boot ms.prod: w10 -ms.mktglfcycl: deploy +ms.mktglfcycl: plan +pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/categorizing-your-compatibility-data.md b/windows/plan/categorizing-your-compatibility-data.md index 637af36069..f00d576eee 100644 --- a/windows/plan/categorizing-your-compatibility-data.md +++ b/windows/plan/categorizing-your-compatibility-data.md 
@@ -2,8 +2,9 @@ title: Categorizing Your Compatibility Data (Windows 10) ms.assetid: 6420f012-316f-4ef0-bfbb-14baaa664e6e description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md index 7d8965c6d6..4f0b96a684 100644 --- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md @@ -2,8 +2,8 @@ title: Change history for Plan for Windows 10 deployment (Windows 10) description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66 -ms.prod: W10 -ms.mktglfcycl: deploy +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md index 5f6f426691..9504345b46 100644 --- a/windows/plan/chromebook-migration-guide.md +++ b/windows/plan/chromebook-migration-guide.md @@ -3,7 +3,7 @@ title: Chromebook migration guide (Windows 10) description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA keywords: migrate, automate, device -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu; devices diff --git a/windows/plan/common-compatibility-issues.md b/windows/plan/common-compatibility-issues.md index e9feba9487..4e96594b85 100644 --- a/windows/plan/common-compatibility-issues.md +++ b/windows/plan/common-compatibility-issues.md 
@@ -2,8 +2,9 @@ title: Common Compatibility Issues (Windows 10) ms.assetid: f5ad621d-bda2-45b5-ae85-bc92970f602f description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-administrator-users-guide.md b/windows/plan/compatibility-administrator-users-guide.md index 06246f50b6..8625f9e210 100644 --- a/windows/plan/compatibility-administrator-users-guide.md +++ b/windows/plan/compatibility-administrator-users-guide.md @@ -2,8 +2,9 @@ title: Compatibility Administrator User's Guide (Windows 10) ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md index 9abe28e94d..f608310bd6 100644 --- a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md @@ -2,8 +2,9 @@ title: Compatibility Fix Database Management Strategies and Deployment (Windows 10) ms.assetid: fdfbf02f-c4c4-4739-a400-782204fd3c6c description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index 1efec32cb1..688cf0a0d5 100644 --- a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md 
@@ -2,8 +2,9 @@ title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10) description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/compatibility-monitor-users-guide.md b/windows/plan/compatibility-monitor-users-guide.md index f5b56c4858..9a72ed30d3 100644 --- a/windows/plan/compatibility-monitor-users-guide.md +++ b/windows/plan/compatibility-monitor-users-guide.md @@ -2,8 +2,9 @@ title: Compatibility Monitor User's Guide (Windows 10) description: Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback. ms.assetid: 67d6eff0-1576-44bd-99b4-a3ffa5e205ac -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/computer-dialog-box.md b/windows/plan/computer-dialog-box.md index 498f20d93c..b191d79a79 100644 --- a/windows/plan/computer-dialog-box.md +++ b/windows/plan/computer-dialog-box.md @@ -2,8 +2,9 @@ title: Computer Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Computer dialog box shows information about the selected computer. ms.assetid: f89cbb28-adcd-41cd-9a54-402bc4aaffd9 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/configuring-act.md b/windows/plan/configuring-act.md index ef72f68d43..f5803ddd81 100644 --- a/windows/plan/configuring-act.md 
+++ b/windows/plan/configuring-act.md @@ -2,8 +2,9 @@ title: Configuring ACT (Windows 10) description: This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization. ms.assetid: aacbe35e-ea40-47ac-bebf-ed2660c8fd86 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index 26d4a51ca0..a88189a7a2 100644 --- a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. ms.assetid: e4f2853a-0e46-49c5-afd7-0ed12f1fe0c2 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index 75f3706089..ac5091d0bb 100644 --- a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md 
@@ -2,8 +2,9 @@ title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10) description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-a-runtime-analysis-package.md b/windows/plan/creating-a-runtime-analysis-package.md index 8246a9de4a..04411a5fa7 100644 --- a/windows/plan/creating-a-runtime-analysis-package.md +++ b/windows/plan/creating-a-runtime-analysis-package.md @@ -2,8 +2,9 @@ title: Creating a Runtime-Analysis Package (Windows 10) description: In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment. ms.assetid: 3c703ebe-46b3-4dcd-b355-b28344bc159b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md index 4fc5707012..5b48ebdbb8 100644 --- a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md 
@@ -2,8 +2,9 @@ title: Creating an AppHelp Message in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md index 339ef48aaf..840fa87695 100644 --- a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md +++ b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md @@ -2,8 +2,9 @@ title: Creating an Enterprise Environment for Compatibility Testing (Windows 10) description: The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. ms.assetid: cbf6d8b6-7ebc-4faa-bbbd-e02653ed4adb -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-an-inventory-collector-package.md b/windows/plan/creating-an-inventory-collector-package.md index 01d9dcf89c..c174e746e0 100644 --- a/windows/plan/creating-an-inventory-collector-package.md +++ b/windows/plan/creating-an-inventory-collector-package.md 
@@ -2,8 +2,9 @@ title: Creating an Inventory-Collector Package (Windows 10) description: You can use Application Compatibility Manager (ACM) to create an inventory-collector package. ms.assetid: 61d041d6-e308-47b3-921b-709d72926d6d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/creating-and-editing-issues-and-solutions.md b/windows/plan/creating-and-editing-issues-and-solutions.md index d4e183c235..0ce76a3f2f 100644 --- a/windows/plan/creating-and-editing-issues-and-solutions.md +++ b/windows/plan/creating-and-editing-issues-and-solutions.md @@ -2,8 +2,9 @@ title: Creating and Editing Issues and Solutions (Windows 10) description: This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange. ms.assetid: b64fe4e0-24bd-4bbd-9645-80ae5644e774 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/customizing-your-report-views.md b/windows/plan/customizing-your-report-views.md index 97566482eb..a68961a2e6 100644 --- a/windows/plan/customizing-your-report-views.md +++ b/windows/plan/customizing-your-report-views.md @@ -2,8 +2,9 @@ title: Customizing Your Report Views (Windows 10) description: You can customize how you view your report data in Application Compatibility Manager (ACM). ms.assetid: ba8da888-6749-43b4-8efb-4f26c7954721 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md index 4f5456aa5d..8bb30d37a8 100644 
--- a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md +++ b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md @@ -2,8 +2,9 @@ title: Data Sent Through the Microsoft Compatibility Exchange (Windows 10) description: The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community. ms.assetid: 3ec61e33-9db8-4367-99d5-e05c2f50e144 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md index ed48afa8a9..0bf24136b1 100644 --- a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md +++ b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md @@ -2,8 +2,9 @@ title: Deciding Whether to Fix an Application or Deploy a Workaround (Windows 10) description: You can fix a compatibility issue by changing the code for the application or by deploying a workaround. ms.assetid: e495d0c8-bfba-4537-bccd-64c4b52206f1 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deciding-which-applications-to-test.md b/windows/plan/deciding-which-applications-to-test.md index f5719dbdb7..a0d4d06986 100644 --- a/windows/plan/deciding-which-applications-to-test.md +++ b/windows/plan/deciding-which-applications-to-test.md 
@@ -2,8 +2,9 @@ title: Deciding Which Applications to Test (Windows 10) description: Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing. ms.assetid: d7c1c28f-b7b4-43ac-bf87-2910a2b603bf -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deleting-a-data-collection-package.md b/windows/plan/deleting-a-data-collection-package.md index ade04833e1..002a431377 100644 --- a/windows/plan/deleting-a-data-collection-package.md +++ b/windows/plan/deleting-a-data-collection-package.md @@ -2,8 +2,9 @@ title: Deleting a Data-Collection Package (Windows 10) description: In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database. ms.assetid: 1b397d7a-7216-4078-93d9-47c7becbf73e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deploying-a-runtime-analysis-package.md b/windows/plan/deploying-a-runtime-analysis-package.md index 09c49b1cc9..bf01c5258c 100644 --- a/windows/plan/deploying-a-runtime-analysis-package.md +++ b/windows/plan/deploying-a-runtime-analysis-package.md @@ -2,8 +2,9 @@ title: Deploying a Runtime-Analysis Package (Windows 10) description: When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing. ms.assetid: 304bf0be-0e7c-4c5f-baac-bed7f8bef509 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deploying-an-inventory-collector-package.md b/windows/plan/deploying-an-inventory-collector-package.md index a3d471a410..406a2823fd 100644 
--- a/windows/plan/deploying-an-inventory-collector-package.md +++ b/windows/plan/deploying-an-inventory-collector-package.md @@ -2,8 +2,8 @@ title: Deploying an Inventory-Collector Package (Windows 10) ms.assetid: 8726ff71-0d17-4449-bdb7-66957ae51c62 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/plan/deployment-considerations-for-windows-to-go.md index 8d512f6395..da2f4412e7 100644 --- a/windows/plan/deployment-considerations-for-windows-to-go.md +++ b/windows/plan/deployment-considerations-for-windows-to-go.md @@ -2,9 +2,10 @@ title: Deployment considerations for Windows To Go (Windows 10) description: Deployment considerations for Windows To Go ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e -keywords: ["deploy, mobile, device, USB, boot, image, workspace, driver"] +keywords: deploy, mobile, device, USB, boot, image, workspace, driver ms.prod: W10 -ms.mktglfcycl: deploy +ms.mktglfcycl: plan +ms.pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/device-dialog-box.md b/windows/plan/device-dialog-box.md index ae65f7330b..7cd1c0d3ec 100644 --- a/windows/plan/device-dialog-box.md +++ b/windows/plan/device-dialog-box.md @@ -2,8 +2,9 @@ title: Device Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Device dialog box shows information about the selected device. ms.assetid: 5bd7cfda-31ea-4967-8b64-6c0425092f4e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md index 0f3ad7aa3d..85c5e0ba27 100644 
--- a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md +++ b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator (Windows 10) description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/example-filter-queries.md b/windows/plan/example-filter-queries.md index a128516e95..7b7732863d 100644 --- a/windows/plan/example-filter-queries.md +++ b/windows/plan/example-filter-queries.md @@ -2,8 +2,9 @@ title: Example Filter Queries (Windows 10) description: You can filter your compatibility-issue data or reports by selecting specific restriction criteria. ms.assetid: eae59380-56cc-4d57-bd2c-11a0e3c689c9 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/exporting-a-data-collection-package.md b/windows/plan/exporting-a-data-collection-package.md index c1eef9d0ad..5baee693f6 100644 --- a/windows/plan/exporting-a-data-collection-package.md +++ b/windows/plan/exporting-a-data-collection-package.md @@ -2,8 +2,9 @@ title: Exporting a Data-Collection Package (Windows 10) description: In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data. ms.assetid: 98fe19e4-9533-4ffc-a275-8b3776ee93ed -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/filtering-your-compatibility-data.md b/windows/plan/filtering-your-compatibility-data.md index 36776e764a..fcc724c2d5 100644 --- a/windows/plan/filtering-your-compatibility-data.md +++ b/windows/plan/filtering-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Filtering Your Compatibility Data (Windows 10) description: You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria. ms.assetid: b64267b5-83c0-4b4d-a075-0975d3a359c8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/fixing-applications-by-using-the-sua-tool.md b/windows/plan/fixing-applications-by-using-the-sua-tool.md index 99bd4deb6e..bdfe9b9c63 100644 --- a/windows/plan/fixing-applications-by-using-the-sua-tool.md +++ b/windows/plan/fixing-applications-by-using-the-sua-tool.md @@ -2,8 +2,9 @@ title: Fixing Applications by Using the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/fixing-compatibility-issues.md b/windows/plan/fixing-compatibility-issues.md index dc3e884415..b7f338d5ac 100644 --- a/windows/plan/fixing-compatibility-issues.md +++ b/windows/plan/fixing-compatibility-issues.md @@ -2,8 +2,9 @@ title: Fixing Compatibility Issues (Windows 10) description: This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues. ms.assetid: 30ba8d14-a41a-41b3-9019-e8658d6974de -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/identifying-computers-for-inventory-collection.md b/windows/plan/identifying-computers-for-inventory-collection.md index 638addad76..a7378b9820 100644 --- a/windows/plan/identifying-computers-for-inventory-collection.md +++ b/windows/plan/identifying-computers-for-inventory-collection.md @@ -2,8 +2,8 @@ title: Identifying Computers for Inventory Collection (Windows 10) ms.assetid: f5bf2d89-fff2-4960-a153-dc1146b442fb description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/index.md b/windows/plan/index.md index 3c830e97d4..a82ad27fb5 100644 --- a/windows/plan/index.md +++ b/windows/plan/index.md @@ -2,8 +2,8 @@ title: Plan for Windows 10 deployment (Windows 10) description: Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. ms.assetid: 002F9B79-B50F-40C5-A7A5-0B4770E6EC15 -keywords: ["deploy", "upgrade", "update", "configure"] -ms.prod: W10 +keywords: deploy, upgrade, update, configure +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library author: TrudyHa diff --git a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md index 2d040ed0be..c55deebb84 100644 --- a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md 
@@ -2,8 +2,9 @@ title: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/integration-with-management-solutions-.md b/windows/plan/integration-with-management-solutions-.md index 788d1ad4e8..83dcaee001 100644 --- a/windows/plan/integration-with-management-solutions-.md +++ b/windows/plan/integration-with-management-solutions-.md @@ -6,7 +6,7 @@ keywords: update, upgrade, deployment, manage, tools ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -ms.pagetype: servicing; devices +ms.pagetype: servicing, devices author: TrudyHa --- diff --git a/windows/plan/internet-explorer-web-site-report.md b/windows/plan/internet-explorer-web-site-report.md index fdcd6ef921..da0098b6c3 100644 --- a/windows/plan/internet-explorer-web-site-report.md +++ b/windows/plan/internet-explorer-web-site-report.md @@ -2,8 +2,9 @@ title: Internet Explorer - Web Site Report (Windows 10) ms.assetid: f072033d-9d42-47ed-8fb0-dbdc28442910 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/labeling-data-in-acm.md b/windows/plan/labeling-data-in-acm.md index d9fe6d9da7..1e0ae71639 100644 --- a/windows/plan/labeling-data-in-acm.md +++ b/windows/plan/labeling-data-in-acm.md 
@@ -2,8 +2,9 @@ title: Labeling Data in ACM (Windows 10) description: Application data and its associated compatibility issues can vary within an organization. ms.assetid: d099c747-e68a-4cad-a639-9f33efab35b3 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/log-file-locations-for-data-collection-packages.md b/windows/plan/log-file-locations-for-data-collection-packages.md index 6483bf1b49..99ea5bc63f 100644 --- a/windows/plan/log-file-locations-for-data-collection-packages.md +++ b/windows/plan/log-file-locations-for-data-collection-packages.md @@ -2,8 +2,9 @@ title: Log File Locations for Data-Collection Packages (Windows 10) ms.assetid: dcc395e7-2d9c-4935-abab-33c5934ce24a description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md index d85029f97f..7c8a961d1d 100644 --- a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -2,8 +2,9 @@ title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) description: This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/managing-your-data-collection-packages.md b/windows/plan/managing-your-data-collection-packages.md index eb9af845ad..46eaa26130 100644 --- a/windows/plan/managing-your-data-collection-packages.md +++ b/windows/plan/managing-your-data-collection-packages.md @@ -2,8 +2,9 @@ title: Managing Your Data-Collection Packages (Windows 10) description: This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. ms.assetid: 369ae82f-c8ca-42ec-85df-1b760a74e70a -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/organizational-tasks-for-each-report-type.md b/windows/plan/organizational-tasks-for-each-report-type.md index e49ccba8f8..e572f3b042 100644 --- a/windows/plan/organizational-tasks-for-each-report-type.md +++ b/windows/plan/organizational-tasks-for-each-report-type.md @@ -2,8 +2,9 @@ title: Organizational Tasks for Each Report Type (Windows 10) description: The following table shows which tasks can be performed for each report type. ms.assetid: 7463fab1-ba6e-4a9a-9112-0b69a18fe353 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/organizing-your-compatibility-data.md b/windows/plan/organizing-your-compatibility-data.md index 15d1d152b6..54bc38d151 100644 --- a/windows/plan/organizing-your-compatibility-data.md +++ b/windows/plan/organizing-your-compatibility-data.md 
@@ -2,8 +2,9 @@ title: Organizing Your Compatibility Data (Windows 10) description: This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM). ms.assetid: e91ae444-5d85-4b5f-b655-a765ecc78b1e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/prepare-your-organization-for-windows-to-go.md b/windows/plan/prepare-your-organization-for-windows-to-go.md index f66acaff2b..fabf25bc73 100644 --- a/windows/plan/prepare-your-organization-for-windows-to-go.md +++ b/windows/plan/prepare-your-organization-for-windows-to-go.md @@ -3,8 +3,9 @@ title: Prepare your organization for Windows To Go (Windows 10) description: Prepare your organization for Windows To Go ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff keywords: ["mobile, device, USB, deploy"] -ms.prod: W10 -ms.mktglfcycl: deploy +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/prioritizing-your-compatibility-data.md b/windows/plan/prioritizing-your-compatibility-data.md index b597b63fc8..3d55e9d1f3 100644 --- a/windows/plan/prioritizing-your-compatibility-data.md +++ b/windows/plan/prioritizing-your-compatibility-data.md @@ -2,8 +2,9 @@ title: Prioritizing Your Compatibility Data (Windows 10) ms.assetid: 103e125a-bd2b-4019-9d6a-2e1d50c380b1 description: -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/ratings-icons-in-acm.md b/windows/plan/ratings-icons-in-acm.md index ab8a3a47ec..e8f095c0ac 100644 --- a/windows/plan/ratings-icons-in-acm.md +++ b/windows/plan/ratings-icons-in-acm.md 
@@ -2,8 +2,9 @@ title: Ratings Icons in ACM (Windows 10) description: Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community. ms.assetid: 0165499e-cb47-4d76-98a6-b871d23e4e83 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/resolving-an-issue.md b/windows/plan/resolving-an-issue.md index 74ffe1f620..4d5557c944 100644 --- a/windows/plan/resolving-an-issue.md +++ b/windows/plan/resolving-an-issue.md @@ -2,8 +2,9 @@ title: Resolving an Issue (Windows 10) description: You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens. ms.assetid: 96195122-185d-4f6a-8e84-79c3d069e933 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/saving-opening-and-exporting-reports.md b/windows/plan/saving-opening-and-exporting-reports.md index 2f947a935e..67d940bd0d 100644 --- a/windows/plan/saving-opening-and-exporting-reports.md +++ b/windows/plan/saving-opening-and-exporting-reports.md @@ -2,8 +2,9 @@ title: Saving, Opening, and Exporting Reports (Windows 10) description: You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file. ms.assetid: 8be72a6c-63ab-4451-ad79-815e2ac18aa2 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md index 6c83a990ee..99b2f4a61f 100644 --- a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) description: With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md index bdc0043f6b..25906a1746 100644 --- a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. ms.assetid: dd213b55-c71c-407a-ad49-33db54f82f22 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md index 7343863528..999d2e6956 100644 --- a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md @@ -2,9 +2,10 @@ title: Security and data protection considerations for Windows To Go (Windows 10) description: One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe -keywords: ["mobile, device, USB, secure, BitLocker"] -ms.prod: W10 -ms.mktglfcycl: deploy +keywords: mobile, device, USB, secure, BitLocker +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility, security ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md index 0a8f1c3450..782d3c1651 100644 --- a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md +++ b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md @@ -2,8 +2,9 @@ title: Selecting the Send and Receive Status for an Application (Windows 10) description: For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange. ms.assetid: ae139093-27cf-4ad8-882d-e0509e78d33a -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/selecting-your-compatibility-rating.md b/windows/plan/selecting-your-compatibility-rating.md index 3b64974c1d..b7042d456d 100644 
--- a/windows/plan/selecting-your-compatibility-rating.md +++ b/windows/plan/selecting-your-compatibility-rating.md @@ -2,8 +2,9 @@ title: Selecting Your Compatibility Rating (Windows 10) description: You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. ms.assetid: 959da499-8fd6-4f32-8771-a0580dd8e0d3 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/selecting-your-deployment-status.md b/windows/plan/selecting-your-deployment-status.md index 4d47ec35fb..8cc4a070bc 100644 --- a/windows/plan/selecting-your-deployment-status.md +++ b/windows/plan/selecting-your-deployment-status.md @@ -2,8 +2,9 @@ title: Selecting Your Deployment Status (Windows 10) description: In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites. ms.assetid: 7735d256-77eb-4498-93aa-c838ee6e00fc -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/sending-and-receiving-compatibility-data.md b/windows/plan/sending-and-receiving-compatibility-data.md index e2165cb7e6..5a694085b2 100644 --- a/windows/plan/sending-and-receiving-compatibility-data.md +++ b/windows/plan/sending-and-receiving-compatibility-data.md @@ -2,8 +2,9 @@ title: Sending and Receiving Compatibility Data (Windows 10) description: The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. ms.assetid: b86d2431-1caa-4f95-baf9-52ff6af546cd -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/settings-for-acm.md b/windows/plan/settings-for-acm.md index b548b8f403..6abb406ec3 100644 --- a/windows/plan/settings-for-acm.md +++ b/windows/plan/settings-for-acm.md @@ -2,8 +2,9 @@ title: Settings for ACM (Windows 10) description: This section provides information about settings that you can configure in Application Compatibility Manager (ACM). ms.assetid: e0126284-4348-4708-8976-a1e404f35971 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/setup-and-deployment.md b/windows/plan/setup-and-deployment.md index 590be310dd..618c4b80a0 100644 --- a/windows/plan/setup-and-deployment.md +++ b/windows/plan/setup-and-deployment.md @@ -6,7 +6,7 @@ keywords: update, upgrade, deployment ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -ms.pagetype: servicing; devices +ms.pagetype: servicing, devices author: TrudyHa --- diff --git a/windows/plan/showing-messages-generated-by-the-sua-tool.md b/windows/plan/showing-messages-generated-by-the-sua-tool.md index 1b34533117..03651875c5 100644 --- a/windows/plan/showing-messages-generated-by-the-sua-tool.md +++ b/windows/plan/showing-messages-generated-by-the-sua-tool.md @@ -2,8 +2,9 @@ title: Showing Messages Generated by the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/software-requirements-for-act.md b/windows/plan/software-requirements-for-act.md index 5b3047ffaf..3564e2d753 100644 --- a/windows/plan/software-requirements-for-act.md +++ b/windows/plan/software-requirements-for-act.md 
@@ -2,8 +2,9 @@ title: Software Requirements for ACT (Windows 10) description: The Application Compatibility Toolkit (ACT) has the following software requirements. ms.assetid: 9bbc21d4-f2ac-4a91-8add-017b1eacdeee -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/software-requirements-for-rap.md b/windows/plan/software-requirements-for-rap.md index 18462f9bd7..07311438e4 100644 --- a/windows/plan/software-requirements-for-rap.md +++ b/windows/plan/software-requirements-for-rap.md @@ -2,8 +2,9 @@ title: Software Requirements for RAP (Windows 10) description: The runtime-analysis package (RAP) has the following software requirements. ms.assetid: 0163ce70-f5ba-400c-bdd5-a25511aac91f -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/sua-users-guide.md b/windows/plan/sua-users-guide.md index d907f4229d..e0f2921b80 100644 --- a/windows/plan/sua-users-guide.md +++ b/windows/plan/sua-users-guide.md @@ -2,8 +2,9 @@ title: SUA User's Guide (Windows 10) description: You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/tabs-on-the-sua-tool-interface.md b/windows/plan/tabs-on-the-sua-tool-interface.md index 70a9ac7535..721e32bca7 100644 --- a/windows/plan/tabs-on-the-sua-tool-interface.md +++ b/windows/plan/tabs-on-the-sua-tool-interface.md 
@@ -2,8 +2,9 @@ title: Tabs on the SUA Tool Interface (Windows 10) description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/taking-inventory-of-your-organization.md b/windows/plan/taking-inventory-of-your-organization.md index d42fc430b2..07b40d240a 100644 --- a/windows/plan/taking-inventory-of-your-organization.md +++ b/windows/plan/taking-inventory-of-your-organization.md @@ -2,8 +2,9 @@ title: Taking Inventory of Your Organization (Windows 10) description: This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization. ms.assetid: d52f138d-c6b2-4ab1-bb38-5b036311a51d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/testing-compatibility-on-the-target-platform.md b/windows/plan/testing-compatibility-on-the-target-platform.md index 10111af439..621a8bfeb2 100644 --- a/windows/plan/testing-compatibility-on-the-target-platform.md +++ b/windows/plan/testing-compatibility-on-the-target-platform.md @@ -2,8 +2,9 @@ title: Testing Compatibility on the Target Platform (Windows 10) description: This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment. ms.assetid: 8f3e9d58-37c2-41ea-a216-32712baf6cf4 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- 
diff --git a/windows/plan/testing-your-application-mitigation-packages.md b/windows/plan/testing-your-application-mitigation-packages.md index df727951fd..669904c1e6 100644 --- a/windows/plan/testing-your-application-mitigation-packages.md +++ b/windows/plan/testing-your-application-mitigation-packages.md @@ -2,8 +2,9 @@ title: Testing Your Application Mitigation Packages (Windows 10) description: This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-act-database-issues.md b/windows/plan/troubleshooting-act-database-issues.md index 758df1a050..ba1e7c4f7a 100644 --- a/windows/plan/troubleshooting-act-database-issues.md +++ b/windows/plan/troubleshooting-act-database-issues.md @@ -2,8 +2,9 @@ title: Troubleshooting ACT Database Issues (Windows 10) description: The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT). ms.assetid: c36ab5d8-cc82-4681-808d-3d491551b75e -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-act.md b/windows/plan/troubleshooting-act.md index 1dbfeee130..3de62348a2 100644 --- a/windows/plan/troubleshooting-act.md +++ b/windows/plan/troubleshooting-act.md 
@@ -2,8 +2,9 @@ title: Troubleshooting ACT (Windows 10) description: This section provides troubleshooting information for the Application Compatibility Toolkit (ACT). ms.assetid: 5696b0c0-5db5-4111-a1e1-825129e683d8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-the-act-configuration-wizard.md b/windows/plan/troubleshooting-the-act-configuration-wizard.md index 058b39db72..709b60fb6d 100644 --- a/windows/plan/troubleshooting-the-act-configuration-wizard.md +++ b/windows/plan/troubleshooting-the-act-configuration-wizard.md @@ -2,8 +2,9 @@ title: Troubleshooting the ACT Configuration Wizard (Windows 10) description: When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. ms.assetid: f4f489c7-50b7-4b07-8b03-79777e1aaefd -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/troubleshooting-the-act-log-processing-service.md b/windows/plan/troubleshooting-the-act-log-processing-service.md index 8fef3bc4b5..0fff19e588 100644 --- a/windows/plan/troubleshooting-the-act-log-processing-service.md +++ b/windows/plan/troubleshooting-the-act-log-processing-service.md @@ -2,8 +2,9 @@ title: Troubleshooting the ACT Log Processing Service (Windows 10) description: The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service. ms.assetid: cb6f90c2-9f7d-4a34-a91e-8ed55b8c256d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/understanding-and-using-compatibility-fixes.md b/windows/plan/understanding-and-using-compatibility-fixes.md index bde6db5bc2..6c73a5645b 100644 
--- a/windows/plan/understanding-and-using-compatibility-fixes.md +++ b/windows/plan/understanding-and-using-compatibility-fixes.md @@ -2,8 +2,9 @@ title: Understanding and Using Compatibility Fixes (Windows 10) description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. ms.assetid: 84bf663d-3e0b-4168-99d6-a26e054821b7 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-act.md b/windows/plan/using-act.md index a091159a76..3793af0dd1 100644 --- a/windows/plan/using-act.md +++ b/windows/plan/using-act.md @@ -2,8 +2,9 @@ title: Using ACT (Windows 10) description: This section describes how to use the Application Compatibility Toolkit (ACT) in your organization. ms.assetid: e6a68f44-7503-450d-a000-a04fbb93a146 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-compatibility-monitor-to-send-feedback.md b/windows/plan/using-compatibility-monitor-to-send-feedback.md index 4bf3abf7e8..9a86a64d25 100644 --- a/windows/plan/using-compatibility-monitor-to-send-feedback.md +++ b/windows/plan/using-compatibility-monitor-to-send-feedback.md @@ -2,8 +2,9 @@ title: Using Compatibility Monitor to Send Feedback (Windows 10) description: The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. ms.assetid: dc59193e-7ff4-4950-8c20-e90c246e469d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-compatibility-administrator-tool.md b/windows/plan/using-the-compatibility-administrator-tool.md index 09f3b30d05..26bd9c4a90 100644 --- a/windows/plan/using-the-compatibility-administrator-tool.md 
+++ b/windows/plan/using-the-compatibility-administrator-tool.md @@ -2,8 +2,9 @@ title: Using the Compatibility Administrator Tool (Windows 10) description: This section provides information about using the Compatibility Administrator tool. ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-sdbinstexe-command-line-tool.md b/windows/plan/using-the-sdbinstexe-command-line-tool.md index 26fdc888d1..fdd93bf2f3 100644 --- a/windows/plan/using-the-sdbinstexe-command-line-tool.md +++ b/windows/plan/using-the-sdbinstexe-command-line-tool.md @@ -2,8 +2,9 @@ title: Using the Sdbinst.exe Command-Line Tool (Windows 10) description: You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-sua-tool.md b/windows/plan/using-the-sua-tool.md index 978389cd95..c758d2f32d 100644 --- a/windows/plan/using-the-sua-tool.md +++ b/windows/plan/using-the-sua-tool.md @@ -2,8 +2,9 @@ title: Using the SUA Tool (Windows 10) description: By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. ms.assetid: ebe52061-3816-47f7-a865-07bc5f405f03 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/using-the-sua-wizard.md b/windows/plan/using-the-sua-wizard.md index 7571be582c..a8f3b3ce03 100644 --- a/windows/plan/using-the-sua-wizard.md 
+++ b/windows/plan/using-the-sua-wizard.md @@ -2,8 +2,9 @@ title: Using the SUA Wizard (Windows 10) description: The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md index 29d76d517d..8c89db2a64 100644 --- a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md +++ b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md @@ -2,8 +2,9 @@ title: Viewing the Events Screen in Compatibility Administrator (Windows 10) description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/viewing-your-compatibility-reports.md b/windows/plan/viewing-your-compatibility-reports.md index b1a40653dc..c0f5ffaae9 100644 --- a/windows/plan/viewing-your-compatibility-reports.md +++ b/windows/plan/viewing-your-compatibility-reports.md 
@@ -2,8 +2,9 @@ title: Viewing Your Compatibility Reports (Windows 10) description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. ms.assetid: a28bbfbe-5f05-4a1e-9397-0a3ceb585871 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/websiteurl-dialog-box.md b/windows/plan/websiteurl-dialog-box.md index 10f108276b..f9f44433db 100644 --- a/windows/plan/websiteurl-dialog-box.md +++ b/windows/plan/websiteurl-dialog-box.md @@ -2,8 +2,9 @@ title: WebsiteURL Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the websiteURL dialog box shows information about the selected website. ms.assetid: 0dad26e1-4bba-4fef-b160-3fa1f4325da8 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/welcome-to-act.md b/windows/plan/welcome-to-act.md index fdbbc6ad7d..c6755be21e 100644 --- a/windows/plan/welcome-to-act.md +++ b/windows/plan/welcome-to-act.md @@ -2,8 +2,9 @@ title: Welcome to ACT (Windows 10) description: The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. ms.assetid: 3963db88-83d2-4b9a-872e-31c275d1a321 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/whats-new-in-act-60.md b/windows/plan/whats-new-in-act-60.md index c765ca62eb..b516ef3eae 100644 --- a/windows/plan/whats-new-in-act-60.md +++ b/windows/plan/whats-new-in-act-60.md 
@@ -2,8 +2,9 @@ title: What's New in ACT 6.1 (Windows 10) description: Two major updates have been released since ACT 6.1. ms.assetid: f12e137d-0b55-4f7d-88e0-149302655d9b -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: TrudyHa --- diff --git a/windows/plan/windows-10-compatibility.md b/windows/plan/windows-10-compatibility.md index 7823fc3961..7466117367 100644 --- a/windows/plan/windows-10-compatibility.md +++ b/windows/plan/windows-10-compatibility.md @@ -2,9 +2,10 @@ title: Windows 10 compatibility (Windows 10) description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 -keywords: ["deploy", "upgrade", "update", "appcompat"] -ms.prod: W10 +keywords: deploy, upgrade, update, appcompat +ms.prod: w10 ms.mktglfcycl: plan +ms.pagetype: appcompat ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/windows-10-deployment-considerations.md b/windows/plan/windows-10-deployment-considerations.md index 51d122fa2b..cefe2e8c90 100644 --- a/windows/plan/windows-10-deployment-considerations.md +++ b/windows/plan/windows-10-deployment-considerations.md @@ -2,8 +2,8 @@ title: Windows 10 deployment considerations (Windows 10) description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE -keywords: ["deploy", "upgrade", "update", "in-place"] -ms.prod: W10 +keywords: deploy, upgrade, update, in-place +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library author: mtniehaus diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md index c40e7da07e..599ac55e24 100644 
--- a/windows/plan/windows-10-guidance-for-education-environments.md +++ b/windows/plan/windows-10-guidance-for-education-environments.md @@ -2,10 +2,10 @@ title: Guidance for education environments (Windows 10) description: Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -ms.pagetype: security +ms.pagetype: edu, security author: craigash --- diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/plan/windows-10-infrastructure-requirements.md index bfa40b1eca..f8a5b10095 100644 --- a/windows/plan/windows-10-infrastructure-requirements.md +++ b/windows/plan/windows-10-infrastructure-requirements.md @@ -2,8 +2,8 @@ title: Windows 10 infrastructure requirements (Windows 10) description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 -keywords: ["deploy", "upgrade", "update", "hardware"] -ms.prod: W10 +keywords: deploy, upgrade, update, hardware +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library author: mtniehaus diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md index 0cf0cd63eb..2e67c97c04 100644 --- a/windows/plan/windows-10-servicing-options.md +++ b/windows/plan/windows-10-servicing-options.md 
@@ -2,9 +2,10 @@ title: Windows 10 servicing options (Windows 10) description: Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. ms.assetid: 6EF0792C-B587-497D-8489-4A7F5848D92A -keywords: ["deploy", "upgrade", "update", "servicing"] -ms.prod: W10 +keywords: deploy, upgrade, update, servicing +ms.prod: w10 ms.mktglfcycl: plan +ms.pagetype: servicing ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/windows-to-go-frequently-asked-questions.md b/windows/plan/windows-to-go-frequently-asked-questions.md index 0eaa4178e6..a9f0dfee6c 100644 --- a/windows/plan/windows-to-go-frequently-asked-questions.md +++ b/windows/plan/windows-to-go-frequently-asked-questions.md @@ -2,9 +2,10 @@ title: Windows To Go frequently asked questions (Windows 10) description: Windows To Go frequently asked questions ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e -keywords: ["FAQ, mobile, device, USB"] -ms.prod: W10 +keywords: FAQ, mobile, device, USB +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: mobility ms.sitesec: library author: mtniehaus --- diff --git a/windows/plan/windows-to-go-overview.md b/windows/plan/windows-to-go-overview.md index c473ab949b..f00dfb55ea 100644 --- a/windows/plan/windows-to-go-overview.md +++ b/windows/plan/windows-to-go-overview.md @@ -2,9 +2,10 @@ title: Windows To Go feature overview (Windows 10) description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42 -keywords: ["workspace, mobile, installation, image, USB, device, image"] +keywords: workspace, mobile, installation, image, USB, device, image, edu ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: mobility, edu ms.sitesec: library author: mtniehaus --- 
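Review bot: the rewritten `keywords:` line for windows-to-go-overview.md still lists `image` twice (`installation, image, USB, device, image, edu`); since the line is being replaced anyway, drop the duplicate. The added `ms.pagetype: mobility, edu` separates its values with a comma, while windows-10-mobile-and-mdm.md in this series carries `ms.pagetype: mobile; devices`; settle on one separator so the front matter is parsed the same way in every topic.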
diff --git a/windows/plan/windows-update-for-business.md b/windows/plan/windows-update-for-business.md index 7371c01825..67c4200203 100644 --- a/windows/plan/windows-update-for-business.md +++ b/windows/plan/windows-update-for-business.md @@ -2,7 +2,7 @@ title: Windows Update for Business (Windows 10) description: Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. ms.assetid: DF61F8C9-A8A6-4E83-973C-8ABE090DB8C6 -keywords: [update, upgrade, deployment, WSUS +keywords: update, upgrade, deployment, WSUS ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library From 7d106ca8032da375f4fcccd6fd00647be1567ebb Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 23 May 2016 13:54:34 -0700 Subject: [PATCH 064/169] fixing spacing issues --- windows/manage/windows-10-mobile-and-mdm.md | 270 +++++++++++++++----- 1 file changed, 213 insertions(+), 57 deletions(-) diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md index 076e220c88..a818238913 100644 --- a/windows/manage/windows-10-mobile-and-mdm.md +++ b/windows/manage/windows-10-mobile-and-mdm.md 
@@ -2,48 +2,74 @@ title: Windows 10 Mobile and mobile device management (Windows 10) description: This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E -ms.pagetype: mobile; devices -keywords: ["telemetry", "BYOD", "MDM"] +keywords: telemetry, BYOD, MDM ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: mobile; devices author: AMeeus --- + # Windows 10 Mobile and mobile device management + **Applies to** - Windows 10 Mobile + This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. It describes how mobile device management (MDM) systems use the built-in device management client to deploy, configure, maintain, and support phones and small tablets running Windows 10 Mobile. + Bring Your Own Device (BYOD—that is, personal devices) and corporate devices are key scenarios that Windows 10 Mobile MDM capabilities support. The operating system offers a flexible approach to registering devices with directory services and MDM systems, and IT organizations can provision comprehensive device-configuration profiles based on their company’s need to control and secure mobile business data. Windows 10 Mobile not only delivers more comprehensive, restrictive configuration settings than Windows Phone 8.1 did but also provides capabilities to deploy and manage apps built on the Universal Windows Platform (UWP). Companies can distribute apps directly from Windows Store or by using their MDM system. They can control and distribute custom line-of-business (LOB) apps the same way. + ## Overview + Organizations’ users increasingly depend on their mobile devices, but phones and tablets bring new and unfamiliar challenges for IT departments. 
IT must be able to deploy and manage mobile devices and apps quickly to support the business while balancing the growing need to protect corporate data because of evolving laws, regulations, and cybercrime. IT must ensure that the apps and data on those mobile devices are safe, especially on personal devices. Windows 10 Mobile helps organizations address these challenges by providing a robust, flexible, built-in MDM client. IT departments can use the MDM system of their choice to manage this client. + ### Built-in MDM client + The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management. + - **Device enrollment.** Users can enroll in the MDM system. On Windows 10, a user can register a device with Microsoft Azure Active Directory (Azure AD) and enroll in an MDM system at the same time so that the system can manage the device, the apps running on it, and the confidential data it holds. Enrollment establishes the management authority for the device. Only one management authority (or MDM enrollment) is possible at a time, which helps prevent unauthorized access to devices and ensures their stability and reliability. - **Device management.** The MDM client allows the MDM system to configure policy settings; deploy apps and updates; and perform other management tasks, such as remotely wiping the device. The MDM system sends configuration requests and collects inventory through the MDM client. The client uses [configuration service providers (CSPs)](http://go.microsoft.com/fwlink/p/?LinkId=734049) to configure and inventory settings. A CSP is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. 
(The security architecture of Windows 10 Mobile prevents direct access to registry settings and operating system files. For more information, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md).) + The MDM client is an integral part of Windows 10 Mobile. As a result, there is no need for an additional, custom MDM app to enroll the device or to allow an MDM system to manage it. All MDM systems have equal access to Windows 10 Mobile MDM application programming interfaces (APIs), so you can choose Microsoft Intune or a third-party MDM product to manage Windows 10 Mobile devices. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050). + ### Windows 10 Mobile editions + Every device that runs Windows 10 Mobile includes all the enterprise mobile device security and management capabilities the MDM client provides. Microsoft also offers an Enterprise edition of Windows 10 Mobile, which includes three additional capabilities. To enable these capabilities, you can provision a license file without reinstalling the operating system: + - **Ability to postpone software updates.**Windows 10 Mobile gets software updates directly from Windows Update, and you cannot curate updates prior to deployment. Windows 10 Mobile Enterprise, however, allows you to curate and validate updates prior to deploying them. - **No limit on the number of self-signed LOB apps that you can deploy to a single device.** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device, more than 20 if your organization’s devices run Windows 10 Mobile Enterprise. 
- **Set telemetry to security level.** The telemetry security level configures the operating system to gather only the telemetry information required to keep devices secured. -**Note**   -Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use [Windows Store for Business](windows-store-for-business.md) to obtain apps. With either method, you can distribute more than 20 apps to a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM system. + +>**Note:**  Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use [Windows Store for Business](windows-store-for-business.md) to obtain apps. With either method, you can distribute more than 20 apps to a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM system.   To activate Windows 10 Mobile Enterprise on any Windows 10 Mobile device, use your company’s MDM system or a provisioning package to inject a license onto the device. You can download a Windows 10 Mobile Enterprise license from the Business Support Portal. + ### Lifecycle management + Windows 10 Mobile supports end-to-end lifecycle device management to give companies control of their devices, data, and apps. Comprehensive MDM systems use the built-in MDM client to manage devices throughout their lifecycle, as Figure 1 illustrates. The remainder of this guide describes the operating system’s mobile device and app management capabilities through each phase of the lifecycle, showing how MDM systems use specific features. + ![figure 1](images/win10-mobile-mdm-fig1.png) + Figure 1. Device management lifecycle + ## Device deployment + Device deployment includes the initial registration and configuration of the device, including its enrollment with an MDM system. Sometimes, companies preinstall apps. 
The major factors in how you deploy devices and which controls you put in place are device ownership and how the user will use the device. This guide covers two scenarios: + 1. Companies allow users to personalize their devices because the users own the devices or because company policy doesn’t require tight controls (defined as *personal devices* in this guide). 2. Companies don’t allow users to personalize their devices or they limit personalization, usually because the organization owns the devices and security considerations are high (defined as *corporate devices* in this guide). + Often, employees can choose devices from a list of supported models, or companies provide devices that they preconfigure, or bootstrap, with a baseline configuration. + Microsoft recommends Azure AD Join and MDM enrollment and management for corporate devices and Azure AD Registration and MDM enrollment and management for personal devices. + ### Deployment scenarios + Most organizations support both personal and corporate device scenarios. The infrastructure for these scenarios is similar, but the deployment process and configuration policies differ. Table 1 describes characteristics of the personal and corporate device scenarios. Activation of a device with an organizational identity is unique to Windows 10 Mobile. + Table 1. Characteristics of personal and corporate device scenarios + @@ -75,10 +101,14 @@ Table 1. Characteristics of personal and corporate device scenarios
        ### Identity management + People can use only one account to activate a device, so it’s imperative that your organization control which account you enable first. The account you choose will determine who controls the device and influence your management capabilities. The following list describes the impact that users’ identities have on management (Table 2 summarizes these considerations): + - **Personal identity.** In this scenario, employees use their Microsoft account to activate the device. Then, they use their Azure AD account (organizational identity) to register the device in Azure AD and enroll it with the company’s MDM solution. You can apply policies to help protect and contain corporate apps and data on the devices, designed to prevent intellectual property leaks, but users keep full control over personal activities, such as downloading and installing apps and games. - **Organizational identity.** In this scenario, employees use their Azure AD account to register the device to Azure AD and automatically enroll it with the organization’s MDM solution. In this case, companies can block personal use of devices. Using organizational Identities to initialize devices gives organizations complete control over devices and allows them to prevent personalization. + Table 2. Personal vs. organizational identity + @@ -127,33 +157,45 @@ Table 2. Personal vs. organizational identity
        ### Infrastructure requirements + For both device scenarios, the essential infrastructure and tools required to deploy and manage Windows 10 Mobile devices include an Azure AD subscription and an MDM system. + Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid solution. Azure AD has three editions: Free, Basic, and Premium (see [Azure Active Directory editions](http://go.microsoft.com/fwlink/p/?LinkId=723980)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. Organizations that use Microsoft Office 365 or Intune are already using Azure AD. -**Note**   -Most industry-leading MDM vendors already support integration with Azure AD or are working on integration. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://go.microsoft.com/fwlink/p/?LinkId=723981). + +>**Note:**  Most industry-leading MDM vendors already support integration with Azure AD or are working on integration. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://go.microsoft.com/fwlink/p/?LinkId=723981).   Users can enroll Windows 10 Mobile devices in third-party MDM systems without using an Azure AD organizational account. (By default, Intune uses Azure AD and includes a license). If your organization doesn’t use Azure AD, you must use a personal identity to activate devices and enable common scenarios, such as downloading apps from Windows Store. + Multiple MDM systems that support Windows 10 Mobile are available. Most support personal and corporate device deployment scenarios. Microsoft offers [Intune](http://go.microsoft.com/fwlink/p/?LinkId=723983), which is part of the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) and a cloud-based MDM system that manages devices off premises. 
Like Office 365, Intune uses Azure AD for identity management, so employees use the same credentials to enroll devices in Intune or sign in to Office 365. Intune supports devices that run other operating systems, as well, such as iOS and Android, to provide a complete MDM solution. + You can also integrate Intune with System Center Configuration Manager to gain a single console in which to manage all devices—in the cloud and on premises. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=734051). For guidance on choosing between a stand-alone Intune installation and Intune integrated with Configuration Manager, see [Choose between Intune by itself or integrating Intune with System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=723985). In addition to Intune, other MDM providers support Windows 10 Mobile. Currently, the following MDM systems claim to support Windows 10 and Windows 10 Mobile: [AirWatch](http://go.microsoft.com/fwlink/p/?LinkId=723986), [Citrix](http://go.microsoft.com/fwlink/p/?LinkId=723987), [Lightspeed Systems](http://go.microsoft.com/fwlink/p/?LinkId=723988), [Matrix42](http://go.microsoft.com/fwlink/p/?LinkId=723989), [MobileIron](http://go.microsoft.com/fwlink/p/?LinkId=723990), [SAP](http://go.microsoft.com/fwlink/p/?LinkId=723991), [SOTI](http://go.microsoft.com/fwlink/p/?LinkId=723992), and [Symantec](http://go.microsoft.com/fwlink/p/?LinkId=723993). + All MDM vendors have equal access to the [Windows 10 MDM APIs](http://go.microsoft.com/fwlink/p/?LinkId=734050). The extent to which they implement these APIs depends on the vendor. Contact your preferred MDM vendor to determine its level of support. -**Note**   -Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. 
+ +>**Note:**  Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (for example, passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052).   ### Provisioning + Provisioning is new to Windows 10 and uses the MDM client in Windows 10 Mobile. You can create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. To assist users with MDM system enrollment, use a provisioning package. To do so, use the [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) to create a provisioning package, and then install that package on the device. Users can perform self-service MDM enrollment based on the following deployment scenarios: + - **Corporate device.** During the out-of-the-box experience (OOBE), you can instruct the user to select **This device is owned by my organization** and join the device to Azure AD and the MDM system. - **Personal device.** The user activates the device with a Microsoft account, but you can instruct him or her to register the device with Azure AD and enroll in Intune. To do so in Windows 10 Mobile, the user clicks, **Settings**, clicks **Accounts**, and then clicks **Work access**. 
To automate MDM enrollment, use provisioning packages as follows: - **Corporate device.** You can create a provisioning package and apply it to a corporate device before delivery to the user, or instruct the user to apply the package during OOBE. After application of the provisioning package, the OOBE process automatically chooses the enterprise path and requires the user to register the device with Azure AD and enroll it in the MDM system. - **Personal device.** You can create a provisioning package and make it available to users who want to enroll their personal device in the enterprise. The user enrolls the device in the corporate MDM for further configuration by applying the provisioning package. To do so in Windows 10 Mobile, the user clicks **Settings**, clicks **Accounts**, and then clicks **Provisioning**). + Distribute provisioning packages to devices by publishing them in an easily accessible location (e.g., an email attachment or a web page). You can cryptographically sign or encrypt provisioning packages and require that the user enter a password to apply them. + See [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=734054) for more information on creating provisioning packages. + ## Device configuration + The following sections describe the device configuration capabilities of the built-in Windows 10 Mobile MDM client. This client exposes the capabilities to any MDM system compatible with Windows 10. Configurable settings include: + - [Email accounts](#email) - [Account restrictions](#restrictions) - [Device lock restrictions](#device-lock) 
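Review bot: in the Provisioning part of this hunk, the paragraph `To automate MDM enrollment, use provisioning packages as follows:` gets no added blank line before it or between it and its bullet list, unlike the `+` blank line added after `... based on the following deployment scenarios:` just above, so if the source has none there it will still run into the preceding list item. Two punctuation slips also remain in the unchanged lines of this hunk: the comma in `the user clicks, **Settings**` and the unmatched `)` after `clicks **Provisioning**`. Earlier in the same file, `**Ability to postpone software updates.**Windows 10 Mobile` is still missing the space after the bold text, which belongs in a commit whose stated purpose is fixing spacing.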
@@ -165,13 +207,17 @@ The following sections describe the device configuration capabilities of the bui - [Access point name (APN) profiles](#apn) - [Data leak prevention](#data) - [Storage management](#storage) -**Note**   -Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM systems may show them in their user interface. In addition, naming may vary among MDM systems. Consult your MDM system’s documentation for more information. + +>**Note:**  Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM systems may show them in their user interface. In addition, naming may vary among MDM systems. Consult your MDM system’s documentation for more information.   ### Email accounts + You can use your corporate MDM system to manage corporate email accounts. Define email account profiles in the MDM system, and then deploy them to devices. You would usually deploy these settings immediately after enrollment, regardless of scenario. + This capability extends to email systems that use EAS. Table 3 lists settings that you can configure in EAS email profiles. + Table 3. Windows 10 Mobile settings for EAS email profiles + | Setting | Description | |----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Email Address | The email address associated with the EAS account | 
@@ -191,7 +237,9 @@ Table 3. Windows 10 Mobile settings for EAS email profiles | Content Types | The content type that is synchronized (e.g., email, contacts, calendar, task items) |   Table 4 lists settings that you can configure in other email profiles. + Table 4. Windows 10 Mobile settings for other email profiles + | Setting | Description | |-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------| | User logon name | The user logon name for the email account | 
@@ -224,21 +272,26 @@ Table 4. Windows 10 Mobile settings for other email profiles | Incoming and outgoing servers require SSL | A group of properties that specify whether the incoming and outgoing email servers use SSL |   ### Account restrictions + On a corporate device registered with Azure AD and enrolled in the MDM system, you can control whether users can use a Microsoft account or add other consumer email accounts. Table 5 lists the settings that you can use to manage accounts on Windows 10 Mobile devices. + Table 5. Windows 10 Mobile account management settings -| Setting | Description | -|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Allow Microsoft Account | Specifies whether users are allowed to add a Microsoft account to the device after MDM enrollment and use this account for connection authentication and services, such as purchasing apps in Windows Store, or cloud-based consumer services, such as Xbox or Groove. If a device was activated with a Microsoft account, the MDM system would not be able to block that account from being used. | -| Allow Adding Non Microsoft Accounts | Specifies whether users are allowed to add email accounts other than Microsoft accounts after MDM enrollment. If **Allow Microsoft Account** is applied, user can also not use a Microsoft account. | -| Allow “Your Account” | Specifies whether users are able to change account configuration in the **Your Email and Accounts** panel in Settings. 
| +| Setting | Description | +| - | -| +| Allow Microsoft Account | Specifies whether users are allowed to add a Microsoft account to the device after MDM enrollment and use this account for connection authentication and services, such as purchasing apps in Windows Store, or cloud-based consumer services, such as Xbox or Groove. If a device was activated with a Microsoft account, the MDM system would not be able to block that account from being used. | +| Allow Adding Non Microsoft Accounts | Specifies whether users are allowed to add email accounts other than Microsoft accounts after MDM enrollment. If **Allow Microsoft Account** is applied, user can also not use a Microsoft account. | +| Allow “Your Account” | Specifies whether users are able to change account configuration in the **Your Email and Accounts** panel in Settings.|   ### Device lock restrictions + It’s common sense to lock a device when it is not in use. Microsoft recommends that you secure Windows 10 Mobile devices and implement a device lock policy. A device password or PIN lock is a best practice for securing apps and data on devices. [Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=723994) is the name given to the new biometric sign-in option that allows users to use their face, iris, or fingerprints to unlock their compatible device, all of which Windows 10 supports. -**Note**   -In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password. + +>**Note:**  In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password.   Table 6 lists the MDM settings in Windows 10 Mobile that you can use to configure device lock restrictions. + Table 6. Windows 10 Mobile device lock restrictions + @@ -314,9 +367,10 @@ Table 6. Windows 10 Mobile device lock restrictions
        ### Hardware restrictions + Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can also use hardware restrictions to control the availability of these features. Table 7 lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions. -**Note**   -Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs. + +>**Note:**  Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs.   Table 7. Windows 10 Mobile hardware restrictions | Setting | Description | 
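Review bot: The "Table 7. Windows 10 Mobile hardware restrictions" caption at the end of this hunk is still attached directly to the `| Setting | Description |` header row, while the other hunks in this patch add a blank line before and after each caption (Table 3, Table 8, Table 16). Add the same blank lines around the Table 7 caption so the spacing is consistent across the file.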
@@ -338,8 +392,11 @@ Table 7. Windows 10 Mobile hardware restrictions | Allow Location | Whether the device can use the GPS sensor or other methods to determine location so applications can use location information |   ### Certificate management + Managing certificates can be difficult for users, but certificates are pervasive for a variety of uses, including, account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although users could manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates for their entire life cycle, from enrollment through renewal to revocation. You can use the Simple Certificate Enrollment Protocol (SCEP) and Personal Information Exchange (PFX) certificates files to install certificates on Windows 10 Mobile. Certificate management through SCEP and MDM systems is fully transparent to users and requires no user intervention, so it helps improve user productivity and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device. Table 8 lists the SCEP settings that the MDM client in Windows 10 Mobile provides. + Table 8. Windows 10 Mobile SCEP certificate enrollment settings + | Setting | Description | |------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Certificate enrollment server URLs | The certificate enrollment servers (to specify multiple server URLs, separate the URLs with semicolons \[;\]) | 
@@ -361,7 +418,9 @@ Table 8. Windows 10 Mobile SCEP certificate enrollment settings | Thumbprint | The current certificate thumbprint, if certificate enrollment succeeds |   In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. Table 9 lists the Windows 10 Mobile PFX certificate deployment settings. + Table 9. Windows 10 Mobile PFX certificate deployment settings + | Setting | Description | |-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Private key storage | Where to store the private key (in other words, the TPM, a software KSP, or the Microsoft Passport KSP) | @@ -373,8 +432,9 @@ Table 9. Windows 10 Mobile PFX certificate deployment settings | Thumbprint | The thumbprint of the installed PFX certificate |   Use the **Allow Manual Root Certificate Installation** setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently. -**Note**   -To diagnose certificate-related issues on Windows 10 Mobile devices, use the free [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=723996) in Windows Store. This Windows 10 Mobile app can help you: + +>**Note:**  To diagnose certificate-related issues on Windows 10 Mobile devices, use the free [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=723996) in Windows Store. This Windows 10 Mobile app can help you: + - View a summary of all personal certificates. - View the details of individual certificates. - View the certificates used for VPN, Wi-Fi, and email authentication. 
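Review bot: The bullet list that follows the converted note is cut off from it: the `>**Note:**` line ends with "This Windows 10 Mobile app can help you:", then comes the added blank line, and the `- View` items carry no `>` prefix, so the blockquote closes at the colon and the items render as an ordinary list outside the note. Prefix the blank line and each list item with `>` to keep them inside the callout. While this paragraph is being touched, "accidently" in the **Allow Manual Root Certificate Installation** sentence should be "accidentally".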
@@ -383,9 +443,13 @@ To diagnose certificate-related issues on Windows 10 Mobile devices, use the fr - View the certificate keys stored in the device TPM.   ### Wi-Fi + People use Wi-Fi on their mobile devices as much as or more than cellular data. Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but you can use your MDM system to fully configure Wi-Fi settings without user intervention. + Table 10 lists the Windows 10 Mobile Wi-Fi connection profile settings. Use the information in this table to help you create Wi-Fi connection profiles in your MDM system. + Table 10. Windows 10 Mobile Wi-Fi connection profile settings + @@ -456,7 +520,9 @@ Table 10. Windows 10 Mobile Wi-Fi connection profile settings
        Table 11 lists the Windows 10 Mobile settings for managing Wi-Fi connectivity. + Table 11. Windows 10 Mobile Wi-Fi connectivity settings + | Setting | Configuration | |--------------------------------------------|----------------------------------------------------------------------------| | Allow Auto Connect To Wi-Fi Sense Hotspots | Whether the device will automatically detect and connect to Wi-Fi networks | @@ -465,12 +531,15 @@ Table 11. Windows 10 Mobile Wi-Fi connectivity settings | WLAN Scan Mode | How actively the device scans for Wi-Fi networks |   ### Proxy + Apps running on Windows 10 Mobile (for example, Microsoft Edge) can use proxy connections to access Internet content, but Wi-Fi connections on the corporate intranet most typically use proxy connections, instead. You can define multiple proxies in Windows 10 Mobile. -**Note**   -Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host Configuration Protocol and Domain Name System (DNS) lookups to locate the PAC file. + +>**Note:**  Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host Configuration Protocol and Domain Name System (DNS) lookups to locate the PAC file.   Table 12 lists the Windows 10 Mobile settings for proxy connections. + Table 12. Windows 10 Mobile proxy connection settings + @@ -538,14 +607,21 @@ Table 12. Windows 10 Mobile proxy connection settings
        ### VPN -In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their company’s intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native Microsoft VPNs (such as Point to Point Tunneling Protocol \[PPTP\], Layer 2 Tunneling Protocol \[L2TP\], and Internet Key Exchange Protocol version 2 \[IKEv2\]), including: + +In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their company’s intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native Microsoft VPNs (such as Point to Point Tunneling Protocol \[PPTP\], Layer 2 Tunneling Protocol \ +[L2TP\], and Internet Key Exchange Protocol version 2 \[IKEv2\]), including: + - IKEv2 - IP security - SSL VPN connections (which require a downloadable plug-in from the VPN server vendor) + You can configure Windows 10 Mobile to use auto-triggered VPN connections, as well. You define a VPN connection for each app that requires intranet connectivity. When users switch between apps, the operating system automatically establishes the VPN connection for that app. In the event the device drops the VPN connection, Windows 10 Mobile automatically reconnects to the VPN without user intervention. + With always-on VPN, Windows 10 Mobile can automatically start a VPN connection when a user signs-in, as well. The VPN stays connected until the user manually disconnects it. MDM support for VPN connections in Windows 10 Mobile includes provisioning and updating VPN connection profiles and associating VPN connections with apps. You can create and provision VPN connection profiles, and then deploy them to managed devices that run Windows 10 Mobile. Table 13 lists the Windows 10 Mobile fields for VPN connection profiles. + Table 13. Windows 10 Mobile VPN connection profile settings + @@ -680,7 +756,9 @@ Table 13. Windows 10 Mobile VPN connection profile settings
        Table 14 lists the Windows 10 Mobile settings for managing VPN connections. These settings help you manage VPNs over cellular data connections, which in turn help reduce costs associated with roaming or data plan charges. + Table 14. Windows 10 Mobile VPN management settings + | Setting | Description | |--------------------------------------|---------------------------------------------------------------------------------| | Allow VPN | Whether users can change VPN settings | @@ -688,10 +766,15 @@ Table 14. Windows 10 Mobile VPN management settings | Allow VPN Over Cellular when Roaming | Whether users can establish VPN connections over cellular networks when roaming |   ### APN profiles + An APN defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators. + An APN provides a private connection to the corporate network that is unavailable to other companies on the mobile operator network. Corporations in Europe and the Asia-Pacific use APNs, but they are not common in the United States. + You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. Table 15 lists the MDM settings that Windows 10 Mobile supports for APN profiles. + Table 15. Windows 10 Mobile APN profile settings + @@ -753,8 +836,12 @@ Table 15. Windows 10 Mobile APN profile settings
        ### Data leak protection -Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organization’s LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks. + +Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organization’s LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data +and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks. + Table 16. Windows 10 Mobile data leak protection settings + | Setting | Description | |----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Allow copy and paste | Whether users can copy and paste content | 
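Review bot: The rewritten first paragraph under "Data leak protection" is now split in the middle of a sentence: one added line ends at "help protect corporate data" and the next begins with "and prevent data leaks". The break changes nothing in the rendered output and will make later diffs of this paragraph harder to read, so keep the paragraph on a single line and add only the blank lines around it. The heading also says "Data leak protection" while the section list in the first hunk links to it as "Data leak prevention"; use one name for both.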
@@ -769,13 +856,19 @@ Table 16. Windows 10 Mobile data leak protection settings | Allow voice recording | Whether users are allowed to perform voice recordings. |   ### Storage management + Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage by using the device encryption in Windows 10 Mobile. This encryption helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. + A feature in Windows 10 Mobile is the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on, so you don’t need to set a policy explicitly to enable it. The SD card is uniquely paired with a device. No other devices can see the apps or data on the encrypted partition, but they can access the data stored on the unencrypted partition of the SD card, such as music or photos. You can disable the **Allow Storage Card** setting to prevent users from using SD cards altogether, but the primary advantage of the SD card app partition–encryption feature is that organizations can give users the flexibility to use an SD card while still protecting the confidential apps and data on it. + If you don’t encrypt storage, you can help protect your corporate apps and data by using the **Restrict app data to the system volume** and **Restrict apps to the system volume** settings. They help ensure that users cannot copy your apps and data to SD cards. + Table 17 lists the MDM storage-management settings that Windows 10 Mobile provides. + Table 17. Windows 10 Mobile storage management settings + @@ -826,33 +919,52 @@ Table 17. Windows 10 Mobile storage management settings
        ## App management + Apps help improve user productivity on mobile devices. New to Windows 10 is the ability for organizations purchase apps from Windows Store for their employees and deploy those apps from Windows Store or an MDM system. App management is becoming a key capability of MDM systems, helping reduce the effort required to perform common app-related tasks, such as distributing apps, and protecting data through app policies. This section describes the app management features in Windows 10 Mobile and includes the following topics: + - [Universal Windows Platform (UWP)](#uwp) - [Sourcing the right app](#sourcing) - [Windows Store for Business](#store) - [Mobile application management (MAM) policies](#mam) - [Microsoft Edge](#edge) + ### Universal Windows Platform + Windows 10 introduces UWP, converging the application platform for all devices running some edition of Windows 10. UWP apps run without modification on all editions of Windows 10, and Windows Store now has apps that you can license and purchased for all your Windows 10 devices. Windows Phone 8.1 and Windows 8.1 apps still run on Windows 10 devices, but the MAM improvements in Windows 10 work only with UWP apps. See the [Guide to Universal Windows Platform (UWP) apps](http://go.microsoft.com/fwlink/p/?LinkId=734056) for additional information. + ### Sourcing the right app + The first step in app management is to obtain the apps your users need, and you can now acquire apps from Windows Store. Developers can also create apps specific to an organization, known as *line-of-business (LOB) apps* (the developers of these apps are *LOB publishers*). An LOB developer (internal or external) can now publish these apps to Windows Store at your request, or you can obtain the app packages offline and distribute them through your MDM system. + To install Windows Store or LOB apps, use the Windows Store cloud service or your MDM system to distribute the app packages. 
Your MDM system can deploy apps online by redirecting the user to a licensed app in Windows Store or offline by distributing a package that you downloaded from Windows Store (also called *sideloading*) on Windows 10 Mobile devices. You can fully automate the app deployment process so that no user intervention is required. + IT administrators can obtain apps through Store for Business. Most apps can be distributed online, meaning that the user must be logged in to the device with an Azure AD account and have Internet access at the time of installation. To distribute an app offline, the developer must opt in. If the app developer doesn’t allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online method. See [Windows Store for Business](windows-store-for-business.md) for additional information about apps obtained through Store for Business. Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a Windows 10 Mobile device. When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with [Windows 10 Mobile Enterprise](#mobile-edition). + Users can install apps from Windows Store that the organization purchases through the Store app on their device. If you allow your users to log in with a Microsoft account, the Store app on the device provides a unified method for installing personal and corporate apps. 
+ ### Store for Business + [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) is a web portal that IT pros and purchasers use to find, acquire, manage, and distribute apps to Windows 10 devices. This online portal gives Azure AD authenticated managers access to Store for Business functionality and settings. Store managers can create a private section of Windows Store in which organizations can manage apps specific and private to them. Store for Business allows organizations to make apps available to their users and purchase app licenses for them. They can also integrate their Store for Business subscriptions with their MDM systems, so the MDM system can deploy apps from their free Store for Business subscription. + The process for using Store for Business is as follows: + 1. Create a Store for Business subscription for your organization. 2. In the Store for Business portal, acquire apps from Windows Store (only free apps are available at this time). 3. In Store for Business, distribute apps to users, and manage the app licenses for the apps acquired in the previous step. 4. Integrate your MDM system with your organization’s Store for Business subscription. 5. Use your MDM system to deploy the apps. + For more information about Store for Business, see [Windows Store for Business](windows-store-for-business.md). + ### Mobile application management (MAM) policies + With MDM, you can manage Device Guard on Windows 10 Mobile and create an allow (whitelist) or deny (blacklist) list of apps. This capability extends to built-in apps, as well, such as phone, text messaging, email, and calendar. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. + You can also control users’ access to Windows Store and whether the Store service updates apps automatically. You can manage all these capabilities through your MDM system. Table 18 lists the Windows 10 Mobile app management settings. 
+ Table 18. Windows 10 Mobile app management settings + | Setting | Description | |------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Allow All Trusted Apps | Whether users can sideload apps on the device | @@ -868,9 +980,13 @@ Table 18. Windows 10 Mobile app management settings | Start screen layout | An XML blob used to configure the Start screen (See [Start layout for Windows 10 Mobile editions](http://go.microsoft.com/fwlink/p/?LinkId=734057) for more information.) |   One potential security issue is that users can register as Windows 10 Mobile app developers and turn on developer features on their device, potentially installing apps from unknown sources and opening the device to malware threats. To prevent users from turning on developer features on their devices, set the **Disable development unlock (side loading)** policy, which you can configure through your MDM system. + ### Microsoft Edge + MDM systems give you the ability to manage Microsoft Edge on mobile devices. Table 19 lists the Microsoft Edge settings for Windows 10 Mobile. + Table 19. Microsoft Edge settings for Windows 10 Mobile + | Setting | Description | |-------------------------------------------------|-------------------------------------------------------------------------------------------------------| | Allow Active Scripting | Whether active scripting is allowed | 
@@ -886,16 +1002,24 @@ Table 19. Microsoft Edge settings for Windows 10 Mobile | Prevent Smart Screen Prompt Override For Files | Whether users can override the SmartScreen Filter warnings about downloading unverified files |   ## Device operations + In this section, you learn how MDM settings in Windows 10 Mobile enable the following scenarios: + - [Device update](#device-update) - [Device compliance monitoring](#device-comp) - [Device inventory](#data-inv) - [Remote assistance](#remote-assist) - [Cloud services](#cloud-serv) + ### Device update + To help protect mobile devices and their data, you must keep those devices updated. Windows Update automatically installs updates and upgrades when they become available. -The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades. + +The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. 
For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). +Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades. + Table 20. Windows 10 Mobile Enterprise update management settings + @@ -968,7 +1092,9 @@ Table 20. Windows 10 Mobile Enterprise update management settings
        In addition to configuring how Windows 10 Mobile Enterprise obtains updates, you can manage individual Windows 10 Mobile updates. Table 21 provides information about approved updates to help you control the rollout of new updates to Windows 10 Mobile Enterprise devices. + Table 21. Windows 10 Mobile Enterprise approved update information + @@ -1025,25 +1151,36 @@ Table 21. Windows 10 Mobile Enterprise approved update information
        + ### Device compliance monitoring + You can use your MDM system to monitor compliance. Windows 10 Mobile provides audit information to track issues or perform remedial actions. This information helps you ensure that devices are configured to comply with organizational standards. + You can also assess the health of devices that run Windows 10 Mobile and take enterprise policy actions. The process that the health attestation feature in Windows 10 Mobile uses is as follows: + 1. The health attestation client collects data used to verify device health. 2. The client forwards the data to the Health Attestation Service (HAS). 3. The HAS generates a Health Attestation Certificate. 4. The client forwards the Health Attestation Certificate and related information to the MDM system for verification. + For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md). + Depending on the results of the health state validation, an MDM system can take one of the following actions: + - Allow the device to access resources. - Allow the device to access resources but identify the device for further investigation. - Prevent the device from accessing resources. + Table 21 lists data points that the HAS collects and evaluates from devices that run Windows 10 Mobile to determine the action to perform. For most of these data points, the MDM system can take one of the following actions: + - Disallow all access. - Disallow access to high-business-impact assets. - Allow conditional access based on other data points that are present at evaluation time—for example, other attributes on the health certificate or a device’s past activities and trust history. - Take one of the previous actions, and also place the device on a watch list to monitor it more closely for potential risks. - Take corrective action, such as informing IT administrators to contact the owner and investigate the issue. 
+ Table 21. Windows 10 Mobile HAS data points + | Data point | Description | |----------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Attestation Identity Key (AIK) present | Indicates that an AIK is present (in other words, the device can be trusted more than a device without an AIK). | 
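Review bot: "Table 21" is used for two different tables. The hunk header shows "Table 21. Windows 10 Mobile Enterprise approved update information" for the preceding table, and this hunk keeps both "Table 21 lists data points that the HAS collects" and the caption "Table 21. Windows 10 Mobile HAS data points". Since the lines around both captions are being edited here, renumber the HAS table and the tables that follow it, and update the "Table 21 lists" reference to match.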
@@ -1062,38 +1199,46 @@ Table 21. Windows 10 Mobile HAS data points | Boot cycle whitelist | The view of the host platform between boot cycles as defined by the manufacturer compared to a published whitelist. A device that complies with the whitelist is more trustworthy (secure) than a device that is noncompliant. |   ### Device inventory + Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely, and you can use the system’s reporting capabilities to analyze device resources and information. With this information, you can determine the current hardware and software resources of the device (for example, installed updates). + Table 22 lists examples of the Windows 10 Mobile software and hardware information that a device inventory provides. In addition to this information, the MDM system can read any of the configuration settings described in this guide. + Table 22. Windows 10 Mobile software and hardware inventory examples -| Setting | Description | -|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Installed enterprise apps | List of the enterprise apps installed on the device | -| Device name | The device name configured for the device | -| Firmware version | Version of firmware installed on the device | -| Operating system version | Version of the operating system installed on the device | -| Device local time | Local time on the device | -| Processor type | Processor type for the device | -| Device model | Model of the device as defined by the manufacturer | -| Device manufacturer | Manufacturer of the device | -| Device processor architecture | Processor architecture for 
the device | -| Device language | Language in use on the device | -| Phone number | Phone number assigned to the device | -| Roaming status | Indicates whether the device has a roaming cellular connection | -| International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) | Unique identifiers for the cellular connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user | -| Wi-Fi IP address | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device | -| Wi-Fi media access control (MAC) address | MAC address assigned to the Wi-Fi adapter in the device | -| Wi-Fi DNS suffix and subnet mask | DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device | -| Secure Boot state | Indicates whether Secure Boot is enabled | -| Enterprise encryption policy compliance | Indicates whether the device is encrypted | + +| Setting | Description | +| - | - | +| Installed enterprise apps | List of the enterprise apps installed on the device | +| Device name | The device name configured for the device | +| Firmware version | Version of firmware installed on the device | +| Operating system version | Version of the operating system installed on the device | +| Device local time | Local time on the device | +| Processor type | Processor type for the device | +| Device model | Model of the device as defined by the manufacturer | +| Device manufacturer | Manufacturer of the device | +| Device processor architecture | Processor architecture for the device | +| Device language | Language in use on the device | +| Phone number | Phone number assigned to the device | +| Roaming status | Indicates whether the device has a roaming cellular connection | +| International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) | Unique identifiers for the cellular 
connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user | | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device | +| Wi-Fi media access control (MAC) address | MAC address assigned to the Wi-Fi adapter in the device | +| Wi-Fi DNS suffix and subnet mask | DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device | +| Secure Boot state | Indicates whether Secure Boot is enabled | +| Enterprise encryption policy compliance | Indicates whether the device is encrypted |   ### Remote assistance + The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even when the help desk does not have physical access to the device. These features include: + - **Remote lock.** Support personnel can remotely lock a device. This ability can help when a user loses his or her mobile device and can retrieve it but not immediately (for example, leaving the device at a customer site). - **Remote PIN reset.** Support personnel can remotely reset the PIN, which helps when users forget their PIN and are unable to access their device. No corporate or user data is lost, and users are able to gain access to their devices quickly. - **Remote ring.** Support personnel can remotely make devices ring. This ability can help users locate misplaced devices and, in conjunction with the Remote Lock feature, help ensure that unauthorized users are unable to access the device if they find it. - **Remote find.** Support personnel can remotely locate a device on a map, which helps identify the geographic location of the device. To configure Windows 10 Mobile remote find, use the settings in Table 23. The remote find feature returns the most current latitude, longitude, and altitude of the device. 
+ These remote management features help organizations reduce the IT effort required to manage devices. They also help users quickly regain use of their device should they misplace it or forget the device password. + Table 23. Windows 10 Mobile remote find settings + | Setting | Description | |---------------------------|---------------------------------------------------------------------------------------------------------------------------------| | Desired location accuracy | The desired accuracy as a radius value in meters; has a value between 1 and 1,000 meters | 
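Review bot: The reformatted Table 22 in the @@ -1062,38 +1199,46 @@ hunk loses the "Wi-Fi IP address" setting name. The added IMEI/IMSI row runs straight into `| | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device |`, so that row ends up with extra cells and the Wi-Fi address inventory item has no label. Restore it as its own row with `Wi-Fi IP address` in the first column, as in the removed lines.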
@@ -1101,37 +1246,49 @@ Table 23. Windows 10 Mobile remote find settings | Remote find timeout | The number of seconds devices should wait for a remote find to finish; has a value between 0 and 1,800 seconds |   ### Cloud services + On mobile devices that run Windows 10 Mobile, users can easily connect to apps and data. As a result, they frequently connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services. + **Manage push notifications** + The Windows Push Notification Services enable software developers to send toast, tile, badge, and raw updates from their cloud services. It provides a mechanism to deliver updates to users in a power-efficient and dependable way. Push notifications can affect battery life, however, so the battery saver in Windows 10 Mobile limits background activity on the devices to extend battery life. Users can configure battery saver to turn on automatically when the battery drops below a set threshold. When battery saver is on, Windows 10 Mobile disables the receipt of push notifications to save energy. + There is an exception to this behavior, however. In Windows 10 Mobile, the **Always allowed** battery saver settings (found in the Settings app) allow apps to receive push notifications even when battery saver is on. Users can manually configure this list, or you can use the MDM system to configure it—that is, you can use the battery saver settings URI scheme in Windows 10 Mobile (**ms-settings:batterysaver-settings**) to configure these settings. For more information about push notifications, see [Windows Push Notification Services (WNS) overview](http://go.microsoft.com/fwlink/p/?LinkId=734060). + **Manage telemetry** + As people use Windows 10 Mobile, it can collect performance and usage telemetry that helps Microsoft identify and troubleshoot problems as well as improve its products and services. 
Microsoft recommends that you select **Full** for this setting. Microsoft employees, contractors, vendors, and partners might have access to relevant portions of the information that Windows 10 Mobile collects, but they are permitted to use the information only to repair or improve Microsoft products and services or third-party software and hardware designed for use with Microsoft products and services. + You can control the level of data that MDM systems collect. Table 24 lists the data levels that Windows 10 Mobile collects and provides a brief description of each. To configure devices, specify one of these levels in the **Allow Telemetry** setting. Table 24. Windows 10 Mobile data collection levels -| Level of data | Description | -|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Security | Collects only the information required to keep Windows 10 Mobile enterprise-grade secure, including information about telemetry client settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core. For Windows 10 Mobile, this setting disables Windows 10 Mobile telemetry. | +| Level of data | Description | +|- | - | +| Security | Collects only the information required to keep Windows 10 Mobile enterprise-grade secure, including information about telemetry client settings, the Malicious Software Removal Tool, and Windows Defender. 
This level is available only on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core. For Windows 10 Mobile, this setting disables Windows 10 Mobile telemetry. | | Basic | Provides only the data vital to the operation of Windows 10 Mobile. This data level helps keep Windows 10 Mobile and apps running properly by letting Microsoft know the device’s capabilities, what’s installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. By selecting this option, you allow Microsoft to provide updates through Windows Update, including malicious software protection through the Malicious Software Removal Tool. | | Enhanced | Includes all Basic data plus data about how users use Windows 10 Mobile, such as how frequently or how long they use certain features or apps and which apps they use most often. This option also lets operating system collect enhanced diagnostic information, such as the memory state of a device when a system or app crash occurs, and measure reliability of devices, the operating system, and apps. | | Full | Includes all Basic and Enhanced data and also turns on advanced diagnostic features that collect additional data from devices, such as system files or memory snapshots, which may unintentionally include parts of documents user are working on when a problem occurred. This information helps Microsoft further troubleshoot and fix problems. If an error report contains personal data, Microsoft does not use that information to identify, contact, or target advertising to users. |   ## Device retirement + Device retirement (unenrollment) is the last phase of the device life cycle. Historically, mobile device retirement has been a complex and difficult process for organizations. When the organization no longer needs devices, it must remove (wipe) corporate data from them. 
BYOD scenarios make retirement even more complex because users expect their personal apps and data to remain untouched. Therefore, organizations must remove their data without affecting users’ data. + You can remotely remove all corporate data from devices that run Windows 10 Mobile without affecting existing user data (partial or enterprise wipe). The help desk or the devices’ users can initiate device retirement. When retirement is complete, Windows 10 Mobile returns the devices to a consumer state, as they were before enrollment. The following list summarizes the corporate data removed from a device when it’s retired: + - Email accounts - Enterprise-issued certificates - Network profiles - Enterprise-deployed apps - Any data associated with the enterprise-deployed apps -**Note**   -All these features are in addition to the device’s software and hardware factory reset features, which users can use to restore devices to their factory configuration. + +>**Note:**  All these features are in addition to the device’s software and hardware factory reset features, which users can use to restore devices to their factory configuration.   To specify whether users can delete the workplace account in Control Panel and unenroll from the MDM system, enable the **Allow Manual MDM Unenrollment** setting. Table 25 lists additional Windows 10 remote wipe settings that you can use the MDM system to configure. + Table 25. Windows 10 Mobile remote wipe settings + | Setting | Description | |-------------------------------|----------------------------------------------------------------------------------------------------------------------| | Wipe | Specifies that a remote wipe of the device should be performed | 
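Review bot: The Table 24 caption in the @@ -1101,37 +1246,49 @@ hunk is still attached to the paragraph ending "**Allow Telemetry** setting." and to the table header below it. Tables 22, 23 and 25 each get an added blank line on both sides of the caption in this patch, but none is added here. Add the two blank lines, and write the new delimiter row as `| - | - |` to match Table 22 instead of `|- | - |`.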
@@ -1139,9 +1296,8 @@ Table 25. Windows 10 Mobile remote wipe settings | Allow user to reset phone | Whether users are allowed to use Control Panel or hardware key combinations to return the device to factory defaults |   ## Related topics -[Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050) -[Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) -[Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052) -[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) -  -  + +- [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050) +- [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) +- [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052) +- [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) From ebaf07c2e006a2ac8644c324353a9b08a413590e Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 May 2016 14:20:20 -0700 Subject: [PATCH 065/169] moved topic, added Start policy --- windows/manage/TOC.md | 2 +- .../group-policies-for-enterprise-and-education-editions.md | 3 ++- windows/manage/lock-down-windows-10.md | 5 +---- windows/manage/manage-corporate-devices.md | 2 ++ 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 64b224d198..621ce3f5ca 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md 
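Review bot: The four Related topics links rewritten in the @@ -1139,9 +1296,8 @@ hunk keep their `http://go.microsoft.com/fwlink/...` form. Since every one of these lines is being touched anyway, change the scheme to `https://` so the first request for each link is not made in cleartext.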
@@ -4,6 +4,7 @@ ## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) ## [Manage corporate devices](manage-corporate-devices.md) ### [New policies for Windows 10](new-policies-for-windows-10.md) +### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) ### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) ### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) ### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) @@ -25,7 +26,6 @@ #### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) #### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) ### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) -### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) ## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) ## [Configure devices without MDM](configure-devices-without-mdm.md) ## [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index ee2fd20508..b448b368bd 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md 
@@ -16,4 +16,5 @@ In Windows 10, version 1511, the following Group Policies apply only to Windows | Policy name | Policy path | Comments | | - | - | - | -| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

      User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). \ No newline at end of file +| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

      User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). | +| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | \ No newline at end of file diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index f0782128f5..142d9f3824 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -67,10 +67,7 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p

      [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)

      There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.

      - -

      [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)

      -

      New

      - + diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md index 227070a768..bbfa571b02 100644 --- a/windows/manage/manage-corporate-devices.md +++ b/windows/manage/manage-corporate-devices.md @@ -117,6 +117,8 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & [New policies for Windows 10](new-policies-for-windows-10.md) +[Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) + [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) From fc04d08d94b7d3a85a02645d160245893c82d52a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 23 May 2016 14:52:19 -0700 Subject: [PATCH 066/169] add lockscreen (spotlight) policy --- .../group-policies-for-enterprise-and-education-editions.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index b448b368bd..5d5f71e9f1 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -17,4 +17,6 @@ In Windows 10, version 1511, the following Group Policies apply only to Windows | Policy name | Policy path | Comments | | - | - | - | | Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

      User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). | -| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | \ No newline at end of file +| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | +| Force a specific default lock screen image | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | + \ No newline at end of file From 4842f352e2fb22931965a0763c083f3eba5fbdd5 Mon Sep 17 00:00:00 2001 
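Review bot: In the group-policies-for-enterprise-and-education-editions.md table, the re-added Start layout row writes its policy path with backslashes (`User Configuration\Administrative Templates\Start Menu and Taskbar`) while the Store row above it and the new lock screen row use ` > ` separators. Pick one form for the column. Both new rows also stop at the containing folder, where the Store row ends with the policy name, so an administrator cannot tell from the path which setting is meant. The final added line is whitespace only and the file still ends without a newline; drop that line and terminate the last table row with a newline instead.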
From: Brian Lich Date: Mon, 23 May 2016 15:46:23 -0700 Subject: [PATCH 067/169] fixing spacing issues --- ...criptor-definition-language-sddl-syntax.md | 87 +++++++++-------- ...criptor-definition-language-sddl-syntax.md | 90 +++++++++--------- windows/keep-secure/debug-programs.md | 91 +++++++++--------- .../keep-secure/delete-an-applocker-rule.md | 21 +++-- ...ccess-to-this-computer-from-the-network.md | 89 +++++++++--------- .../keep-secure/deny-log-on-as-a-batch-job.md | 94 ++++++++++--------- .../keep-secure/deny-log-on-as-a-service.md | 90 +++++++++--------- windows/keep-secure/deny-log-on-locally.md | 86 ++++++++--------- ...-log-on-through-remote-desktop-services.md | 86 ++++++++--------- ...oy-the-applocker-policy-into-production.md | 24 ++++- ...p-policy-structure-and-rule-enforcement.md | 46 +++------ ...igitally-signed-on-a-reference-computer.md | 15 ++- ...ine-your-application-control-objectives.md | 11 ++- windows/keep-secure/manage-tpm-lockout.md | 37 ++++++-- 14 files changed, 471 insertions(+), 396 deletions(-) diff --git a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 5d4da312b6..6fe17f05af 100644 --- a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
@@ -2,86 +2,91 @@ title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. + ## Reference + This policy setting allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM)–based applications on a device. These controls restrict call, activation, or launch requests on the device. A simple way to think about these access controls is as an additional access check that is performed against a device-wide access control list (ACL) on each call, activation, or launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to access any COM-based server. This policy setting controls access permissions to cover call rights. + These device-wide ACLs provide a way to override weak security settings that are specified by an application through the CoInitializeSecurity function or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific server. 
+ These ACLs also provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers on the device. + This policy setting allows you to specify an ACL in two different ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. + ### Possible values + - *User-defined input* of the SDDL representation of the groups and privileges + When you specify the users or groups that are to be given permissions, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. Users and groups can be given explicit Allow or Deny privileges for local access and remote access. + - Blank + This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Blank

      Default Domain Controller Policy

      Blank

      Stand-Alone Server Default Settings

      Blank

      DC Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value +| - | - | +| Default Domain Policy | Blank | +| Default Domain Controller Policy | Blank | +| Stand-Alone Server Default Settings | Blank | +| DC Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined |   ## Policy management + This section describes features and tools that are available to help you manage this policy. ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users are not changed. Use care in configuring the list of users and groups. -If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. 
To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value. + +If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click +**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. Administrators cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. 
+ Also, the COM infrastructure includes the Remote Procedure Call Services (RPCSS), a system service that runs during and after computer startup. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote access, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users who use remote, unauthenticated computers. + ### Countermeasure + To protect individual COM-based applications or services, set the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting to an appropriate device-wide ACL. + ### Potential impact + Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific call permissions that ACL assigns are the correct permissions for appropriate users. If it does not, you must change your application-specific permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. + ## Related topics -[Security Options](security-options.md) + +- [Security Options](security-options.md)     diff --git a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index ec95e60bb9..d4c42764a5 100644 --- a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
+++ b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
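Review bot: In the dcom-machine-access-restrictions hunk (@@ -2,86 +2,91 @@), the header row of the new Default values table, `| Server type or GPO | Default value`, is missing its closing pipe, unlike the delimiter row and every data row under it; add the trailing `|`. The rewritten Group Policy paragraph also introduces a line break between "click" and `**Edit Security**`, which is at odds with a commit described as fixing spacing; keep that sentence on one line.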
@@ -2,86 +2,90 @@ title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting. ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- + # DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. + ## Reference + This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define additional computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an additional access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. 
The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server. + These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers. -The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. +The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local +Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. + ### Possible values + - Blank + This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. 
+ - *User-defined input* of the SDDL representation of the groups and privileges + When you specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. Users and groups can be given explicit Allow or Deny privileges on both local access and remote access. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Blank

      Default Domain Controller Policy

      Blank

      Stand-Alone Server Default Settings

      Blank

      DC Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Blank | +| Default Domain Controller Policy | Blank| +| Stand-Alone Server Default Settings |Blank | +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. The Remote Procedure Call (RPC) service (RpcSs) checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE. + If you are denied access to activate and launch DCOM applications due to the changes made to DCOM in the Windows operating system, this policy setting can be used to control the DCOM activation and launch to the device. + You can specify which users and groups can launch and activate DCOM applications on the device locally and remotely by using the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the groups that you want to include and the device launch permissions for those groups. This defines the setting and sets the appropriate SDDL value. 
+ ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. You cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. + Also, the COM infrastructure includes the Remote Procedure Call Service (RPCSS), a system service that runs during computer startup and always runs after that. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote component activation, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users using remote, unauthenticated computers. + ### Countermeasure + To protect individual COM-based applications or services, set this policy setting to an appropriate computer-wide ACL. + ### Potential impact + Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific launch permissions ACL assigns include activation permissions to appropriate users. 
If it does not, you must change your application-specific launch permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/debug-programs.md b/windows/keep-secure/debug-programs.md index cfcafef2b9..4b133fd251 100644 --- a/windows/keep-secure/debug-programs.md +++ b/windows/keep-secure/debug-programs.md 
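Review bot: In dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md, the rewrapped paragraph under Reference now breaks in the middle of a permission name, leaving "grant or deny Local" on one line and "Access and Remote Access permissions" on the next; keep the paragraph on one line or break it at a sentence boundary. The same paragraph still bolds the setting as "Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax", while the title and the Group Policy section omit "the", so the name could be aligned while the line is being touched. The hunk also adds an empty line between "author: brianlic-msft" and the closing "---" of the front matter, which the debug-programs.md change in this patch does not do; drop it for consistency.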
@@ -2,88 +2,91 @@ title: Debug programs (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting. ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Debug programs + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Debug programs** security policy setting. + ## Reference + This policy setting determines which users can attach to or open any process, even those they do not own. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components. + Constant: SeDebugPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - Assign this user right only to trusted users to reduce security vulnerabilities. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      Stand-Alone Server Default Settings

      Administrators

      Domain Controller Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Administrators | +| Stand-Alone Server Default Settings | Administrators | +| Domain Controller Effective Default Settings | Administrators | +| Member Server Effective Default Settings | Administrators | +| Client Computer Effective Default Settings | Administrators |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability. + +The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. 
Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. +By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability. + ### Countermeasure + Remove the accounts of all users and groups that do not require the **Debug programs** user right. + ### Potential impact -If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU. + +If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) +temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/delete-an-applocker-rule.md b/windows/keep-secure/delete-an-applocker-rule.md index 7b34477fad..ad342ee6cf 100644 --- a/windows/keep-secure/delete-an-applocker-rule.md +++ b/windows/keep-secure/delete-an-applocker-rule.md 
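Review bot: In debug-programs.md, the Potential impact paragraph is wrapped mid-sentence after "organizational unit (OU)", with "temporarily and assign the **Debug programs** user right" starting the next line, while the Vulnerability paragraph in the same hunk breaks at a sentence boundary ("By default, ..."); pick one wrapping convention so later diffs of these paragraphs stay readable. The new table rows are also padded unevenly ("| Default Domain Policy | Not defined|" beside "| Default Domain Controller Policy | Administrators |"); space the cells consistently.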
@@ -2,26 +2,33 @@ title: Delete an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to delete an AppLocker rule. ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Delete an AppLocker rule + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to delete an AppLocker rule. + As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running. + For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer +AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To delete a rule in an AppLocker policy** + 1. Open the AppLocker console. 2. Click the appropriate rule collection for which you want to delete the rule. 3. 
In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**. -**Note**   -When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed. + +>**Note:**  When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed. + When this procedure is performed on the local device, the AppLocker policy takes effect immediately. -  -  -  diff --git a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md index 07247e4be1..df4e48dc46 100644 --- a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md +++ b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md 
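Review bot: In delete-an-applocker-rule.md, the sentence beginning "For info how to use these MMC snap-ins" is rewritten by this hunk but keeps the missing preposition and is now split between "administer" and "AppLocker"; suggest "For info about how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins)." kept on one line.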
@@ -2,94 +2,99 @@ title: Deny access to this computer from the network (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting. ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny access to this computer from the network + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting. + ## Reference + This security setting determines which users are prevented from accessing a device over the network. + Constant: SeDenyNetworkLogonRight + ### Possible values + - User-defined list of accounts - Guest + ### Best practices + - Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this setting is Guest on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Guest

      Stand-Alone Server Default Settings

      Guest

      Domain Controller Effective Default Settings

      Guest

      Member Server Effective Default Settings

      Guest

      Client Computer Effective Default Settings

      Guest

      + + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Guest | +| Stand-Alone Server Default Settings | Guest | +| Domain Controller Effective Default Settings | Guest | +| Member Server Effective Default Settings | Guest | +| Client Computer Effective Default Settings | Guest |   ## Policy management + This section describes features and tools available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + This policy setting supersedes the **Access this computer from the network** policy setting if a user account is subject to both policies. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data. 
+ ### Countermeasure + Assign the **Deny access to this computer from the network** user right to the following accounts: + - Anonymous logon - Built-in local Administrator account - Local Guest account - All service accounts + An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns. + ### Potential impact + If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-as-a-batch-job.md b/windows/keep-secure/deny-log-on-as-a-batch-job.md index 11dbb9313f..d3abeeb6d5 100644 --- a/windows/keep-secure/deny-log-on-as-a-batch-job.md +++ b/windows/keep-secure/deny-log-on-as-a-batch-job.md 
@@ -2,92 +2,98 @@ title: Deny log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting. ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on as a batch job + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting. + ## Reference -This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task Scheduler. + +This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task +Scheduler. + Constant: SeDenyBatchLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + 1. When you assign this user right, thoroughly test that the effect is what you intended. 2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). 3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks, which helps with business continuity when that person transitions to other positions or responsibilities. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      Domain Controller Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined | +| Domain Controller Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined |   ## Policy management + This section describes features and tools available to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + This policy setting might conflict with and negate the **Log on as a batch job** setting. + ### Group Policy + On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. -For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. + +For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** + +User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. 
Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Accounts that have the **Deny log on as a batch job** user right could be used to schedule jobs that could consume excessive computer resources and cause a denial-of-service condition. + ### Countermeasure + Assign the **Deny log on as a batch job** user right to the local Guest account. + ### Potential impact + If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. You should confirm that delegated tasks are not affected adversely. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-as-a-service.md b/windows/keep-secure/deny-log-on-as-a-service.md index af4556d1b8..8fa66ee734 100644 --- a/windows/keep-secure/deny-log-on-as-a-service.md +++ b/windows/keep-secure/deny-log-on-as-a-service.md 
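Review bot: In deny-log-on-as-a-batch-job.md, the Group Policy paragraph gains an empty added line between "Verify the targeted account is not present in the **Deny log on as a batch job**" and "User Rights Assignment and also correctly configured in the **Log on as a batch job** setting.", which splits one sentence into two Markdown paragraphs; remove the blank line so the instruction renders as a single sentence. The Reference paragraph has a similar wrap between "Task" and "Scheduler", which renders correctly but is worth joining for the same reason.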
@@ -2,91 +2,95 @@ title: Deny log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting. ms.assetid: f1114964-df86-4278-9b11-e35c66949794 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on as a service + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting. + ## Reference + This policy setting determines which users are prevented from logging on to the service applications on a device. + A service is an application type that runs in the system background without a user interface. It provides core operating system features, such as web serving, event logging, file serving, printing, cryptography, and error reporting. + Constant: SeDenyServiceLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + 1. When you assign this user right, thoroughly test that the effect is what you intended. 2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      Domain Controller Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined | +| Domain Controller Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined |   ## Policy management + This section describes features and tools available to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. + This policy setting might conflict with and negate the **Log on as a service** setting. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. 
The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure services, and an attacker who has already attained that level of access could configure the service to run by using the System account. + +Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure +services, and an attacker who has already attained that level of access could configure the service to run by using the System account. + ### Countermeasure + We recommend that you not assign the **Deny log on as a service** user right to any accounts. This is the default configuration. Organizations that are extremely concerned about security might assign this user right to groups and accounts when they are certain that they will never need to log on to a service application. + ### Potential impact + If you assign the **Deny log on as a service** user right to specific accounts, services may not start and a denial-of-service condition could result. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-locally.md b/windows/keep-secure/deny-log-on-locally.md index e8bc095116..916d358f89 100644 --- a/windows/keep-secure/deny-log-on-locally.md +++ b/windows/keep-secure/deny-log-on-locally.md 
@@ -2,90 +2,92 @@ title: Deny log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting. ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on locally + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on locally** security policy setting. + ## Reference + This policy setting determines which users are prevented from logging on directly at the device's console. + Constant: SeDenyInteractiveLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + 1. Assign the **Deny log on locally** user right to the local guest account to restrict access by potentially unauthorized users. 2. Test your modifications to this policy setting in conjunction with the **Allow log on locally** policy setting to determine if the user account is subject to both policies. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      Domain Controller Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + If you apply this policy setting to the Everyone group, no one will be able to log on locally. + ### Group Policy + This policy setting supersedes the **Allow log on locally** policy setting if a user account is subject to both policies. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any account with the ability to log on locally could be used to log on at the console of the device. If this user right is not restricted to legitimate users who must log on to the console of the device, unauthorized users might download and run malicious software that elevates their user rights. + ### Countermeasure + Assign the **Deny log on locally** user right to the local Guest account. 
If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. + ### Potential impact + If you assign the **Deny log on locally** user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on device that are configured with the Web Server role. You should confirm that delegated activities are not adversely affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md index 85f6651839..6877912bae 100644 --- a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md 
@@ -2,89 +2,91 @@ title: Deny log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting. ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deny log on through Remote Desktop Services + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Deny log on through Remote Desktop Services** security policy setting. + ## Reference + This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It is possible for a user to establish a Remote Desktop connection to a particular server, but not be able to log on to the console of that server. + Constant: SeDenyRemoteInteractiveLogonRight + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - To control who can open a Remote Desktop connection and log on to the device, add the user account to or remove user accounts from the Remote Desktop Users group. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      Domain Controller Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + The **Remote System** property controls settings for Remote Desktop Services (**Allow or prevent remote connections to the computer**) and for Remote Assistance (**Allow Remote Assistance connections to this computer**). + ### Group Policy + This policy setting supersedes the [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md) policy setting if a user account is subject to both policies. + Group Policy settings are applied in the following order. They overwrite settings on the local device at the next Group Policy update. + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. Organizational unit policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the device. 
If this user right is not restricted to legitimate users who need to log on to the console of the computer, malicious users might download and run software that elevates their user rights. + ### Countermeasure + Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. + ### Potential impact + If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right cannot connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/deploy-the-applocker-policy-into-production.md b/windows/keep-secure/deploy-the-applocker-policy-into-production.md index 1fbb0a2cc3..32e3cd0d65 100644 --- a/windows/keep-secure/deploy-the-applocker-policy-into-production.md +++ b/windows/keep-secure/deploy-the-applocker-policy-into-production.md 
@@ -2,31 +2,45 @@ title: Deploy the AppLocker policy into production (Windows 10) description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Deploy the AppLocker policy into production + **Applies to** - Windows 10 + This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. + After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from **Audit only** to **Enforce rules**. However, it is important to follow the deployment plan that you created earlier. For more info, see the [AppLocker Design Guide](applocker-policies-design-guide.md). Depending on the needs of different business groups in your organization, you might deploy different enforcement settings for linked GPOs. + ### Understand your design decisions + Before you deploy an AppLocker policy, you should determine: + - For each business group, which applications will be controlled and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). - How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md). - How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). 
- Your GPO structure, including how to include policies generated by Software Restriction Policies and AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). + For info about how AppLocker deployment is dependent on design decisions, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). + ### AppLocker deployment methods -If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then observe the events that are generated. + +If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then +observe the events that are generated. - [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) + This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means. + - [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) + This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to **Audit only** or to **Enforce rules**. + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) 
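Review bot: in deploy-the-applocker-policy-into-production.md, the rewritten paragraph under "AppLocker deployment methods" is split mid-sentence across two added lines ("...set the enforcement setting on **Audit only**, then" followed by "observe the events that are generated."), while every other paragraph in the file stays on one line. Keep the sentence on a single line so the source is consistent and later diffs of this paragraph stay readable. The hunk also leaves "### Understand your design decisions" and "### AppLocker deployment methods" as level-3 headings directly under the H1, next to a level-2 "## See also"; if heading levels are in scope for this cleanup, promote them to "##".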
diff --git a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md index 68200b376d..5733fd532e 100644 --- a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md @@ -2,51 +2,33 @@ title: Determine the Group Policy structure and rule enforcement (Windows 10) description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules. ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Determine the Group Policy structure and rule enforcement + **Applies to** - Windows 10 + This overview topic describes the process to follow when you are planning to deploy AppLocker rules. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)

      This topic describes the AppLocker enforcement settings for rule collections.

      [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)

      This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.

      [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md)

      This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.

      + +| Topic | Description | +| - | - | +| [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) | This topic describes the AppLocker enforcement settings for rule collections. | +| [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.| +| [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. |   When you are determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following: + - Whether you are creating new GPOs or using existing GPOs - Whether you are implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO - GPO naming conventions - GPO size limits -**Note**   -There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB. -  -  -  + +>**Note:**  There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB. diff --git a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index ad2925ee0a..a02d55ecc7 100644 
--- a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md 
@@ -2,24 +2,35 @@ title: Determine which apps are digitally signed on a reference device (Windows 10) description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Determine which apps are digitally signed on a reference device + **Applies to** - Windows 10 + This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. + The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device does not need to be joined to the domain. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To determine which apps are digitally signed on a reference device** 1. Run **Get-AppLockerFileInformation** with the appropriate parameters. + The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + 2. Analyze the publisher's name and digital signature status from the output of the command. + For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](http://technet.microsoft.com/library/ee460961.aspx). 
+ ## Related topics -[Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) + +- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)     diff --git a/windows/keep-secure/determine-your-application-control-objectives.md b/windows/keep-secure/determine-your-application-control-objectives.md index 55e77bdb3b..65098f5d72 100644 --- a/windows/keep-secure/determine-your-application-control-objectives.md +++ b/windows/keep-secure/determine-your-application-control-objectives.md 
@@ -2,19 +2,26 @@ title: Determine your application control objectives (Windows 10) description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Determine your application control objectives + **Applies to** - Windows 10 + This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. + AppLocker is very effective for organizations with app restriction requirements whose environments have a simple topography and the application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the PCs that they manage for a relatively small number of apps. + There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns. + Use the following table to develop your own objectives and determine which application control feature best addresses those objectives. + @@ -149,5 +156,3 @@ Use the following table to develop your own objectives and determine which appli
        For more general info, see [AppLocker](applocker-overview.md). -  -  diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md index efe696a11e..7c75700ed0 100644 --- a/windows/keep-secure/manage-tpm-lockout.md +++ b/windows/keep-secure/manage-tpm-lockout.md 
@@ -2,48 +2,73 @@ title: Manage TPM lockout (Windows 10) description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Manage TPM lockout + **Applies to** - Windows 10 + This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. + ## About TPM lockout + The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode. + TPM ownership is commonly taken the first time BitLocker Drive Encryption is turned on for the computer. In this case, the TPM owner authorization password is saved with the BitLocker recovery key. When the BitLocker recovery key is saved to a file, BitLocker also saves a TPM owner password file (.tpm) with the TPM owner password hash value. When the BitLocker recovery key is printed, the TPM owner password is printed at the same time. You can also save your TPM owner password hash value to Active Directory Domain Services (AD DS) if your organization's Group Policy settings are configured to do so. + In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. 
To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values. + The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM manufacturers implement different protection mechanisms and behavior. The general guidance is for the TPM chip to take exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time. + If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. + ## Reset the TPM lockout by using the TPM MMC + The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. + **To reset the TPM lockout** + 1. Open the TPM MMC (tpm.msc). 2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. 3. Choose one of the following methods to enter the TPM owner password: - If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location. - If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided. 
- **Note**   - If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it. + + >**Note:**  If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.   ## Use Group Policy to manage TPM lockout settings + The TPM Group Policy settings in the following list are located at: + **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** + - [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#bkmk-individual) + This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization. + - [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-suld) + This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization. 
+ - [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-total) + This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization. + For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#bkmk-howtpmmitigates). + ## Use the TPM cmdlets + If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: + **dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). + ## Additional resources -For more info about TPM, see [TPM technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). -  -  + +For more info about TPM, see [TPM technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). \ No newline at end of file From 7535ffb5ab884c5d1eec7e433a0e2cdbd5c93451 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 23 May 2016 15:57:29 -0700 Subject: [PATCH 068/169] fixing spacing issues --- ...s-allow-undock-without-having-to-log-on.md | 82 +++++++++--------- ...wed-to-format-and-eject-removable-media.md | 83 +++++++++--------- ...t-users-from-installing-printer-drivers.md | 84 +++++++++---------- ...m-access-to-locally-logged-on-user-only.md | 83 +++++++++--------- 4 files changed, 159 insertions(+), 173 deletions(-) diff --git a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md index 1283cb2181..0d237c5cd4 100644 
--- a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md +++ b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md 
@@ -2,84 +2,78 @@ title: Devices Allow undock without having to log on (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting. ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Allow undock without having to log on + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting. + ## Reference + This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must log on to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission. -**Note**   -Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. + +>**Note:**  Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality.   Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that do not have docking stations, this policy setting has no impact. 
However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + It is advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to log on to the local console before they can undock their systems. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings| Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If this policy setting is enabled, anyone with physical access to portable computers in docking stations could remove them and possibly tamper with them. + ### Countermeasure + Disable the **Devices: Allow undock without having to log on** setting. ### Potential impact + Users who have docked their device must log on to the local console before they can undock their computers. For devices that do not have docking stations, this policy setting has no impact. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md index 146ef13dde..9c9a232738 100644 --- a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md 
@@ -2,82 +2,79 @@ title: Devices Allowed to format and eject removable media (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting. ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Allowed to format and eject removable media + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting. + ## Reference + This policy setting determines who is allowed to format and eject removable media. + Users can move removable disks to a different device where they have administrative user rights and then take ownership of any file, assign themselves full control, and view or modify any file. The advantage of configuring this policy setting is diminished by the fact that most removable storage devices will eject media with the press of a button. + ### Possible values + - Administrators - Administrators and Power Users - Administrators and Interactive Users (not applicable to Windows Server 2008 R2 or Windows 7 and later) - Not defined + ### Best practices + - It is advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Administrators

      DC Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Administrators| +| DC Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button is pressed diminishes the advantage of this policy setting. + +Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button +is pressed diminishes the advantage of this policy setting. + ### Countermeasure + Configure the **Devices: Allowed to format and eject removable media** setting to **Administrators**. + ### Potential impact + Only administrators can format and eject removable media. If users are in the habit of using removable media for file transfers and storage, they must be informed of the change in policy. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md index 9a31968fed..c71b4b04d5 100644 --- a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md 
@@ -2,82 +2,80 @@ title: Devices Prevent users from installing printer drivers (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting. ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Prevent users from installing printer drivers + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting. + ## Reference + For a device to print to a network printer, the driver for that network printer must be installed locally. The **Devices: Prevent users from installing printer drivers** policy setting determines who can install a printer driver as part of adding a network printer. When you set the value to **Enabled**, only Administrators and Power Users can install a printer driver as part of adding a network printer. Setting the value to **Disabled** allows any user to install a printer driver as part of adding a network printer. This setting prevents unprivileged users from downloading and installing an untrusted printer driver. + This setting has no impact if you have configured a trusted path for downloading drivers. When using trusted paths, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver is not installed and the network printer is not added. + Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this is not suitable for servers. Installing a printer driver on a server can cause the system to become less stable. 
Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Disabled

      + +Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. + +It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less +stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. + ### Countermeasure + Enable the **Devices: Prevent users from installing printer drivers** setting. 
+ ### Potential impact + Only members of the Administrator, Power Users, or Server Operator groups can install printers on the servers. If this policy setting is enabled but the driver for a network printer already exists on the local computer, users can still add the network printer. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index d4a806d762..e42ea9042c 100644 --- a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md 
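Review bot: In devices-prevent-users-from-installing-printer-drivers.md, the header row of the new Default values table is added as `+Server type or GPO | Default value |` with no leading pipe, while the delimiter row and every data row below it start with `|`, and the same table in the sibling files of this commit uses `| Server type or GPO | Default value |`. Add the leading pipe so the header matches the rest of the table and the other topics. The Vulnerability paragraph is also now split mid-sentence across two added lines (`cause the computer to become less` / `stable.`); keeping it on one line would match the surrounding paragraphs.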
@@ -2,82 +2,79 @@ title: Devices Restrict CD-ROM access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting. ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Restrict CD-ROM access to locally logged-on user only + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. + ## Reference + This policy setting determines whether a CD is accessible to local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CDs. If this policy setting is enabled and no one is logged on interactively, the CD can be accessed over the network. + The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This is important when administrators are installing software or copying data from a CD-ROM, and they do not want network users to be able to execute the applications or view the data. + If this policy setting is enabled, users who connect to the server over the network will not be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting is not suitable for a system that serves as a CD jukebox for network users. 
+ ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Best practices are dependent on your security and user accessibility requirements for CD drives. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. + +A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run +applications from removable media on the server. + ### Countermeasure Enable the **Devices: Restrict CD-ROM drive access to locally logged-on user only** setting. + ### Potential impact Users who connect to the server over the network cannot use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. 
For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting would not be suitable for a computer that serves as a CD jukebox for network users. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) From a75ee08f729bc0de06c6d5e60d004b9f203e7595 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 23 May 2016 16:37:43 -0700 Subject: [PATCH 069/169] fixing spacing issues --- ...y-access-to-locally-logged-on-user-only.md | 81 +++++++------- ...-users-try-to-run-a-blocked-application.md | 9 +- windows/keep-secure/dll-rules-in-applocker.md | 64 ++++------- ...tructure-and-applocker-rule-enforcement.md | 11 +- ...pplication-control-management-processes.md | 24 +++- .../document-your-application-list.md | 26 ++++- .../document-your-applocker-rules.md | 16 ++- ...llow-server-operators-to-schedule-tasks.md | 86 +++++++------- ...roller-ldap-server-signing-requirements.md | 85 +++++++------- ...refuse-machine-account-password-changes.md | 84 +++++++------- ...rypt-or-sign-secure-channel-data-always.md | 105 ++++++++++-------- ...crypt-secure-channel-data-when-possible.md | 98 ++++++++-------- ...-sign-secure-channel-data-when-possible.md | 95 ++++++++-------- ...isable-machine-account-password-changes.md | 83 +++++++------- ...er-maximum-machine-account-password-age.md | 82 +++++++------- ...trong-windows-2000-or-later-session-key.md | 91 ++++++++------- 16 files changed, 545 insertions(+), 495 deletions(-) 
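Review bot: In devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md, the `### Countermeasure` and `### Potential impact` headings near the end of the hunk do not get the blank `+` line that every other heading in this file receives, so each is still followed directly by its paragraph. Add the blank line after both. Two smaller points: two blank lines are added before the Default values table where the sibling files add one, and the Vulnerability paragraph is split mid-sentence (`view data or run` / `applications from removable media on the server.`).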
diff --git a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index c031c438a6..3246e36da5 100644 --- a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md 
@@ -2,82 +2,79 @@ title: Devices Restrict floppy access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting. ms.assetid: 92997910-da95-4c03-ae6f-832915423898 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Devices: Restrict floppy access to locally logged-on user only + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. + ## Reference + This policy setting determines whether removable floppy disks are accessible to local and remote users simultaneously. Enabling this policy setting allows only the interactively logged-on user to access removable floppy disks. If this policy setting is enabled and no one is logged on interactively, the floppy disk can be accessed over the network. + The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications or view the data. + If this policy setting is enabled, users who connect to the server over the network will not be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server. 
+ ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Best practices are dependent on your security and user accessibility requirements for CD drives. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives are not automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. + ### Countermeasure + Enable the **Devices: Restrict floppy access to locally logged-on user only** setting. + ### Potential impact + Users who connect to the server over the network cannot use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. 
Any non-Microsoft backup products that use volume shadow copies also fail. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index ea5e8e17a8..267ba483ac 100644 --- a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -8,13 +8,20 @@ ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft --- + # Display a custom URL message when users try to run a blocked app + **Applies to** - Windows 10 + This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. + Using Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you do not display a custom message when an apps is blocked, the default access denied message is displayed. + To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **To display a custom URL message when users try to run a blocked app** + 1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC). 2. Navigate to the Group Policy Object (GPO) that you want to edit. 3. Right-click the GPO, and then click **Edit**. 
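Review bot: The context line "If you do not display a custom message when an apps is blocked" in the first hunk of display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md still reads "an apps"; since this pass already touches the spacing around that paragraph, change it to "when an app is blocked" in the same commit.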
@@ -22,5 +29,3 @@ To complete this procedure, you must have the **Edit Setting** permission to ed 5. In the details pane, double-click **Set a support web page link**. 6. Click **Enabled**, and then type the URL of the custom Web page in the **Support Web page URL** box. 7. Click **OK** to apply the setting. -  -  diff --git a/windows/keep-secure/dll-rules-in-applocker.md b/windows/keep-secure/dll-rules-in-applocker.md index 545d8c5359..4f99109b04 100644 --- a/windows/keep-secure/dll-rules-in-applocker.md +++ b/windows/keep-secure/dll-rules-in-applocker.md @@ -2,64 +2,40 @@ title: DLL rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the DLL rule collection. ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # DLL rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the DLL rule collection. + AppLocker defines DLL rules to include only the following file formats: + - .dll - .ocx + The following table lists the default rules that are available for the DLL rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      PurposeNameUserRule condition type

      Allows members of the local Administrators group to run all DLLs

      (Default Rule) All DLLs

      BUILTIN\Administrators

      Path: *

      Allow all users to run DLLs in the Windows folder

      (Default Rule) Microsoft Windows DLLs

      Everyone

      Path: %windir%\*

      Allow all users to run DLLs in the Program Files folder

      (Default Rule) All DLLs located in the Program Files folder

      Everyone

      Path: %programfiles%\*

      + +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| +| BUILTIN\Administrators | Path: *| +| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | +| Everyone | Path: %windir%\*| +| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| +| Everyone | Path: %programfiles%\*|   -**Important**   -If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps +>**Important:**  If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps   -**Caution**   -When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used. +>**Caution:**  When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.   ## Related topics -[Understanding AppLocker default rules](understanding-applocker-default-rules.md) -  -  + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) \ No newline at end of file diff --git a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md index e97b186290..f583b63513 100644 --- a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md 
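Review bot: In dll-rules-in-applocker.md, the converted default-rules table declares four columns (Purpose, Name, User, Rule condition type) but each rule is written as two rows of two cells, for example `| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs|` followed by `| BUILTIN\Administrators | Path: *|`. In GitHub-flavored Markdown that produces six rows with the last two cells empty, and the user and path values land under Purpose and Name. Put each rule on a single row with all four cells. Also check how `Path: *` and `Path: %windir%\*` render, since a bare `*` or `\*` can be consumed as an emphasis marker or escape; wrapping the paths in backticks avoids that. The **Important** note still ends without a period.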
@@ -2,23 +2,31 @@ title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10) description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft +ms.pagetype: security --- + # Document the Group Policy structure and AppLocker rule enforcement + **Applies to** - Windows 10 + This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. + ## Record your findings + To complete this AppLocker planning document, you should first complete the following steps: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column. + The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies. @@ -111,6 +119,7 @@ The following table includes the sample data that was collected when you determi
        ## Next steps + After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md) diff --git a/windows/keep-secure/document-your-application-control-management-processes.md b/windows/keep-secure/document-your-application-control-management-processes.md index b5a9cd95a7..e0ef522601 100644 --- a/windows/keep-secure/document-your-application-control-management-processes.md +++ b/windows/keep-secure/document-your-application-control-management-processes.md 
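Review bot: In the front matter of document-group-policy-structure-and-applocker-rule-enforcement.md, `ms.pagetype: security` is re-added after `author:`, whereas the other topics touched in this patch (for example document-your-application-control-management-processes.md) place it between `ms.sitesec` and `author`. Pick one position and use it in every file so the metadata blocks stay consistent and easy to process with scripts.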
@@ -2,31 +2,46 @@ title: Document your application control management processes (Windows 10) description: This planning topic describes the AppLocker policy maintenance information to record for your design document. ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Document your application control management processes + **Applies to** - Windows 10 + This planning topic describes the AppLocker policy maintenance information to record for your design document. + ## Record your findings + To complete this AppLocker planning document, you should first complete the following steps: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + The three key areas to determine for AppLocker policy management are: + 1. Support policy + Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. + 2. Event processing + Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis. + 3. Policy maintenance + Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added. 
+ The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies. + @@ -125,9 +140,13 @@ The following table contains the added sample data that was collected when deter
        The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies. + **Event processing policy** + One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events. + The following table is an example of what to consider and record. + @@ -210,7 +229,6 @@ The following table is an example of what to consider and record.
        ## Next steps + After you have determined your application control management strategy for each of the business group's applications, the following task remains: - [Create your AppLocker planning document](create-your-applocker-planning-document.md) -  -  diff --git a/windows/keep-secure/document-your-application-list.md b/windows/keep-secure/document-your-application-list.md index 1b7c7906fa..c20e6831ad 100644 --- a/windows/keep-secure/document-your-application-list.md +++ b/windows/keep-secure/document-your-application-list.md 
@@ -2,21 +2,30 @@ title: Document your app list (Windows 10) description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Document your app list + **Applies to** - Windows 10 + This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. + ## Record your findings + **Apps** + Record the name of the app, whether it is signed as indicated by the publisher's name, and whether it is a mission critical, business productivity, optional, or personal app. Later, as you manage your rules, AppLocker displays this information in the format shown in the following example: *MICROSOFT OFFICE INFOPATH signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US*. + **Installation path** + Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices. + The following table provides an example of how to list applications for each business group at the early stage of designing your application control policies. Eventually, as more planning information is added to the list, the information can be used to build AppLocker rules. @@ -81,29 +90,36 @@ The following table provides an example of how to list applications for each bus
        -**Note**   -AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. +>**Note:**  AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.   **Event processing** + As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record: + - Will event forwarding be implemented for AppLocker events? - What is the location of the AppLocker event collection? - Should an event archival policy be implemented? - Will the events be analyzed and how often? - Should a security policy be in place for event collection? + **Policy maintenance** + As you create your list of apps, you need to consider how to manage and maintain the policies that you will eventually create. The following list is an example of what to consider and what to record: + - How will rules be updated for emergency app access and permanent access? - How will apps be removed? - How many older versions of the same app will be maintained? - How will new apps be introduced? + ## Next steps + After you have created the list of applications, the next step is to identify the rule collections, which will become the application control policies. This information can be added to the table under the following columns: + - Use default rule or define new rule condition - Allow or deny - GPO name + To identify the rule collections, see the following topics: + - [Select the types of rules to create](select-types-of-rules-to-create.md) - [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) -  -  
diff --git a/windows/keep-secure/document-your-applocker-rules.md b/windows/keep-secure/document-your-applocker-rules.md index 97bd6545ef..5603fcefdc 100644 --- a/windows/keep-secure/document-your-applocker-rules.md +++ b/windows/keep-secure/document-your-applocker-rules.md 
@@ -2,25 +2,35 @@ title: Document your AppLocker rules (Windows 10) description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Document your AppLocker rules + **Applies to** - Windows 10 + This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. + ## Record your findings + To complete this AppLocker planning document, you should first complete the following steps: + 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md) + Document the following items for each business group or organizational unit: + - Whether your organization will use the built-in default AppLocker rules to allow system files to run. - The types of rule conditions that you will use to create rules, stated in order of preference. + The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md). + @@ -101,9 +111,9 @@ The following table details sample data for documenting rule type and rule condi
        ## Next steps + For each rule, determine whether to use the allow or deny option. Then, three tasks remain: + - [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md) -  -  diff --git a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md index 9830087bd1..73dd753654 100644 --- a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md 
@@ -2,87 +2,85 @@ title: Domain controller Allow server operators to schedule tasks (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting. ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain controller: Allow server operators to schedule tasks + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting. + ## Reference + This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account. -**Note**   -This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool. + +>**Note:**  This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.   Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. + The impact of enabling this policy setting should be small for most organizations. 
Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Best practices for this policy are dependent on your security and operational requirements for task scheduling. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      DC Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Command-line tools + The **at** command schedules commands and programs to run on a computer at a specified time and date. The Schedule service must be running to use the **at** command. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Tasks that run under the context of the Local System account can affect resources that are at a higher privilege level than the user account that scheduled the task. + ### Countermeasure + Disable the **Domain controller: Allow server operators to schedule tasks** setting. + ### Potential impact + The impact should be small for most organizations. Users (including those in the Server Operators group) can still create jobs by means of the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md index 50f94a37d3..8f75f7faa7 100644 
--- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md 
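Review bot: In domain-controller-allow-server-operators-to-schedule-tasks.md, the first sentence under Reference still reads "can use the**at** command"; since this hunk reflows that section, add the missing space before `**at**`. The same section also states twice that jobs submitted through **at** run in the context of the account running the service (Local System by default). One statement of that privilege boundary is enough, and the copy that explains what server operators gain (adding their account to the local Administrators group) is the one to keep.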
@@ -2,86 +2,83 @@ title: Domain controller LDAP server signing requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting. ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain controller: LDAP server signing requirements + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. + ## Reference + This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. + Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. + This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. + If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. -**Caution**   -If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server. 
+ +>**Caution:**  If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.   ### Possible values + - None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it. - Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use. - Not defined. + ### Best practices + - It is advisable to set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      DC Effective Default Settings

      None

      Member Server Effective Default Settings

      None

      Client Computer Effective Default Settings

      None

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | None| +| Member Server Effective Default Settings | None| +| Client Computer Effective Default Settings | None|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. + ### Countermeasure + Configure the **Domain controller: LDAP server signing requirements** setting to **Require signature**. + ### Potential impact + Client device that do not support LDAP signing cannot run LDAP queries against the domain controllers. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md index acab069b02..3d0dc98ace 100644 --- a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md 
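Review bot: In domain-controller-ldap-server-signing-requirements.md, the hunk turns two adjacent Reference sentences into separate paragraphs that now read as a contradiction: "This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL" followed by "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected". Readers deciding whether to set Require signature need to know which binds are actually refused, so reconcile the two statements before publishing. Under Potential impact, "Client device that do not support" should be "Client devices that do not support".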
@@ -2,83 +2,83 @@ title: Domain controller Refuse machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting. ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain controller: Refuse machine account password changes + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting. + ## Reference + This policy setting enables or disables blocking a domain controller from accepting password change requests for machine accounts. By default, devices joined to the domain change their machine account passwords every 30 days. If enabled, the domain controller will refuse machine account password change requests. + ### Possible values + - Enabled + When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password. + - Disabled + When disabled, this setting allows a domain controller to accept any changes to a machine account's password. + - Not defined + Same as Disabled. + ### Best practices + - Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This, in turn, leaves those passwords susceptible to attack. Make sure that this conforms to your overall security policy for the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Not applicable

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you enable this policy setting on all domain controllers in a domain, domain members cannot change their machine account passwords, and those passwords are more susceptible to attack. + ### Countermeasure + Disable the **Domain controller: Refuse machine account password changes** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index b6ebe0166a..dde52ba0d7 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md 
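Review bot: In domain-controller-refuse-machine-account-password-changes.md, the single Best practices bullet only describes the risk of enabling the setting and never states the recommended value, while Countermeasure says to disable it and Potential impact calls that the default. Make the Best practices bullet state the recommendation directly (leave the setting Disabled) so the three sections agree.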
@@ -2,103 +2,114 @@ title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting. ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Digitally encrypt or sign secure channel data (always) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. + ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is +transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. 
+ The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: + - Domain member: Digitally encrypt or sign secure channel data (always) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. + To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows othat has joined a domain to have access to the user account database in its domain and in any trusted domains. + To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data. + Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting. + When a device joins a domain, a machine account is created. 
After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Possible values + - Enabled - The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. + + The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure + channel traffic. + - Disabled + The encryption and signing of all secure channel traffic is negotiated with the domain controller, in which case the level of signing and encryption depends on the version of the domain controller and the settings of the following policies: + 1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) 2. 
[Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + - Not defined ### Best practices + - Set **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled**. - Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. - Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. -**Note**   -You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications. + +>**Note:**  You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Enabled

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Distribution of this policy through Group Policy overrides the Local Security Policy setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + +When a device joins a domain, a machine account is created. 
After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and +sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Countermeasure + Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data. + - **Domain member: Digitally encrypt or sign secure channel data (always)** - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + ### Potential impact + Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index 693a34601d..9412bf6ae7 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md 
+++ b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md 
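Review bot: In domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md, the added lines break two sentences in mid-clause: the Enabled description under Possible values now ends a line at "at least signing of the secure" and continues with "channel traffic." on the next, and the Vulnerability paragraph is split just before "sensitive information such as passwords". The other paragraphs in the topic stay on one line, so these look like an editor wrap column rather than intended breaks. Rejoin each sentence onto a single line so that later diffs of these paragraphs stay readable.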
@@ -2,99 +2,107 @@ title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting. ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Digitally encrypt secure channel data (when possible) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. + ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over +the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. 
+ In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: + - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. + To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. + Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. + When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. 
Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Possible values + - Enabled + The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information that is transmitted over the secure channel will be encrypted. + - Disabled + The domain member will not attempt to negotiate secure channel encryption. - **Note**   - If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten. + + >**Note:**  If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.   - Not defined + ### Best practices + - Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. - Set **Domain member: Digitally encrypt secure channel data (when possible)** to **Enabled**. - Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Enabled

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Distribution of this policy through Group Policy does not override the Local Security Policy setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. 
+ ### Countermeasure + Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data: + - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - **Domain member: Digitally encrypt secure channel data (when possible)** - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + ### Potential impact + Digital signing of the secure channel is a good idea because it protects domain credentials as they are sent to the domain controller. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md index 670f0b9024..6f0cdd5ea0 100644 --- a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md 
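Review bot: Under Potential impact in domain-member-digitally-encrypt-secure-channel-data-when-possible.md, the unchanged sentence says "Digital signing of the secure channel is a good idea", although this topic covers encrypting the channel and the (always) topic words the same sentence as "Digital encryption and signing". The section is being touched anyway, so reword it to refer to encryption. The Group Policy section here also says distribution "does not override" the Local Security Policy setting, while the (always) topic says it "overrides" it; confirm which is intended before these sibling topics go out with opposite statements.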
@@ -2,100 +2,105 @@ title: Domain member Digitally sign secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting. ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Digitally sign secure channel data (when possible) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting. + ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the +secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. 
+ The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - Domain member: Digitally sign secure channel data (when possible) + Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. + To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. + Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. 
This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + ### Possible values + - Enabled + The domain member will request signing of all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. + - Disabled + Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled. + - Not defined + ### Best practices + - Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. - Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. - Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**. 
-**Note**   -You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications. +>**Note:**  You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Enabled

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Distribution of this policy through Group Policy does not override the Local Security Policy setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. 
+ ### Countermeasure + Because these policies are closely related and useful depending on your environment, select one of the following settings as appropriate to configure the devices in your domain to encrypt or sign secure channel data when possible. + - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - **Domain member: Digitally sign secure channel data (when possible)** + ### Potential impact + Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md index 39fdae996b..a7e862cea4 100644 --- a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md +++ b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md 
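Review bot: The rewritten note under Best practices in domain-member-digitally-sign-secure-channel-data-when-possible.md still reads "Domain member: [Domain member: Digitally encrypt secure channel data (when possible)]", so the prefix is doubled, and it introduces "the other two policy settings" but then names this topic's own setting in bold as one of them. Drop the stray "Domain member:" and reword the sentence so the settings it lists match what "other two" promises. In the Reference section, no blank line is added between the paragraph ending "automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting." and "When a device joins a domain", so the two will render as one paragraph; the encrypt (when possible) topic adds that blank line.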
@@ -2,82 +2,79 @@ title: Domain member Disable machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting. ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Disable machine account password changes + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting. + ## Reference + The **Domain member: Disable machine account password changes** policy setting determines whether a domain member periodically changes its machine account password. Setting its value to **Enabled** prevents the domain member from changing the machine account password. Setting it to **Disabled** allows the domain member to change the machine account password as specified by the value of the [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) policy setting, which is every 30 days by default. + By default, devices that belong to a domain are automatically required to change the passwords for their accounts every 30 days. Devices that are no longer able to automatically change their machine password are at risk of a malicious user determining the password for the system's domain account. Verify that the **Domain member: Disable machine account password changes** option is set to **Disabled**. + ### Possible values + - Enabled - Disabled + ### Best practices + 1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. 
After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. 2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Disabled

      Default Domain Controller Policy

      Disabled

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Disabled | +| Default Domain Controller Policy | Disabled| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. + +By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices +that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. + ### Countermeasure + Verify that the **Domain member: Disable machine account password changes** setting is configured to **Disabled**. + ### Potential impact + None. This is the default configuration. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md index 9deffaa2c2..b97cf3f485 100644 --- a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md +++ b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md 
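Review bot: The re-wrapped Vulnerability paragraph in domain-member-disable-machine-account-password-changes.md still says "If you disable this policy setting, devices that run Windows Server retain the same passwords", which contradicts the Reference section of the same topic: there, Enabled prevents the password change and Disabled allows it, and the Countermeasure asks for Disabled. The sentence should read "If you enable this policy setting"; the paragraph is already rewritten in this hunk, so the fix fits here. The new line break after "Devices" also splits the last sentence mid-clause.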
@@ -2,81 +2,77 @@ title: Domain member Maximum machine account password age (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting. ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Maximum machine account password age + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting. + ## Reference + The **Domain member: Maximum machine account password age** policy setting determines the maximum allowable age for a machine account password. + In Active Directory–based domains, each device has an account and password, just like every user. By default, the domain members automatically change their domain password every 30 days. Increasing this interval significantly, or setting it to **0** so that the device no longer change their passwords, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts. + ### Possible values + - User-defined number of days between 0 and 999 - Not defined. + ### Best practices + 1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. 2. Some organizations pre-build devices and then store them for later use or ship them to remote locations. If the machine's account has expired, it will no longer be able to authenticate with the domain. Devices that cannot authenticate with the domain must be removed from the domain and rejoined to it. 
For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      30 days

      DC Effective Default Settings

      30 days

      Member Server Effective Default Settings

      30 days

      Client Computer Effective Default Settings

      30 days

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | 30 days| +| DC Effective Default Settings | 30 days| +| Member Server Effective Default Settings|30 days| +| Client Computer Effective Default Settings | 30 days|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -In Active Directory–based domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. + +In Active Directory–based domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their +passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. + ### Countermeasure + Configure the **Domain member: Maximum machine account password age** setting to 30 days. + ### Potential impact + None. This is the default configuration. 
## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md index 2a95144b2d..320d44e467 100644 --- a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md 
@@ -2,88 +2,95 @@ title: Domain member Require strong (Windows 2000 or later) session key (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting. ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Domain member: Require strong (Windows 2000 or later) session key + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. + ## Reference + The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. + Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected. + ### Possible values + - Enabled + When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server. + - Disabled + Allows 64-bit session keys to be used. + - Not defined. 
+ ### Best practices + - It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO +| Default value +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger starting with Windows 2000. + Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdrop. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.) + ### Countermeasure + Enable the **Domain member: Require strong (Windows 2000 or later) session key** setting. + If you enable this policy setting, all outgoing secure channel traffic requires a strong encryption key. If you disable this policy setting, the key strength is negotiated. 
You should enable this policy setting only if the domain controllers in all trusted domains support strong keys. By default, this policy setting is disabled. + ### Potential impact + Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) From 089af5044ecf90419b60c66cb91fed5c88dbe31a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 May 2016 15:30:44 +1000 Subject: [PATCH 070/169] new topic file created, added in TOC --- windows/keep-secure/TOC.md | 1 + ...md-scan-windows-defender-for-windows-10.md | 60 +++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 56f8c27db1..b169a67beb 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -428,6 +428,7 @@ ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md) #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) +#### [Run a Windows Defender scan from the command line] (run-cmd-scan-windows-defender-for-windows-10.md) #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md new file mode 100644 index 0000000000..aac8e0f470 --- /dev/null 
+++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md 
@@ -0,0 +1,60 @@ +--- +title: Run a scan from the command line in Windows Defender in Windows 10 (Windows 10) +description: IT professionals can run a scan using the command line in Windows Defender in Windows 10. +keywords: scan, command line, mpcmdrun, defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: mjcaparas +--- + +# Run a Windows Defender scan from the command line + +**Applies to:** + +- Windows 10 + +IT professionals can use a command-line utility to run a Windows Defender scan. + +The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe + +This utility can be handy when you want to automate the use of Windows Defender. + +## Before you start + +To complete the procedures in this scenario: +- You must have administrator credentials +[CHECK WITH RAM IS THIS IS ACCURATE] + + +**To run a full system scan from the command line** + +1. Click **Start**, type **cmd**, and press **Enter**. +2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**: + +``` +C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2 +``` +The full scan start. When the scan completes, you'll see a message indicating that the scan is finished. + + +The utility also provides other commands that you can run: + +``` +MpCmdRun.exe \[command] [-options] +``` + +Command | Description +:---|:--- +\- ? 
/ -h | Displays all available options for the tool +\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious softare +\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing +\-GetFiles | Collects support information +\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures +\-AddDynamicSignature [-Path] | Loads a dyanmic signature +\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures +\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature +\-EnableIntegrityServices | Enables integrity services +\-SubmitSamples | Submit all sample requests \ No newline at end of file From ba84f42c2b2f7440d1233c0074d8c7fd5bd5d546 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 May 2016 15:52:59 +1000 Subject: [PATCH 071/169] remove space from TOC --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index b169a67beb..df60443abe 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -428,7 +428,7 @@ ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md) #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) -#### [Run a Windows Defender scan from the command line] (run-cmd-scan-windows-defender-for-windows-10.md) +#### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md) #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) 
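Review bot: In domain-member-require-strong-windows-2000-or-later-session-key.md, the new Markdown table splits its header row across two added lines (`+| Server type or GPO` then `+| Default value`), so the `| - | - |` separator no longer follows a complete header row and the table will not render. Put both header cells on one line, as the Maximum machine account password age table earlier in this diff does. In the Group Policy section of the same hunk, "You will you be able to join devices that do not support this policy setting" is garbled and reads as the opposite of the Potential impact paragraph ("cannot join domains"). It is carried over unchanged, but since the hunk reflows that section it should be corrected in the same pass.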
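Review bot: In the new run-cmd-scan-windows-defender-for-windows-10.md, the full-scan command in the fenced block is an unquoted path that contains a space (`C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2`), so cmd.exe treats `C:\Program` as the program name and the command fails as written. Step 2 already has the reader change to `%ProgramFiles%\Windows Defender`, so show `MpCmdRun.exe -scan -scantype 2` there, or quote the full path. Elsewhere in the same file: the intro writes `_%Program Files%\Windows Defender\MpCmdRun.exe` with an unclosed emphasis marker and a variable name that differs from the `%ProgramFiles%` used in step 2, the `[CHECK WITH RAM IS THIS IS ACCURATE]` placeholder should not be committed, and "softare" and "dyanmic" are misspelled in the command table.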
From 9c85b83432cd449151a65b68d1ce20a582bff9ba Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 May 2016 15:58:31 +1000 Subject: [PATCH 072/169] minor edits --- .../run-cmd-scan-windows-defender-for-windows-10.md | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md index aac8e0f470..c9e4438386 100644 --- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md +++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md @@ -18,17 +18,10 @@ author: mjcaparas IT professionals can use a command-line utility to run a Windows Defender scan. -The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe +The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ This utility can be handy when you want to automate the use of Windows Defender. -## Before you start - -To complete the procedures in this scenario: -- You must have administrator credentials -[CHECK WITH RAM IS THIS IS ACCURATE] - - **To run a full system scan from the command line** 1. Click **Start**, type **cmd**, and press **Enter**. @@ -37,7 +30,7 @@ To complete the procedures in this scenario: ``` C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2 ``` -The full scan start. When the scan completes, you'll see a message indicating that the scan is finished. +The full scan will start. When the scan completes, you'll see a message indicating that the scan is finished. The utility also provides other commands that you can run: From bb360441b3dfc8d8abbe01e5112cff79cf775e1e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 May 2016 15:59:00 +1000 Subject: [PATCH 073/169] remove wrong character in command --- .../keep-secure/run-cmd-scan-windows-defender-for-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md index c9e4438386..9eb59d5dc1 100644 --- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md +++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md @@ -36,7 +36,7 @@ The full scan will start. When the scan completes, you'll see a message indicati The utility also provides other commands that you can run: ``` -MpCmdRun.exe \[command] [-options] +MpCmdRun.exe [command] [-options] ``` Command | Description From 1eb2e56e63e4895d7d5202e1ae39cea6bdf4cd0c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 May 2016 16:12:46 +1000 Subject: [PATCH 074/169] remove topic to fix link --- windows/keep-secure/TOC.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index df60443abe..56f8c27db1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -428,7 +428,6 @@ ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md) #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) -#### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md) #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) From 3088b2740d14378d1cb944e746ea917f04fb7c70 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 May 2016 16:17:21 +1000 Subject: [PATCH 075/169] put link to new topic --- windows/keep-secure/TOC.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 56f8c27db1..df60443abe 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -428,6 +428,7 @@ ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md) #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) +#### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md) #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) From 677ad59c0de5f2f846b5252cd8dfe60659963cd1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 May 2016 16:57:33 +1000 Subject: [PATCH 076/169] Update based on Omri feedback --- ...dpoints-windows-defender-advanced-threat-protection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 8ac1ba2c6b..78366779a6 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md 
@@ -25,7 +25,7 @@ Using the GP configuration package ensures your endpoints will be correctly conf > **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 Insider Preview Build 14332 or later. -1. Open the GP configuration package .zip file (*WindowsATPOnboardingPackage_GroupPolicy.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip *) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Client onboarding** on the **Navigation pane**. 
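Review bot: The added step 1 has a space before the closing asterisk, `(*WindowsDefenderATPOnboardingPackage.zip *)`, so Markdown will not treat the file name as emphasized and the asterisks will render literally; drop the space. With this rename the GP package has the same file name that the SCCM step uses in the next hunk, so the step should also say how an administrator tells the two downloads apart.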
@@ -52,13 +52,13 @@ For additional settings, see the [Additional configuration settings section](add ## Configure with System Center Configuration Manager -1. Open the SCCM configuration package .zip file (*WindowsATPOnboardingPackage_ConfigurationManager.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Client onboarding** on the **Navigation pane**. b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. -2. Copy the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a folder called *WindowsDefenderATPOnboardingPackage* and the file *WindowsDefenderATPOnboardingScript.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. 
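Review bot: Step 2 now tells the reader to extract the .zip, but the unchanged step 3 still says "Import the configuration package" without saying whether that means the extracted content or the original .zip; state which one Configuration Manager should be pointed at. The added sentence "You should have a folder called *WindowsDefenderATPOnboardingPackage* and the file *WindowsDefenderATPOnboardingScript.cmd*" also leaves it unclear whether the script sits inside that folder or beside it.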
@@ -76,7 +76,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You a. Click **Client onboarding** on the **Navigation pane**. - b. Select **Manually on-board local machine**, click **Download package** and save the .zip file. + b. Select **Local Script**, click **Download package** and save the .zip file. 2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. From 3fe0c958429d056169b7cf3b0b0f83f990c54bd3 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 May 2016 17:15:06 +1000 Subject: [PATCH 077/169] remove extra space, edit a sentence --- ...e-endpoints-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 78366779a6..5ba1e38a0b 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md 
@@ -25,7 +25,7 @@ Using the GP configuration package ensures your endpoints will be correctly conf > **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 Insider Preview Build 14332 or later. -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip *) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Client onboarding** on the **Navigation pane**. @@ -58,7 +58,7 @@ For additional settings, see the [Additional configuration settings section](add b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a folder called *WindowsDefenderATPOnboardingPackage* and the file *WindowsDefenderATPOnboardingScript.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. From 0f940dccdbc495287a6d77e75cd25294daabe243 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Tue, 24 May 2016 17:17:18 +1000 Subject: [PATCH 078/169] add full stop --- ...ot-onboarding-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 09251bb1f6..9199881438 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -38,7 +38,7 @@ If the endpoints aren't reporting correctly, you might need to check that the Wi **Check the onboarding state in Registry**: -1. Click **Start**, type **Run**, and press **Enter** +1. Click **Start**, type **Run**, and press **Enter**. 2. From the **Run** dialog box, type **regedit** and press **Enter**. From cd59cf836b1b5f0007976b3baea4dd15adbbf416 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 24 May 2016 17:41:15 +1000 Subject: [PATCH 079/169] Update TOC.md Remove topic from TOC --- windows/keep-secure/TOC.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index df60443abe..56f8c27db1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -428,7 +428,6 @@ ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md) #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) -#### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md) #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) From b236db120a21002682f8f5f89a95678b3892c3e6 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 May 2016 17:47:42 +1000 Subject: [PATCH 080/169] fix numbering --- ...endpoints-windows-defender-advanced-threat-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 5ba1e38a0b..79f9ff560f 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -81,7 +81,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You 2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. -2. Open an elevated command-line prompt on the endpoint and run the script: +3. Open an elevated command-line prompt on the endpoint and run the script: a. Click **Start** and type **cmd**. 
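Review bot: Step 2 offers the Desktop as the extraction location and the renumbered step 3 then runs the script from an elevated prompt; a .cmd file in a user-writable folder can be changed by any process running as that user before the administrator executes it. Suggest naming a folder that only administrators can write to as the example location, and telling the reader to delete the script once onboarding is done.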
@@ -89,9 +89,9 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -3. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* +4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* -4. Press the **Enter** key or click **OK**. +5. Press the **Enter** key or click **OK**. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry. From e125a551b19cf80c3f753068accb2aeba22143f0 Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Tue, 24 May 2016 08:09:16 -0700 Subject: [PATCH 081/169] add how-to steps for setup app --- .../windows/images/setup-app-1-access.png | Bin 0 -> 30326 bytes education/windows/images/setup-app-1-usb.png | Bin 0 -> 23731 bytes .../images/setup-app-1-wifi-manual.png | Bin 0 -> 16389 bytes education/windows/images/setup-app-1-wifi.png | Bin 0 -> 20635 bytes .../windows/images/setup-app-2-directions.png | Bin 0 -> 18590 bytes .../windows/images/setup-app-3-directions.png | Bin 0 -> 20938 bytes .../windows/images/setup-app-all-done.png | Bin 0 -> 23020 bytes .../windows/use-set-up-school-pcs-app.md | 26 ++++++++++++++++-- 8 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 education/windows/images/setup-app-1-access.png create mode 100644 education/windows/images/setup-app-1-usb.png create mode 100644 education/windows/images/setup-app-1-wifi-manual.png create mode 100644 education/windows/images/setup-app-1-wifi.png create mode 100644 education/windows/images/setup-app-2-directions.png create mode 100644 education/windows/images/setup-app-3-directions.png create mode 100644 education/windows/images/setup-app-all-done.png 
diff --git a/education/windows/images/setup-app-1-access.png b/education/windows/images/setup-app-1-access.png new file mode 100644 index 0000000000000000000000000000000000000000..1de1081d1da4f18ca0df46aa40da9942bf1e459f GIT binary patch literal 30326
z#rl7RrQZK(LI2gP{*UI=OX$U50}sb&n^Q%6N{ioO&253#^mAVF|AY^_=9H4_EvIGx zO7|g^uOsFTfDrs)6GeZro!cso>w5iAj%xKBhwzBz_PU`M zItGnKAiv1Qs>2g*|8`2b$kpbX8;=|L z$q*BcWv#dq&9l0X_$SYG8R@Hza?YO|2UMv?Z3w|hEtNd)9Aqy}rtn;Y{?WxPKu(s^ zENcACngqw8uB`3y16ya9WD;n8Z9`F}wRkvaFLj%~P-bs^6+>7v!~_^A>{cye*%}%@ znaI4_|Bw7`!h`^vBXL@aK#>o%6?kcfVFj3546;T#VH00W@NrFgF%L5yj_aD7B&7Mv ztu2kJ_AKf&S?*2&+!6#x2hd=-zZI7M2Bntg-UFtEh0fo*Xn&6_PkQE6pB*`595YXf zd-hk0l9vd_YhPBx|4aGVb^*!`ZFtRIgSR-+dA%9?7CHNq^gg1N9TQ9^?sPvpKodAV zWQ67Wgu;bqm&usc54LY-(z8aA5*u;4q5Tc~NAi7Rg7tb`w z%#EiMv5!Rj^j^<3$wYM~{<``tiMHCXIm?oq-dtxm6ymfgWoucl^t4hE4lc=g(J4hd zwUl|^KRHV5t+&3}Y`@@nMoK1NJ({Am^sJbFS?aT1t*L$BR>C7N2+#fj#{7UH%bY2Z zlMa_ZGxCuDkm9%pnls^;aDP(DXWlnEvg&P!qM`8dfDUCjG z-5uw&EMswalCI;`D}j(Vg7IGkJ(T5%SLST|ACCFoLsF?4%R?0IaW!^;59zlHP}tk( z?NJly3j?jPXMI^r_`v7eKl{Z-QT1XZEa*gVI?eu&=8@@YcP&%At$U>K}i9dYhU2 zo?&`2y5Qo9Ul&j{QtwB-r2o^>;0nN^Lks7(A6Hq90HcuRl~|6bZ^JQfSW#&AJ%FPt z%JXKo&O_n0zB+5oG!#HV%sdUNQ{#t1WqZ%Ih9dLC{3pK}a5$K9bl;!fn!vk(oO!sG zgozT9-#lsHmv-4@u%F=Bc_ThH#m?Ffqx9B)^wgBnUpZYi7y1FLbukeZY90NmadaKS z{h)mJuo0`H*G+ieD=F~*kL@M>4pvXQ|86omrTmy)q16V1{+Ohb$Usj=!lt8yD z&F}zVM_bzqv~2fAV|QO60GIVyr<jKiF2?#@KGLEz5JgK)}>4d?a30jFd==S4H@vpyAA0 z9xEFW^`}y>#;dOU;wufoVQU65#>;bw_YOyBH7%U1l{okqb6#O|Fj+L|(|!u@hpMyXT%aa6V> zP^vdh3M)^I@OY)~Q4YT-aox>G8wU!JLUL1*Bdz|cInwTJ^7A)c4fpIfSv=iq6nT9IK6MTkIYl9p(C+hX-vTA+oaHRJ5Z!Tr zB~ZlqiNQDaiXQ${ z_wSKl*>z~zr>PCQbA`n)#4$~6WBdA!Fr>euPz+{vsInPD*-jKBt@2F}HT7J0>z6kw zWF6m9(hxYow-i1ley7s+aTawOZWZ4o`4@u+N>{77%cL%P7QTz(u%;c)HF@25Lddg0 z6al2tuc*?krOiwtlN!>_fNK$&tja$F&o~x*93+1q4m3lDTrp^p@-$Co$0r+~No3Zu z&{Kr&n~;V0)xh#{ zTL%`Cj((o+Zsw6ahCUudy~pp>{i27wf=j0cGVRd-*n_q|`;?{yg7X~jsUmnQ+SAR; z*NQuqi%sqYL|qfy98h@269Qk@={u>yP&00wbUtl?X>?RpHN=!rl1tYG2_?#dUBE&o zL*KVMx2ctqPwHaDl&pSD7v5s6)2M*4n5}7!o7xlv{_by^=pvUFG>vF$(+u|k>03CP z@1vBIL1Qaw%}ele7Se3cp6K)Ngb-{BSsn6g#DkkRrOLL3sEr3 zZfG$q^6n^{KuseyD}W^embyrEJ}QE-1PCG(`xeInvoBDia*&CF4R4Tr)kK-RtCZCT zdj1AG(n*nhA`185a|3M8pwZrJ_lPowvpZ^yXsyhbtYCIf-;pxv~bZqum$ 
zrO?J*N$kjKp8s(L+gmHYShlazfhJ~t`wW4LG;AXRf1ck&RcSs(liNuOXN~Ki`>yj* z%0T!1W~!iU7^O=kobsA(e)oW(PWGj~Sj2yr>jyv9%rE~!(WStM1g&KGk$H#`UCbMK z&0$TD4A>e^wqAzmxhA+qoL&l#qh;fn7!fp@F3K;5uGzzJsm27X%%~I+OSh_-@&=5m z;gRl{2%-mU&u_MXj`!TueS+^Y`SARA}VsN0^V^z;h1sXRQDs_4%4aAWHxyS;wsr($UQ2xnC6=(ts7Jo z_^A_2fZ56GT(nW7fA7bdY6F)2GBnuYy0!VGvc`}sc#{sM?R}6ACy`yT_oFwfY81EV zNAJWPmN=JT&NxyUxfrg{k0)cV!1AbeH(v_UWcACD5{`w>+DaO_ls3e6M8jt-@wRA{ z4(UX)2c9xksqE*W@YYkRMX&TUeZXF8bq~b;x2@a;TiF&12lXVVWa9OweBIiPSHat+ zSh+rZ*aGivR)7fqr%fm0_I->_16fxJ5XZP;;PaMi(!TW`X)#7id1%|8>d3SV9KI(2 z`3iWadZ@?$8z4+U zst1ln;Yt3OHkJm#g@T5HGOBU`0Ehe;Ot)R^^Q;EjV@-dTj5RQWncUW>`_qj-S>_G zsb^JaSqr>p3b=KgX^}vitiy)EN|5DiGmz+I*O>0H)mehFJ`}o(tNbZ<1ABIXHHg*n z7>(&wX*Qi@r~U<*L-K=AeNdg(g!-s^I4#V!ju+!S2vK05#1di>QP(z-Ert1GP2TJo z5pf!sDs-C>=7TTipLcRTbitdt-y_41&Z7&qGfxcGUp_Jp--&#yYMjVnj1rFP%Xx*| zo%w?v#(8S%+tcl(BDhR6RWP6xr^9Z?Q1ZYCm~`-b)q7#ERVc=m8ke$gDk_bWPq~ic zN-93Eb;N$}^_a*W#@?68%8cRaz2)lWt>!#OUa2QyKz#M!GGI+38YZNieepom|M8yj zqk{XIIw@Ch;|@pN1^9ei;JU0e{zCvfFnqw#EffA=cUu+)>i;#nn4{COk_szUf;fh) z1=oB1$xz|%=E_t|9f8}342`|v=)>C$tGMVm zsN@2uG1L(A7Uyd@E|-Dn@RHUzkwQE$vbafjxJ`~e^7leHqm5d*qzx3g8)Q4H zQKH`B3Z+}T_m2vUv!wadsPjFYGKi+TxIdzu?A75kY_EQk7nmEYC6$%2V&(NwTKYOA zrbE!Os$0IeXqTea;?)PtbHw}zQ#+6v)-yIwTiT{|rJLO5>9X7o#V)w{#(84LzNI%{ zE$yD=om2zyz2CXEyTMLmiFF6rsTO|YJgqI|=`M{)<5f>hOG-nBgZk|G zHm)>$mXzTgcev}D0f*DT?T93UI4eYUN$X`Yl3nH~&H5&8X8rqTgv5j*sYo~a3eek4 zL!QseH%5tKCb3BlFx60cyz7!P)MAfu#?jpl52RUFm|2WUPuoCw_|)hd#SPnH9yD4> zT3YmuJ>W$Mt$fnO7qIaZAyRYHsAun*8G}SY!G<&+{3k5fo=aW>e(BO6{>=}egU<@^ zpv{Qd0gys9on?OD-glm5L$`M1tU*qqItn z5O~j0nF&2m&pPS_e;vToaJiO0L($IA)YV@S9dZ$b$HANfS^flWurNNTe*N$s(Z_%_ zOq=@L_1Si)n$TvfS#}JFl>NDH!9|ky+-*T)!lW>>;5is36Uzo$#6N>`+ni`s@A;Hw^DczH61M#2?Fc3!8n_0dcm95YyF8RJO`|B(TEGl;fHcF1E~?q0_+v zUX&;z1E=jRdWZbW48j>zmf(sR_J>CsYY%dLdY7sxuE;}kKO7;MM@v0S5y;&1JQ3Fr zWtjR#fx#F(0y%d-9F;y{G@%7gPB<+Z^Q;Elo+4m6WKXSjL9oeb<<)#;F2}>ijah>? 
zJZOjbbzVrcrB{?8Qoh>7mLIhg-kodXxljUHIF%o^wd}>mc+!aFnGS~HVRY{N!Y~gj zy4{JVg!V`OOZ-rjitra%3$-cT?Sg1%dk zXEyRZEy@cRxk1lDe|L+V#+w#YjTimNhY&KjoOQzHz@_Y3IT01*dkCxcatZa-1&;9t zh+jv zwy&hPh5@Ng$*@N@zmtwlqV_RYF;Wx<2zRA8HA*D9Wg1l4!0-=)U|*#riEx*QhJb{5 zo1g(e9Vh$YduH%x&B&kvR!#m2V6c+jhsJ{Yaf&*w`cip%TP7Y8)U4bSrInH zji20P@{+oAObKQAgee)9-c$Qk&2#a-=VU5>yyDLPUo-drnA>MJQ1%Em)+JNUMK=v6II2*A5Yfe zvq>rCB!~&QR%tOmU~4?hFn0&u8afEadyQ9eO1^H{Bd*xT z`Pu-hv`w6wN+lPJ*BT#}+ty9WlqV$I`%~FCl1&c3LkOp5-W3li=#a{Q)+Fg>F^#lr$BmWE5#i3N3u7ggH%`CO9)3Mden~8DpwLx6*?sXSH1>BQOe2lP2Q~ z6`c`=kpYT(X30-E8o%P#GtOZ%Uf7{Yp;FEkeuSuwFtt+-==g<2~M zaAT)&b@4M$mPWZ**ii8_U-K({cxDAlGKe2fv=9~?{gi3L1aSw^pbir;OWkN~D590Q z7$I8>k~VH;z*SLu&kNpIN5GL@n-;u-m{){KM)Qz{8RVC+!CvmbRpe%oO5f0`d;cjg zC*Uw&q#=BHQaWo+MCIFaJ2?K@T9*Md2bVETM1x>6BON1yDH_4i4uuV6=cRB2Wq(4z z3uY)hN_68X{qZ+M0R*-xf74#|7x#~f3K$b$YUx#em z!#bDrJTiu>`WlHrPXEJtCbH7?b-L&qU38RG8eiP-$V}L(wCpFT$3*I3n(j09^8}@y z#Yh{Fa4KUeMsP>IQmjF957;S>LDgj;=^Mn+<`uUpwQu>kh1Sb`#g;@pIPSiR%6aZ+ znB6gn_;5~R)NrG+3@fq;ohED2ky4z6SVg5IE4m5XBhpbw9xt}iLrA;cSSj7?;Qmk(SSPEJ&Wk!D0L*6}n)sJhFfsBd4f$om9wCB(jFg6rH zG{n-R2mx;PWr!xmB%O|J8+dgssyxrn-izpxl!?=C{Jgwq`cfa1#vaQws+f*V2rE6t zs25dEhl6+YZyjTro)tl80?lF|D_ZI3W5Z<#0#qW|8QF?A9tPU`X{d|O7irSMTT$we>OR!3V%Y~T zawBEcunJmj4E6}KU{*CXq2N2jl(~Xbp{x>F+aLJCWMg*{n)T6ZP>d8JugY1f5#qgm z?BTnj!7tAGg`cg35aQ~Gw-D$rqgP^9E@oZ6s79SF!K;E)sS^Dvw0=WC>eJ2U((kXu z5^K38&sf~5h~zNW)qBzsh)xhYbP>dAJBy_Jz2{3)heCH|sC8WPSQ|a>fNa{O@FLHl zXUWE3FG#geQJrPzP1*-hgo)j19dC$WBhCxxvsJd&DBFq#l$C!)@rd&nCtEr}#3q{* z%9*yKSp!j}>MYTVFWHG$tsO$@Tu7=FjCk|CXFkzPxMmxm@wwIqAdH%_SWR0(>;8r~ zR2Vmy6FK;w#tp=J6ueco<*y+y^c6>OpGovjM@LP9MQd<>)nNz?f3xXe8A2H*r6$Rz z@+M@fDUpc&trrY5Rsu$Fi|L`xI_oZG}O>Y>ePGL4%rMz}< zwLRq^Bp7AKmjA-(JJ^*O8d?A!U{s}GQ*B9)5rKIdG1zM`O&FE5^ZN#9@L&aDUJo=<_M(i|gEOi^K#Hl$OF_qx;pbr(h7dH&Gz+8?reGI-vYFn5_T~EVXKcpF!+vPZVdF8?8~PxR3&+QRB(5V z=QE2P3)H$cVoCvY{#;HE&dfv$L`fR?R7o0(OD)@2^c(jC&7+{6bfrk*E}I^C)pB6j z?z`)2>nrJhfY{y0;J;oI*|~ zHk>zOXgk`=-wWP`OyylxReY|lMM8y55u$#4pV2&6FKB0tr*_{o99BJQliO0IZ_6@; 
z@Gs}V$t;`-A;Q0rHcVQ3Ep69Q?-EVSMvmDoSzdt6(=19CthueT?U*Y|qQE0uVK;J? z%d4vOE4znr@=Bj*IpE~_V&!#QOxFE|ztw3ZU3pEEm12KLnxp1=(8Ou4xvRf81jx(Ic6>oSmSvr z*ECq+d30!BLjo^q2t4vfsI3;B##-+K?}N%2-S$3r;R_g^WEoF1U|#~~RsS3F{#8)4 z5?u=ajLl5QObklDyw>)4r%TkP_3qPbUjnyGuM2gqr#>%5vHmXwsh1lz1q9%M0UPx2 z)RPOGM@Y(FN6?iy(+pJpcEjx%vkWUAi0h=ByC_o?I@lmRlUUXds~=>wRUBejr}=sP zang*HQ&^95rS}rvLG$ld6d!DGwhRK!dVG-^1u+Y<%n=~OWFs>sD!~M0fM7APGZG$U z_4kbX6W*>rre{>jX^SaahP;9c=>}4zzeCXzy|z*IWp45L9~nAbB@3+-jZz3xDZ8@| zv9CXZl1l@U7-!R!Pz_2qrO#%Ww;sY@vUF>#X(dt`8$&d}bO`zf1>DVvi(#B<<;^Jw zts&i4B7srD8-_{!_5Lthbb;#UaQSjhyO zf5DHNvkmaAXSy0sG)WY-@f`5*vf(1(lKq~Bwkxn)WOad(>`BBsmH2*ee~(mG#wuvA zs7Q&mc2o(fa&F#$A~hENEIcC90_>Nz($q|(uZ52}{rVNB~8|VmU<}>TDYpoP~0+S5R-V#ciWKEJx*`aWJn_;e`57966sZ{3VXfiu`<}JWr zyccEmJlLzO%J3;G@aDj{TUhTl&1`Ej7#~|Ry3GB)Z!eqz>(=!4i8uOi1ZGnTy(SgW1-H6 zU`unCB5eR$|Sau zHzor21T|<{XwRERhDaB(pi7s-J5T*&BlvuVqsLx*Cem$y%S5j zV0u^p)LvGi6%Hd2OImJxzXlo%_APRLc`^LgAvLZ#H0&lhwHh}nm&+7|LKdBFy=Eob zHHm1##;erv-!tEBnD&rjKWv!+hy0;i@Jh9BIhZp|nsL2}_cS$KkUU#;ZLl!?b zLHSs=i2p2UP#S(S=axfe{uC?nvN3fw(?a5NUR@r|(@Eh8G$wdAFP|SHZ}hc!w6?3x zJ(V{-%=&3)1Csxs#4Rf=ujy%0GqN(O(#f!kA)*iY;_1qL>Nsb4WT#b<=v4_#Xo6IO zI9luFHMQd{7}}su7|*2J@-fWCaA|!okBX2x^FkM2=N|rdwqZJs8TgmY>=Mg zuAWF@_9~KOG1jkQqEvb-hqd@v2h(&Svxc~ZU;1Rxx_b;}9@O8?R@~Gsu-k2YJVJcb zv|fO(+ZBcgoe1lR)&G7DJ&XcFkBe^jmwBBQIh#aF#Xz;;*VeuTxh9N%StV>KFZ{G%Y2hnDshT?&aZZ5lQ>Q>I_7)y?cF8S7q<|N zzk>uUUg)(Pf`J*HTRLg(UWhq^0{w8C1S={|hK+2K*3$>b7*5_T%M9k{*$Vj(y=+SZ z(Qr8XD2~;)6Wz}Mhi(S!R^tJg5W;WxWAx2|bp=+)yIxSCs@)rFR z_K)MXJKidH75;nx9_?72fp$2U8qjvSqgWU{9$$F97eQCl?~&%3*gDnPr%_Rlf9-}R z&b;~ENsYgEDE9ECq^$+b5O^ePHW5)XnWtF5z|SzmY^!R4*m{F+WNj>+jG{#Lct)07 zqL@$eIiJpgSH2|5std6}*QZVA43)XOmWPY4`lWxJb8Kt8Tm&hC?W=xf-1>twtZ=hi z{)60#N%V_J%Gv4ba|vuc=QCj7Yv@8`=<2)w%6pAIkb>O0pul z#j&ep)$O=cX&<-1bNr?TfARY)$!m`Cyb!^xvDKVykA;fI9E_F*|ioMU(LL>4Rix62Ex>(9GLB9j$b+DAHEc88S=*{UfM zPG}{{S?k`pnSb+s-6(OfW{A=$a2?L8r3 zElBon7YsJzdRmP{9&yUz=AT|iVvN1B__dj+D3%wfTgd3$V_G~k5VeFZ3-3FJ+iu?oU-q-l=G1=A3`zJPuU?lp8@Wy+uoO|6LLv!xoB 
zr_^jsAdkuRgONcsAhg;7a0ThPZIAc_3N-reQ8mG5XRhEwb}kn*f}%)0ai6sL9pZpv zSGHPZXVlB9FfIN%%U_{mO>{|bRZkm62EFZoC`)2$pjYuiQI$PUswCv`{&F%d*9w+( zVbAgGlFy-x>4e%JW;Zy8tOaL3#CRjG9@lx9VKs>~b*?fa2S%9>JUs zv-WecyYwQGk62GcrXp;@hTf%Q)Y6%Xk^gmdEMXdoHn5z{JS=!bn@yW^VqTAh8y*XA z7YK+mjq7siXFXi0_n|%_kSr!{g5WZenn;>nHU2i;IOJh!}(jFdjZaY0_xozITW1@qd%m%R}|jESebU zp{#`hdpb0;-L6K3xI^A6-uvn={Ujj}_G9fU2PxL+T8(IJP5iAX*@sLJddezR4S_Ez z*VrT3)cp9R4QTP&y&KW>l$yLaE4a@{5Ml4(aDgi%)5|a@<~7W-Eyj@CJvX>5NlcQD zKhu=7T4zk!ovJx66n|7{b209x;hh|54c#n+*6+M*n5%dL^e`bPS7eO6)#Mzk*YOuz zcQrzEO*d-}lN~w=*?KpW-#U2m5vyN%;Pk%YjMqKxM*Po=!+WPLK7xbD@*i`I`m3)OIVJ5$q~?2_~Y;6Tp%}stT}xzq$dTFXum&pb0a%ss4u3D zo$&hDjZ)h^E$ep16%A*98PYTVLvC*;p}#)_4(N6@B+^5Ls$eJeT)`$0GwNgf+vPnq z8I2F;DTNp7bQswSIQ;l6y$#&ua(5UZDV}s@vA(`=!KA_jqnbK9ol%NQA`lV}y$_W5 z_`HVq0x~^SWfv$hIW;jpQKSiJ76ZPGb@?V*E_O^g8JkK_N~8E`SefaMh`EcR6&juv zB!u&5O;MWCY~d6#oiQ<}yJ8V7Pb|z9N~-10$~QiA1!_lLmJlDNXIVKd6*X%}TXdBY zLQ}|XsBdNQF6;&BKJCTt_oQb%k*qTAVl36O7ll?l{V|!-GHj18<5m za7EwqfR(&CiA<|T6x-E3MxMBj5OAHU$n zE)YdmCFttg3RpE-ZNa3n#Bd6)X~3yjLUXkcvL<|c%%Px~gSlSWCv8QruAa+i9@-Zl z^QMsk<~PeRj2}B!AiHNKzzc)H?N{|Fbw@>8)8TFd&&s{(OZ;M44AueLq`T|66B3th7S0Y zgdL7?=yo9{B|7Ihc%C=0d4oYn8~fU*d+S}()fxW4E!o}Fu*r`c{UXWcp+$V##B)n$zBLJYf} zwZEZpGN;^^?2vgnO?xCkWU!Jw%9?s`fc>!0D~BUlhZT=Ao6SL$n=Q*Em!c{&5?m`f zEf1{hzzDNZ#u3&;CO+<OO*smTXg(!)@Xs>qx$wKXWj^u;($ic@9bx%P?nW87bHrx1q_Fth1qZ`$+f6s1C-X|Z)k#EbBeLW2?x$ogN z7QiliBkiES%U1+ve>0G$(2xF$gmXpYiRT>Irkn5pjwdrWnv_`+EdWOidSCuAF za}{Yq+!_&abbn>H2M#Muu%uL<<=+*(prm``<)VVgr=f;PL*xIK-DddDvXGZ2}QiA+4GpB&nFX0kAV7x>cO*Xb{YPSgAY zyXncmX%$$1!A5z_RfL^|?t=;Q`nyTG7~nL89g^nXE?Mdi8bY5S{F92KBeEcr2F5l? zZgTXyE`#@}Q%n^}Jhx?iQq!p6v>GK5URNeEY1os{MKo>exSf)j0rzvBpI>e8$HxC? 
zICS0NmZY0aHB>QStg!~QVgbF+OLxd4d4aSv@h!@RR-Pp+|H#U_H)p=}R zCeht_Qd-{AEVE}IAu_Tr?W1{W=(nNUE9jsSl<#0sf*3m_#cHHZ$_-GOXSLH4!plY` zZG?FYq#de8zG?sRktJR87%ML%pUrC*;VXseq%$t>JnLkoWxa%I^xqG3XiK_$LC@2j zb>yAh z`*)LfCG?(plFC2F#UR2bb>NQ0`|TLapiJpzdY1)K~W$eRoZxxETnxnDh@+6oH(mzcNo|lN{1hvyb9$u zVx=6x8bP7E(@*K+m_2KFXN&C0CNbJRb=9RIdctHq*Q6W)uj07xFTj_a+#kT4QW`WQRp{)pW3lp zVb2XaiM-_=81hb=iq2hg96Ui+nFMbzZ0IcGR#19BZli%ruEa#Eo7590_>x_uKzhTZ z!PGhbC`SI0nfVHw#;-8VGJY#E(pno5FO@i!R|jgyO6LoxSz%7Qgda2746pr?VZUG) zp{wZ#teF$lCEbFjQcdDEId_fM(<}%-OQOGCO{VsN8rv1Wh0;0{H*T##5oS**>IW?H zT)TH$tmvL@iQrW3L3uOtt>h4JZ>L9cx{v~?O2aPj;6&MJglXt76T~IsdD#Sw4Cd~` zk(k15LBngS0TZdbAO!ss+6=RF63mY^Fb5qvBnPLmT)_Q;FHs_6;sz=y~m0l+M)YXTywazSjpE zS{KEmL5S}98s%1pRc#bqQc4dGAoTnvs`8xcB~aUMseHz+jxD+}>Vd&+;_TiLrlWb{ zF(+~KO)AWR?pv{u!RElpi`b$nQ>JwLIVD|aw-lem!&ESQX3@PxdOUIXl(#9R?Sb#?zq2mqvj&8BP!vhCki)Lt6fawGSiF9wYS_edTqT^BxQO20=P|sc>h+bPO$*o4 z@}6+MndXRO5C2fRt5q-|U}{z6Du~e8S^4;2M@^ zgPac?nvFt<#m!F*%dZ5jU9y;vq4evVF{SDedOlrt5&2+fZlQ$KPXId3@{j>;vv6g= zV%yF>CP|{hz^4T&MMnvrdtontU5+=-P#O57duHi<(86mB0k}cp4_Tx!n$-a1T)&GC zD>9|r7_=AdDh=jqI1maX{HCdE^B(KK>mj{=y&7s1!!SBnvR!U8oT^nPeD#)UGhn(C z0L|B|5rZQM_1$`;lxH2c<|yjB$Hu)CoDMi{OtD6x1VmTFc7IQ4)R?eP?U}3vp_8>z znH%lKPY6$fOD!O@<1~MjcrcyJ>@0}BJAZz3F+zn=o9|%1=WkOG`h1c%ztu3;%WN)= zNG6_$nmVK#+Y=3?XOp7ww(u{jNXSzw;Xd$)vrv z0p6lU#>14b#E!I}*(6@wI6RJtnUL91&m?!6kEKW{%wS2~_Gw`UurA7nvB# zWIhQsiwQ#_U`V)1r&jIv=cP#^TPUcA-)c;J?$uGwmi{*dbV3kM^6W)q}qSDQ8S zq}dsggsi>$+hG2^9_6+goYMS~k+&dg0uOWaZQc#8O-JWAi3hq@9wAV3DRG6F*Etgt z3i%GYzng7UDY(3_T-E0ze<-z@LMHln|FeUKc8Tek!G-BahGv>W-e!2$2qZhS>`HoS z&k1h$(@a23{rgdnY=dFY4T}e(7#H0Z*B?jD&!eU~g<0Q*hdkVm!a&PltnI(chB4WK zLs69h)e)i&P%ww;2cCU@Cg>a#vkFqGVP>uPunOB@Z!dnoxmoP~Ofd1`-OiO8#y?H% zD=g|QQlG3w`GqTr*4Dp%Jgum25%H7rj=@IjvS+!^Q>Zrl_j0E>{&Cvg1)UaMMDV9R zs##4)RDqGk?TMzU{H~>i0KzxJ3$ykGPn_k6iHq~1YL1;ob!(*5e1AyLA)`v^*HzG= zqij9E)zE8EYikyE7|y*z^f8G8Ds{+)sLFi<4=9+Xmi|i1NbB_Y0$*nn*(t7xfk$2C z!%$klJGxHZP36SPdA(!kb_=81hhqMQx)tZ>*sD>aRYdV&wVQJ@#AZp75u3#kHK*5+dTo=IF*^B 
zgwq6eb@Axw+5xuM8$}TB^RJ%tf2Os@vJFgSu5@9z0020R6rD`$3l2v&{Ny;7u6RK+Wh7)=6tjBxo3%?sTS)Jlq`#t+$A{2xf~V*%h&4@hcEhj6;Wm%rNXhZUkSyl;(oTn% zf2uFnMk9{qQ$qhvTc>icwU@Jx12xx^#`2do6yLd$$LY%{J_wunFBsF_@=3@{b!$a^ zuf2E#Dd)kzeGHloj*2eo`o3VOz^iso}kQ_hsKL<+ZDU<*}RS(;V*fCzkNUf zSqIF=B>3T=PZ;>BXlKQHwdYvt#c%K{=JQww5+n5c;DG#e04Ny7JB0OfuXWSQ93{R0 z3ff5W0Z8~NKa&gU1Sdg2>ur!q1AcZ*+VoYBujG0JNRBU`zQh2y>A@1$C10qGW5_W0 zkDgy|{7@jD^~!Ap4u~g2vB~C0=Fc}EMc1_W>2)*P+40NRPnU@5wiXayv_bZ4K9d~C z*qLghN8ldB+&+hBF3&u>wTByKbx3M7El&p4lePmhOe&oE-W&`4)h{?A$n6*JN^#z1 zpBQeCWPmgt0F38zwD-dbkn@Pjgrs1;5%1uRT9^GHfuf3C4GEjdt2ES?MqfAEG7zm7 z=S1KSIqz+j0vtD>7aB7zl&w;`w{r|4_^@Z3T3_FE41&xQvmyX;!n#S0?-0?W1NoOK z7k;fq2dS`5CJHnOKs}gdzCo8@3sGaplqi<+C(k*FRGfqe2e9HLRQXw z9liw)>^Yenw$OgI#2(#M8zhQyYR}r%$=bsQWarKUrKT^r8m&?mY)}T z4Bl4=xOkNp(QXoRBR6~hfb{04ORHhTFi(2n=P~k`CqvJ2zfVX#GkM(L|8%!e+%HK! z>{*WVmNLuF*uN*&pZ@|@)5m8oq^Sf+BIh4DT{V@U5h5nBU;iX~tl>yPX>ynM z)=J24(+#>GDY>GKYhe8ThdmevGU|J7P&0QheAJs(CweM|nqmVg!8IslQDtEj$S&&n zczSx>yfMsTtJC6JOYIKz6Tk%PAmE53yV$>Lf6v&8?L0YDshB=?0f*YltBq*g)G0{( zM8d-=91)Q0y9^w17cny*Wm9o_i1!EzQK=^@H$qMc2T@LCP9a~GS`Y;m+yF&)-s}ZR zm2vjtr=K3c&_)1VCb<0>A%@L9)YjL+E~&B(q+8JJ9#FD5Rv*Pf2}`XW#;Qf0&d}k8 zQT_z(bLTnh_gLaH!Sjn==QaPfsalwus>tdr-NGh7UoIO7q**Zj=r&bc)_JU5Eajvi zrLqWuJ70V=EG};VtOz*Qd=?+u>ew6j^$=ZUdKT}0+Jh*{CisgzUQ`5!d>6>3?S>(e z5Cxqhw?Jew>MIDeW?D4uh5!jiVVWNz`s?dkB@7wNRK4kom7;|XhxbbC*|C>uapUa* zE$k=`2w|V)$11Jrm#xEM^bku?J-g z_3)-!Wd0L(N@Q1SE2PAWP{s3J@Wclq?Y5t8GnK%}S`B(2OoQ;=AG5|$a29K#l>U>z z_m`mWb0r>TSE%1aM}&m7@5QA6{ z{f#Z$0`&?N;Cj5TUxCYsRHK}rnMlS7kSA64bkIBB9d;$IE|`xROrVO%{^7B&KcOqm zA8;Fa761}*n&RB5tRDA6av&BCYRJKMOim`$-W(Z+eAd4dyAr5kd^uG;QgdbhEf;cf zVYjT)jKKDpo3NOrTjNuqDL(TL-EERfg`6EyLf^s&zUo=$on`Dc(Jac*M-bj5xV5wR zq)M04-!vH1Sc;I2t-o;SJ0mVrOf6{=^QNA5p^sfa+-uAFO|83CF*_LN3nFGOH=%Gh zd?!%wshZv!ekx{Y`b$Wuq7IM=hHzz1L$Gc=al(x(PVH(O=|Jt9XVuzZ=?_WQx= z2&TMFm}3DIrT}7y)d~ntZ)i9W#x_!PWshG#r%xo4r8mdn)IndNYy=%S)#g){rwF6R zXMLvfkhG~`J)9rCJ5q&nAV^-LHGC|@217wvSuV2puRD^9hvBm6;fx;sCymhfA2_4*P?PU7)tf&7 
zoM_>ecFTU-9=S~3XE*G#zp79%)^q#9EaA;jntWuyenwd8p#!JcH0@(a2q0AshF#YY zG6vX4O)#&aciU_J_ckRObDf=%Dn{wyYo^fNYumZ_U@h#7Yjw=NUoAC4g_;f@7gq5* z8ljjWC#%l4Zzj$Jr7>FCnC=^rRlSCOi94YK^}~Wn5v!JwBi7}6bjt^^6{{lHB@KZR zLDAa>krwP}Rd&8G_7OZ6bjY=k&j$XoA-1U%f2DS|L-r@k*4{yE>jEq9nc+sVI`hOd zTm*Xs?gx>(&FmRD`}92rJ{Dk-pDw}euIL}cUO4wXyL9(a6FbrNe>97M$(HZkwfx z^sM}*&d`G%jgm3;vO8$4@`MIYN;;f|_rjbC)s^qwpX7GR@y3?T$P{u&LYfMAB!M#_ zF~=*sK&&V%vpSzt$o`Q;x2@b;tvi45Zo6EpNR+24fC?4Q>iT~+*eUQrDm8C*D|86KRa*I1I_|A-w7 z(_Yqm@hX=(DSdqETb+jvXNdy|rSU|noEE!svXvC+aT_abtEq~GFkMom$_J;e7WhM- z0rQa@az`&KNGR4qDwW}7&aL*LvDm}H=pb;lot4vR$mIV1?Z>lv%d)#k%Pagth2z|R z$U{loswHn6uIzfxr0MC`UUUifFuQ2kE~MqV`o(B@W>)~MPMnTFK!rizLE|1Rk6KRD={nN1bsW=}m zrhVxTRO?T?`ZqjK%;?&^OOQUXqUvynCd!`Cc~uy#@Qk?*YWBQpTEk%TvN|Kxs`io& zlg~LW1Jpun{O3~+bO_HS--3~11;f3%xl;8+83)JN6T05YMyBAYL%3-We(KUUbs!tm zwcl;Mj!6;C)Go`WdbzLm83#}LaY=bwb;}D9(x!54@I}}oyR-T|O)5Cgaq)*-@~pYj zt!Nc(HM=g$Zi-be)JEjDYum&8cSO8)_jMt_g|jEa{aMWNca4BhjO*!9@!c^+h0vRWIVxMs14>y7RF^W%-T7Qym@ zy{)HnEpYRh3v0__!V0w^R00TS`}?KT6KBD?|=Q6PgGP7TNp!|*3y*}~a< zW=J%sBOYLvHGTpbk%4&E4al&dF3{BYK>$fW$m<8zv;bFdi1@vGuk9Y-GY)kNmy(L# z%_uFq=LZA$G8xpkp0-|Ihg&b!C*@z#Wvd*fe!K6y;GFHhl72(leP^LFzy}}8I&O-qCl`p<@*h&O!L8=(dpneKSdQn0j5wTSTRb=@f*zCgwcJZ+MKHB5s zRPe5rx^TK9b7N}^M-*twF8L(`GB#RqVg*Pef&k6uRSI-0kwIyBgIz-59;*sLtB!@A zz`aGTQz@wL%kDRC&l*dgC)&f8!CPx>r~Y%^616du_UVJ3^7q>X$KdXT2cX5gK+wd> zgngR-A_<-(vJfW_cv4Pl;1jf!DVKcbsliuXJc51*ial{4mNtW8_bO^XfO4~yo^7Z& z(*e|1cR=0z@~-Mn=V@Dj2h9Lz^f@>n?$v_V82GmHq5UMtBA9_!NbC+gz!HN}PGV*t zeSrt8W1SIua3nV<*Z%=Uh{SBxo-?Qn{~?vBKtJk;4{VZ&0-L+0Yxx%;(eJ_*&#OlL zptf}k(FNb~{f75i@AK)T3a&2IecSKS?cT2hiFHNI%@5O8W+^DAgWN_kXu$jbloyzn zdqy1e4gBFASIz;^_+2oFTzT3~>$MqqZ zGObDUW@qezW2%6?xv>O%j=`*}-|n}G*@E)+U%zS-^93)Wkk>4y25Mz14z^8D>%X4X zERY=Cj%VTz)p&D}ORqTQ=-sVP=dOd0*=wHfprlU*es9z8RA|H*nD(`U0`2p>iT3Eb zcrG`hq6>V_PWxAYvI&m>H*?nil0<+fI(0V~3!|9uf*htDLfbptB*pWRvD-!PA_ zm(2>R$Hj>1%md8-8=v`aT$=yCzGVLOr|r4X7eC*o@JfWyO>xanO4&-eX8isD)^>q2 zZI`dBM>#$5)9Vjw&eLf8890{lKuO^7UBFhX-#na}ES1-8wt0vL+R*(E#0^{kHV%ut 
z$x1Wk0AhiIps!NoB&ObNz65R{9M~28OW63ma%I2~Hv=v+GaY`ms(-GA#l@qQjr$nfT))W8<0nLcnvCvjf#b?=j6&kzd) zWC~Ga3Lg&H$$rz}mtx=H>)|EL->eqp2{!pe(`b{HTn=$v3R`p<6mQ1X#-4m>y9S)7 zNivCmf=k*d02-_h{@Sq^MS63G%l#v;T4?vc`m9BtASAtN028n~Qezxn%!rj9{&Gi)&28)5^lM6WsJF7Ld_R9a;> zyZW_V2F!$8q?dn)D7L2RX#?Yz<|HHwci{iN$JI1uQGd*Wh=9tjRywoWGd8W_d@fKp$3n|_m2 zw_My|>pVFTWVf|jzZeit!v3tMbe|;-mgE>sSWg*bv30C5x@!~H7OHty zNWXnDC%qlN!+v}MKDx9YJ3q%0Kb7?oe)h$HHGsZx-~qJQUkNNOq1OwrSFc#hAHQyO z0iGR2HC)uBgz@g3-@CzJLtirR>%_i*_KG+m7{KaH{juPpgaU0WU)`J13yMd3Kzd&X z1quz=cSa8y1I_@H(MI0>`T8|xU>xQ97c@?=MrCGGYPWxT#}6LLetxUr^PLM_=m|IC ztNKk`+Ep0e7J2}7za;~qpFdgFtoVpZF(T zDGABK(`_oCCHfXk3^o>m#Yz(Qr)Mc!6Y+YTGSK_;xeVBCk0LughwFr=vSc{|bm!ff z?Kba-M}0fz{$ksE0Gu*38YL}yUla>s*VlejuDC7IocjR1d}3y8vtYIiwZx9;ieKdxl0FTQj%~yW z+&(vYYC|x)clz(m7ys$QC8r!Ah;2bta%EZOzPFU*7RG;MFIMtG#P!HVd1~sVZTTXr zGBbiJFhfwqw!?mC=R|qi{rj_nzrmd__t8ILeX4)Wp8dB#=6@(YXtfBjGkvRWHXk=$mpQesGz8@v&G7vsEv_q^zS00qZz3g zX;xRiUW~b3kGpvLeVS}<-Mu}lYdTqJ;dvHvwK`Uj@AQ8(vU&>M%*1>9@L>f~9u6iR z2#_BL3|fbL-Ld`soj|$2QlG6{r}{czz9dkjNq(;4TB0)(iv715OdNi;p2%g^C7|~1 zLmH(OVM<|nUgcWdU(-2Fl>*gj%wEnX9`3sv$_+yN3i=4%a+)yo?HGPCpb4QkmB)1< z{l@80>t4>-Oci?W_JPWA10IZCP8Ze;5{Ee5BbzZ!jNYNz66Mfvxi3M)FElojc z>MYMSee`Iz6`zy#I;*kNhVStdB047CI|R=UwzL~l3X~~g*9$VA=d0S)a%YQF$%aQq zziFun$$g$Jsa-n-25HB^edo72F*d&N-aw$5r7*?;)|&zD4Ij2lGp0vG#)xdR2zo1Q zJx)$AcYCp`97D)f;CZrEx0~(r?&;z7iny=#%hds7+-2-LpXKpNi)M)iHHo-y^EVDt zlY_a+^1+@+9NO*87>?8+L=<_$x^!_r$ivwnW!;RLh*JBPtAbB6MbqWF92r8cMMoX? 
z$C}MfU@?c&jqcCh0(J`;zf;-Dmj_}=@^^JhHRVnuY$mC^pKf;x6%yV+D6vFOB^&Bk zbSg?lI65Ed+8(c$nGfboeC*w{31f&jQj=&E$`Vf?hgF(2X5BUkVB+PN>W;g2Yu>vQ zW1gjnD3rdZ-8T03uJ`|%MkqX2a4IX2D#-;LGRb|8YNt}|L&Tls2a5Ov`9Dp|9?VyB z*e^GxnEKz!HTgYW&67$+THPG4ekj4&^j!DTt=xtqJoxo#rY_BTBAYEi^gNQi^Rx$j zy2H2HY}(Y z3>vZ1FmEzrj@i5L)CSv((X2G!6MBMe?d;_zj6c1vAGE)93_gowpi1$(S=H@r9_#M$ zFMehea2#fKlyxAb^oQkM5SCpa9ID7_sRG1e6*ylsWW9U(uA0fLQ19jxGs;^&wWsu0 z0H3e8PJBvl*~L*H&&^Y&?sG>76?)?!c)Oi^1;N)2MWMcFK=K9}?>9Vj*-lchx*x}+ zZ3@PbU4DOn9kK(wv#9vrKYl8&Lfn&Gc76}Dw;tizuU^~aZ>@|*PrD>6k=eV2s*B&s zBH@mBHLZHg*aLH4uaYgQUujHwV8hv`&^{r4Z-Gwoc72dCfYtK%wj2QBTXd|NXugb!hUyds4x(+AZDU zGj2&l#>3K7QQzxDYtn4ox9|2`H&KegL8pZm&Sc@W|GKGKFQ=6)tJ|-m8!N)v#2we# zZ2qkWsS(Zga9v7^EG4Upmj*QP32()sdDN@o9oY|G&6{$#AIwh4O9B=|6~4RUYR+(e z{{vx(MsDym@qN?JG`$EcidjgJ7ILP~af^YIUBVi3hA>liz-6KN;ap`s+l%Q@4O-$| z57HQ^(k|7!PB@{p8v9N_adpxqK-O#!qKDYNRx&)Z<7jx1W3cdI8H?)mMYwtYu?{__m_mo{HZ4dT{LSiM{?o@DleXc=g$IJwjy3mj}u z9G*18Mfu;3xc%*Xx#`tf&p0Q~%SG_%I{zO}H~Y`kpxFrfv6le|Q8v_!jRH3e-CBHV z@Dnfx9<{~w->y&T(EwM-s|~KqzqC)C%uYjsC9-@M{n9s!ys5i79iTU{nKA#J0?z+- z;D5&bKYjLz0xkwxxu2c_x657ofJH}wX0mrcr=F((#lf$nbe{>PUn$@I-md3;` z^2J%29H;z~a$3xfR=w}@<&2JRre!~;GLmOC*k?4@75a)gr=sy8=+B~?KgD9`w^+ro z8aK%QWjAHwiy=zwElWw(^nboK%kCVE*s>nEv>Yi^$wkl{9h7<+Z2+4E?0gK{R-{C} zCJRrhANmvgFEhC{;0;F;=7XvSqn5O=Ksl3rSz7YJ+h|#Z$k@}5t3E3#`wx%AI2>lx z4GyfubBjz%t@beYahiPr_v~+%(rpSYUp2>w(461PGY)bX(1%#Fe&ZvdLD6NVy=rS{ zWg`(!;~Y(+x#hN;IM)X=QsC{}hJw%5&$mXA>U`sp=Td(E9$z~U09JWoInq58inp_* z9*`nK_9127knd|9nUhcKY4F_LmZ?QiQ%|RarRk#WpypI|rTHxIp3XuSHH$6Y3$=aL zXKI6Q8q6ao-w8S6vAm8>arrogrdhbqSbP0!R3j^X3NF#Ch~%j8NTeY{?VbKm?n~T8 z(BT$FZkV4rdkN*optVl4C8G$)Y|yBB^eV}0Hgvx|8d~LNoSSU6drjhb;ICON&9r!5 zd1BFjz&Dl6W*tPdb~8BkHGEA|tjg*ZGn(%kW4gLpd26!vmGtA^93G35YHB;Skq6hd z$9dLL!?KcJmB!$ZkC<{7yJ;RB;qU7$aQ3g}RrEVBH-QylFH=Qu#MAkt`tDf!-SKL@ z+Aqs3{IMLS=jGNacGLS+;>T9LjbKL8g1{r=Tnpfj78VvmCQq;)an^N}A4K-6E_bRK z43=oSH{gXfQbfL3T%>d5=Tg^vHoy|imzeD~`Y+J#vL#Kq5)NC&m6cg$#H%xmC(%1% z$Is2VsKlMunKn>t({@s>pQm!K8_v(9v8RO>MtdK2nEi5R6MIf)UJb}$u8z;BdfF09 
zX%91QwRoRVZHl&FneJq`nKTRyeNz>k9;A73N0>aWmBo{``m7sx<}5 zz#=Hn|IXRfu@>!MTAf#6P%kf@$;q+=NnIUD{nl@C$-rSkXwQYQ)k$Z2T5M$Xv3%$j zp+uT=#3PQ#1#(HDQM~yjhphJ7PPs+yGZHa-u(7i|`X6i1 zs6N{oF_k|&KF5avFa0^*XusE_E{NIJNn5MW5t;@JL*pX=Wv?)_XgVkWDiPyPwxjp!7G7y_`5J<*=x7 z&{Rb)yE-X8RQtI9eD=d4qXR<`wNkdqB7jL*4)X$vP0Dfj(frjHSg)6Jx_i|u;S`8H1LaA91Ttf9bosb9nhSuca~ zbED4)e9CWG!=~6I*EGc(rTU%3-Z6)&8ai5H8wAUyk zwESkrMjXEcoSs;-Cc@ABRbDpODGc}fXG1K6;2yONiC@V6@qO;w=ahFNDeF(UTV8f( z2^c>Z9Uu5V#5?MFm-myBrmz(`q)=M1O`6dE=y7x<8sU7l)qw2j#PDrAS3#>~IKD~{ z*%=TM{{d0@u4;yJ;+mlxdlupQqO}QrCL<+)y{=GiwMey~u|8 zA6HNySIu;!xAOMmS^ahcG+FlCdgyKITw<}oY{K}8$K=hAHPX%r)3V1ZvNSgKKgxuu zo3|Ik!8_${1>!wD&Z@st5<{3%udVHugTL9{WO3_uBCzeDgL*XbEpQ0_hOy`lhlT}= zoO;JJtn)qAV^?K%{Kx?lKU1`r)F7_Pt52;_ntHK#AXNofj>x^kPdYD*c{lRTa(m@2 zWm|(|dpUWXh&AcVgt(aX){wBmh)wx1L43Us{qIb8`|GfQp;D)m=1#v2@P-mZX&1U8=wd6SJR1wkb;=dN;N$JEgZ1DOv*w#< zKHJ&vY>636NIX2h(APV|v3qeTk?Gm>O2I>uPMo{p2-@>Nvo|M9xM4r|9Sr(N~F zcyMtReu9Ai2Hy7Kt~W~k+sq4mw?ApTc=^Ic;9smtcg~CZNUQ(ihW>9q@4v2E_p29Y zkviS%|JzyoA202H+`RufhyV9YJONL>i$LsbF;}5KmAbu^nLNVYs$$}QyJHgrCRSol zN4*B(Jvv%i8TR(eX~14o7&N@=cz*KHZ*j5w_12oxd;miqzze?`{Xx4DPcT}8k>Fhl zzR%xOe(B;mDhw_kU699Fe%N3&EVdSCn< zPLOyawjaBVB@Njkzzw&bAuNx>I_uP_W;yc0QcP94m+InoEF+0K8z( zOO8r-Jt6U20fxRgL_Y!AE`o08p#=#h)2n_RPG+#}mNe2Zj0(9A^CIQ8hy)^LR={?W z@_pWhN%wQQ2$O^$Uwe*3>m(IjmGAu4pQ(l%Fz+unRbxX^tYvpF(xLXm z?sygp0gH}y?ly;ZnYL2A$gyAsw`DY|F+{t+#-QQzbgQSM_uYPRp=qc8fwa^%mdFvO z_fCrLrD!^jb-WP}<1#Pw#}Mh}N}sYfZy>Zl!^!AOJAA*8SA7>bZkBnM%F3ji%KH9H z{&dafM9iL57Vd?uF`0I>@j9#sR${}B>L=!Ukl@AsrkiV5ICk7x3El1G?+no<%u>>{ z*-X(8fcqYoY^zg5PTE{4h&1l6|21eVd@9bmBrQ}0&+*>pYUiG4EcYTb=C#1oin1S6gf!F%c{D>*b%NmmBTf?}2?* z1dR~)yA$M?9XDKpVD07vblCnWOZg!Y&{5^%?D=o0Va6KO$nWaUcuc*|Mi7eIb59t$ zdn=Jy)AQ4PE3n@8A=P1m98bqTL$Ic=Bxj0Ljhh@+U$9MMs1e)3N#}D1T51z(KHIo4 zu!WiXB5kO$%zVn{+)viT3`RDAmFxi!FQ>JG_(qGVJUR6FQY{AKr|V@$V}R_;wfJuU z0LmGYj9>fgh1o5GBPdpYWlZ|-kzq~R-Ld^j2iWJ~SQOvc7Mz!UecFl#IH-+18=GOH z8vyK@*nMI|{XBleaM)k_?7?J#-AxYs!iIr 
zE9%F;N{6Az8Oj>NuPyy?@FmMr$>3f*PLc#zg~cF+=Qn_S$QjmcG;dt&KsqERvl&Wf zt4&RPN;mksihZW!h=!pNlR0AWlSfrN0N6weJBr{uk+2JZ9<6f@!;B{igQn&=^JwMTb{xg+dKccg zG?;Da4y+rre{nAb-u093AEO)S{2FNg6*5?*Da&5!=b3sjp6y0k^ZJ5e%Xtqv$B>q~ zSYcj^*c}t?QfVKOIBX`0?BV+1R1VMjW<4OlBe!3u@LkIEj-;SK=3v5BZwssi5w<(S zClB~Y``ZTHMN{QY(4Of^LjiAK1UtDAZ>HC26GZb;|Mg-^RABlolafN`Zfeoz_<|`y zvEl_cQSCv6*2t;<09Hl$Z}@J3j{S5Q5rV1dx>2rJadevRj6aewFeq8}RvjCE{O!vA zc-*|~o}6?D!2J!?fH(-{jhCdF$Uk29s7&Deb@|OyyqAzoId9||=O6#{uW4Og!BM0c zrCn7V;GQ-k28?ujY*N(;+BFY`jdrE&>InFZKc+psZSMpqy*7fl0hIHLo#xAoT_kWe zn)<}|^^*V8jRst=R3oMZ-&=)%tt)rx{8kdET!LX+4E>!V*h10=?HYV5%+mx&ktuZv&8eXFn1>2J=!>Q@Xe~{ z#M8#xJ-NfmLfth2r4(W58f-ccUUhHIhy0JcX-r;w!TtK5FJ zdLSF{Ij#UWaF_?+@602Dsj>Lb?i??iar0hq_935*21EPBsIHCk^Pr+IO`}wB;Z5dab=^rDuxfEG!hj=xzV2X@6Qw`46vC;*eRzoe04Sp z1RG?aa2I#gw1A}}#)8hqN%m}&!KXE|@PiwbO>5JhU7U>%V$Tm3`C@tIfcb}Q35#QS z2R)Mg`1QiU2-$R0%05(Qms=r%3k1W}Ejek!buAlR=}RqL^pM|u96itmz_2(4?`JKq zirkBRhVxCm$w_DCVjSpaH;jH(D&i1&Tp`S+R@#sygmH?xqGm-7YQ zXFl69^0Bfg!U>c6bm%kg09!F=(a0|1M;N_ODWfQAj$WX(vDG&*Zd3#k%33Vq zuw&q0o`-){7v856O8_g)Ocf~MwIkPmE1m|9?fs>Oa(13p;rfaQ3_0pvjlxmIkhiT| zPPYBU2!M&baJ!U{v><+uoz9iDo9EHR^Qu{3rnJ^^@~0H@cd)Fq{J!}?wO}kN>~=Tj zFfs(+L=s*e96S`BYnE{x%d|+`o;Zc!JuWyaZzDl1I{MJT)OIm0Lb?X0LwklaE8dI^ z#YUnCM@?qZ@Isua4}(cgro-nf5jC*Tr$_egg@(pW5w`Ht6631J3M;mqKlP?VS0Wz4 z3kFtg*m$B&tFQus0*cMD&wl_SQQKMSqa&dF(Ko$(L$i^N+q*yW$*_1aAmS`)`OO7uA{Uh$W(6tPh68N^tGe!u{ym66_yZkko`hUZaiMRoN~~3ViSI#)X&!fhmn`S znOEvOCT@f`IwWHRw@W+Q_Xjw?ip{fofy0#cCA&9(z8?+t#j)Lt+Zry$XD#jPjn%+o z&koD=nUT7)6f{0oujCf^Q*nWi5jhsKYI;uMR*97Oqr0x_0Fjkug^tdIn^b}-gtL

      _O=8i^{&8By9gl(QVC{-bGyNy@b&H3roM^zED3F2%4g3o@lq)`&|ABrYK80Ppngl2-QlmD20GyYWTG}J3D#C_a3lK&$f$0a{95?cc<>ke?T+OkD*4jN;i z;@n^pS~QEFh_^k1I@~z>$?Km%0o{cJMAqXwEy0SkiC~En-nDViO|PrO8bPw`FWY%F zV_l;V1gdOyCa>TaE5H4~;1svM22}I(u}Eu6mw300>-@i6p``e!R$zvhQ5w0JcZJa@ z=d&^BB!Qg|((>p5!$*2hZTl@PV|z4DxSLN`EmQHidYhjZllZ zth*thdlQDB=kOva*OWOUz0ZGF`3L%CQ-~AQi~U;5Ni9?GJ-RsUZt{LxSA|KkNIxk~ zmu9@7mqjWSmIa#cJe_Zaoown>DFW@Q(Yov^UAQPQZD%14n1WE6CF#NSs;4P|Y?Vw( z*1%8gp_*nI>3oto+`JGtgn60}_&?69%&c5JnOF~JsJNT4s4f$nmGfdZEBSNePkR1( z538-7^M2ho6sW6&wI5%TRRw8F#pTH4_PSExH%p+>I^gt-J9kfzMIa#Mu+3SmbSCT} zdEz;biYOsb(^oO7*uWuuk)yI3eB)DL5U-b%i$mgx_hhg_*US>k65$i(nTFQkosD#u zf`9;JV0U($DjD(iTy;;oyFGi)BNE`H=6i>4*5+fRTtMU>s2plrhaJFgkDkbG9Dev7 zkDBfMeYDJyavGsi6V#!bZ=m&WODWqK`*HIY7F(Y;{hAbz!{_r0zkYE#%8OBHlg*q5 z$XadwRlm=dzn;&kpmn3O!j3EPa#mEu+S zVZj~2aH5`7E>~2|^j>HKCT|4}G9(nbPM?V{j>@Iu&AdXXj6npS7j@P55Z4XaB603C zYvG!wBcyQ>`wZ9p9HX&iLbak-)JJ<0b3d~+2scOeQNC^CEA@&f^7FJ{_$JT^I{_)PH+>&o zjF2e9L>xA0Oe(LeFK#vOL!DR~QO~$YufUj3{#iOF{CqkPqz^Fc2iq1ar{TZDm+qrJ ziS&Q&v!%+uo|ZD`vBzH{a{yJz<&L}JSWOe2q`vW1x0M`nxpRPpSr{OzGb17~X?L(pgmih4xM zPRssb-sS{NB8ZYrq|3Tgn(>Uw68pv1W|0`j;r!l2{KtSPKX1<4rA^G7Qrgu>gi+U5 zLEnND8qAf;)P{pMjV4oofCmqVP*8-+DDqFaqRk*lI9gy{>2Rr4kc#!d!oo8_?C4+u z4xE6jpo22>4*EuAvwJ9Fe?#nnY^&SpnKOam)GjLPQ$($72RZlLn10*zq5d%xI2_!? 
zLz;nTc!_|`;9C-Ol{$iaGnLJdkOFE1#Nn%+q+)Y-pCh#HI@qmNT0uY45+MozZ|ApJpzaA^j3Ic%iM8M-{;plL_(s2F}&{|C; z>4PZ6Wn^u~Dcon@j~jk<*d9tc2Gk4gK+xJ5-fieHg>yKauYm0dI8e5FfX)e;%5HoB za2ozyHbc)v%QQI!%kK6zPRQNW;h|XI=?Z`Ys#JgQSGga~LH^|@h))Y{2>>FNRl-5T zg(~N*fvNAVYoxQT?Ov_S9{}|JJPc@sa-o~)Ev~!rhV`(WG*cr$ot4K|JRz+I@D^F) zo3PIwqK$To(_jTaa$9d@;VC-b`bgZYi0$YJ5?i-4Ys;Bz>7aP2dqxD^H{s)>)SZL0y5K9r`=4~ z_|~0NLnA=5c4<5?!+WOY6^W8fOVLp?52KPma2~zD3kTvbwWix(lbJ(6iBfojb+!lu z0dduo0T1uzgD!`B%-v!hm}oM3UoL}<=v3jJ-4HU z_h~^xbehE~8Job2v>ibMAfouSv$op;v>JcO| za+30R@QTrV7C-GmWUiBh;%EQSy)k}aU_u11P`XhQ_nBVda2}JP6#`NCrz~r1Dr5_z zJpj38&j6ItSOU0h6_Bh{jNn%R8xF#bO(Cp}gsuq7s5#=FKZ`ZEZIMV_|vj`4Bh zvcuGOt@q70Yd#;e9h;%yHir-m7^QO`4n&1|fJ4owrX{{<+&#mMXbm%r+L>Gu-%CQ0 z_(f$kBC4(zU;nWm&2vKRM%GqMF3#MwG+dlU`cb_`>8Wa%bp&mY{He*w?;IqZnZecW0Cc<`s_FkI)X77*en zIWB!|;az_L0xT%QCHAx6eR}3RgD*vT_F2~14woe%Ptu0DrIUYSgwqBZc;Ju|^8>k+ z1QbQ3>JUBYsD<1Q`45RaY5+NXhNTXnZ}pn+pJC*5otWmH$8Nu~rgPTA7>SMBs0c~D z-7gqj2@-f->{Uqz5?5iljRJ6Z#GLwYh*u%%L!_pmAyQ8nh&bs~K}_Am+mz{@UrGD} zt}+WmTY~~tC`a3Ru3kbyzd6`_TyOoUiC08u%=(=fJqdla*&J!v zmI@u**-hW<$37hB+lpT}UP*uaLWNZDDI%J$kaEU@`)1wS45we?ac?w&r4h^^g2yAF zgw0bu-&{xId$);K1h6hVxntrvR@_#JmJSlE&r#QicsP)p+WQ|nLn+f+c~>8bo4=u& z3wzy+;=gKElfK6t8C~dA5o)gRk`To^`SF_JRDlN(glEnvgSU%AIeOQ7+6onhKi5fb zdF|AjcoWo!X5~d=$`$tJQ()V0t9gcCY;Wx-qpV=hrO&8U-#4G_A0U$rU#pJ@R`N9Q zL7uo)Q-iAVUv{$h5UNNWoA)~0w)ahF+MKLRz}MJTf(*2$G@90H8%VVL78tntW_}sV zM4^k~qEFn2?}q5serpGiYVlL&p^|c>>Q7|Ercxq=P&u2lQO7JQHhVDJp+jl9Lo-wn zDo}D!6Pa+3`f$7HGkNQ{`gKq#lMyarEmmNzgV2`EGf?&q&O-j4Bn>}z9w5uJ6`}#^ z>~r^$&rTa1c-#s@pwht)CXeYt0x4`Js!Yu4j?&~Tl??eYD&o`tQM1K_;jkV1*+8iv z?;IEQ+YX1dvGC@nyF+(+a&FFD9JRWi;4{i{;x2#vDr6Jb!lIMk^-s# zvXU2JUz}(cuWKKlGg6xtS{QJGen4mM8LLpo-+r)Bk)8E!a@Oqa659$VydMfNO4wia zVkp2|^GpYcoGzFre4?HZF@x}JzyMqFDYsj+in?t@pum2UAzN)x0V3}>bRU}It7w1` zt|WZ^%M39iL+G`VogQT*hAS!e>W4rjOD3dG+8+(*WpQd$`019;I_c1Gac5${k1nRT zh|5ZD_@sKNDobRzuLpsQSTSUDWXFG>^{yH9jyVJClrq8{tw``vPm<9~&ET?@Zs;c} zr|Tn5JSQa`c>8Iessc=7(B<-0)Z+X_t7%wIUn-}fB}cyL-0!0pCjtbpgnxPI%#)ml 
diff --git a/education/windows/images/setup-app-1-wifi-manual.png b/education/windows/images/setup-app-1-wifi-manual.png new file mode 100644 index 0000000000000000000000000000000000000000..92de4f784c66d95e82cf949feec13d63c8817af0 GIT binary patch literal 16389
diff --git a/education/windows/images/setup-app-2-directions.png b/education/windows/images/setup-app-2-directions.png new file mode 100644 index 0000000000000000000000000000000000000000..f245aafb2b3c3e0b0bf166978088c65443d8225d GIT binary patch literal 18590
diff --git a/education/windows/images/setup-app-all-done.png b/education/windows/images/setup-app-all-done.png new file mode 100644 index 0000000000000000000000000000000000000000..af7343f0e56056596e5ff6ee835721476144ebfd GIT binary patch literal 23020
zW;%qxPYM2#Ws|fr-b#9lP(ie>@hc?UNW+`VSu$LJzD8c!V=cjW?`T&L;ftN1&8is6 zrjJWWV;*i!$hyT_5G%TR!)dy<*c;bv^{UO#cb`JU4;v0`G!zbTj4g;)&z#w$pHcYd ze!SRd@scn{JVCuu4?#0ml-aDzY$)}J$>_Q`F7(`#++yQ2>n=PYOjy=%je5K3Q;1m= zb%OgC`H-8`RqO?f!+NJlG2rflAjg%27=E5=B7YpYJYlY1;Q>oN=GdrsO(H^Ggh?2j zIOJ~7NyPooYDO|W$>jjeh?C@et@JXW7xOtm2n= zKa6_M)D=7O!Ow|PMW=T38)RkqJEeP3=_<>8U}U6qJRcoYOtGQa z&}uif=?<$+^?*CAwT1P>h&$H*G|^zz|09t%64)LGM?~$rA$pWIX0V2Wbs0T^N6m6j z?0>L?W07*N&;c=k-)B2lPYn}x*Cfffz}X~NxLBML??B@u?kMPO9R$3 zRX%makN;ZqxX|zsY?|%8>DyseQxM|1PGGq%wj-B=@vn#c^=x<=x@~u5_oRX7hu@ic z6H+lT;F^d>ua=Z6Q8&3o6Nv02!(?zQ$c&FCSFA_AL%4TeR^LnID+!e(1zMRd3PB=W zIa-h#0^TbyK|9_?@Ji%PM}92@CJRMFuGh4#{n6}|WDj>}X3lNTcM#%%5~h?Nf^xRPr*6PkC{ijy zy{`y(ER7`lW?lp%=r%Wb(d<=e)bs+2#6ve?M6DiZNy9UU(RSF4F>4>f< z`dWc5e=tChZ|ne15B;J5#Z&FURel*Qh@uNg!?i^t6y z@!zYVnMY}*{g4LE+e_5#l>g$S4xUJAm~0@1MdDd4LIQ^a9g`YJL0>}d5p#Q9TQnOl z(SEM&%{SM}3r3WVE~S->2r{RVnSIwKh`$nafgcs8@flw2WV4#GW{xUJ7K|GIUUkH} zt}`~|gbY@Op*fi021+Db=IG~3Iz|}Z+>HUDeD{}$0OwgJ>{u-(g(AMxb{^Ukd6MdrK<_V-BaK^uRfixOJaE&f4!0kfko(yAykRV12 zK7==f*DDgZ;|UrbzV7tyqsDa=hlqiE8gR;!Pct$j#u)V(cd)pEgw%xJm4Nfkk`KIQ zM;;_w95Xm6^u!lLducB78mu=+sD6E$J+(2|#M-s73?#R_00TgFkWSuRhHr6FU1CWb zGbHD|=+{O;4M-H9bjy*TAxK^N+?8=0`TqLIW~)~#2T{7=93;W@RvT)9>M_Jz{L){S zbHr%JdgLxRZPj-l$+S*`xS zhA346=otzj_iQ+#jY^sL!5{DrL?p5B%2R1H z&H7?0iOEAf=Xr_p$eyYE^*J(?6Qha^1wkQyWFUO6_&ZVCUojwYR`0iuB>V%=q=%n< zmuH)*iW9{eq%3Jm6dagHyg5_-TU-zBHlAZU=~n(jW|cdeAr2Bhz#{x0@wlf>)Oikw z8!%3AtItgxR5H{&hh2-P#~s(nnFs~RNbjEZQf86;8*O1vw;*8ZEtTocQGCKzcohz% zMtqHqm<)E3&N6kAxcnnSL@pv3CIrOM?9$)J`QnJz>RLfx^qfGaaDtAan)tPo)C zUKrBt{*R0Fsrse|rc?kapJ{ZlRQ3Ro-va~u0fC8?l$F3VY6@+^?|ROX2p#nRorOP6 zH<(YxGNP8WC)*cfJow$Q3!^U1`9x4bAj( zVCVjn79@{>X!t^k3>kXIYt?XAHGKF>TF`!#y`hz2M!@%wD`(KB%;dgzN0~ZLCB3yP> z93+Tq&`_f7BRN}Y({?T5S$4IHJp520ln?oA8t5fvHT__}BpPc7yBe9W@z^LI0grgk zPVUkK75u1|*r?{DrWCN?Y^cm4Td*lzny8S><+4@96BFvbOL#%bq_hd}kymeh+^bC2BjPZ+puCG&d{f-(okfmOrcbI%Iny z!dCp&7y$LWh0O@?x&}=mC@qHDI+Cm>i{`3+?`{IIKsDbG)d%q0bWnw86!GV-`cExk 
z2{9yGT`594fWhK0%=Mf=bY2T1o(DwFicEOlr{Ps{$MvwO6hFGE%fho*0bL-5_+lmL z<7!9HAYdt44Fmp8z^HQ!Ab%J!KfeGF$jKMQ^bICpIqX_ns|4Y(-GE_cW4 z4#}y++}A~3-1`FwP2yJn6)pyUE1Tg>JV%O^9NRe^_{WV{fx0cgo#Z~FH67+Mgb^6s zVgkp7pRNr85kT`{LsxsM`^3paoYzA_|!3OIc9rN8PvtcT?Q*5J?>ZaU@)zVb!_ zL?#KH%Cnz}@nVzq;76!ni;?pu=URv>Ce;IKvy80D}NAl+&1JT6B(=Zw|=LZj$Q zqC-oRLqpw|M+e_+0N^;!b1x*=Uta~=wF3!aQeLYBwi6(inPPF;m2_A$sa8j^fy#VF z8O!$FecqbSd>eIceh9Fzzrt}w_lr(EZAB#ZVZJCsd}<>7r&(!iTIdboyfwKC_RYUe zf03=+PL*BIk&7^xtG6NTo%Ow2$0jPR0A93H^)|JtZ!@bj=eUa!_=qpzU3D_WQZDcZ zh^n$!u9)bGV0m)YwJ+FKkBVOX@c`Znak#ni;3K1scDe66Bi437!6i68_rpb z)!Kc~;#o_=jPHO{oLRCHl?-1NmtgDl04~vA6Bu8PBxl8B!ZbuhwW9 zrDb0r(x!t5jeAaLu<4&spF@;m+Tks85$-Q%WR_>%Ec%{jCcXz6A{&vPorZ#RD;=Bf4q4^AL(7>wX8g!5 zJ|>k|?pVU_&O5`G)Q=Ny-yn{j6DuQCqmfFZjpszlsBWyuHA+o63TWiW?&nWvXm;rR za(79>+I;-{63M|+2*|Lq;_wCK0e-RdLN6z8KCD&F{wqz(0T;GcFPH~w9GQ1IfuBr+ z3rgLCP$IjRw$Lm2Kysdh-U14e|J`;r>}%Fw5q=FPRC1^sV>~Xw(-zJ_kP%x%-Ag5& zWWsyh)sgh{?j0H8Fz+jI$V$m!?>?ayct@RenYFkb-2)d}!gazLq!TR|y5VgzyvP+= zVD2+LiHPc$MN`7-IYHsUx@i|E8oA_%xJX8kY!(lM49W=wbg=9Z_AwU52apTs^pR(X z7tuO6?*ZdSAS6hbVumnBKcu9`K8A+9hIC)6g?b0XjyHiXtdL{4=1zlKa?ubc?YWB3 zA9I7aucmLb>*?4DG2F@W$S#biIZL7M!Iu!Q;|;$|;@@`)jN|Bxlz)JnN5c3t5v<_m?QSuI+UIK%vkK`aoZ1Nk?IehCx*FNl{U;j;M z?`=*N(3FH$(gD?gqIZ%Z*nb`;M<&D@R}NW)L;Tk=ss;WU&v9UpL8ku-ACzg)G4Zm# z#?V&6A|$M|5INq|`cX+Xnb7u!hNRHg9G%2(HJOpaG;&8Zzo2UZT=}W89Q^7$RQ*&Z z89g_smxdRrzDD_V1nothBJ$diG@|`aw9?3f-hN6lSFD|W;`kM=aNqnEn&TW;$8pPr zS}CT!mQ~3n2Bm2S?%c1*c#MA8L%jF$6jK$K*xLSd5(6QEqXl$Cg&MexYC~~%BN4oX z2UflmDUa46T5*YOtTo4mtx1G(0y14x^NcxFh`=)jjaWRl7V zZ@dl=1{&B6$*EXe;#6)o1%2?al8PK6xo)ydKVXABSiJTHs=f`jNTo zh+n@!s3<#tHfNW@N|=%HJF-N#%*;!QxK z8kyPO4`_c65VX0l>2t^|U)CbA6TKG8C$^}CiBTdECctX3QaAdL3&?F=aP>FkaM7s5 zuzP0UZ1rNxh6bAPye!)29>vp3hswE@feiHBUAal{pgdowwe?9boG3S0OoO(*plO=u z**kM%6~&OCYW7zK@AV+L8tY@4hniEIi%pTAhpV9;q}KE&^cO_?g@{CY2i}JtFvO0u z<(U=Xx!5^1CdC;?IGY|^o}kesKk(AZ%y7H*COx1R+Mnv}9$I?ifcH->^ukcvKjRTtALAnd&?`E=D-Ip^}nT?H_Rl zz4X#X5p#7wiOiP(Me2JkG{iO+oSgD??~SloNnJD4{wuI%|EgpG*D4dT{0ww4rskyi 
zM0`O&(lDPug|a7yPJJA4pRf#?=N7+0uDt82%XOT*r$vjT&Wr0PjEaw-PjvSQMZ*uDp@`pj+b|*y z(s23_TEL@*{AcyFy9&1-cXFVl%epq=87ys}$15|FE6BsJ34;~E+`3*P3eH?|j51!H^3 zaA$jLVK^ixZ17f5#?d5n9Pi#G%ewTX2SL^=uOxfS7$}pnY$gIB-4u-vcj=is~yvD1(myi7gagXM=BcT(e>p&-z=A_$u z-`cL)cptyFn!p9v}Zqd>Y=nVOfZgC>BK^3{ki%9UwXuRnd>JQ8>`I& zV3oaz#=vGMwS@ok2!y72#3C5+k!!;YHzBx1r!OHDMkuzz1Fcn5qTh7CtL2PH z7n&LQZt+4#rn5$D8%Y3V@uk6RO;=&q?b4oOQ8e;Vpu%*c7kQC2(&Vdj(#}i%qS>=m zWe^?02qhyKmCNV!brK{?HVhRvvo@DBBkFG8AROoo+U2^enJSq4F7#d?+Kz`w&wo~d zN|*2W{eO!*X9puN$dIULq-rKP1%!EhWdps|_ZUz8)jVmx7ORj4J3d}vxIAq1?-CPl z^YYwe3(bmx2tyQkBr+N&MMb+p>r$$*D4<@okde9zk-K9bEbp(02phl_nHCM2n8NHc;uA!7Xeq9^On*? z7)UVKQQ~r(hRy*Nr?EO)WdMv911?>Lkey=s-4u5LL0d-90klJAEQV{uS)YazIe0C3 zH=DhJ{JhV{FOZSl%apBvS+qur98$xy5Yg{f>Ff!j@9|JX4_cQ(FOMc6T0_hx$xhj5 z;N?6ILdO8JwpANFoFd{<(16Pr?J@rtM?Fb1_S`lWojSh3x{bY3n3vI@r}Cz0_tXe3 zUJEQ%@~TQeP&^|jkeoZW62?_RP|rJui)u{w3^D`=QmN+L57}JQ7sX zcSk{@ePL?I1);*W#tr&r3aS7L`>ZD-tE)^{?9r^_ z(d}*Q=}8uN-KC+cl@N#;40)AA2RX)4WZ)E$h#o24n;NnDNQ&(052k9Ycygzn{?tdu zB`^V3aojr{lT0U8psWwQ9O?Goj#cL-HTsAu+|&A3i8*(74j|(@qsvu=1@jW6bSFl++!vc&IWdTw||k8F}v& z_Tav^Yvdmjy%_0w>$V(7?KP6@zf$=(lwu1G5w%s!IAJ>S83B|L9fG=~4OrHR;E~9! 
zJe89eusaV1PH~*lRM7Q&Kdof}35b*U2ltx5_)_iA6GdIM;4y(!wlOOSQeVNFuR6hE zeQEb?#wcK^%M-urr9BYw+ywTe)SGi`@_8Y#lsA};@}ai;nJJj`Ai4+*#14J9q%~i` zKs*!?)4R^oCpad)yE!pRJ~`w8GC_LRl&Y$raRc``dSK6%i)~|GUYB&M_XcEduDbXa z^7U1g37{6$AWkQHtfJO4P#gmu^7q5K1$%&Rg$d6ATN!PJ#-amiDHzFQ(WfJ zR_8fRPkl_$cU#a zc*u037BPHEiwHE!Ab*t!{BG~y2{VIadwC>iYzz)S9~l?I6TZdZ!<=Dxr#$#K2nRep zDWGXe$0JdBOehv~+sVHGLWH_z7{!JJ1s6~c^A&tgMCmpoP(5HvsSR)spw?gLuEI5ygilF~uP)&HomGJiYz^2<#MiiP z1cDxLH7_$K3OVKVz}{WzXr!(KZ2Kn z2*@6<995YDGs_H|ALiEJ3_5)oQak28g?k<)tRhB>+bA!uYx1(QG7^S9rNp`mRznI9 zv!@*j(L@dEDe*6WL0AiQqqgFow}qoSU0IJ!Oh>sy#fw@N4}J3e*B8?3V{=VK@W zoGN&wAXkcRgjc>N(nLhScYr4ad6Rla+B3TF7c@UsDHY>ZGNgDMQiFoi^(ZNmTMY@A zW7uSqd2&rhM1+Bv<0yksG#MgE*$LNW2zFlp`gpjcqTWC?wB?q~b-$x>!xs@HC=TSb z-hI7?leAIrI2=hf6A9|w0a0@F+`b{zhy&@_%}9x(D%uGD-hIW%iewv);IwGkk8&Ps z2bR?T=o;R@I>0f+Y!`~)wfpOn4Kjs*-$|f%oCtp9W?I9$&yCDUSyQ zz0G8jfdO8H#h9*lSqK>jVJu635qxdjMYCpP>E@-#A4Jrxsqman{ zfuEPryF>4Z4UrdO*S3M7V7z{LGX|xG4)T({M#2uyrm~?W+D?Oe3o!;uHZ`V@NL!iO zttu3r(@n3XNwEfPoMqw3R@U^=5*Qn>%Iya z0cBG$go6egVI$v-N(5qMMr<$yb6s8rhY}L}W)78!WsF#cNr%LQ)s~ zGz0x~p|2u)L*6rU8^KG8G!zFSjy5wQwDDjnlw}zcvwk<)SfT*8*f@^^Jl%+Mh(w5- zvLwCl;hqmi%r_=nEG%Iy6avk-+~jVgelqjTpmFItB@RjwH!*B;Vk7E;$&ogacZ)iC z?3(CS>U&2ZP}tw!tyJ)M+a0*sYI zBug4a(6C7H1ude=H7U{r#z4JrGp=(wI}mswTn(M6-L>)04;tf0Li6rXBl{u9mo@la zO)@bBiyaE0^vD$r^r5#(?qPsupU(}2j&898*LccU@=wqoH6aI>6*I2=wnNRZu;LvmT=f*g;hw(Zk3mut4SXsCFPC9NKT@noC@tsDz_dkIh_RXx&JA`g&&Nu0= z($80+PUN;$+|&;kH>fGpt)AdqV^WPq(mpN3Q{qYJS$udf$bW(4HPXVwF8D(kMVxY> z!s>0Dqoz`zPRw{@6r;*kA--mswG|5VO+m!Q1hgw5`cH9Y2wGpI463xoZYa#NL7o+3 zVysP{E=4#?1vb&eH=#J;Z*2TU(tn&efhv6D9lx|?_!hO%PI|XmwyBbFE?19= zURXh@jTr+%yGu&~`eFC=S*^4Ed1{UGlC64izk4S6c#a85gQ2i`Ii&|;_W^=eAa0Vc z8C>l)!4PRQ!lj4C7EUQdY~Fjzj9aE4j2C{QkL#7)rba_K;x1(iEJ3fBOl9ww1wucc z$60EJKF-A-n0^UzqaMNmqs6J-1$y_2H;9wmYJ^YifyH9bpDb9JJ=vMe zo;`c!_k9aP<5iw7JWd(Z-&;Cv$kdhg;u3vH{0ns}axzP#xwHrNkN95JicI=}Y{Aat zINgM#;8Z$Eq{E{)h#<@Ncs2w!yLJCHaDGu{#0abbF31xvM*ejZ?16G*H!O4nsn12k 
zThZt+_NRZw#`Pe>1*=Y;vi>EI33I>{h#`%-XSjKM{MzCN`7x0?pl`Z;3@(-pp7Zlp?270S6Kqf?ax zF3T9kyi90xK5fk$u`S=`^p3?w&K!ET(u3vsYyCC-0K&`s94-yRI-`}pXGvlu%h*vj zIT4RWMPif0TScc}OkWve1>0_?Dy0@D3^T(P9}Alp@reI&Q44wln99?1Q5*nUe&~^v z2=D;HKiReZ{vUV7tK z9=FOsTtSw7i2ur1jU1LM6d5gZKVYqm=K~0}4g=(W)WX8T02jy_ZSUYfjRg37Euh%Q zrPbd&;~bIW;OT$&&f?o5XkT`|E@z6TKQ-qewJESCfZ1zmg^PL6YR|_N&D7#ti5a+1(0y5 z>L$xp`l=nVF)h%-oX8W&66{%5`WaKTdw_6X#hf_xgNFq*`Eww7 zUh|7Tz_X_%d*8jEfcc8NPds6(c)HKIb;n$;uduPiPsq49D9`j=kmFA8NKyv6d*|x* zmP!RBg?Ya7>qR8JS=ArL$6M75o?~W9n71={evEP*C2t7n5K#e`xf>Gbb^vv&qO11@ zY{%bM>XASjO5PhrZ69rOm7zi`@<|vaeQeB`v4E-RxC3*!MNYRH29@z?~KSQ<}+~E zsCKjrT*=*MmVf?@0&OeymTkQs^O(uA>?=4uH>l#1RjXPqjZCpptq!Vs6mz8M2r#FKr@&Gkzanp(2={apD(gKh~&4#ycJ zH&mTzps&Pj^mK_@rm|_TG_&`7T!Yt#i%iuWtQ_9`KeYXB+P&$n@**T!hG-8B{}}Rq zv}vE1M+-iR<0p;Lgvo4KB{^p_@FR0!>(*Is_J%^LLDEu#H^H_c_^r=5q$Sj3$878z zEWayLN#xSLhVBgO1NPrcwQfCE$!hjF1Pk?and&av#6A6JnP;rpcZYviQAzgw z$?E~GWhFeTTw@sosz9gx#B3LZ-ah9;h|E>H*F9t0qPCz-p3tgXE?MUo?qLb;o$a(Q z2WLcl?^@>KHNpR}zceRBv;-=2!dSm{WxCYk=xVVZ>5)^i-Svg9!IrKTa|oRwDG9O5 ztfp?&)VaNFhf$f~Hy?2}imqGZ7+)2j))@v!?oFjx^%}AxBKY&rTAU-FU~5>0t8HzD zx}w6;pXU|j-`w7>1@jTD87Auy z(cAL)LgS6=HO&`$$m>2`3LDn_MVAL@^ddx?xCtlhXEGdiaw|60elwaq04FYcR!+vh z^jSt-=B&i&y<*j*Jw1f?1tIHgXQ}bWZ3S&FdmbBi<+R-qEQ*c83JZl4>PX(}5MUG) zF%Kp47b>66>rSe258CmRL>_7J^89j+w~q+NEhp#7g~t|~LLJBKf|P$rko%ma=S_#A zJZhJ6;EGN9w;mG_`0-s_Tlim;gnIdg?CVqQFTQ^GS&AlLh8|GmdZSh|JRT(Ho5^e(3Nr=KFR&3T!66=1?T*c}Y>Qu|XD1+A!)GWG(S3-ZADvsbJtkG3dQ@<3lWG)JA|Cb}&X<-) z2KYuQ4Q2-3vlC5awgz8!&0H^I>Fe9LF&t*;^`3WMY1P-+MC$i#RZ=+_9{cHR&@ zCXH&w$;xyDGA`bzUoPeU{n_}X)Gm&X>pf1duy82(Y{lxcj11|`gq+k^|5@`+DN~dT zTmW2SXS6GqrUxIQdhX=!&9Z$CFHFESjQAF;0U3xWgK$%~N&evESN8+9=5EJ2n1fk+ z!dH%!_9TD;r*O8``GB6ZcFu=_KFqA*%Xe;PuDD5B9Ozsj*VK>UO)>TL^)N9|&$N?_ zg8J*I8fEmZ@@&~ai9fp+t4AhAZlbg2-LIv?EG4y?AwzEXS@82+G_lACq-6R~)i8LI zgDBV6I|D45+&j*0ucwXI585xva`x|lrg`MwH=bR=sS+|E{X2UF@nYvmj=i<((yrpR z=;8YOAX$p@7U6f~?6_wSd;wvqy?cf(g2Po$=^z@8J(A&DlLr3LC(~K+|o&SVFF^J@Fd9#g}#C%ejMd0eT+UCC`4n 
z&QVxkxq01Ew&{y12l(yqPP7Fw0Y)B#B&9334M13TU$(*NO>0Nz`a+$vdLk0D4a`Zk zb3Hjcq{Q~)(U&}j&J343Ha5c_Nr4iAkq2v+w?Rh9l33K|9ivYKu)p0{wU4Xw{2#_k zoJvN(#T5Z!RHWi#{iGuQ2yjEE%zS=A0WtFBcXwj1&oDDp%LB}Du{}+|E0wpa&dO!D z$UnTZvy=SF;EA`m#CqHb+gd>NG(og~bqbv%TqUR@T|w*}$dNSSEJ57#i{!~vWh+vu zHkLpy-LZExLunL3Vmi~$20WNyqy%|4PtxxK)s;8lLZVW^#!Ah^H(VoPYNt!OB4w#B zUzZw}<~0RZ3t9dVwzX_+b^iVR6CaYI`Cj3zNz=p!HKq}cr$mYAM2Kan%Do-!KFG8Q z<~BIXzhDI9GvU-8w&RH>15;qv%HB3;a&d7f)4ji76v0Y`^$31Oa4bveYw*SDf8(80 z!(jm|xN`3Nd1IrcjTY6NzBT_Z?KA~o9)uQ?1BGS5fFOcngn7+bt8n8_IytxWdaMO} zX?Joac3gVwBR*mryD(Vvp%<}_HM?I`Y|HMW&z`Fm8~^|^2!_okRgSh&-{dEg@WaPaFPd#nwot#8WT~%r zhymq9E{m5QREv(^wj&DEAnl#n{yyQKk-xfY|I>W&pJqP)dwEUF&mxdbB0#<+B`*>d zr=M6S_VIyVZZHWC)I9|VgW;OJxm!HTKr2uSCTk_flEUuM54|zw107a#zidx(@kvlb ziSG;t?7w6~|5OhB`)e5h%Dm=5k8sZeN(@p)mfYcTj%BIMD8;=VS+k%cz_{rN;rTMQ z)zSyo8!G_{I`?r%yWj5$Zi%;buXZ}E!UF-B0LDO~iVV)S;>KX7d+|*>|2Xy8baOJe zM8v-tvyMA_v6}!%!okhu(ZSOCt#6h!I}ODJ#<^$DpSN9B$#?O4etSF=ovK9gs}I`@ zh}s{UF#41=V})8UOB=qRm;#(?1c29mgVa-ywICP@H9{f+COM&V;XohZvrj6u&FOF< z^wC%esp!PMAiMx!tjv9)=8-d-gaOA`{GoeCzQUvmi9!2TL^8LGXXa?8>7O+nhr6A6*v2AKu+-N8}&9p0XNp#D*@e16jmW zUC7F!TF{S4u)|=q4G`aNzONp+n3cESb?V-F<$p=2>$qL*l8cO5JEOjycyIouvKN@^ zd#>6jmH+N8DK3Uq*mIK%U1H-mz<$982=6V$H8cNh=mXx6`@lD`Ne1mU?GUkPaT}zQ zvwxuL7T!=F8_N2tko{tSt1u-(2oYYZWF#GAcUI$9(^1fIAjqpMEozrDey#;TZ9nCLf#hE#bz+tpf}fnw#y&L z7lOe7h5KNvB!iaoXx;~92>`h2G0sC!wvNR@QRo1$xsfK|0{jt{58gIHLmZ?Y^bz3J z+>LCaX` zB)W`;@km-NMP8dDz;@#A*MS7)2gjrJEJ@N0RDAYwAovD3Z923%FJY(S>lLw(O0bn5 z-xgLR0zuSh5OoQGz#(f*^EXERy&4-SOc&;V1IV-#?{`uyF6N|Khk)OwW28yFt$dU2 z=cl}^&KLFXrtJGDtZsK50#WJs&5@LHB z=+ttAHx5B0r)HY2SSsphBaZ^Mz!n|uOwn=rsU1seD;!Bg1QX1QOwd4t;Rkdr{!s_h zLNfOJoJ*(88iD!IxEP{PfuC?VTSPmT*zt+Nk!LQ=%M@}+>opV|^w}|pBL+Bx&Sn^2 z0hSU+FGa9-Rfqw$I0~=~df{a)Z9F6@qLs;hx)pB4KXw{M)8h5SKB1;+fVMGbHb%mj z_O(a@VA{9T>mzv62Ar%f$4I=PKi&YI3~gy!FLI71sKs0p^-MpXD~D!Y{DX91*0|na znBjy*t^S|wkUR2QjqfV-OdGaM^$AWip)st5HkR^TR84^iuif}wzm`38r|hBAsow?R z%2HXEyH0J>=21XXva-4wxvj2Ff^cTk1HL%LRnSlW#`o0@Ab=eTHZE$2^+B=K#Y!th 
z@sVIwuJrp!Bj3M#diUwRwy=j5;~8#+30R0UUwq+2)bD!8*5l1bK3jW*w{E}+wlUc- zxwC8-Gxg{5Wc}s1Kj8S&Bi^17=n1O@` zj5j;NyQSk4>{Kv}hlTjY<-zu}dP~HK%(}o4=LG98+3X7GIg z3HPZ14xM4LJL|rSPb!~EncJBpr8Hci16+P=GHrJ%K?wVZM)!L7Q&!z_06=@a0{r4= zOu#Ez;>uku^YQSaW%eH7r?sC4Ht)GcCQsc7q6zn_hqBa?L*eqgxEJ{5>BEuCJ>o9= zP3c>)s;^Qf;1&jeQ5=C}uB_*mSMYTd(+nTxk4-%lW#D zFC#;t#r{Wb6 zev8bZ^h1VjML&7`i9XR>k-*t%!_dU$-3rfB4qgF__WKAh#9EdRc?DlFh{gI8*Bqo_ z=#~U)dcf#8uMAS8&-h-2ia{d`Q;2}>u>oOrZ|S@~ryavW=MZ`okK&h#NUR;4!;)SF z9i5S)834Ast9GlcZdgg}ob-@aq=(Cbd5lF()@7^h?x)K=43Ci42nNOs zjbM{9bVq4PX32!3f0aX>;0|doHW7E(&jEhNWn2q_{%bz)t#HHQ(W z%c59uL((2}Bgo0K2f{KShk;A|cU@-;;7ek@V2!xr;or;4VBH1Ml>J{{37-hR8Js;* V8D+;TG=ZU+#z4;mS*GI@{SPE!&I$kk literal 0 HcmV?d00001 diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 512add4af6..855a3279f6 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -25,7 +25,7 @@ Teachers and IT administrators can use the **Set up School PCs** app to quickly The Set up School PCs app helps you set up new computers running Windows 10, version 1607. Some benefits of using this app to set up your students' PCs: * A computer set up this way is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. * Places tiles for OneNote, Office 365 web apps, Sway, and Microsoft Classroom on the Start menu - * Installs OneDrive for cloud-based documents and places it on the Start menu and task bar + * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar * Sets Microsoft Edge as the default browser * Uninstalls apps not specific to education, such as Solitaire and Sports * Turns off Offers and tips 
@@ -65,19 +65,39 @@ What you need: ### Create the setup file in the app +The **Set up School PCs** app guides you through the configuration choices for the student PCs. +1. Open the **Set up School PCs** app and select **Start**. + + ![select start](images/app1.jpg) + +2. Choose **No** to require students to sign in with an account, or choose **Yes** to allow students to use the PC without an account, and then select **Next**. + + ![account required?](images/setup-app-1-access.png) + +3. Choose a Wi-Fi network from the list and then select **Next**, or choose **Manually connect to a wireless network** to enter the network information yourself. + + ![choose network](images/setup-app-1-wifi.png) + + - For a manual network connection, enter the network name, security type, and password (if required), and then select **Next**. + + ![enter network information](images/setup-app-1-wifi-manual.png) + +4. Insert a USB drive, select it in the app, and then select **Save**. + + ![select usb drive](images/setup-app-1-usb.png) ### Apply the setup file to PCs -The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to "package", it means your setup file, and when it refers to "provisioning", it means applying the setup file to the computer. +The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to *package*, it means your setup file, and when it refers to *provisioning*, it means applying the setup file to the computer. 1. Start with a computer on the first-run setup screen. ![The first screen to set up a new PC](images/oobe.jpg) -2. Insert the USB drive. Windows Setup will recognize the drive and ask you if you want to set up the device. Select Set up. +2. Insert the USB drive. 
Windows Setup will recognize the drive and ask you if you want to set up the device. Select **Set up**. ![Set up device?](images/setupmsg.jpg) From a7221a902d73f4921a8d8e193c6b846044cb8419 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 24 May 2016 08:19:45 -0700 Subject: [PATCH 082/169] add link to CSP --- education/windows/set-up-school-pcs-technical.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index a93a867cf2..dc9d74d077 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -82,7 +82,7 @@ The PC is also configured to not interrupt the user during normal daytime hours ## Provisioning package details -The **Set up School PCs** app produces a specialized provisioning package that makes use of the `SharedPC` configuration service provider (CSP). +The **Set up School PCs** app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). ### Education customizations From 6848136f4c6b620547075114bcedd26c7541a2ba Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 24 May 2016 08:39:24 -0700 Subject: [PATCH 083/169] remove uncaptioned video --- education/windows/set-up-students-pcs-to-join-domain.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index e0634038e4..32b42572f0 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md 
@@ -18,11 +18,7 @@ author: jdeckerMS If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure the PC for student use that is joined to the Active Directory domain. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) -Watch this video to see a demonstration of using Windows ICD. - - -
      ##Create the provisioning package From c9127db0867bed177ed7c05fbfb22ee88ae84b4a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 24 May 2016 08:47:55 -0700 Subject: [PATCH 084/169] fixed typo --- ...nfigure-windows-10-devices-to-stop-data-flow-to-microsoft.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index 7b24cfdfbe..6383bcab54 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md @@ -1083,7 +1083,7 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr ###
      19. Windows Defender -You can opt of the Microsoft Antimalware Protection Service. +You can opt out of the Microsoft Antimalware Protection Service. - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** From 4126ec8b61e7042e937394edcdb8f78f09a63e4f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 24 May 2016 10:19:18 -0700 Subject: [PATCH 085/169] changing lsacfgflags registry value --- windows/keep-secure/credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index cd7d9d5707..45c0237c18 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -169,7 +169,7 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi 2. Enable virtualization-based security: - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 2 to use **Secure Boot and DMA protection**. + - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. 3. Enable Credential Guard: - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. 
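Review bot: The subject of this commit says it changes the lsacfgflags registry value, but the only changed line in the credential-guard.md hunk is the **RequirePlatformSecurityFeatures** bullet under step 2, where the value for **Secure Boot and DMA protection** goes from 2 to 3; the **LsaCfgFlags** bullet under step 3 is unchanged context. Reword the subject to name RequirePlatformSecurityFeatures so the change can be found in history, and consider stating in the bullet that 2 was the previously documented value, so administrators who followed the old text know to re-check the setting.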
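Review bot: In the use-set-up-school-pcs-app.md hunk at `@@ -65,19 +65,39 @@` (PATCH 081), step 2 tells the reader to choose **No** or **Yes** without quoting the question the app asks, so the mapping of **No** to "require students to sign in" and **Yes** to "use the PC without an account" only makes sense if the reader can see the prompt; quote the on-screen question in the step. Steps 3 and 4 have the Wi-Fi password entered and the result saved to a USB drive, but nothing says whether that password is stored in SetupSchoolPCs.ppkg; if it is, add a line on how the drive should be handled after provisioning.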
From fe3a71b6eb10bc93ed6d52ed44bbf51e94060e20 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 24 May 2016 11:31:22 -0700 Subject: [PATCH 086/169] fixing spacing issues --- .../keep-secure/edit-an-applocker-policy.md | 53 +++- windows/keep-secure/edit-applocker-rules.md | 19 +- ...r-accounts-to-be-trusted-for-delegation.md | 94 +++--- .../enable-the-dll-rule-collection.md | 19 +- windows/keep-secure/encrypted-hard-drive.md | 43 ++- .../keep-secure/enforce-applocker-rules.md | 13 +- .../keep-secure/enforce-password-history.md | 85 +++--- .../enforce-user-logon-restrictions.md | 86 +++--- ...port-an-applocker-policy-to-an-xml-file.md | 11 +- ...le-system-global-object-access-auditing.md | 13 +- .../force-shutdown-from-a-remote-system.md | 89 +++--- .../keep-secure/generate-security-audits.md | 91 +++--- .../how-applocker-works-techref.md | 16 +- ...w-to-configure-security-policy-settings.md | 36 ++- .../how-user-account-control-works.md | 284 ++++++++++++++---- ...personate-a-client-after-authentication.md | 104 +++---- ...-applocker-policy-from-another-computer.md | 14 +- .../import-an-applocker-policy-into-a-gpo.md | 13 +- .../increase-a-process-working-set.md | 83 +++-- .../increase-scheduling-priority.md | 86 +++--- ...lize-and-configure-ownership-of-the-tpm.md | 126 ++++---- 21 files changed, 840 insertions(+), 538 deletions(-) diff --git a/windows/keep-secure/edit-an-applocker-policy.md b/windows/keep-secure/edit-an-applocker-policy.md index 725e1f5ac0..2faffd200f 100644 --- a/windows/keep-secure/edit-an-applocker-policy.md +++ b/windows/keep-secure/edit-an-applocker-policy.md 
@@ -2,70 +2,99 @@ title: Edit an AppLocker policy (Windows 10) description: This topic for IT professionals describes the steps required to modify an AppLocker policy. ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Edit an AppLocker policy + **Applies to** - Windows 10 + This topic for IT professionals describes the steps required to modify an AppLocker policy. + You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot create a new version of the policy by importing additional rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). 
+ There are two methods you can use to edit an AppLocker policy: + - [Editing an AppLocker policy by using Group Policy](#bkmk-editapppolingpo) - [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo) + ## Editing an AppLocker policy by using Group Policy + The steps to edit an AppLocker policy distributed by Group Policy include the following: + ### Step 1: Use Group Policy management software to export the AppLocker policy from the GPO -AppLocker provides a feature to export and import AppLocker policies as an XML file. This allows you to modify an AppLocker policy outside your production environment. Because updating an AppLocker policy in a deployed GPO could have unintended consequences, you should first export the AppLocker policy to an XML file. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). + +AppLocker provides a feature to export and import AppLocker policies as an XML file. This allows you to modify an AppLocker policy outside your production environment. Because updating an AppLocker policy in a deployed GPO could have unintended consequences, you should first export the AppLocker +policy to an XML file. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). + ### Step 2: Import the AppLocker policy into the AppLocker reference PC or the PC you use for policy maintenance + After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). -**Caution**   -Importing a policy onto another PC will overwrite the existing policy on that PC. + +>**Caution:**  Importing a policy onto another PC will overwrite the existing policy on that PC.   
### Step 3: Use AppLocker to modify and test the rule + AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection. + - For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). - For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). - For procedures to create rules, see: + - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) + - For steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). - For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + ### Step 4: Use AppLocker and Group Policy to import the AppLocker policy back into the GPO + For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). -**Caution**   -You should never edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed run, making changes to a live policy can create unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + +>**Caution:**  You should never edit an AppLocker rule collection while it is being enforced in Group Policy. 
Because AppLocker controls what files are allowed run, making changes to a live policy can create unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).   -**Note**   -If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy. +>**Note:**  If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy.   ## Editing an AppLocker policy by using the Local Security Policy snap-in + The steps to edit an AppLocker policy distributed by using the Local Security Policy snap-in (secpol.msc) include the following tasks. + ### Step 1: Import the AppLocker policy + On the PC where you maintain policies, open the AppLocker snap-in from the Local Security Policy snap-in (secpol.msc). If you exported the AppLocker policy from another PC, use AppLocker to import it onto the PC. + After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). -**Caution**   -Importing a policy onto another PC will overwrite the existing policy on that PC. + +>**Caution:**  Importing a policy onto another PC will overwrite the existing policy on that PC.   ### Step 2: Identify and modify the rule to change, delete, or add + AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection. + - For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). - For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). 
- For procedures to create rules, see: + - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) + ### Step 3: Test the effect of the policy + For steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + ### Step 4: Export the policy to an XML file and propagate it to all targeted computers + For procedures to export the updated policy from the reference computer to targeted computers, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). -  -  diff --git a/windows/keep-secure/edit-applocker-rules.md b/windows/keep-secure/edit-applocker-rules.md index 69c9a61c3a..2f47922cd0 100644 --- a/windows/keep-secure/edit-applocker-rules.md +++ b/windows/keep-secure/edit-applocker-rules.md 
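Review bot: The Caution re-added under Step 4 of the Group Policy procedure above still reads "Because AppLocker controls what files are allowed run", which is missing "to"; since the line is being rewritten anyway, change it to "allowed to run". Step 3 of the same procedure also ends with a bullet that repeats the export and import sentence that Step 4 opens with, so one of the two can go.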
@@ -2,42 +2,55 @@ title: Edit AppLocker rules (Windows 10) description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Edit AppLocker rules + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. + For more info about these rule types, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To edit a publisher rule** + 1. Open the AppLocker console, and then click the appropriate rule collection. 2. In the **Action** pane, right-click the publisher rule, and then click **Properties**. 3. Click the appropriate tab to edit the rule properties. + - Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group for which this rule should apply. - Click the **Publisher** tab to configure the certificate's common name, the product name, the file name, or file version of the publisher. - Click the **Exceptions** tab to create or edit exceptions. - When you finish updating the rule, click **OK**. + **To edit a file hash rule** + 1. Open the AppLocker console, and then click the appropriate rule collection. 2. Choose the appropriate rule collection. 3. 
In the **Action** pane, right-click the file hash rule, and then click **Properties**. 4. Click the appropriate tab to edit the rule properties. + - Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply. - Click the **File Hash** tab to configure the files that should be used to enforce the rule. You can click **Browse Files** to add a specific file or click **Browse Folders** to add all files in a specified folder. To remove hashes individually, click **Remove**. - When you finish updating the rule, click **OK**. + **To edit a path rule** + 1. Open the AppLocker console, and then click the appropriate rule collection. 2. Choose the appropriate rule collection. 3. In the **Action** pane, right-click the path rule, and then click **Properties**. 4. Click the appropriate tab to edit the rule properties. + - Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply. - Click the **Path** tab to configure the path on the computer in which the rule should be enforced. - Click the **Exceptions** tab to create exceptions for specific files in a folder. - When you finish updating the rule, click **OK**. -  -  + \ No newline at end of file diff --git a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index af9eb0fbc6..b3dcd0cd1a 100644 --- a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md 
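Review bot: In edit-applocker-rules.md, the "To edit a file hash rule" and "To edit a path rule" procedures list "1. Open the AppLocker console, and then click the appropriate rule collection." followed by "2. Choose the appropriate rule collection.", so step 2 repeats step 1. The publisher procedure has no such step, and dropping it would make the three procedures match. The hunk also leaves the file ending with "\ No newline at end of file", so add a terminating newline after the last line.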
@@ -2,95 +2,99 @@ title: Enable computer and user accounts to be trusted for delegation (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enable computer and user accounts to be trusted for delegation security policy setting. ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Enable computer and user accounts to be trusted for delegation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Enable computer and user accounts to be trusted for delegation** security policy setting. + ## Reference + This policy setting determines which users can set the **Trusted for Delegation** setting on a user or computer object. Security account delegation provides the ability to connect to multiple servers, and each server change retains the authentication credentials of the original client. Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, the client and the server must run under accounts that are trusted for delegation. + Only administrators who have the **Enable computer and user accounts to be trusted for delegation** credential can set up delegation. Domain admins and Enterprise admins have this credential. The procedure to allow a user to be trusted for delegation depends on the functionality level of the domain. + The user or machine object that is granted this right must have write access to the account control flags. 
A server process running on a device (or under a user context) that is trusted for delegation can access resources on another computer by using the delegated credentials of a client. However, the client account must have Write access to the account control flags on the object. + Constant: SeEnableDelegationPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone devices. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      Domain Controller Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools and guidance to help you manage this policy. + Modifying this setting might affect compatibility with clients, services, and applications. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident. 
+ +Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened +after a security incident. + ### Countermeasure + The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default. -**Note**   -There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers. + +>**Note:**  There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers.   ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/enable-the-dll-rule-collection.md b/windows/keep-secure/enable-the-dll-rule-collection.md index bf0a849440..1dd233aee5 100644 --- a/windows/keep-secure/enable-the-dll-rule-collection.md +++ b/windows/keep-secure/enable-the-dll-rule-collection.md 
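Review bot: In enable-computer-and-user-accounts-to-be-trusted-for-delegation.md, the Note reformatted under Countermeasure repeats the Best practices bullet almost word for word but ends with "stand-alone computers" where the bullet says "stand-alone devices"; use one term in both places, or keep the statement only under Best practices. The Vulnerability paragraph is also re-added with a line break in the middle of its last sentence ("what has happened" / "after a security incident."), unlike the other paragraphs in the file, so it should go back on one line.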
@@ -2,24 +2,29 @@ title: Enable the DLL rule collection (Windows 10) description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Enable the DLL rule collection + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. + The DLL rule collection includes the .dll and .ocx file formats. + For info about these rules, see [DLL rules in AppLocker](dll-rules-in-applocker.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer +AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To enable the DLL rule collection** 1. From the AppLocker console, right-click **AppLocker**, and then click **Properties.** 2. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**. - **Important**   - Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. -   -  -  + + >**Important:**  Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. 
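Review bot: In enable-the-dll-rule-collection.md, the "You can perform this task..." paragraph is re-added with a line break in the middle of a sentence ("to administer" / "AppLocker, see"), while the identical paragraph in edit-applocker-rules.md stays on one line; keep it on one line for consistency. While the line is open, "For info how to use these MMC snap-ins" should read "For info about how to use these MMC snap-ins".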
diff --git a/windows/keep-secure/encrypted-hard-drive.md b/windows/keep-secure/encrypted-hard-drive.md index a47495f67c..884275ee7e 100644 --- a/windows/keep-secure/encrypted-hard-drive.md +++ b/windows/keep-secure/encrypted-hard-drive.md 
@@ -2,66 +2,93 @@ title: Encrypted Hard Drive (Windows 10) description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Encrypted Hard Drive + **Applies to** - Windows 10 + Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. + By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. + Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. In Windows 8, Windows Server 2012, and later you can install to these devices without additional modification. + Some of the benefits of Encrypted Hard Drives include: + - **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. - **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system - **Ease of use**: Encryption is transparent to the user because it is on by default. There is no user interaction needed to enable encryption. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive. 
- **Lower cost of ownership**: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your Active Directory Domain Services infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. + Encrypted Hard Drives are supported natively in the operating system through the following mechanisms: + - **Identification**: The operating system can identify that the drive is an Encrypted Hard Drive device type - **Activation**: The operating system disk management utility can activate, create and map volumes to ranges/bands as appropriate - **Configuration**: The operating system can create and map volumes to ranges/bands as appropriate - **API**: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE) - **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience. -**Warning**   -Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment. + +>**Warning:**  Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.   
If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](http://msdn.microsoft.com/library/windows/hardware/dn653989.aspx). + ## System Requirements + To use Encrypted Hard Drive, the following system requirements apply: + For Encrypted Hard Drives used as **data drives**: + - The drive must be in an uninitialized state. - The drive must be in a security inactive state. + For Encrypted Hard Drives used as **startup drives**: + - The drive must be in an uninitialized state. - The drive must be in a security inactive state. - The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive). - The computer must have the Compatibility Support Module (CSM) disabled in UEFI. - The computer must always boot natively from UEFI. -**Warning**   -All Encrypted Hard Drives must be attached to non-RAID controllers to function properly. + +>**Warning:**  All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.   ## Technical overview + Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. 
This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk. + ## Configuring Encrypted Hard Drives as Startup drives + Configuration of Encrypted Hard Drives as startup drives is done using the same methods as standard hard drives. These methods include: + - **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process. - **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component is not present, configuration of Encrypted Hard Drives will not work. - **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](http://msdn.microsoft.com/library/windows/hardware/dn923247.aspx) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives. - **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators will not work. + ### Encrypted Hard Drive Architecture + Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK). 
+ The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It is stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable. + The Authentication Key is the key used to unlock data on the drive. A hash of the key is stored on drive and requires confirmation to decrypt the DEK. -When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data Encryption Key, read-write operations can take place on the device. + +When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data +Encryption Key, read-write operations can take place on the device. + When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive does not need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue. + ## Re-configuring Encrypted Hard Drives + Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state: + 1. 
Open Disk Management (diskmgmt.msc) 2. Initialize the disk and select the appropriate partition style (MBR or GPT) 3. Create one or more volumes on the disk. 4. Use the BitLocker setup wizard to enable BitLocker on the volume. -  -  diff --git a/windows/keep-secure/enforce-applocker-rules.md b/windows/keep-secure/enforce-applocker-rules.md index e71f69a725..0f83a7ff57 100644 --- a/windows/keep-secure/enforce-applocker-rules.md +++ b/windows/keep-secure/enforce-applocker-rules.md 
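Review bot: In encrypted-hard-drive.md, the Technical overview sentence "When the operating system an Encrypted Hard Drive, it activates the security mode" has no verb after "operating system". The Identification bullet earlier in the file uses "identify", so "identifies" looks like the intended word and is worth fixing while this section is being touched. The Architecture paragraph beginning "When a computer with an Encrypted Hard Drive is in a powered off state" is also re-added split mid-sentence between "Data" and "Encryption Key" and should stay on one line.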
@@ -2,22 +2,29 @@ title: Enforce AppLocker rules (Windows 10) description: This topic for IT professionals describes how to enforce application control rules by using AppLocker. ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Enforce AppLocker rules + **Applies to** - Windows 10 + This topic for IT professionals describes how to enforce application control rules by using AppLocker. + After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only** on the rule collection. + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. + There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. + To enforce AppLocker rules by configuring an AppLocker policy to **Enforce rules**, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). -**Caution**   -AppLocker rules will be enforced immediately on the local device or when the Group Policy object (GPO) is updated by performing this procedure. If you want to see the effect of applying an AppLocker policy before setting the enforcement setting to **Enforce rules**, configure the policy to **Audit only**. For info about how to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)or [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). 
+ +>**Caution:**  AppLocker rules will be enforced immediately on the local device or when the Group Policy object (GPO) is updated by performing this procedure. If you want to see the effect of applying an AppLocker policy before setting the enforcement setting to **Enforce rules**, configure the policy to **Audit only**. For info about how to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)or [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).       diff --git a/windows/keep-secure/enforce-password-history.md b/windows/keep-secure/enforce-password-history.md index aaf1fdefe7..b78ac67236 100644 --- a/windows/keep-secure/enforce-password-history.md +++ b/windows/keep-secure/enforce-password-history.md 
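Review bot: In enforce-applocker-rules.md, the rewritten Caution keeps "(configure-an-applocker-policy-for-audit-only.md)or [Test an AppLocker policy by Using Test-AppLockerPolicy]" with no space before "or", so the link text runs into the next word when rendered; add the space.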
@@ -2,88 +2,85 @@ title: Enforce password history (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting. ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Enforce password history + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting. + ## Reference + The **Enforce password history** policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. If users are required to change their password, but they can reuse an old password, the effectiveness of a good password policy is greatly reduced. + Specifying a low number for **Enforce password history** allows users to continually use the same small number of passwords repeatedly. If you do not also set [Minimum password age](minimum-password-age.md), users can change their password as many times in a row as necessary to reuse their original password. + ### Possible values + - User-specified number from 0 through 24 - Not defined + ### Best practices + - Set **Enforce password history** to 24. This will help mitigate vulnerabilities that are caused by password reuse. - Set [Maximum password age](maximum-password-age.md) to expire passwords between 60 and 90 days. Try to expire the passwords between major business cycles to prevent work loss. 
- Configure [Minimum password age](minimum-password-age.md) so that you do not allow passwords to be changed immediately. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default domain policy

      24 passwords remembered

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      0 passwords remembered

      Domain controller effective default settings

      24 passwords remembered

      Member server effective default settings

      24 passwords remembered

      Effective GPO default settings on client computers

      24 passwords remembered

      + +| Server type or GPO | Default value | +| - | - | +| Default domain policy | 24 passwords remembered| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | 0 passwords remembered| +| Domain controller effective default settings | 24 passwords remembered| +| Member server effective default settings | 24 passwords remembered| +| Effective GPO default settings on client computers | 24 passwords remembered|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. + If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you do not also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password. 
-**Note**   -After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised. + +>**Note:**  After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised.   ### Countermeasure + Configure the **Enforce password history** policy setting to 24 (the maximum setting) to help minimize the number of vulnerabilities that are caused by password reuse. + For this policy setting to be effective, you should also configure effective values for the [Minimum password age](minimum-password-age.md) and [Maximum password age](maximum-password-age.md) policy settings. + ### Potential impact + The major impact of configuring the **Enforce password history** setting to 24 is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization, but this makes them easier for an attacker to guess. 
Also, an excessively low value for the [Maximum password age](maximum-password-age.md) policy setting is likely to increase administrative overhead because users who forget their passwords might ask the Help Desk to reset them frequently. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/enforce-user-logon-restrictions.md b/windows/keep-secure/enforce-user-logon-restrictions.md index ed3f79446b..40eef86d2b 100644 --- a/windows/keep-secure/enforce-user-logon-restrictions.md +++ b/windows/keep-secure/enforce-user-logon-restrictions.md 
@@ -2,88 +2,88 @@ title: Enforce user logon restrictions (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting. ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Enforce user logon restrictions + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Enforce user logon restrictions** security policy setting. + ## Reference + The **Enforce user logon restrictions** policy setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validating each request for a session ticket is optional because the extra step takes time, and that can slow network access to services. + The possible values for this Group Policy setting are: + - Enabled - Disabled - Not defined + ### Best practices + - If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use. - It is advisable to set **Enforce user logon restrictions** to Enabled. + + We recommend to set **Enforce user logon restrictions** to Enabled. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy** + ### Default Values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server Type or GPODefault Value

      Default Domain Policy

      Enabled

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not applicable

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Not applicable

      Client Computer Effective Default Settings

      Not applicable

      + +| Server Type or GPO | Default Value | +| - | - | +| Default Domain Policy | Enabled| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings| Not applicable | +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Not applicable| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + ### Group Policy + Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you disable this policy setting, users could receive session tickets for services that they no longer have the right to use because the right was removed after they logged on. + ### Countermeasure + Enable the **Enforce user logon restrictions** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Kerberos Policy](kerberos-policy.md) -  -  + +- [Kerberos Policy](kerberos-policy.md) 
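Review bot: The replacement best-practice line, "We recommend to set **Enforce user logon restrictions** to Enabled.", is ungrammatical and now follows an added blank line, so confirm it still renders under the Best practices bullet above it; "- We recommend that you set **Enforce user logon restrictions** to Enabled." as its own list item would fix both. In the converted table, the header "Server Type or GPO | Default Value" and the row label "DC Effective Default Settings" differ from the other tables converted in this patch, which use "Server type or GPO | Default value" and "Domain Controller Effective Default Settings"; aligning them keeps the default-value tables consistent across the policy topics.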
diff --git a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md index 5812fda7ae..a5ebd52102 100644 --- a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md @@ -2,20 +2,23 @@ title: Export an AppLocker policy to an XML file (Windows 10) description: This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Export an AppLocker policy to an XML file + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To export an AppLocker policy to an XML file** + 1. From the AppLocker console, right-click **AppLocker**, and then click **Export Policy**. 2. Browse to the location where you want to save the XML file. -3. In the **File name** box, type a file name for the XML file, and then click **Save**. -  -  +3. In the **File name** box, type a file name for the XML file, and then click **Save**. \ No newline at end of file diff --git a/windows/keep-secure/file-system-global-object-access-auditing.md b/windows/keep-secure/file-system-global-object-access-auditing.md index 8d1bf75dc2..5853de4758 100644 --- a/windows/keep-secure/file-system-global-object-access-auditing.md +++ b/windows/keep-secure/file-system-global-object-access-auditing.md 
@@ -2,20 +2,25 @@ title: File System (Global Object Access Auditing) (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, File System (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the file system for an entire computer. ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # File System (Global Object Access Auditing) + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer. + If you select the **Configure security** check box on the policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the file system. The specified SACL is then automatically applied to every file system object type. + If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL. This policy setting must be used in combination with the **File System** security policy setting under Object Access. For more information, see [Audit File System](audit-file-system.md). + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) 
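Review bot: The requirement that this setting "must be used in combination with the **File System** security policy setting under Object Access" is still the closing sentence of the paragraph on how a file or folder SACL and the global SACL combine, where an administrator configuring auditing can easily miss it. Since this hunk already separates the topic into paragraphs, move that sentence to its own paragraph or a ">**Note:**" block in the style used by other topics in this patch. The phrase "define computer system access control lists (SACLs)" in the paragraph before it is also worth checking against the "global system access control list (SACL)" wording in the description.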
diff --git a/windows/keep-secure/force-shutdown-from-a-remote-system.md b/windows/keep-secure/force-shutdown-from-a-remote-system.md index 4f4d1d9ed6..c9f51b7ed0 100644 --- a/windows/keep-secure/force-shutdown-from-a-remote-system.md +++ b/windows/keep-secure/force-shutdown-from-a-remote-system.md 
@@ -2,92 +2,93 @@ title: Force shutdown from a remote system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting. ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Force shutdown from a remote system + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Force shutdown from a remote system** security policy setting. + ## Reference + This security setting determines which users are allowed to shut down a device from a remote location on the network. This allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location. + Constant: SeRemoteShutdownPrivilege + ### Possible values + - User-defined list of accounts - Administrators + ### Best practices + - Explicitly restrict this user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators and Server Operators on domain controllers and Administrators on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      -

      Server Operators

      Stand-Alone Server Default Settings

      Administrators

      Domain Controller Effective Default Settings

      Administrators

      -

      Server Operators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators
      Server Operators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators
      Server Operators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + This policy setting must be applied on the computer that is being accessed remotely. + ### Group Policy + This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any user who can shut down a device could cause a denial-of-service condition to occur. Therefore, this user right should be tightly restricted. + ### Countermeasure + Restrict the **Force shutdown from a remote system** user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. + ### Potential impact + On a domain controller, if you remove the **Force shutdown from a remote system** user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. 
You should confirm that delegated activities are not adversely affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/generate-security-audits.md b/windows/keep-secure/generate-security-audits.md index 71e55bf774..78b578d1e3 100644 --- a/windows/keep-secure/generate-security-audits.md +++ b/windows/keep-secure/generate-security-audits.md 
@@ -2,95 +2,92 @@ title: Generate security audits (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Generate security audits security policy setting. ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Generate security audits + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Generate security audits** security policy setting. + ## Reference + This policy setting determines which accounts can be used by a process to generate audit records in the security event log. The Local Security Authority Subsystem Service (LSASS) writes events to the log. You can use the information in the security event log to trace unauthorized device access. + Constant: SeAuditPrivilege + ### Possible values + - User-defined list of accounts - Local Service - Network Service + ### Best practices + - Because the audit log can potentially be an attack vector if an account is compromised, ensure that only the Local Service and Network Service accounts have the **Generate security audits** user right assigned to them. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this setting is Local Service and Network Service on domain controllers and stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Local Service

      -

      Network Service

      Stand-Alone Server Default Settings

      Local Service

      -

      Network Service

      Domain Controller Effective Default Settings

      Local Service

      -

      Network Service

      Member Server Effective Default Settings

      Local Service

      -

      Network Service

      Client Computer Effective Default Settings

      Local Service

      -

      Network Service

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Local Service
      Network Service| +| Stand-Alone Server Default Settings | Local Service
      Network Service| +| Domain Controller Effective Default Settings | Local Service
      Network Service| +| Member Server Effective Default Settings | Local Service
      Network Service| +| Client Computer Effective Default Settings | Local Service
      Network Service|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial-of-service (DoS) if the [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md) security policy setting is enabled. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A malicious user could use accounts that can write to the Security log to fill that log with meaningless events. If the computer is configured to overwrite events as needed, malicious users could use this method to remove evidence of their unauthorized activities. If the computer is configured to shut down when it is unable to write to the Security log, and it is not configured to automatically back up the log files, this method could be used to create a DoS condition. + ### Countermeasure + Ensure that only the Local Service and Network Service accounts have the **Generate security audits** user right assigned to them. + ### Potential impact + None. 
Restricting the **Generate security audits** user right to the Local Service and Network Service accounts is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/how-applocker-works-techref.md b/windows/keep-secure/how-applocker-works-techref.md index c482e1a4bc..ad2bc595e0 100644 --- a/windows/keep-secure/how-applocker-works-techref.md +++ b/windows/keep-secure/how-applocker-works-techref.md 
@@ -2,37 +2,47 @@ title: How AppLocker works (Windows 10) description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # How AppLocker works + **Applies to** - Windows 10 + This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. + The following topics explain how AppLocker policies for each of the rule condition types are evaluated: + - [AppLocker architecture and components](applocker-architecture-and-components.md) - [AppLocker processes and interactions](applocker-processes-and-interactions.md) + The following topics explain how AppLocker rules and policies work: + - [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) - [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) - [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) - [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) - [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) + - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md) - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md) - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md) + - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + - [Executable rules in AppLocker](executable-rules-in-applocker.md) - [Windows Installer rules in 
AppLocker](windows-installer-rules-in-applocker.md) - [Script rules in AppLocker](script-rules-in-applocker.md) - [DLL rules in AppLocker](dll-rules-in-applocker.md) - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) + ## Additional resources + - [AppLocker Design Guide](applocker-policies-design-guide.md) - [AppLocker deployment guide](applocker-policies-deployment-guide.md) - [Administer AppLocker](administer-applocker.md) -  -  diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md index 9ba376ff63..275dfdaccb 100644 --- a/windows/keep-secure/how-to-configure-security-policy-settings.md +++ b/windows/keep-secure/how-to-configure-security-policy-settings.md 
@@ -2,59 +2,77 @@ title: Configure security policy settings (Windows 10) description: Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320 -ms.pagetype: security + ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Configure security policy settings + **Applies to** - Windows 10 + Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. + You must have Administrators rights on the local device, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller to perform these procedures. + When a local setting is inaccessible, it indicates that a GPO currently controls that setting. + ## To configure a setting using the Local Security Policy console + 1. To open Local Security Policy, on the **Start** screen, type **secpol.msc**, and then press ENTER. 2. Under **Security Settings** of the console tree, do one of the following: + - Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**. - Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**. + 3. When you find the policy setting in the details pane, double-click the security policy that you want to modify. 4. Modify the security policy setting, and then click **OK**. + **Note**   - Some security policy settings require that the device be restarted before the setting takes effect. - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.   
## To configure a security policy setting using the Local Group Policy Editor console + You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller to perform these procedures. + 1. Open the Local Group Policy Editor (gpedit.msc). 2. In the console tree, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**. 3. Do one of the following: + - Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**. - Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**. + 4. In the details pane, double-click the security policy setting that you want to modify. - **Note**   -    If this security policy has not yet been defined, select the **Define these policy settings** check box. + + >**Note:**  If this security policy has not yet been defined, select the **Define these policy settings** check box.   5. Modify the security policy setting, and then click **OK**. -**Note**  If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console. + +>**Note:**  If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.   ## To configure a setting for a domain controller + The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller). + 1. To open the domain controller security policy, in the console tree, locate *GroupPolicyObject \[ComputerName\]* Policy, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**. 2. Do one of the following: + - Double-click **Account Policies** to edit the **Password Policy**, **Account Lockout Policy**, or **Kerberos Policy**. 
- Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**. + 3. In the details pane, double-click the security policy that you want to modify. - **Note**   - If this security policy has not yet been defined, select the **Define these policy settings** check box. + >**Note**  If this security policy has not yet been defined, select the **Define these policy settings** check box.   4. Modify the security policy setting, and then click **OK**. + **Important**   - Always test a newly created policy in a test organizational unit before you apply it to your network. - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.   ## Related topics -[Security policy settings reference](security-policy-settings-reference.md) -  -  + +- [Security policy settings reference](security-policy-settings-reference.md) diff --git a/windows/keep-secure/how-user-account-control-works.md b/windows/keep-secure/how-user-account-control-works.md index 488f2bf4e5..ca5e6eef25 100644 --- a/windows/keep-secure/how-user-account-control-works.md +++ b/windows/keep-secure/how-user-account-control-works.md 
@@ -2,143 +2,311 @@ title: How User Account Control works (Windows 10) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: operate ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # How User Account Control works + **Applies to** - Windows 10 + User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. + ## UAC process and interactions + Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials. + In order to better understand how this process happens, let's look at the Windows logon process. + ### Logon process + The following shows how the logon process for an administrator differs from the logon process for a standard user. 
+ ![uac windows logon process](images/uacwindowslogonprocess.gif) + By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges. + When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token. + A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). + ### The UAC User Experience + When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. 
The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt. + The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt. + **The consent and credential prompts** + With UAC enabled, Windows 10 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed. + **The consent prompt** + The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt. + ![uac consent prompt](images/uacconsentprompt.gif) + **The credential prompt** + The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. Administrators can also be required to provide their credentials by setting the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting value to **Prompt for credentials**. + The following is an example of the UAC credential prompt. 
+ ![uac credential prompt](images/uaccredentialprompt.gif) + **UAC elevation prompts** + The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows 10 determines which color elevation prompt to present to the user. + The elevation prompt color-coding is as follows: + - Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked. - Blue background with a blue and gold shield icon: The application is a Windows 10 administrative app, such as a Control Panel item. - Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer. - Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer. + **Shield icon** + Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item. + ![uac shield icon](images/uacshieldicon.png) + The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt. + **Securing the elevation prompt** + The elevation process is further secured by directing the prompt to the secure desktop. 
The consent and credential prompts are displayed on the secure desktop by default in Windows 10. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled. + When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop. + Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware does not gain elevation if the user clicks **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware does not gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password. + While malware could present an imitation of the secure desktop, this issue cannot occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token cannot silently install when UAC is enabled, the user must explicitly provide consent by clicking **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon Group Policy. + ## UAC Architecture + The following diagram details the UAC architecture. 
+ ![uac architecture](images/uacarchitecture.gif) + To better understand each component, review the table below: -Component -Description -**User** -User performs operation requiring privilege -If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute. -ShellExecute -ShellExecute calls CreateProcess. ShellExecute looks for the ERROR\_ELEVATION\_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt. -CreateProcess -If the application requires elevation, CreateProcess rejects the call with ERROR\_ELEVATION\_REQUIRED. -**System** -Application Information service -A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so. -Elevating an ActiveX install -If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked. -Check UAC slider level -UAC has four levels of notification to choose from and a slider to use to select the notification level: -- High - If the slider is set to **Always notify**, the system checks whether the secure desktop is enabled. 
-- Medium - If the slider is set to **Notify me only when programs try to make changes to my computer**, the **User Account Control: Only elevate executable files that are signed and validated** policy setting is checked: - - If the policy setting is enabled, the public key infrastructure (PKI) certification path validation is enforced for a given file before it is permitted to run. - - If the policy setting is not enabled (default), the PKI certification path validation is not enforced before a given file is permitted to run. The **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked. -- Low - If the slider is set to **Notify me only when apps try to make changes to my computer (do not dim by desktop)**, the CreateProcess is called. -- Never Notify - If the slider is set to **Never notify me when**, UAC prompt will never notify when an app is trying to install or trying to make any change on the computer. - **Important**   - This setting is not recommended. This setting is the same as setting the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting to **Elevate without prompting**. -   -Secure desktop enabled -The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: -- If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -- If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used. -CreateProcess -CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. 
CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR\_ELEVATION\_REQUIRED) to ShellExecute. -AppCompat -The AppCompat database stores information in the application compatibility fix entries for an application. -Fusion -The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field. -Installer detection -Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent. -**Kernel** -Virtualization -Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas. -File system and registry -The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      ComponentDescription
      +

      User

      +
      +

      User performs operation requiring privilege

      +
      +

      If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.

      +
      +

      ShellExecute

      +
      +

      ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.

      +
      +

      CreateProcess

      +
      +

      If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.

      +
      +

      System

      +
      +

      Application Information service

      +
      +

      A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so.

      +
      +

      Elevating an ActiveX install

      +
      +

      If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the User Account Control: Switch to the secure desktop when prompting for elevation Group Policy setting is checked.

      +
      +

      Check UAC slider level

      +
      +

      UAC has four levels of notification to choose from and a slider to use to select the notification level:

      +
        +
      • +

        High

        +

        If the slider is set to Always notify, the system checks whether the secure desktop is enabled.

        +
      • +
      • +

        Medium

        +

        If the slider is set to Notify me only when programs try to make changes to my computer, the User Account Control: Only elevate executable files that are signed and validated policy setting is checked:

        +
          +
        • +

          If the policy setting is enabled, the public key infrastructure (PKI) certification path validation is enforced for a given file before it is permitted to run.

          +
        • +
        • +

          If the policy setting is not enabled (default), the PKI certification path validation is not enforced before a given file is permitted to run. The User Account Control: Switch to the secure desktop when prompting for elevation Group Policy setting is checked.

          +
        • +
        +
      • +
      • +

        Low

        +

        If the slider is set to Notify me only when apps try to make changes to my computer (do not dim by desktop), the CreateProcess is called.

        +
      • +
      • +

        Never Notify

        +

        If the slider is set to Never notify me when, UAC prompt will never notify when an app is trying to install or trying to make any change on the computer.

        +
        Important  

        This setting is not recommended. This setting is the same as setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting to Elevate without prompting.

        +
        +
         
        +
      • +
      +
      +

      Secure desktop enabled

      +
      +

      The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is checked:

      +
        +
      • +

        If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.

        +
      • +
      • +

        If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.

        +
      • +
      +
      +

      CreateProcess

      +
      +

      CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.

      +
      +

      AppCompat

      +
      +

      The AppCompat database stores information in the application compatibility fix entries for an application.

      +
      +

      Fusion

      +
      +

      The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.

      +
      +

      Installer detection

      +
      +

      Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.

      +
      +

      Kernel

      +
      +

      Virtualization

      +
      +

      Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.

      +
      +

      File system and registry

      +
      +

      The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.

      +
        The slider will never turn UAC completely off. If you set it to **Never notify**, it will: + - Keep the UAC service running. - Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt. - Automatically deny all elevation requests for standard users. -**Important**   -In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**. + +>**Important:**  In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.   -**Warning**   -Universal Windows apps will not work when UAC is disabled. +>**Warning:**  Universal Windows apps will not work when UAC is disabled.   ### Virtualization + Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. + Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. + Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization. 
+ Virtualization is not an option in the following scenarios: + - Virtualization does not apply to apps that are elevated and run with a full administrative access token. - Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations. - Virtualization is disabled if the app includes an app manifest with a requested execution level attribute. + ### Request execution levels + An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that are not UAC-compliant to work properly. + All UAC-compliant apps should have a requested execution level added to the application manifest. If the application requires administrative access to the system, then marking the app with a requested execution level of "require administrator" ensures that the system identifies this program as an administrative app and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app. + ### Installer detection technology + Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. 
These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. + Installer detection only applies to: + - 32-bit executable files. - Applications without a requested execution level attribute. - Interactive processes running as a standard user with UAC enabled. + Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer: + - The file name includes keywords such as "install," "setup," or "update." - Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name. - Keywords in the side-by-side manifest are embedded in the executable file. - Keywords in specific StringTable entries are linked in the executable file. - Key attributes in the resource script data are linked in the executable file. - There are targeted sequences of bytes within the executable file. -**Note**   -The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies. -  -**Note**   -The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). 
-  -  + +>**Note:**  The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.   +>**Note:**  The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). diff --git a/windows/keep-secure/impersonate-a-client-after-authentication.md b/windows/keep-secure/impersonate-a-client-after-authentication.md index 45f008dc87..6735e29692 100644 --- a/windows/keep-secure/impersonate-a-client-after-authentication.md +++ b/windows/keep-secure/impersonate-a-client-after-authentication.md 
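Review bot: In the rebuilt UAC architecture table, the "Check UAC slider level" cell carries two wording defects into the new markup: the Low entry quotes the slider label as "(do not dim by desktop)" and the Never Notify entry quotes it as "Never notify me when", which stops mid-phrase. Please correct the first to "do not dim my desktop" and give the second the same label the paragraph after the table uses (**Never notify**). The same entry equates the setting with **Elevate without prompting**, while the list after the table says elevation requests from standard users are denied automatically. Stating both outcomes in the table entry would keep a reader from assuming standard users are silently elevated. Smaller points while these lines are being touched: "Cause all elevation request initiated by administrators" should read "requests", and "typically writeable only by an administrator in Installer detection technology" in the installer detection section does not parse as written.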
@@ -2,111 +2,101 @@ title: Impersonate a client after authentication (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Impersonate a client after authentication security policy setting. ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Impersonate a client after authentication + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Impersonate a client after authentication** security policy setting. + ## Reference + This policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user. If this user right is required for this type of impersonation, an unauthorized user cannot cause a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created to impersonate that client. (Such an action could elevate the unauthorized user's permissions to administrative or system levels.) + Impersonation is the ability of a thread to run in a security context that is different from the context of the process that owns the thread. Impersonation is designed to meet the security requirements of client/server applications. When running in a client's security context, a service "is" the client, to some degree. One of the service's threads uses an access token representing the client's credentials to obtain access to the objects to which the client has access. The primary reason for impersonation is to cause access checks to be performed against the client's identity. Using the client's identity for access checks can cause access to be either restricted or expanded, depending on what the client has permission to do. 
+ Services that are started by the Service Control Manager have the built-in Service group added by default to their access tokens. COM servers that are started by the COM infrastructure and configured to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started. + Constant: SeImpersonatePrivilege + ### Possible values + - User-defined list of accounts - Default values - Not defined + ### Best practices + - A user can impersonate an access token if any of the following conditions exist: + - The access token that is being impersonated is for this user. - The user in this session logged on to the network with explicit credentials to create the access token. - The requested level is less than Impersonate, such as Anonymous or Identify. + Because of these factors, users do not usually need to have this user right assigned. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this setting is Administrators, Local Service, Network Service, and Service on domain controllers and stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not eefined

      Default Domain Controller Policy

      Administrators

      -

      Local Service

      -

      Network Service

      -

      Service

      Stand-Alone Server Default Settings

      Administrators

      -

      Local Service

      -

      Network Service

      -

      Service

      Domain Controller Effective Default Settings

      Administrators

      -

      Local Service

      -

      Network Service

      -

      Service

      Member Server Effective Default Settings

      Administrators

      -

      Local Service

      -

      Network Service

      -

      Service

      Client Computer Effective Default Settings

      Administrators

      -

      Local Service

      -

      Network Service

      -

      Service

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined | +| Default Domain Controller Policy| Administrators
      Local Service
      Network Service
      Service| +| Stand-Alone Server Default Settings | Administrators
      Local Service
      Network Service
      Service| +| Domain Controller Effective Default Settings | Administrators
      Local Service
      Network Service
      Service| +| Member Server Effective Default Settings | Administrators
      Local Service
      Network Service
      Service| +| Client Computer Effective Default Settings | Administrators
      Local Service
      Network Service
      Service|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker with the **Impersonate a client after authentication** user right could create a service, mislead a client into connecting to the service, and then impersonate that computer to elevate the attacker's level of access to that of the device. + ### Countermeasure + On member servers, ensure that only the Administrators and Service groups (Local Service, Network Service, and Service) have the **Impersonate a client after authentication** user right assigned to them. + ### Potential impact + In most cases, this configuration has no impact. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Impersonate a client after authentication** user right to additional accounts that are required by those components, such as IUSR\_*<ComputerName>*, IIS\_WPG, ASP.NET, or IWAM\_*<ComputerName>*. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) 
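Review bot: The Vulnerability paragraph says the attacker would "impersonate that computer to elevate the attacker's level of access to that of the device", but the Reference section of the same topic describes a service impersonating a client and acting with the client's access token. Since this pass already touches the section spacing, consider aligning the wording ("impersonate that client", "to that of the client") so the threat described matches the mechanism described. Two consistency points in the same hunk: the sentence under Default values names only domain controllers and stand-alone servers, while the new table also lists member servers and client computers with the same four accounts, and "Possible values" lists "Default values" as if it were a value. The "Not eefined" to "Not defined" fix in the new table is good.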
diff --git a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md index 02cf23e310..199d82deae 100644 --- a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md +++ b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md @@ -2,25 +2,29 @@ title: Import an AppLocker policy from another computer (Windows 10) description: This topic for IT professionals describes how to import an AppLocker policy. ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Import an AppLocker policy from another computer + **Applies to** - Windows 10 + This topic for IT professionals describes how to import an AppLocker policy. + Before completing this procedure, you should have exported an AppLocker policy. For more information, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md). + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. -**Caution**   -Importing a policy will overwrite the existing policy on that computer. + +>**Caution:**  Importing a policy will overwrite the existing policy on that computer.   **To import an AppLocker policy** + 1. From the AppLocker console, right-click **AppLocker**, and then click **Import Policy**. 2. In the **Import Policy** dialog box, locate the file that you exported, and then click **Open**. 3. The **Import Policy** dialog box will warn you that importing a policy will overwrite the existing rules and enforcement settings. If acceptable, click **OK** to import and overwrite the policy. 4. The **AppLocker** dialog box will notify you of how many rules were overwritten and imported. Click **OK**. -  -  
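Review bot: The new Caution callout says importing overwrites the existing policy on the computer, and step 3 repeats it, but nothing in the topic tells the reader to save the target computer's current policy first. The prerequisite sentence links to the export topic only for the policy being imported. Suggest extending the callout with a pointer to the same export topic for backing up the policy that is about to be replaced, so there is a rollback path if the imported rules block something unexpected.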
diff --git a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md index 94411b2263..a5dfd645ac 100644 --- a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md +++ b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md 
@@ -2,26 +2,29 @@ title: Import an AppLocker policy into a GPO (Windows 10) description: This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Import an AppLocker policy into a GPO + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). -**Important**   -Follow your organization's standard procedures for updating GPOs. For info about specific steps to follow for AppLocker policies, see [Maintain AppLocker policies](maintain-applocker-policies.md). + +>**Important:**  Follow your organization's standard procedures for updating GPOs. For info about specific steps to follow for AppLocker policies, see [Maintain AppLocker policies](maintain-applocker-policies.md).   To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **To import an AppLocker policy into a GPO** + 1. In the Group Policy Management Console (GPMC), open the GPO that you want to edit. 2. In the console tree under **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Application Control Policies**, click **AppLocker**. 3. Right-click **AppLocker**, and then click **Import Policy**. 4. 
In the **Import Policy** dialog box, locate the XML policy file, and click **Open**. 5. The **AppLocker** dialog box will notify you of how many rules were imported. Click **OK**. -  -  diff --git a/windows/keep-secure/increase-a-process-working-set.md b/windows/keep-secure/increase-a-process-working-set.md index 8b8320a5d9..da0458fb81 100644 --- a/windows/keep-secure/increase-a-process-working-set.md +++ b/windows/keep-secure/increase-a-process-working-set.md 
@@ -2,88 +2,87 @@ title: Increase a process working set (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Increase a process working set security policy setting. ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Increase a process working set + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Increase a process working set** security policy setting. + ## Reference + This policy setting determines which users can increase or decrease the size of the working set of a process. The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident, and they are available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. + Constant: SeIncreaseWorkingSetPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - You should make users aware that adverse performance issues may occur if they modify this security setting. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, standard users have this right. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not Defined

      Default Domain Controller Policy

      Users

      Stand-Alone Server Default Settings

      Users

      Domain Controller Effective Default Settings

      Users

      Member Server Effective Default Settings

      Users

      Client Computer Effective Default Settings

      Users

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not Defined| +| Default Domain Controller Policy | Users| +| Stand-Alone Server Default Settings| Users| +| Domain Controller Effective Default Settings| Users| +| Member Server Effective Default Settings | Users| +| Client Computer Effective Default Settings | Users|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Increasing the working set size for a process decreases the amount of physical memory that is available to the rest of the system. + ### Countermeasure + Increase user’s awareness about the impact of increasing the working set of a process and how to recognize that their system is adversely affected if they change this setting. + ### Potential impact None. Allowing standard users to increase the working set of a process is the default configuration. ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) 
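Review bot: In increase-a-process-working-set.md, the `### Potential impact` heading near the end of this hunk still runs straight into its context paragraph ("None. Allowing standard users to increase the working set of a process is the default configuration.") and then into `## Related topics`. Every other heading in the hunk gains a `+` blank line after it, and the sibling increase-scheduling-priority.md hunk does add them at this spot, so add the two blank lines here as well. The whitespace-only context line between the new pipe table and `## Policy management` is also left in place, while the two at the end of the file are deleted. Since the commit is a spacing cleanup, remove that one too.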
diff --git a/windows/keep-secure/increase-scheduling-priority.md b/windows/keep-secure/increase-scheduling-priority.md index 187e8ef3a7..a7d5d1646b 100644 --- a/windows/keep-secure/increase-scheduling-priority.md +++ b/windows/keep-secure/increase-scheduling-priority.md 
@@ -2,90 +2,92 @@ title: Increase scheduling priority (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting. ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Increase scheduling priority + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Increase scheduling priority** security policy setting. + ## Reference + This policy setting determines which user accounts can increase the base priority class of a process. It is not a privileged operation to increase relative priority within a priority class. This user right is not required by administrative tools that are supplied with the operating system, but it might be required by software development tools. + Specifically, this security setting determines which accounts can use a process with Write Property access to another process to increase the run priority that is assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. + Constant: SeIncreaseBasePriorityPrivilege + ### Possible values + - User-defined list of accounts - Not defined - Administrators + ### Best practices + - Allow the default value, Administrators, as the only account responsible for controlling process scheduling priorities. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      Stand-Alone Server Default Settings

      Administrators

      Domain Controller Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy| Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A user who is assigned this user right could increase the scheduling priority of a process to Real-Time, which would leave little processing time for all other processes and could lead to a denial-of-service condition. + ### Countermeasure + Verify that only Administrators have the **Increase scheduling priority** user right assigned to them. + ### Potential impact + None. Restricting the **Increase scheduling priority** user right to members of the Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) 
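Review bot: The delimiter row of the new table in increase-scheduling-priority.md is `| - | - |`, with a single hyphen per cell. Some Markdown table implementations expect at least three hyphens, so `|---|---|` is the safer form unless the publishing renderer is known to accept the short one. The cell padding in the added rows is uneven (`| Default Domain Policy| Not defined|` beside `| Stand-Alone Server Default Settings | Administrators|`), and this table writes "Not defined" where the working-set table in the same patch writes "Not Defined". Pick one spelling and one padding style so the converted tables stay consistent across the user-rights topics.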
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md index 4325b85cc9..2b407e7511 100644 --- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md 
@@ -2,156 +2,176 @@ title: Initialize and configure ownership of the TPM (Windows 10) description: This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Initialize and configure ownership of the TPM + **Applies to** - Windows 10 + This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. It also explains how to troubleshoot issues that you might encounter as a result of using these procedures. + ## About TPM initialization and ownership + The TPM must be initialized and ownership must be taken before it can be used to help secure your computer. The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. Taking ownership of the TPM can be done as part of the initialization process. + When you start the TPM Initialization Wizard, which is accessed through the TPM Microsoft Management Console (MMC), you can determine whether the computer's TPM has been initialized. You can also view the TPM properties. + This topic contains procedures for the following tasks: + - [Initialize the TPM and set ownership](#bkmk-initializetpm) - [Troubleshoot TPM initialization](#bkmk-troubleshootinit) - [Turn on or turn off the TPM](#bkmk-onoff) - [Clear all the keys from the TPM](#bkmk-clear1) - [Use the TPM cmdlets](#bkmk-tpmcmdlets) + ## Initialize the TPM and set ownership + Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. 
In addition, the computer must be equipped with a Trusted Computing Group-compliant BIOS. + **To start the TPM Initialization Wizard** + 1. Open the TPM Management console (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. On the **Action** menu, click **Initialize TPM** to start the TPM Initialization Wizard. 3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard. - **Note**   - If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure. + + >**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure.   - **Note**   - If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM. + >**Note:**  If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM.   4. Click **Restart**. 5. Follow the BIOS screen prompts. An acceptance prompt is displayed to ensure that a user has physical access to the computer and that no malicious software is attempting to turn on the TPM. 
- **Note**   - BIOS screen prompts and the required keystrokes vary by computer manufacturer. + + >**Note:**  BIOS screen prompts and the required keystrokes vary by computer manufacturer.   6. After the computer restarts, sign in to the computer with the same administrative credentials that you used to start this procedure. 7. The TPM Initialization Wizard automatically restarts. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 8. Continue with the next procedure to take ownership of the TPM. + To finish initializing the TPM for use, you must set an owner for the TPM. The process of taking ownership includes creating an owner password for the TPM. + **To set ownership of the TPM** + 1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#bkmk-starttpminitwizard). 2. In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**. 3. In the **Save your TPM owner password** dialog box, click **Save the password**. 4. In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *computer\_name.tpm*. - **Important**   - We highly recommend saving the TPM owner password to a removable storage device and storing it in a safe location. + + >**Important:**  We highly recommend saving the TPM owner password to a removable storage device and storing it in a safe location.   5. Click **Print the password** if you want to print a copy of your password. - **Important**   - We highly recommend printing a copy of your TPM owner password and storing it in a safe location. + >**Important:**  We highly recommend printing a copy of your TPM owner password and storing it in a safe location.   6. Click **Initialize**. 
- **Note**   - The process of initializing the TPM might take a few minutes to complete. + >**Note:**  The process of initializing the TPM might take a few minutes to complete.   7. Click **Close**. - **Caution**   - Do not lose your password. If you do, you will be unable to make administrative changes unless you clear the TPM, which can result in data loss. + >**Caution:**  Do not lose your password. If you do, you will be unable to make administrative changes unless you clear the TPM, which can result in data loss.   ## Troubleshoot TPM initialization + Managing the Trusted Platform Module (TPM) is usually a straightforward procedure. If are unable to complete the initialization procedure, review the following information: + - If the TPM is not detected by Windows, verify that your computer hardware contains a Trusted Computing Group-compliant BIOS. Ensure that no BIOS settings have been used to hide the TPM from the operating system. - If you are attempting to initialize the TPM as part of the BitLocker setup, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then try to initialize the TPM. The following table lists the three standard TPM drivers that are provided by Microsoft. - - - - - - - - - - - - - - - - - - - - - - - - - -
      Driver nameManufacturer

      Trusted Platform Module 1.2

      (Standard)

      Broadcom Trusted Platform Module (A1), v1.2

      Broadcom

      Broadcom Trusted Platform Module (A2), v1.2

      Broadcom

      + +| Driver name | Manufacturer | +| - | - | +| Trusted Platform Module 1.2 | (Standard)| +| Broadcom Trusted Platform Module (A1), v1.2 | Broadcom| +| Broadcom Trusted Platform Module (A2), v1.2 | Broadcom|   - If the TPM has been previously initialized and you do not have the owner password, you may have to clear or reset the TPM to the factory default values. For more information, see [Clear all the keys from the TPM](#bkmk-clear1). - **Caution**   - Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM. + > **Caution:**  Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM.   Because your TPM security hardware is a physical part of your computer, you may want to read the manuals or instructions that came with your computer, or search the manufacturer's website. + **Network connection** + You cannot complete the initialization of the Trusted Platform Module (TPM) when your computer is disconnected from your organization's network if either of the following conditions exist: + - An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy. - A domain controller cannot be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter). + In either case, an error message appears, and you cannot complete the initialization process. To avoid this issue, initialize the TPM while you are connected to the corporate network and you can contact a domain controller. 
+ **Systems with multiple TPMs** + Some systems may have multiple TPMs and the active TPM may be toggled in the BIOS. Windows 10 does not support this behavior. If you switch TPMs, functionality that depends on the TPM will not work with the new TPM unless it is cleared and put through provisioning. Performing this clear may cause data loss, in particular of keys and certificates associated with the previous TPM. For example, toggling TPMs will cause Bitlocker to enter recovery mode. It is strongly recommended that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed. + ## Turn on or turn off the TPM + Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. + ### Turn on the TPM + If the TPM has been initialized but has never been used, or if you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. + **To turn on the TPM** + 1. Open the TPM MMC (tpm.msc). 2. In the **Action** pane, click **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. 3. Click **Shutdown** (or **Restart**), and then follow the BIOS screen prompts. + After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM. + ### Turn off the TPM -If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the computer to turn off the TPM. 
+ +If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the +computer to turn off the TPM. + **To turn off the TPM** + 1. Open the TPM MMC (tpm.msc). 2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page. 3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: + - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**. - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**. - If you do not know your TPM owner password, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent BIOS screens to turn off the TPM without entering the password. + ## Clear all the keys from the TPM + Clearing the TPM resets it to an unowned state. After clearing the TPM, you need to complete the TPM initialization process before using software that relies on the TPM, such as BitLocker Drive Encryption. By default, the TPM is initialized automatically. -**Important**   -Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM. 
+ +>**Important:**  Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM.   After the TPM is cleared, it is also turned off. + To temporarily suspend TPM operations, turn off the TPM instead of clearing it. + Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. + **To clear the TPM** + 1. Open the TPM MMC (tpm.msc). 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 3. Under **Actions**, click **Clear TPM**. - **Warning**   - If the TPM is off, reinitialize it before clearing it. + >**Warning:**  If the TPM is off, reinitialize it before clearing it. + Clearing the TPM resets it to factory defaults and turns it off. You will lose all created keys and data that is protected by those keys.   4. In the **Clear the TPM security hardware** dialog box, select one of the following methods to enter your password and clear the TPM: - If you have the removable storage device with your saved TPM owner password, insert it, and click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, use **Browse** to navigate to the .tpm file that is saved on your removable storage device. Click **Open**, and then click **Clear TPM**. - If you do not have the removable storage device with your saved password, click **I want to enter the owner password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and click **Clear TPM**. - If you do not know your TPM owner password, click **I don't have the TPM owner password**, and follow the instructions that are provided to clear the TPM without entering the password. 
- **Note**   - If you have physical access to the computer, you can clear the TPM and perform a limited number of management tasks without entering the TPM owner password. + >**Note:**  If you have physical access to the computer, you can clear the TPM and perform a limited number of management tasks without entering the TPM owner password.   The status of your TPM is displayed under **Status** in TPM MMC. + ## Use the TPM cmdlets + If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` + For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). + ## Additional resources + For more info about TPM, see [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md#bkmk-additionalresources). -  -  From 171964c58b5b45495f3df91fc9affba2f2f4e2b8 Mon Sep 17 00:00:00 2001 
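Review bot: In initialize-and-configure-ownership-of-the-tpm.md, under `### Turn off the TPM`, the single-line paragraph is replaced by two `+` lines that break the last sentence in the middle ("...you must have physical access to the" / "computer to turn off the TPM."). That hard wrap is a new spacing defect in a spacing fix, so keep the paragraph on one line. The in-page links `#bkmk-setownership` and `#bkmk-starttpminitwizard` point at procedure titles that appear here only as bold text (`**To set ownership of the TPM**`, `**To start the TPM Initialization Wizard**`), and no anchor for them is visible in this hunk. Please confirm that they still resolve after the conversion. While touching the file, two typos in context lines are worth fixing in the same pass: "If are unable to complete the initialization procedure" and "set the ownership the Trusted Platform Module" in the description and intro.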
From: Brian Lich Date: Tue, 24 May 2016 11:53:45 -0700 Subject: [PATCH 087/169] fixing spacing issues --- ...-information-when-the-session-is-locked.md | 91 +++++++++-------- ...ive-logon-do-not-display-last-user-name.md | 85 ++++++++-------- ...ctive-logon-do-not-require-ctrl-alt-del.md | 87 +++++++++-------- ...logon-machine-account-lockout-threshold.md | 87 +++++++++-------- ...eractive-logon-machine-inactivity-limit.md | 82 ++++++++-------- ...age-text-for-users-attempting-to-log-on.md | 94 +++++++++--------- ...ge-title-for-users-attempting-to-log-on.md | 92 +++++++++--------- ...case-domain-controller-is-not-available.md | 97 ++++++++++--------- ...er-to-change-password-before-expiration.md | 83 ++++++++-------- ...er-authentication-to-unlock-workstation.md | 86 ++++++++-------- .../interactive-logon-require-smart-card.md | 87 +++++++++-------- ...ctive-logon-smart-card-removal-behavior.md | 93 ++++++++++-------- 12 files changed, 549 insertions(+), 515 deletions(-) diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md index 094e59fedf..998c7d3a6d 100644 --- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md 
@@ -2,91 +2,98 @@ title: Interactive logon Display user information when the session is locked (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Display user information when the session is locked security policy setting. ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Display user information when the session is locked + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. + ## Reference When a session is locked in a Windows operating system (meaning the user at the computer pressed CTRL+ALT+DEL and the Secure Desktop is displayed), user information is displayed. By default, this information is in the form of **<user name> is logged on**. The displayed user name is the user’s full name as set on the Properties page for that user. These settings do not apply to the logon tiles, which are displayed on the desktop after using the **Switch User** feature. The information that is displayed can be changed to meet your security requirements using the following possible values. + ### Possible values + - **User display name, domain and user names** + If this is a local logon, the user’s full name is displayed on the Secure Desktop. If it is a domain logon, the user’s domain and user’s account name is displayed. + - **User display name only** + The name of the user who locked the session is displayed on the Secure Desktop as the user’s full name. + - **Do not display user information** + No names are displayed on the Secure Desktop, but user’s full names will be displayed on the **Switch user** desktop. + - Blank. + Default setting. 
This translates to “Not defined,” but it will display the user’s full name in the same manner as the **User display name, domain and user names** option. When an option is set, you cannot reset this policy to blank, or not defined. + ### Best practices + Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. + Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy object (GPO)Default value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      User display name, domain and user names

      Member server effective default settings

      User display name, domain and user names

      Effective GPO default settings on client computers

      User display name, domain and user names

      + +| Server type or Group Policy object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | **User display name, domain and user names**| +| Member server effective default settings | **User display name, domain and user names**| +| Effective GPO default settings on client computers | **User display name, domain and user names**|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When a computer displays the Secure Desktop in an unsecured area, certain user information can be readily available to anyone looking at the monitor, either physically or through a remote connection. The displayed user information could include the domain user account name or the full name of the user who locked the session or who had logged on last. 
+ ### Countermeasure + Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user. + You might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. + ### Potential impact + If you do not enable this policy, the effect will be the same as enabling the policy and selecting the **User display name, domain and user names** option. + If the policy is enabled and set to **Do not display user information**, an observer cannot see who is logged onto the Secure Desktop, but the logon tile is still present if the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy is not enabled. Depending on how the logon tiles are configured, they could provide visual clues as to who is logged on. In addition, if the Interactive logon: Do not display last user name policy is not enabled, then the **Switch user** feature will show user information. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md index 65a5067ae3..945989b859 100644 --- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md +++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md 
@@ -2,86 +2,87 @@ title: Interactive logon Do not display last user name (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Do not display last user name + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting. + ## Reference + This security policy setting determines whether the name of the last user to log on to the device is displayed on the Secure Desktop. + If this policy is enabled, the full name of the last user to successfully log on is not displayed on the Secure Desktop, nor is the user’s logon tile displayed. Additionally, if the **Switch user** feature is used, the full name and logon tile are not displayed. The logon screen requests a qualified domain account name (or local user name) and password. + If this policy is disabled, the full name of the last user to log on is displayed, and the user’s logon tile is displayed. This behavior is the same when the **Switch user** feature is used. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. 
+ Depending on your security policy, you might also want to enable the [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md) policy, which will prevent the Windows operating system from displaying the logon name when the session is locked or started. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy object (GPO)Default value

      Default domain policy

      Disabled

      Default domain controller policy

      Disabled

      Stand-alone server default settings

      Disabled

      Domain controller effective default settings

      Disabled

      Member server effective default settings

      Disabled

      Effective GPO default settings on client computers

      Disabled

      + +| Server type or Group Policy object (GPO) | Default value| +| - | - | +| Default domain policy| Disabled| +| Default domain controller policy| Disabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on. + ### Countermeasure + Enable the **Interactive logon: Do not display last user name** setting. + ### Potential impact + Users must always type their user names and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md index 19bd4de7a1..34a748af68 100644 --- a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md 
@@ -2,89 +2,92 @@ title: Interactive logon Do not require CTRL+ALT+DEL (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not require CTRL+ALT+DEL security policy setting. ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Interactive logon: Do not require CTRL+ALT+DEL + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting. + ## Reference + This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. + If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon). + Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to device running the Windows operating system; however, not having to press the CTRL+ALT+DELETE key combination leaves users susceptible to attacks that attempt to intercept their passwords. Requiring CTRL+ALT+DELETE before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. 
The attacker can then log on to the compromised account with whatever level of user rights that user has. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Disabled**. Unless they are using a smart card to log on, users will have to simultaneously press three keys before the logon dialog box appears. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + Beginning with Windows Server 2008 and Windows Vista, the CTRL+ALT+DELETE key combination is required to authenticate if this policy is disabled. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This setting makes it easier for users with certain types of physical impairments to log on to devices that run the Windows operating system. However, if users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. + If this setting is enabled, an attacker could install malware that looks like the standard logon dialog box in the Windows operating system, and capture the user's password. 
The attacker would then be able to log on to the compromised account with whatever level of privilege that user has. + ### Countermeasure + Disable the **Interactive logon: Do not require CTRL+ALT+DEL** setting. + ### Potential impact + Unless they use a smart card to log on, users must simultaneously press the three keys before the logon dialog box is displayed. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md index baa13fc5c0..3e7824eedb 100644 --- a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md 
@@ -2,84 +2,85 @@ title: Interactive logon Machine account lockout threshold (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine account lockout threshold security policy setting. ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Machine account lockout threshold + **Applies to** - Windows 10 + Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting. + ## Reference + Beginning with Windows Server 2012 and Windows 8, the **Interactive logon: Machine account threshold** security policy setting enforces the lockout policy on those computers that have BitLocker enabled to protect operating system volumes. + The security setting allows you to set a threshold for the number of failed logon attempts that causes the device to be locked by using BitLocker. This means, if the specified maximum number of failed logon attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access. + Failed password attempts on workstations or member servers that have been locked by using either Ctrl+Alt+Delete or password-protected screen savers count as failed logon attempts. + ### Possible values + You can set the **invalid logon attempts** value between 1 and 999. Values from 1 to 3 are interpreted as 4. If you set the value to 0, or leave blank, the computer or device will never be locked as a result of this policy setting. 
-### Best practices + +### Best practices + Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings| Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + A restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy. + ### Group Policy + Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those devices that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy and is BitLocker-enabled. + When setting this policy, consider the [Account lockout threshold](account-lockout-threshold.md) policy setting, which determines the number of failed logon attempts that will cause a user account to be locked out. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This policy setting helps protect a BitLocker-encrypted device from attackers attempting to brute-force guess the Windows sign-in password. If not set, then attackers can attempt innumerable passwords, if no other account protection mechanisms are in place. + ### Countermeasure + Use this policy setting in conjunction with your other failed account logon attempts policy. 
For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. + ### Potential impact + If not set, the device could be compromised by an attacker using brute-force password cracking software. + If set too low, productivity might be hindered because users who become locked out will be unable to access the device without providing the 48-digit BitLocker recovery password. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md index 969511b2b4..9fb56662fb 100644 --- a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md +++ b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md 
@@ -2,81 +2,79 @@ title: Interactive logon Machine inactivity limit (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine inactivity limit security policy setting. ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Machine inactivity limit + **Applies to** - Windows 10 + Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting. + ## Reference + Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver. This policy setting allows you to control the locking time by using Group Policy. + ### Possible values + The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours). + If no value (blank) or zero (0) is present in the **Machine will be locked after** input field, then the policy setting is disabled and no action is taken on user-input inactivity for the session. + ### Best practices + Set the time for elapsed user-input inactivity based on the device’s usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + Restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy. + ### Group Policy + Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those computers that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This policy setting helps you prevent unauthorized access to devices under your control when the currently signed-in user leaves without deliberately locking the desktop. In versions earlier than Windows Server 2012 and Windows 8, the desktop-locking mechanism was set on individual computers in Personalization in Control Panel. + ### Countermeasure + Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device’s usage and location requirements. + ### Potential impact + This security policy setting can limit unauthorized access to unsecured computers; however, that requirement must be balanced with the productivity requirements of the intended user. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md index b8962d626a..2277884c62 100644 --- a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md 
@@ -2,94 +2,94 @@ title: Interactive logon Message text for users attempting to log on (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Message text for users attempting to log on security policy setting. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Message text for users attempting to log on + **Applies to** - Windows 10 + Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. + ## Reference -The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. Interactive logon: Message title for users attempting to log on specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. + +The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. 
Interactive logon: Message title for users attempting to log on specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn +users about the ramifications of misusing company information, or to warn them that their actions might be audited. + Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. + When these policy settings are configured, users will see a dialog box before they can log on to the server console. + ### Possible values + The possible values for this setting are: + - User-defined text - Not defined + ### Best practices + - It is advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following: + 1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information. -**Important**   -Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. +>**Important:**  Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments.   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      DC Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes different requirements to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + There are two policy settings that relate to logon displays: + - **Interactive logon: Message text for users attempting to log on** - [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) + The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. + ### Vulnerability + Users often do not understand the importance of security practices. However, the display of a warning message before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process. 
+ ### Countermeasure + Configure the **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) settings to an appropriate value for your organization. -**Note**   -Any warning message that displays should be approved by your organization's legal and human resources representatives. + +>**Note:**  Any warning message that displays should be approved by your organization's legal and human resources representatives.   ### Potential impact + Users see a message in a dialog box before they can log on to the server console. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md)  diff --git a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md index dcc618ac81..7e5719c49b 100644 --- a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md 
@@ -2,93 +2,97 @@ title: Interactive logon Message title for users attempting to log on (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Message title for users attempting to log on security policy setting. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Message title for users attempting to log on + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. + ## Reference + This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. + The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. + Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. + When these policy settings are configured, users will see a dialog box before they can log on to the server console. 
+ ### Possible values + - *User-defined title* - Not defined + ### Best practices + 1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following: + - RESTRICTED SYSTEM + or + - WARNING: This system is restricted to authorized users. + 2. Set the policy [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) to reinforce the meaning of the message’s title. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      DC Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +|Server type or GPO | Default value| +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + There are two policy settings that relate to logon displays: + - [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) - **Interactive logon: Message title for users attempting to log on** + The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. + ### Vulnerability + Users often do not understand the importance of security practices. However, the display of a warning message with an appropriate title before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process. 
+ ### Countermeasure + Configure the [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) and **Interactive logon: Message title for users attempting to log on** settings to an appropriate value for your organization. -**Note**   -Any warning message that displays should be approved by your organization's legal and human resources representatives. + +>**Note:**  Any warning message that displays should be approved by your organization's legal and human resources representatives.   ### Potential impact + Users see a message in a dialog box before they can log on to the server console. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 14605564d2..651f08183b 100644 --- a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md 
@@ -2,91 +2,100 @@ title: Interactive logon Number of previous logons to cache (in case domain controller is not available) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Number of previous logons to cache (in case domain controller is not available) security policy setting. ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Number of previous logons to cache (in case domain controller is not available) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. + ## Reference + The **Interactive logon: Number of previous logons to cache (in case domain controller is not available**) policy setting determines whether a user can log on to a Windows domain by using cached account information. Logon information for domain accounts can be cached locally so that, if a domain controller cannot be contacted on subsequent logons, a user can still log on. This policy setting determines the number of unique users whose logon information is cached locally. + If a domain controller is unavailable and a user's logon information is cached, the user is prompted with the following message: + A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on might not be available. + If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message: + The system cannot log you on now because the domain *DOMAIN NAME* is not available. 
+ The value of this policy setting indicates the number of users whose logon information the server caches locally. If the value is 10, the server caches logon information for 10 users. When an eleventh user logs on to the device, the server overwrites the oldest cached logon session. -Users who access the server console will have their logon credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations. + +Users who access the server console will have their logon credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by +encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations. + ### Possible values + - A user-defined number from 0 through 50 - Not defined + ### Best practices + It is advisable to set **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** to 0. Setting this value to 0 disables the local caching of logon information. Additional countermeasures include enforcing strong password policies and physically securing the computers. If the value is set to 0, users will be unable to log on to any computers if there is no domain controller available to authenticate them. Organizations might want to set **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** to 2 for end-user systems, especially for mobile users. 
Setting this value to 2 means that the user's logon information will still be in the cache even if a member of the IT department has recently logged on to their device to perform system maintenance. This way, those users will be able to log on to their devices when they are not connected to the corporate network. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      10 logons

      DC Effective Default Settings

      10 logons

      Member Server Effective Default Settings

      10 logons

      Client Computer Effective Default Settings

      10 logons

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | 10 logons| +| DC Effective Default Settings | 10 logons| +| Member Server Effective Default Settings | 10 logons| +| Client Computer Effective Default Settings| 10 logons|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The number that is assigned to this policy setting indicates the number of users whose logon information is cache locally by the servers. If the number is set to 10, the server caches logon information for 10 users. When an eleventh user logs on to the device, the server overwrites the oldest cached logon session. + Users who access the server console have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. + To mitigate this type of attack, Windows encrypts the information and obscures its physical location. 
+ ### Countermeasure + Configure the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** setting to 0, which disables the local caching of logon information. Additional countermeasures include enforcement of strong password policies and physically secure locations for the computers. + ### Potential impact -Users cannot log on to any devices if there is no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information is still in the cache, even if a member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to log on to their computers when they are not connected to the organization's network. + +Users cannot log on to any devices if there is no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information is still in the cache, even if a +member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to log on to their computers when they are not connected to the organization's network. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md index f499d1b051..6e08f688d8 100644 --- a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md 
@@ -2,85 +2,84 @@ title: Interactive logon Prompt user to change password before expiration (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Prompt user to change password before expiration security policy setting. ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Prompt user to change password before expiration + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. + ## Reference + The **Interactive logon: Prompt user to change password before expiration** policy setting determines how many days in advance users are warned that their passwords are about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong. + ### Possible values + - A user-defined number of days from 0 through 999. - Not defined. + ### Best practices + 1. Configure user passwords to expire periodically. Users will need warning that their passwords are going to expire, or they might inadvertently get locked out of the system. This could lead to confusion for users who access the network locally, or make it impossible for users who access the network through dial-up or virtual private network (VPN) connections to log on. 2. Set **Interactive logon: Prompt user to change password before expiration** to 5 days. When their password expiration date is 5 or fewer days away, users will see a dialog box each time they log on to the domain. 3. Do not set the value to 0, which results in displaying the password expiration warning every time the user logs on. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      14 days *

      DC Effective Default Settings

      14 days *

      Member Server Effective Default Settings

      14 days *

      Client Computer Effective Default Settings

      14 days *

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | 14 days| +| DC Effective Default Settings | 14 days | +| Member Server Effective Default Settings| 14 days | +| Client Computer Effective Default Settings | 14 days|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If user passwords are configured to expire periodically in your organization, users need to be warned when this is about to happen, or they may be locked out of the device inadvertently when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections. + ### Countermeasure + Configure the **Interactive logon: Prompt user to change password before expiration** setting to 14 days. + ### Potential impact + Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 14 or fewer days. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 97aa85187c..9660b5770a 100644 --- a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md 
@@ -2,87 +2,89 @@ title: Interactive logon Require Domain Controller authentication to unlock workstation (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Interactive logon Require Domain Controller authentication to unlock workstation security policy setting. ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Require Domain Controller authentication to unlock workstation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. + ## Reference + Unlocking a locked device requires logon information. For domain accounts, the **Interactive logon: Require Domain Controller authentication to unlock workstation** policy setting determines whether it is necessary to contact a domain controller to unlock a device. Enabling this policy setting requires a domain controller to authenticate the domain account that is being used to unlock the device. Disabling this policy setting allows a user to unlock the device without the computer verifying the logon information with a domain controller. However, if [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) is set to a value greater than zero, the user's cached credentials will be used to unlock the system. + The device caches (locally in memory) the credentials of any users who have been authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. 
+ When cached credentials are used, any changes that have recently been made to the account (such as user rights assignments, account lockout, or the account being disabled) are not considered or applied after this authentication process. This means not only that user rights are not updated, but more importantly that disabled accounts are still able to unlock the console of the system. + It is advisable to set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + By default, the device caches locally in memory the credentials of any users who are authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account—such as user rights assignments, account lockout, or the account being disabled—are not considered or applied after the account is authenticated. 
User privileges are not updated, and disabled accounts are still able to unlock the console of the device + ### Countermeasure + Configure the **Interactive logon: Require Domain Controller authentication to unlock workstation** setting to Enabled and configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0. + ### Potential impact + When the console on a device is locked by a user or automatically by a screen-saver timeout, the console can be unlocked only if the user can re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their workstations. If you configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0, users whose domain controllers are unavailable (such as mobile or remote users) cannot log on. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-require-smart-card.md b/windows/keep-secure/interactive-logon-require-smart-card.md index 417a99a5a3..faf1834204 100644 --- a/windows/keep-secure/interactive-logon-require-smart-card.md +++ b/windows/keep-secure/interactive-logon-require-smart-card.md 
@@ -2,85 +2,86 @@ title: Interactive logon Require smart card (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting. ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Require smart card + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting. + ## Reference + The **Interactive logon: Require smart card** policy setting requires users to log on to a device by using a smart card. + Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly. This reduces the chance that a malicious user will be able to guess a user's password through a brute-force attack. Using smart cards rather than passwords for authentication dramatically increases security because, with today's technology, it is nearly impossible for a malicious user to impersonate another user. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user who attempts to log on must possess the smart card and know its PIN. A malicious user who captures the authentication traffic between the user's device and the domain controller will find it extremely difficult to decrypt the traffic: even if they do, the next time the user logs on to the network, a new session key will be generated for encrypting traffic between the user and the domain controller. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set **Interactive logon: Require smart card** to Enabled. All users will have to use smart cards to log on to the network. 
This means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + It can be difficult to make users choose strong passwords, and even strong passwords are vulnerable to brute-force attacks if an attacker has sufficient time and computing resources. + ### Countermeasure + For users with access to computers that contain sensitive data, issue smart cards to users and configure the **Interactive logon: Require smart card** setting to Enabled. + ### Potential impact -All users of a device with this setting enabled must use smart cards to log on locally. This means that the organization must have a reliable public key infrastructure (PKI) as well as smart cards and smart card readers for these users. 
These requirements are significant challenges because expertise and resources are required to plan for and deploy these technologies. Active Directory Certificate Services (AD CS) can be used to implement and manage certificates. You can use automatic user and device enrollment and renewal on the client. + +All users of a device with this setting enabled must use smart cards to log on locally. This means that the organization must have a reliable public key infrastructure (PKI) as well as smart cards and smart card readers for these users. These requirements are significant challenges because +expertise and resources are required to plan for and deploy these technologies. Active Directory Certificate Services (AD CS) can be used to implement and manage certificates. You can use automatic user and device enrollment and renewal on the client. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md index e7daf35333..29eba6fd2b 100644 --- a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md +++ b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md 
@@ -2,93 +2,102 @@ title: Interactive logon Smart card removal behavior (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Smart card removal behavior security policy setting. ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Interactive logon: Smart card removal behavior + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting. + ## Reference + This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. + If smart cards are used for authentication, the device should automatically lock itself when the card is removed—that way, if users forget to manually lock their devices when they are away from them, malicious users cannot gain access. + If you select **Force Logoff** in the property sheet for this policy setting, the user is automatically logged off when the smart card is removed. Users will have to reinsert their smart cards and reenter their PINs when they return to their workstations. + ### Possible values + - No Action - Lock Workstation + If you select this, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. + - Force Logoff + If you select this, the user is automatically logged off when the smart card is removed. + - Disconnect if a remote Remote Desktop Services session + If you select this, removal of the smart card disconnects the session without logging the user off. 
This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. + - Not Defined + ### Best practices + - Set **Interactive logon: Smart card removal behavior** to **Lock Workstation**. If you select **Lock Workstation** in the property sheet for this policy setting, the workstation is locked when the smart card is removed. This allows users to leave the area, take their smart card with them, and still maintain a protected session. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      No Action

      DC Effective Default Settings

      No Action

      Member Server Effective Default Settings

      No Action

      Client Computer Effective Default Settings

      No Action

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | No Action| +| DC Effective Default Settings | No Action| +| Member Server Effective Default Settings | No Action| +| Client Computer Effective Default Settings | No Action|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their devices. If smart cards are used for authentication, the device should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources by using those credentials. + ### Countermeasure + Configure the **Interactive logon: Smart card removal behavior** setting to **Lock Workstation**. + If you select **Lock Workstation** for this policy setting, the device locks when the smart card is removed. Users can leave the area, take their smart card with them, and still maintain a protected session. 
This behavior is similar to the setting that requires users to log on when resuming work on the device after the screen saver has started. + If you select **Force Logoff** for this policy setting, the user is automatically logged off when the smart card is removed. This setting is useful when a device is deployed as a public access point, such as a kiosk or other type of shared device + ### Potential impact + If you select **Force Logoff**, users must insert their smart cards and enter their PINs when they return to their workstations. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) From e0ff338ac3bc09347b73a07638f389c423dedced Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Tue, 24 May 2016 12:06:23 -0700 Subject: [PATCH 088/169] content cleanup Fix headings in Diagnostic Toolkit article; add ms.pagetype tag --- ...nced-uefi-security-features-for-surface.md | 5 +- ...tomize-the-oobe-for-surface-deployments.md | 5 +- ...irmware-and-drivers-for-surface-devices.md | 5 +- ...-fast-and-cisco-leap-on-surface-devices.md | 3 +- ...-adapters-and-surface-device-deployment.md | 5 +- devices/surface/index.md | 3 +- .../manage-surface-dock-firmware-updates.md | 4 +- .../manage-surface-pro-3-firmware-updates.md | 5 +- .../surface/microsoft-surface-data-eraser.md | 5 +- ...icrosoft-surface-deployment-accelerator.md | 5 +- ...-by-step-surface-deployment-accelerator.md | 5 +- devices/surface/surface-diagnostic-toolkit.md | 195 +++++++----------- devices/surface/surface-dock-updater.md | 4 +- 13 files changed, 114 insertions(+), 135 deletions(-) diff --git a/devices/surface/advanced-uefi-security-features-for-surface.md b/devices/surface/advanced-uefi-security-features-for-surface.md index 9eb6cc703e..ca850266d6 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface.md +++ b/devices/surface/advanced-uefi-security-features-for-surface.md 
@@ -2,9 +2,10 @@ title: Advanced UEFI security features for Surface (Surface) description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93 -keywords: ["Surface, Surface Pro 3, security, features, configure, hardware, device, custom, script, update"] -ms.prod: W10 +keywords: security, features, configure, hardware, device, custom, script, update +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices, security ms.sitesec: library author: miladCA --- diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md index 1985b76438..3c18712be2 100644 --- a/devices/surface/customize-the-oobe-for-surface-deployments.md +++ b/devices/surface/customize-the-oobe-for-surface-deployments.md @@ -2,9 +2,10 @@ title: Customize the OOBE for Surface deployments (Surface) description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization. ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87 -keywords: ["deploy, customize, automate, deployment, network, Pen, pair, boot"] -ms.prod: W10 +keywords: deploy, customize, automate, network, Pen, pair, boot +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 61d56fa1b9..b2a06e1583 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
@@ -2,9 +2,10 @@ title: Download the latest firmware and drivers for Surface devices (Surface) description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A -keywords: ["update Surface, newest, latest, download, firmware, driver, tablet, hardware, device"] -ms.prod: W10 +keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md index df0f2600d3..e562f5599b 100644 --- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md +++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md @@ -2,9 +2,10 @@ title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface) description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D -keywords: ["network", "wireless", "device", "deploy", "authenticaion", "protocol"] +keywords: network, wireless, device, deploy, authentication, protocol ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: miladCA --- diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index fb580c032f..0addf8e26a 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md 
@@ -2,9 +2,10 @@ title: Ethernet adapters and Surface deployment (Surface) description: This article provides guidance and answers to help you perform a network deployment to Surface devices. ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0 -keywords: ["ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB"] -ms.prod: W10 +keywords: ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- diff --git a/devices/surface/index.md b/devices/surface/index.md index 2a2598a5cd..d0bb077b72 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -2,8 +2,9 @@ title: Surface (Surface) description: . ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices ms.sitesec: library author: heatherpoulsen --- diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md index 758f8027ea..9428200756 100644 --- a/devices/surface/manage-surface-dock-firmware-updates.md +++ b/devices/surface/manage-surface-dock-firmware-updates.md @@ -2,8 +2,10 @@ title: Manage Surface Dock firmware updates (Surface) description: Read about the different methods you can use to manage the process of Surface Dock firmware updates. ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F -ms.prod: W10 +keywords: firmware, update, install, drivers +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md index fac455f9ac..8e757fdaca 100644 --- a/devices/surface/manage-surface-pro-3-firmware-updates.md +++ b/devices/surface/manage-surface-pro-3-firmware-updates.md 
@@ -2,9 +2,10 @@ title: Manage Surface driver and firmware updates (Surface) description: This article describes the available options to manage firmware and driver updates for Surface devices. ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73 -keywords: ["Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB"] -ms.prod: W10 +keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index e35e41bbf8..6f76da2a15 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -2,9 +2,10 @@ title: Microsoft Surface Data Eraser (Surface) description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10 -keywords: ["tool", "USB", "data", "erase"] -ms.prod: W10 +keywords: tool, USB, data, erase +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices, security ms.sitesec: library author: miladCA --- diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md index e38d23d94b..8b9b17335c 100644 --- a/devices/surface/microsoft-surface-deployment-accelerator.md +++ b/devices/surface/microsoft-surface-deployment-accelerator.md 
@@ -2,9 +2,10 @@ title: Microsoft Surface Deployment Accelerator (Surface) description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4 -keywords: ["deploy", "install", "tool"] -ms.prod: W10 +keywords: deploy, install, tool +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: miladCA --- diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index b04c37e9b5..07c32b693b 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md @@ -2,9 +2,10 @@ title: Step by step Surface Deployment Accelerator (Surface) description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032 -keywords: ["deploy, configure"] -ms.prod: W10 +keywords: deploy, configure +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: surface, devices ms.sitesec: library author: miladCA --- diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md index 61e867468f..a20e52b118 100644 --- a/devices/surface/surface-diagnostic-toolkit.md +++ b/devices/surface/surface-diagnostic-toolkit.md 
@@ -2,9 +2,10 @@ title: Microsoft Surface Diagnostic Toolkit (Surface) description: Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. ms.assetid: FC4C3E76-3613-4A84-A384-85FE8809BEF1 -keywords: ["hardware, device, tool, test, component"] -ms.prod: W8 +keywords: hardware, device, tool, test, component +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices ms.sitesec: library author: miladCA --- @@ -18,19 +19,19 @@ The [Microsoft Surface Diagnostic Toolkit](http://go.microsoft.com/fwlink/p/?Lin >**Note:**  A Surface device must boot into Windows to run the Microsoft Surface Diagnostic Toolkit. The Microsoft Surface Diagnostic Toolkit will run only on the following Surface devices: -- Surface Book +- Surface Book -- Surface Pro 4 +- Surface Pro 4 -- Surface 3 LTE +- Surface 3 LTE -- Surface 3 +- Surface 3 -- Surface Pro 3 +- Surface Pro 3 -- Surface Pro 2 +- Surface Pro 2 -- Surface Pro +- Surface Pro >**Note:**  Security software and built-in security measures in many email applications and services will block executable files that are transferred through email. To email the Surface Diagnostic Toolkit, attach the .zip archive file as downloaded from the Surface Tools for IT page without extracting it first. You can also create a custom .zip archive that contains the .exe file. (For example, if you want to localize the text as described in the [Localization](#localization) section of this article.) 
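Review bot: the `@@ -18,19 +19,19 @@` hunk of surface-diagnostic-toolkit.md removes and re-adds all seven device list items (`- Surface Book` through `- Surface Pro`) with the same visible text, so the change is whitespace-only and the diff cannot show a reviewer what was normalized. Say in the commit message that list-marker spacing is being cleaned up, or split that cleanup into its own commit so the metadata edits stay easy to audit. In the front-matter hunk of the same file, `ms.prod` moves from `W8` to `w10`. That is a product retag rather than the `W10` to `w10` case change applied to the other Surface files, and the commit message ("Fix headings in Diagnostic Toolkit article; add ms.pagetype tag") does not mention it. Please confirm the retag is intended and note it. The `keywords` value also changes from a bracketed, quoted list to a bare comma-separated string here and in the other Surface files in this patch, which is worth checking against whatever consumes that field.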
@@ -38,299 +39,263 @@ Running the Microsoft Surface Diagnostic Toolkit is a hands-on activity. The tes To run a full set of tests with the Microsoft Surface Diagnostic Toolkit, you should be prepared with the following items: -- An external display with the appropriate HDMI or DisplayPort connection +- An external display with the appropriate HDMI or DisplayPort connection -- A Bluetooth device that can be put into pairing mode +- A Bluetooth device that can be put into pairing mode -- A MicroSD or SD card that is compatible with your Surface device +- A MicroSD or SD card that is compatible with your Surface device -- A Surface Pen +- A Surface Pen -- Room to move the Surface device around +- Room to move the Surface device around -- External speakers or headphones +- External speakers or headphones >**Note:**  The Microsoft Surface Diagnostic Toolkit tests verify only the hardware of a Surface device and do not test or resolve issues with the operating system or software.   -## The tests +## The tests The Microsoft Surface Diagnostic Toolkit runs several individual tests on a Surface device. Not all tests are applicable to every device. For example, the Home button test is not applicable to Surface Pro 4 where there is no Home button. You can specify which tests to run, or you can choose to run all tests. For tests that require external devices (such as testing output to an external display) but you do not have the required external device at the time of the test, you are given the option to skip the test. If a test fails, you are prompted to continue or stop testing at that time. -### Windows Update +#### Windows Update This test checks for any outstanding Windows updates and will prompt you to install those updates before you proceed to other tests. It is important to keep a Surface device up to date with the latest Windows updates, including drivers and firmware for the Surface device. 
The success of some of the tests that are performed later in the task sequence depend on these updated drivers and firmware. You will be prompted to restart the device if required by Windows Update. If you must restart the device, you will need to start the Microsoft Surface Diagnostic Toolkit again. -### Device information +#### Device information This test reads the Device ID and serial number in addition to basic system information such as device model, operating system version, processor, memory, and storage. The Device ID is recorded in the name of the log file and can be used to identify a log file for a specific device. Several system log files are also collected, including update and rollback logs, and output from several Windows built-in tools, such as [DirectX Diagnostics](http://go.microsoft.com/fwlink/p/?LinkId=746476) and [System Information](http://go.microsoft.com/fwlink/p/?LinkId=746477), power configuration, disk health, and event logs. See the following list for a full set of collected log files: -- Output of **Get-WindowsUpdateLog** if the operating system is Windows 10 +- Output of **Get-WindowsUpdateLog** if the operating system is Windows 10 -- **%windir%\\Logs** +- **%windir%\\Logs** -- **%windir%\\Panther** +- **%windir%\\Panther** -- **%windir%\\System32\\sysprep\\Panther** +- **%windir%\\System32\\sysprep\\Panther** -- **%windir%\\System32\\WinEvt\\Logs** +- **%windir%\\System32\\WinEvt\\Logs** -- **$windows.~bt\\Sources\\Panther** +- **$windows.~bt\\Sources\\Panther** -- **$windows.~bt\\Sources\\Rollback** +- **$windows.~bt\\Sources\\Rollback** -- **%windir%\\System32\\WinEvt\\Logs** +- **%windir%\\System32\\WinEvt\\Logs** -- Output of **dxdiag.exe /t** +- Output of **dxdiag.exe /t** -- Output of **msinfo32.exe /report** +- Output of **msinfo32.exe /report** -- Output of **powercfg.exe /batteryreport** +- Output of **powercfg.exe /batteryreport** -- Output of **powercfg.exe /sleepstudy** +- Output of **powercfg.exe /sleepstudy** -- Output 
of **wevtutil.exe epl System** +- Output of **wevtutil.exe epl System** -- Events from: +- Events from: - - **Chkdsk** + - **Chkdsk** - - **Microsoft-Windows-Ntfs** + - **Microsoft-Windows-Ntfs** - - **Microsoft-Windows-WER-SystemErrorReporting** + - **Microsoft-Windows-WER-SystemErrorReporting** - - **Microsoft-Windows-Startuprepair** + - **Microsoft-Windows-Startuprepair** - - **Microsoft-Windows-kernel-Power** + - **Microsoft-Windows-kernel-Power** -- Output of **powercfg.exe /q** +- Output of **powercfg.exe /q** -- Output of **powercfg.exe /qh** +- Output of **powercfg.exe /qh** -- **%windir%\\Inf\\SetupApi\*.log** +- **%windir%\\Inf\\SetupApi\*.log** These files and logs are stored in a .zip file saved by the Microsoft Surface Diagnostic Toolkit when all selected tests have completed alongside the Microsoft Surface Diagnostic Toolkit log file. -### Type Cover test +#### Type Cover test >**Note:**  A Surface Type Cover is required for this test. -  If a Surface Type Cover is not detected, the test prompts you to connect the Type Cover. When a Type Cover is detected the test prompts you to use the keyboard and touchpad. The cursor should move while you swipe the touchpad, and the keyboard Windows key should bring up the Start menu or Start screen to successfully pass this test. You can skip this test if a Type Cover is not used with the Surface device. -### Integrated keyboard test +#### Integrated keyboard test >**Note:**  This test is only applicable to Surface Book and requires that the Surface Book be docked to the keyboard. -  - This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. Move the cursor and use the Windows key to bring up the Start menu to confirm that the touchpad and keyboard are operating successfully. This test will display the status of cursor movement and keyboard input for you to verify. Press **ESC** to complete the test. 
-### Canvas mode battery test +#### Canvas mode battery test >**Note:**  This test is only applicable to Surface Book. -  - Depending on which mode Surface Book is in, different batteries are used to power the device. When Surface Book is in clipboard mode (detached form the keyboard) it uses an internal battery, and when it is connected in either laptop mode or canvas mode it uses different connections to the battery in the keyboard. In canvas mode, the screen is connected to the keyboard so that when the device is closed, the screen remains face-up and visible. Connect the Surface Book to the keyboard in this manner for the test to automatically proceed. -### Clipboard mode battery test +#### Clipboard mode battery test >**Note:**  This test is only applicable to Surface Book. -  - Disconnect the Surface Book from the keyboard to work in clipboard mode. In clipboard mode the Surface Book operates from an internal battery that is tested when the Surface Book is disconnected from the keyboard. Disconnecting the Surface Book from the keyboard will also disconnect the Surface Book from power and will automatically begin this test. -### Laptop mode battery test +#### Laptop mode battery test >**Note:**  This test is only applicable to Surface Book. -  - Connect the Surface Book to the keyboard in the opposite fashion to canvas mode in laptop mode. In laptop mode the screen will face you when the device is open and the device can be used in the same way as any other laptop. Disconnect AC Power from the laptop base when prompted for this test to check the battery status. -### Battery test +#### Battery test In this test the battery is discharged for a few seconds and tested for health and estimated runtime. You are prompted to disconnect the power adapter and then to reconnect the power adapter when the test is complete. 
-### Discrete graphics (dGPU) test +#### Discrete graphics (dGPU) test >**Note:**  This test is only applicable to Surface Book models with a discrete graphics processor. -  - This test will query the device information of current hardware to check for the presence of both the Intel integrated graphics processor in the Surface Book and the NVIDIA discrete graphics processor in the Surface Book keyboard. The keyboard must be attached for this test to function. -### Discrete graphics (dGPU) fan test +#### Discrete graphics (dGPU) fan test >**Note:**  This test is only applicable to Surface Book models with a discrete graphics processor. -  - The discrete graphics processor in the Surface Book includes a separate cooling fan. The fan is turned on automatically by the test for 5 seconds. Listen for the sound of the fan in the keyboard and report if the fan is working correctly when prompted. -### Muscle wire test +#### Muscle wire test >**Note:**  This test is only applicable to Surface Book. -  - To disconnect the Surface Book from the keyboard, software must instruct the muscle wire latch mechanism to open. This is typically accomplished by pressing and holding the undock key on the keyboard. This test sends the same signal to the latch, which unlocks the Surface Book from the Surface Book keyboard. Remove the Surface Book from the keyboard when you are prompted to do so. -### Dead pixel and display artifacts tests +#### Dead pixel and display artifacts tests >**Note:**  Before you run this test, be sure to clean the screen of dust or smudges. -  - This test prompts you to view the display in search of malfunctioning pixels. The test displays full-screen, single-color images including black, white, red, green, and blue. Pixels that remain bright or dark when the screen displays an image of a different color indicate a failed test. You should also look for distortion or variance in the color of the screen. 
-### Digitizer edges +#### Digitizer edges The touchscreen of a Surface device should detect when a user swipes in from the left or right side of the screen. This test prompts you to swipe in from the edges of the screen to bring up the Action Center and Task View. Both Action Center and Task View should launch to pass this test. -### Digitizer pinch +#### Digitizer pinch The pinch gesture (when you bring two fingers closer together or farther apart) is used to manipulate zoom and to position content through the touchscreen. This test displays an image in Windows Picture Viewer and prompts you to zoom in, move, and zoom out of the picture. The picture should zoom in, move, and zoom out as the gestures are performed. -### Digitizer touch +#### Digitizer touch The Surface touchscreen should detect input across the entire screen of the device equally. To perform this test a series of lines are displayed on the screen for you to trace with a finger in search of unresponsive areas. The lines traced across the screen should appear continuous for the length of the line as drawn with your finger. -### Digitizer pen test +#### Digitizer pen test >**Note:**  A Microsoft Surface Pen is required for this test. -  - This test displays the same lines as those that are displayed during the Digitizer Touch test, but your input is performed with a Surface Pen instead of your finger. The lines should remain unbroken for as long as the Pen is pressed to the screen. Trace all of the lines in the image to look for unresponsive areas across the entire screen of the Surface device. -### Digitizer multi touch +#### Digitizer multi touch The Surface touchscreen is capable of detecting 10 fingers simultaneously. Place all of your fingers on the screen simultaneously to perform this test. The screen will show the number of points detected, which should match the number of fingers you have on the screen. 
-### Home button test +#### Home button test The Home button or Windows button on your Surface device is used to bring up the Start screen or Start menu. This test is successful if the Start screen or Start menu is displayed when the Windows button is pressed. This test is not displayed on Surface Pro 4 because no Windows button exists. -### Volume rocker test +#### Volume rocker test This test prompts you to use the volume rocker to turn the volume all the way up, all the way down, and then all the way up again. To pass this test, the volume slider should move up and down as the rocker is pressed. -### Micro SD or SD slot test +#### Micro SD or SD slot test >**Note:**  This test requires a micro SD or SD card that is compatible with the slot in your Surface device. -  - Insert a micro SD or SD card when you are prompted. When the SD card is detected, the test prompts you to remove the SD card to ensure that the card is not left in the device. During this test a small file is written to the SD card and then verified. Detection and verification of the SD card automatically passes this test without additional input. -### Microphone test +#### Microphone test This test displays the **Recording** tab of the Sound item in Control Panel. The test prompts you to monitor the meter that is displayed next to the **Microphone Array** recording device. A recommended test is to speak and watch for your speech to be detected in the meter. If the meter moves when you speak, the microphone is working correctly. For Surface Book you will be prompted to tap locations near the microphones. This tapping should produce noticeable spikes in the audio meter. -### Video out test +#### Video out test >**Note:**  This test requires an external display with the applicable connection for your Surface device. -  - Surface devices provide a Mini DisplayPort connection for connecting to an external display. Connect your display through the Mini DisplayPort on the device when prompted. 
The display should be detected automatically and an image should appear on the external display. -### Bluetooth test +#### Bluetooth test >**Note:**  This test requires a Bluetooth device. The device must be set to pairing mode or made discoverable to perform this test. -  - After you receive a prompt to put the device in pairing mode, the test opens the **Add a device** window and begins to search for discoverable Bluetooth devices. Watch the **Add a device** window to verify that your Bluetooth device is detected. Select your Bluetooth device from the list and connect to the device to complete the test. -### Camera test +#### Camera test Use this test to verify that the cameras on your Surface device are operating properly. Images will be displayed from both the front and rear cameras, and the infrared camera on a Surface Pro 4. Continuous autofocus can be enabled on the rear camera. Move the device closer and farther away from an object to verify the operation of continuous autofocus. -### Speaker test +#### Speaker test >**Note:**  Headphones or external speakers are required to test the headphone jack in this test. -  - This test plays audio over left and right channels respectively, both for the internal speakers and for speakers or headphones connected to the headphone jack. Mark each channel as a pass or fail as you hear the audio play. -### Network test +#### Network test >**Note:**  Connect the Surface device to a Wi-Fi network before you run this test. Connections that are made during the test are removed when the test is completed. -  - This test uses the Windows Network Diagnostics built in troubleshooter to diagnose potential issues with network connectivity, including proxy configuration, DNS problems, and IP address conflicts. An event log is saved by this test in Windows logs and is visible in the Windows Event Viewer. The Event ID is 6100. 
-### Power test +#### Power test Settings such as display brightness, the elapsed time until the screen sleeps, and the elapsed time until device sleeps, are checked against default values with the Power built-in troubleshooter. The troubleshooter will automatically correct settings that may prevent the device from conserving power or entering sleep mode. -### Mobile broadband test +#### Mobile broadband test This test prompts you to enable mobile broadband and attempts to browse to http://www.bing.com. This test is only applicable to Surface devices that come equipped with mobile broadband, such as Surface 3 LTE. -### Accelerometer test +#### Accelerometer test The accelerometer detects lateral, longitudinal, and vertical movements of the Surface device. This test prompts you to pick up and move the Surface device forward and backward, to the left and to the right, and up and down, to test the sensor for directional movement. The test automatically passes when movement is detected. -### Gyrometer test +#### Gyrometer test The gyrometer detects pitch, roll, and yaw movements. This test prompts you to pick up and rotate the Surface device to test the sensors for angular movement. The test automatically passes when movement is detected. -### Compass test +#### Compass test The compass detects which direction the Surface device is facing relative to north, south, east, and west. Turn the Surface device to face in different directions to test the sensor. The test automatically passes when a change in direction is detected. -### Ambient light test +#### Ambient light test The ambient light sensor is used to automatically adjust screen brightness relative to the ambient lighting in the environment. Turn the device toward or away from a light source to cause the screen to dim or brighten in response increased or decreased light. The test automatically passes when the screen brightness automatically changes. 
-### Device orientation test +#### Device orientation test >**Note:**  Before you run this test, disable rotation lock from the Action Center if enabled. -  - The device orientation sensor determines what the angle of the Surface device is, relative to the ground. Rotate the display 90 degrees or 180 degrees to cause the screen orientation to switch between portrait and landscape mode. The test automatically passes when the screen orientation switches. -### Brightness test +#### Brightness test This test cycles the screen through brightness levels from 0 percent to 100 percent, and then a message is displayed to confirm if the brightness level changed accordingly. You are then prompted to disconnect the power adapter. The screen should automatically dim when power is disconnected. -### System assessment +#### System assessment >**Note:**  The Surface device must be connected to AC power before you can run this test. -  - The Windows System Assessment Tool (WinSAT) runs a series of benchmarks against the processor, memory, video adapter, and storage devices. The results include the processing speed of various algorithms, read and write performance of memory and storage, and performance in several Direct3D graphical tests. -### Performance Monitor test +#### Performance Monitor test Performance and diagnostic trace logs are recorded from Performance Monitor for 30 seconds and collected in the .zip file output of the Microsoft Surface Diagnostic Toolkit by this test. You can analyze these trace logs with the [Windows Performance Analyzer](http://go.microsoft.com/fwlink/p/?LinkId=746486) to identify causes of application crashes, performance issues, or other undesirable behavior in Windows. 
-### Crash dump collection +#### Crash dump collection If your Surface device has encountered an error that caused the device to fail or produce a blue screen error, this stage of the Microsoft Surface Diagnostic Toolkit records the information from the automatically recorded crash dump files in the diagnostic log. You can use these crash dump files to identify a faulty driver, hardware component, or application through analysis. Use the [Windows Debugging Tool](http://go.microsoft.com/fwlink/p/?LinkId=746488) to analyze these files. If you are not familiar with the analysis of crash dump files, you can describe your issue and post a link to your crash dump files (uploaded to OneDrive or another file sharing service) in the [Windows TechNet Forums](http://go.microsoft.com/fwlink/p/?LinkId=746489). -## Command line - +## Command line You can run the Microsoft Surface Diagnostic Toolkit from the command line or as part of a script. The tool supports the following arguments: >**Note:**  Many of the tests performed by the Microsoft Surface Diagnostic Toolkit require technician interaction. The Microsoft Surface Diagnostic Toolkit cannot run unattended. -  - -### exclude +#### exclude Use this argument to exclude specific tests. @@ -424,7 +389,7 @@ See the following list for test names: - WindowsUpdateCheckTest -### forceplatformsupport +#### forceplatformsupport Use this argument to force tests to run when the make and model of the device is not properly detected by Windows. Surface Diagnostic Toolkit is intended to run only on Surface devices. 
@@ -434,7 +399,7 @@ Example: Surface_Diagnostic_Toolkit_1.0.60.0.exe forceplatformsupport ``` -### include +#### include Use this argument to include tests when you run Microsoft Surface Diagnostic Toolkit from the command line. Tests specified by the **Include** command will be run even if the test is not supported on the model of Surface device. In the following example, the Surface Book specific tests for the latch mechanism and discrete graphics will be run, even if the command is run on a Surface Pro 4 or other Surface model. diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 38115ae721..ea56c4cc95 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -2,8 +2,10 @@ title: Microsoft Surface Dock Updater (Surface) description: This article provides a detailed walkthrough of Microsoft Surface Dock Updater. ms.assetid: 1FEFF277-F7D1-4CB4-8898-FDFE8CBE1D5C -ms.prod: W10 +keywords: install, update, firmware +ms.prod: w10 ms.mktglfcycl: manage +ms.pagetype: surface, devices ms.sitesec: library author: jobotto --- From d137ce0a03ed89198a8d7028e53809772c0a5811 Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Tue, 24 May 2016 12:19:08 -0700 Subject: [PATCH 089/169] fixed heading --- devices/surface/surface-diagnostic-toolkit.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md index a20e52b118..4fa7514559 100644 --- a/devices/surface/surface-diagnostic-toolkit.md +++ b/devices/surface/surface-diagnostic-toolkit.md @@ -409,7 +409,7 @@ Example: Surface_Diagnostic_Toolkit_1.0.60.0.exe “include=DualGraphicsTest,FanTest,MuscleWireTest” ``` -### logpath +#### logpath Use this argument to specify the path for the log file. From 3411ddec3cd926039e6fd262e92197f13aea7eb5 Mon Sep 17 00:00:00 2001 
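Review bot: The example command kept as context just above the renamed `logpath` heading in surface-diagnostic-toolkit.md wraps its argument in typographic quotes (`“include=DualGraphicsTest,FanTest,MuscleWireTest”`). A command prompt does not treat those characters as quoting, so anyone who copies the line passes them to the tool as part of the argument. Since this commit already touches the section, replace them with straight quotes.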
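Review bot: In the Command line hunk of surface-diagnostic-toolkit.md the argument headings drop to level 4 (`#### exclude`, `#### forceplatformsupport`, `#### include`) while their parent stays `## Command line`, so the outline skips level 3. If the demotion is only meant to change how these entries appear in the page navigation, say so in the commit message; otherwise keep them at `###`. The same pass left `### logpath` at the old level, which the follow-up "fixed heading" commit had to correct, so search the file for any remaining `###` headings before merging.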
From: jdeckerMS Date: Tue, 24 May 2016 12:48:00 -0700 Subject: [PATCH 090/169] change author --- .../manage/application-development-for-windows-as-a-service.md | 2 +- windows/manage/introduction-to-windows-10-servicing.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/manage/application-development-for-windows-as-a-service.md b/windows/manage/application-development-for-windows-as-a-service.md index 69df22ff69..cffbdd7092 100644 --- a/windows/manage/application-development-for-windows-as-a-service.md +++ b/windows/manage/application-development-for-windows-as-a-service.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: greg-lindsay --- # Application development for Windows as a service diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md index 23290ae499..0c6c2ab9a6 100644 --- a/windows/manage/introduction-to-windows-10-servicing.md +++ b/windows/manage/introduction-to-windows-10-servicing.md @@ -7,7 +7,7 @@ ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: greg-lindsay --- # Windows 10 servicing options for updates and upgrades From 4f7cf536c2468e33fd61dc39728d43d0160d03be Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Tue, 24 May 2016 14:20:34 -0700 Subject: [PATCH 091/169] fixing spacing issues --- windows/keep-secure/kerberos-policy.md | 59 ++++-------- .../load-and-unload-device-drivers.md | 91 +++++++++--------- windows/keep-secure/lock-pages-in-memory.md | 89 ++++++++--------- windows/keep-secure/log-on-as-a-batch-job.md | 94 +++++++++--------- windows/keep-secure/log-on-as-a-service.md | 91 +++++++++--------- .../maintain-applocker-policies.md | 48 ++++++++-- .../manage-auditing-and-security-log.md | 92 +++++++++--------- .../manage-packaged-apps-with-applocker.md | 44 +++++++-- windows/keep-secure/manage-tpm-commands.md | 37 +++++-- .../maximum-lifetime-for-service-ticket.md | 86 +++++++++-------- ...aximum-lifetime-for-user-ticket-renewal.md | 85 ++++++++-------- .../maximum-lifetime-for-user-ticket.md | 85 ++++++++-------- windows/keep-secure/maximum-password-age.md | 82 ++++++++-------- ...ance-for-computer-clock-synchronization.md | 88 ++++++++--------- ...r-policies-by-using-set-applockerpolicy.md | 17 +++- .../merge-applocker-policies-manually.md | 86 +++++------------ ...nt-digitally-sign-communications-always.md | 96 ++++++++++--------- 17 files changed, 653 insertions(+), 617 deletions(-) diff --git a/windows/keep-secure/kerberos-policy.md b/windows/keep-secure/kerberos-policy.md index 7fc388203f..fa68f49ac1 100644 --- a/windows/keep-secure/kerberos-policy.md +++ b/windows/keep-secure/kerberos-policy.md 
@@ -2,56 +2,37 @@ title: Kerberos Policy (Windows 10) description: Describes the Kerberos Policy settings and provides links to policy setting descriptions. ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Kerberos Policy + **Applies to** - Windows 10 + Describes the Kerberos Policy settings and provides links to policy setting descriptions. + The Kerberos version 5 authentication protocol provides the default mechanism for authentication services and the authorization data necessary for a user to access a resource and perform a task on that resource. By reducing the lifetime of Kerberos tickets, you reduce the risk of a legitimate user's credentials being stolen and successfully used by an attacker. However, this also increases the authorization overhead. In most environments, these settings should not need to be changed. + These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. -The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting), countermeasures you can take, and the potential impact for each setting. + +The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting), +countermeasures you can take, and the potential impact for each setting. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [Enforce user logon restrictions](enforce-user-logon-restrictions.md)

      Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting.

      [Maximum lifetime for service ticket](maximum-lifetime-for-service-ticket.md)

      Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting.

      [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md)

      Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting.

      [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md)

      Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting.

      [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md)

      Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting.

      + +| Topic | Description | +| - | - | +| [Enforce user logon restrictions](enforce-user-logon-restrictions.md) | Describes the best practices, location, values, policy management, and security considerations for the **Enforce user logon restrictions** security policy setting.| +| [Maximum lifetime for service ticket](maximum-lifetime-for-service-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for service ticket** security policy setting.| +| [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting.| +| [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting.| +| [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security| policy setting.   ## Related topics -[Configure security policy settings](how-to-configure-security-policy-settings.md) -  -  + +- [Configure security policy settings](how-to-configure-security-policy-settings.md) diff --git a/windows/keep-secure/load-and-unload-device-drivers.md b/windows/keep-secure/load-and-unload-device-drivers.md index fb07375002..0ef993463c 100644 --- a/windows/keep-secure/load-and-unload-device-drivers.md +++ b/windows/keep-secure/load-and-unload-device-drivers.md 
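Review bot: In kerberos-policy.md the last row of the new Markdown table closes its Description cell one word early: the added line ends `**Maximum tolerance for computer clock synchronization** security| policy setting.`, so "policy setting." falls outside the table. Move the closing pipe to after "policy setting." so the row matches the four above it. The same hunk also breaks the "The following topics provide ..." sentence across two added lines after "(including the possible settings vulnerabilities of each setting),"; rejoin it on one line.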
@@ -2,96 +2,95 @@ title: Load and unload device drivers (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting. ms.assetid: 66262532-c610-470c-9792-35ff4389430f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Load and unload device drivers + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Load and unload device drivers** security policy setting. + ## Reference + This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code. Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware, and then automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the device. This model allows a user to plug in the hardware, then Windows searches for an appropriate device driver package and automatically configures it to work without interfering with other devices. + Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted. + Constant: SeLoadDriverPrivilege + ### Possible values + - User-defined list of accounts - Default values - Not Defined + ### Best practices + - Because of the potential security risk, do not assign this user right to any user, group, or process that you do not want to take over the system. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators and Print Operators on domain controllers and Administrators on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      -

      Print Operators

      Stand-Alone Server Default Settings

      Administrators

      Domain Controller Effective Default Settings

      Administrators

      -

      Print Operators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators
      Print Operators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators
      Print Operators | +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Device drivers run as highly privileged code. A user who has the **Load and unload device drivers** user right could unintentionally install malware that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures. -**Note**   -You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing. + +>**Note:**  You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing.   ### Countermeasure + Do not assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. 
On domain controllers, do not assign this user right to any user or group other than Domain Admins. + ### Potential impact + If you remove the **Load and unload device drivers** user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/lock-pages-in-memory.md b/windows/keep-secure/lock-pages-in-memory.md index 3bf58d8f5e..c2d3f4a39d 100644 --- a/windows/keep-secure/lock-pages-in-memory.md +++ b/windows/keep-secure/lock-pages-in-memory.md 
@@ -2,92 +2,93 @@ title: Lock pages in memory (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Lock pages in memory security policy setting. ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Lock pages in memory + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Lock pages in memory** security policy setting. + ## Reference + This policy setting determines which accounts can use a process to keep data in physical memory, which prevents the computer from paging the data to virtual memory on a disk. + Normally, an application running on Windows can negotiate for more physical memory, and in response to the request, the application begins to move the data from RAM (such as the data cache) to a disk. When the pageable memory is moved to a disk, more RAM is free for the operating system to use. + Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This could lead to performance degradation. -**Note**   -By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system. + +>**Note:**  By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system.   
Constant: SeLockMemoryPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + Best practices are dependent on the platform architecture and the applications running on those platforms. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      Domain Controller Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users with the **Lock pages in memory** user right could assign physical memory to several processes, which could leave little or no RAM for other processes and result in a denial-of-service condition. + ### Countermeasure + Do not assign the **Lock pages in memory** user right to any accounts. + ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/log-on-as-a-batch-job.md b/windows/keep-secure/log-on-as-a-batch-job.md index 1d61c2f659..6ffcaa330e 100644 
--- a/windows/keep-secure/log-on-as-a-batch-job.md +++ b/windows/keep-secure/log-on-as-a-batch-job.md @@ -2,98 +2,92 @@ title: Log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a batch job security policy setting. ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Log on as a batch job + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Log on as a batch job** security policy setting. + ## Reference + This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the **Log on as a batch job** user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context. + Constant: SeBatchLogonRight + ### Possible values + - User-defined list of accounts - Default values - Not Defined + ### Best practices + - Use discretion when assigning this right to specific users for security reasons. The default settings are sufficient in most cases. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this setting is for Administrators, Backup Operators, and Performance Log Users on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      -

      Backup Operators

      -

      Performance Log Users

      Stand-Alone Server Default Settings

      Administrators

      -

      Backup Operators

      -

      Performance Log Users

      Domain Controller Effective Default Settings

      Administrators

      -

      Backup Operators

      -

      Performance Log Users

      Member Server Effective Default Settings

      Administrators

      -

      Backup Operators

      -

      Performance Log Users

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators
      Backup Operators
      Performance Log Users| +| Stand-Alone Server Default Settings | Administrators
      Backup Operators
      Performance Log Users| +| Domain Controller Effective Default Settings | Administrators
      Backup Operators
      Performance Log Users| +| Member Server Effective Default Settings | Administrators
      Backup Operators
      Performance Log Users| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Task Scheduler automatically grants this right when a user schedules a task. To override this behavior use the [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) User Rights Assignment setting. + Group Policy settings are applied in the following order, which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Log on as a batch job** user right presents a low-risk vulnerability. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default. + ### Countermeasure + You should allow the computer to manage this user right automatically if you want to allow scheduled tasks to run for specific user accounts. If you do not want to use the Task Scheduler in this manner, configure the **Log on as a batch job** user right for only the Local Service account. + For IIS servers, you should configure this policy locally instead of through domain–based Group Policy settings so that you can ensure the local IUSR\_*<ComputerName>* and IWAM\_*<ComputerName>* accounts have this user right. 
+ ### Potential impact + If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer cannot assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you may need to assign this user right to additional accounts that are required by those components. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right is not assigned to this group and these accounts, IIS cannot run some COM objects that are necessary for proper functionality. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/log-on-as-a-service.md b/windows/keep-secure/log-on-as-a-service.md index ac574fb9c8..04d7784d74 100644 --- a/windows/keep-secure/log-on-as-a-service.md +++ b/windows/keep-secure/log-on-as-a-service.md 
@@ -2,88 +2,91 @@ title: Log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a service security policy setting. ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Log on as a service + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Log on as a service** security policy setting. + ## Reference + This policy setting determines which service accounts can register a process as a service. Running a process under a service account circumvents the need for human intervention. + Constant: SeServiceLogonRight + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Minimize the number of accounts that are granted this user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Network Service on domain controllers and Network Service on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      Domain Controller Effective Default Settings

      Network Service

      Member Server Effective Default Settings

      Network Service

      Client Computer Effective Default Settings

      Network Service

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Network Service| +| Member Server Effective Default Settings| Network Service| +| Client Computer Effective Default Settings | Network Service|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + The policy setting **Deny logon as a service** supersedes this policy setting if a user account is subject to both policies. + Group Policy settings are applied in the following order, which will overwrite settings on the local device at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An attacker who has already attained that level of access could configure the service to run with the Local System account. + +The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. 
The risk is reduced by the fact that only users with administrative privileges can install and configure services. An +attacker who has already attained that level of access could configure the service to run with the Local System account. + ### Countermeasure + By definition, the Network Service account has the **Log on as a service** user right. This right is not granted through the Group Policy setting. You should minimize the number of other accounts that are granted this user right. + ### Potential impact -On most computers, restricting the **Log on as a service** user right to the Local System, Local Service, and Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Log on as a service** user right to additional accounts that are required by those components. IIS requires that this user right be explicitly granted to the ASPNET user account. + +On most computers, restricting the **Log on as a service** user right to the Local System, Local Service, and Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to +assign the **Log on as a service** user right to additional accounts that are required by those components. IIS requires that this user right be explicitly granted to the ASPNET user account. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/maintain-applocker-policies.md b/windows/keep-secure/maintain-applocker-policies.md index d028b6c454..bc85d3af36 100644 --- a/windows/keep-secure/maintain-applocker-policies.md +++ b/windows/keep-secure/maintain-applocker-policies.md 
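Review bot: In log-on-as-a-service.md the "Default values" sentence and the new Markdown table contradict each other. The prose says the default is "Network Service on domain controllers and Network Service on stand-alone servers", but the added row reads "| Stand-Alone Server Default Settings | Not defined|". Since the table is being rewritten here, this is the moment to reconcile the two. Also, the rewritten Vulnerability and Potential impact paragraphs are split mid-sentence ("An" / "attacker who has already attained", "you may need to" / "assign the"). These render as one paragraph but make later diffs noisy, so suggest rejoining them or wrapping at sentence boundaries.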
@@ -2,64 +2,100 @@ title: Maintain AppLocker policies (Windows 10) description: This topic describes how to maintain rules within AppLocker policies. ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maintain AppLocker policies + **Applies to** - Windows 10 + This topic describes how to maintain rules within AppLocker policies. + Common AppLocker maintenance scenarios include: + - A new app is deployed, and you need to update an AppLocker policy. - A new version of an app is deployed, and you need to either update an AppLocker policy or create a new rule to update the policy. - An app is no longer supported by your organization, so you need to prevent it from being used. - An app appears to be blocked but should be allowed. - An app appears to be allowed but should be blocked. - A single user or small subset of users needs to use a specific app that is blocked. + There are two methods you can use to maintain AppLocker policies: + - [Maintaining AppLocker policies by using Group Policy](#bkmk-applkr-use-gp) - [Maintaining AppLocker policies on the local computer](#bkmk-applkr-use-locsnapin) + As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current. -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. -**Caution**   -You should not edit an AppLocker rule collection while it is being enforced in Group Policy. 
Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. + +You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create +versions of GPOs. + +>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.   ## Maintaining AppLocker policies by using Group Policy + For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks. + ### Step 1: Understand the current behavior of the policy + Before modifying a policy, evaluate how the policy is currently implemented. For example, if a new version of the application is deployed, you can use **Test-AppLockerPolicy** to verify the effectiveness of your current policy for that app. + ### Step 2: Export the AppLocker policy from the GPO + Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference or test computer. To prepare an AppLocker policy for modification, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) + ### Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule + After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required. 
+ To modify AppLocker rules, see the following: + - [Edit AppLocker rules](edit-applocker-rules.md) - [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) or [Merge AppLocker policies manually](merge-applocker-policies-manually.md) - [Delete an AppLocker rule](delete-an-applocker-rule.md) - [Enforce AppLocker rules](enforce-applocker-rules.md) + ### Step 4: Test the AppLocker policy + You should test each collection of rules to ensure that the rules perform as intended. (Because AppLocker rules are inherited from linked GPOs, you should deploy all rules for simultaneous testing in all test GPOs.) For steps to perform this testing, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + ### Step 5: Import the AppLocker policy into the GPO + After testing, import the AppLocker policy back into the GPO for implementation. To update the GPO with a modified AppLocker policy, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + ### Step 6: Monitor the resulting policy behavior After deploying a policy, evaluate the policy's effectiveness. + ## Maintaining AppLocker policies by using the Local Security Policy snap-in For every scenario, the steps to maintain an AppLocker policy by using the Local Group Policy Editor or the Local Security Policy snap-in include the following tasks. + ### Step 1: Understand the current behavior of the policy + Before modifying a policy, evaluate how the policy is currently implemented. + ### Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule + Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. + To modify AppLocker rules, see the appropriate topic listed on [Administer AppLocker](administer-applocker.md). 
+ ### Step 3: Test the AppLocker policy + You should test each collection of rules to ensure that the rules perform as intended. For steps to perform this testing, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + ### Step 4: Deploy the policy with the modified rule + You can export and then import AppLocker policies to deploy the policy to other computers running Windows 8 or later. To perform this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + ### Step 5: Monitor the resulting policy behavior + After deploying a policy, evaluate the policy's effectiveness. + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). -  -  diff --git a/windows/keep-secure/manage-auditing-and-security-log.md b/windows/keep-secure/manage-auditing-and-security-log.md index f6bfc0e575..48c840cc7b 100644 --- a/windows/keep-secure/manage-auditing-and-security-log.md +++ b/windows/keep-secure/manage-auditing-and-security-log.md 
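Review bot: The two method links near the top of maintain-applocker-policies.md point at "#bkmk-applkr-use-gp" and "#bkmk-applkr-use-locsnapin", but nothing in this hunk defines those anchors on the corresponding "## Maintaining AppLocker policies by using ..." headings, and the second link's text ("on the local computer") does not match its heading ("by using the Local Security Policy snap-in"). Please confirm the links still resolve after the conversion, or retarget them to the generated heading IDs. Consistency: every other heading gains a blank line after it, but "### Step 6: Monitor the resulting policy behavior" and the second "## Maintaining AppLocker policies ..." heading do not. The Step 2 sentence ending in "[Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md)" is also missing its period, and "allows you to create" / "versions of GPOs" is broken mid-sentence.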
@@ -2,95 +2,97 @@ title: Manage auditing and security log (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Manage auditing and security log security policy setting. ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Manage auditing and security log + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Manage auditing and security log** security policy setting. + ## Reference -This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the Security log in Event Viewer. For more info about the Object Access audit policy, see [Audit object access](basic-audit-object-access.md). + +This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the +Security log in Event Viewer. For more info about the Object Access audit policy, see [Audit object access](basic-audit-object-access.md). + Constant: SeSecurityPrivilege + ### Possible values - User-defined list of accounts - Administrators - Not Defined + ### Best practices + 1. Before removing this right from a group, investigate whether applications are dependent on this right. 2. Generally, assigning this user right to groups other than Administrators is not necessary. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      Stand-Alone Server Default Settings

      Administrators

      Domain Controller Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings| Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Audits for object access are not performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool. + For more information about the Object Access audit policy, see [Audit object access](basic-audit-object-access.md). + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Anyone with the **Manage auditing and security log** user right can clear the Security log to erase important evidence of unauthorized activity. + ### Countermeasure + Ensure that only the local Administrators group has the **Manage auditing and security log** user right. 
+ ### Potential impact + Restricting the **Manage auditing and security log** user right to the local Administrators group is the default configuration. -**Warning**   -If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. Before removing this right from a group, investigate whether applications are dependent on this right. + +>**Warning:**  If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. Before removing this right from a group, investigate whether applications are dependent on this right.   ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/manage-packaged-apps-with-applocker.md b/windows/keep-secure/manage-packaged-apps-with-applocker.md index 33641e9491..dcad549bfa 100644 --- a/windows/keep-secure/manage-packaged-apps-with-applocker.md +++ b/windows/keep-secure/manage-packaged-apps-with-applocker.md 
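Review bot: In manage-auditing-and-security-log.md, "### Possible values" is the one heading in this hunk that does not get a blank line before its list, unlike "### Best practices", "### Location" and the rest. Some Markdown renderers need that blank line to start the list, so suggest adding it for consistency. The rewritten Reference paragraph is also split mid-sentence at "view and clear the" / "Security log in Event Viewer", which is worth rejoining because that sentence carries the security-relevant point that the Vulnerability section relies on. The non-breaking-space lines after the table and after the converted ">**Warning:**" block are left in place while the same residue is removed at the end of the file. Removing all of them in one pass would be cleaner.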
@@ -2,47 +2,71 @@ title: Manage packaged apps with AppLocker (Windows 10) description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Manage packaged apps with AppLocker + **Applies to** - Windows 10 + This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. + ## Understanding Packaged apps and Packaged app installers for AppLocker -Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. With packaged apps, it is possible to control the entire app by using a single AppLocker rule. -**Note**   -AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps. + +Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. +With packaged apps, it is possible to control the entire app by using a single AppLocker rule. + +>**Note:**  AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps.   Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. 
With classic Windows apps, not all these components always share common attributes such as the software’s publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule. + ### Comparing classic Windows apps and packaged apps -AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server 2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: + +AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server +2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: + - **Installing the apps**   All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. - **Changing the system state**   Classic Windows apps can be written to change the system state if they are run with administrative privileges. 
Most packaged apps cannot change the system state because they run with limited privileges. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. - **Acquiring the apps**   Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means. + AppLocker uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both. + For info about controlling classic Windows apps, see [Administer AppLocker](administer-applocker.md). + For more info about packaged apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). + ## Design and deployment decisions + You can use two methods to create an inventory of packaged apps on a computer: the AppLocker console or the **Get-AppxPackage** Windows PowerShell cmdlet. -**Note**   -Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). + +>**Note:**  Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. 
By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).   For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx). + For info about creating rules for Packaged apps, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md). + Consider the following info when you are designing and deploying apps: + - Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps is not necessary. - You cannot create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps were not always consistently signed; therefore, AppLocker has to support hash- or path-based rules. -- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app. This might be contrary to your design. 
+- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or +Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app. This might be contrary to your design. + To prevent all packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all packaged apps on a computer running at least Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the exe rule collection. You must take explicit action to allow packaged apps in your enterprise. You can allow only a select set of packaged apps. Or if you want to allow all packaged apps, you can create a default rule for the packaged apps collection. + ## Using AppLocker to manage packaged apps + Just as there are differences in managing each rule collection, you need to manage the packaged apps with the following strategy: + 1. Gather information about which Packaged apps are running in your environment. For information about how to do this, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). + 2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Packaged Apps Default Rules in AppLocker](http://technet.microsoft.com/library/ee460941(WS.10).aspx). + 3. Continue to update the AppLocker policies as new package apps are introduced into your environment. 
To do this, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md). + 4. Continue to monitor your environment to verify the effectiveness of the rules that are deployed in AppLocker policies. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). -  -  diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/keep-secure/manage-tpm-commands.md index 0683127abc..1aa0ca5061 100644 --- a/windows/keep-secure/manage-tpm-commands.md +++ b/windows/keep-secure/manage-tpm-commands.md 
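Review bot: Several of the re-wrapped lines in manage-packaged-apps-with-applocker.md break inside a product name: "Windows Server" / "2008 R2 or Windows 7" in the comparison paragraph and "Windows Server 2012 or" / "Windows 8 joins a domain" inside the "By default, if there are no rules ..." bullet. The bullet's continuation line starts at column 0 and only stays part of the list item through lazy continuation, so suggest keeping the bullet on one line or indenting the continuation. The converted ">**Note:**" under "Design and deployment decisions" now packs the framework-package caveat and the inventory cross-reference into one long blockquote line. Splitting the "For info about how to create an inventory list" sentence out of the note would make the caveat easier to spot.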
@@ -2,54 +2,75 @@ title: Manage TPM commands (Windows 10) description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Manage TPM commands + **Applies to** - Windows 10 + This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. + ## + After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands. + Domain administrators can configure a list of blocked TPM commands by using Group Policy. Local administrators cannot allow TPM commands that are blocked through Group Policy. For more information about this Group Policy setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-clbtc). + Local administrators can block commands by using the TPM MMC, and commands on the default block list are also blocked unless the Group Policy settings are changed from the default settings. + Two policy settings control the enforcement which allows TPM commands to run. For more information about these policy settings, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-idlb). + The following procedures describe how to manage the TPM command lists. 
You must be a member of the local Administrators group. + **To block TPM commands by using the Local Group Policy Editor** + 1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - **Note**   - Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS). + + >**Note:**  Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).   2. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**. 3. Under **System**, click **Trusted Platform Module Services**. 4. In the details pane, double-click **Configure the list of blocked TPM commands**. 5. Click **Enabled**, and then click **Show**. 6. For each command that you want to block, click **Add**, enter the command number, and then click **OK**. - **Note**   - For a list of commands, see the [Trusted Platform Module (TPM) Specifications](http://go.microsoft.com/fwlink/p/?linkid=139770). + + >**Note:**  For a list of commands, see the [Trusted Platform Module (TPM) Specifications](http://go.microsoft.com/fwlink/p/?linkid=139770).   7. After you have added numbers for each command that you want to block, click **OK** twice. 8. Close the Local Group Policy Editor. + **To block or allow TPM commands by using the TPM MMC** + 1. Open the TPM MMC (tpm.msc) 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 3. In the console tree, click **Command Management**. A list of TPM commands is displayed. 4. In the list, select a command that you want to block or allow. 5. Under **Actions**, click **Block Selected Command** or **Allow Selected Command** as needed. 
If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy. + **To block new commands** + 1. Open the TPM MMC (tpm.msc). + If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + 2. In the console tree, click **Command Management**. A list of TPM commands is displayed. 3. In the **Action** pane, click **Block New Command**. The **Block New Command** dialog box is displayed. 4. In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list. + ## Use the TPM cmdlets + If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` + For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + ## Additional resources + For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). -  -  diff --git a/windows/keep-secure/maximum-lifetime-for-service-ticket.md b/windows/keep-secure/maximum-lifetime-for-service-ticket.md index 35118cc805..3a0a6fff86 100644 --- a/windows/keep-secure/maximum-lifetime-for-service-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-service-ticket.md 
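Review bot: in manage-tpm-commands.md, the bare `##` line after the intro paragraph is left in place and now sits between two added blank lines, so it renders as a heading with no title; give it a title or remove it as part of this cleanup. Two smaller points in the same hunk: step 1 of "To block or allow TPM commands by using the TPM MMC" still lacks its closing period (`Open the TPM MMC (tpm.msc)`), and "Two policy settings control the enforcement which allows TPM commands to run" is hard to parse and could be reworded while the paragraph is being touched.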
@@ -2,89 +2,91 @@ title: Maximum lifetime for service ticket (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting. ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maximum lifetime for service ticket + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for service ticket** security policy setting. + ## Reference + The **Maximum lifetime for service ticket** policy setting determines the maximum number of minutes that a granted session ticket can be used to access a particular service. The value must be 10 minutes or greater, and it must be less than or equal to the value of the **Maximum lifetime for service ticket** policy setting. + The possible values for this Group Policy setting are: + - A user-defined number of minutes from 10 through 99,999, or 0 (in which case service tickets do not expire). - Not defined. + If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 KDC. After a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that authenticated the connection expires during the connection. + If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours. 
In addition, users whose accounts have been disabled might be able to continue accessing network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, service tickets never expire. + ### Best practices + - It is advisable to set **Maximum lifetime for service ticket** to **600** minutes. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server Type or GPODefault Value

      Default Domain Policy

      600 minutes

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not applicable

      DC Effective Default Settings

      600 minutes

      Member Server Effective Default Settings

      Not applicable

      Client Computer Effective Default Settings

      Not applicable

      + +| Server Type or GPO | Default Value | +| - | - | +| Default Domain Policy| 600 minutes| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| DC Effective Default Settings | 600 minutes| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + This policy setting is configured on the domain controller. + ### Group Policy + Client computers will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you configure the value for the **Maximum lifetime for service ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid service tickets that were issued before their accounts were disabled. 
+ ### Countermeasure + Configure the **Maximum lifetime for service ticket** setting to 600 minutes. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Kerberos Policy](kerberos-policy.md) -  -  + +- [Kerberos Policy](kerberos-policy.md) diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md index bcb1a344e6..c1f175c55b 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md 
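Review bot: in maximum-lifetime-for-service-ticket.md, the Reference paragraph still says the value "must be less than or equal to the value of the **Maximum lifetime for service ticket** policy setting", which bounds the setting by itself. Since this hunk reflows that section anyway, name the setting that actually caps it (the user ticket lifetime looks like what was intended, but confirm before changing it). The same section also switches between "service ticket" and "session ticket" for the same object; picking one term would make the expiry behavior easier to follow.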
@@ -2,88 +2,89 @@ title: Maximum lifetime for user ticket renewal (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting. ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maximum lifetime for user ticket renewal + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting. + ## Reference + The **Maximum lifetime for user ticket renewal** policy setting determines the period of time (in days) during which a user’s ticket-granting ticket can be renewed. + The possible values for this Group Policy setting are: + - A user-defined number of days from 0 through 99,999 - Not defined + ### Best practices + - If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire. + It is advisable to set **Maximum lifetime for user ticket renewal** to **7** days. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      7 days

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not applicable

      Domain Controller Effective Default Settings

      7 days

      Member Server Effective Default Settings

      Not applicable

      Client Computer Effective Default Settings

      Not applicable

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| 7 days| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| Domain Controller Effective Default Settings | 7 days| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable|   ### Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + This policy setting is configured on the domain controller. + ### Group Policy + Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If the value for the **Maximum lifetime for user ticket renewal** setting is too high, users might be able to renew very old user tickets. + ### Countermeasure + Configure the **Maximum lifetime for user ticket renewal** setting to 7 days. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Kerberos Policy](kerberos-policy.md) -  -  + +- [Kerberos Policy](kerberos-policy.md) 
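Review bot: in maximum-lifetime-for-user-ticket-renewal.md, `### Policy management` is left at heading level 3, while the sibling Kerberos topics in this patch use `## Policy management`. As written, Policy management and its `### Group Policy` subsection render as peers of Best practices, Location and Default values under Reference; promote it to `##` so the outline matches the other topics. Also worth confirming that the publishing renderer accepts the one-dash delimiter row (`| - | - |`) used for the new pipe table, since some Markdown processors expect three dashes per cell.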
diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket.md b/windows/keep-secure/maximum-lifetime-for-user-ticket.md index 4d15d5cbd8..e1a9089dd7 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket.md 
@@ -2,88 +2,89 @@ title: Maximum lifetime for user ticket (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting. ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maximum lifetime for user ticket + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting. + ## Reference + The **Maximum lifetime for user ticket** policy setting determines the maximum amount of time (in hours) that a user’s ticket-granting ticket can be used. When a user’s ticket-granting ticket expires, a new one must be requested or the existing one must be renewed. + The possible values for this Group Policy setting are: + - A user-defined number of hours from 0 through 99,999 - Not defined + If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours, or users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, ticket-granting tickets never expire. + ### Best practices + - It is advisable to set **Maximum lifetime for user ticket** to 10 hours. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + ### Default Values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server Type or GPODefault Value

      Default Domain Policy

      10 hours

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not applicable

      Domain Controller Effective Default Settings

      10 hours

      Member Server Effective Default Settings

      Not applicable

      Client Computer Effective Default Settings

      Not applicable

      + +| Server Type or GPO | Default Value | +| - | - | +| Default Domain Policy| 10 hours| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| Domain Controller Effective Default Settings | 10 hours| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + This policy setting is configured on the domain controller. + ### Group Policy + Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local computer, the Security Configuration Engine will refresh this setting in about five minutes. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you configure the value for the **Maximum lifetime for user ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid user tickets that were issued before their accounts were disabled. 
If you configure this value too low, ticket requests to the KDC may affect the performance of your KDC and present an opportunity for a DoS attack. + ### Countermeasure + Configure the **Maximum lifetime for user ticket** setting with a value between 4 and 10 hours. + ### Potential impact + Reducing this setting from the default value reduces the likelihood that the ticket-granting ticket will be used to access resources that the user does not have rights to. However, it requires more frequent requests to the KDC for ticket-granting tickets on behalf of users. Most KDCs can support a value of four hours without too much additional burden. + ## Related topics -[Kerberos Policy](kerberos-policy.md) -  -  + +- [Kerberos Policy](kerberos-policy.md) diff --git a/windows/keep-secure/maximum-password-age.md b/windows/keep-secure/maximum-password-age.md index 2c384dcf41..30fb8319a2 100644 --- a/windows/keep-secure/maximum-password-age.md +++ b/windows/keep-secure/maximum-password-age.md 
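Review bot: in maximum-lifetime-for-user-ticket.md, the Reference paragraph says disabled accounts can keep access "by using valid service tickets" while the Vulnerability section of the same topic says "valid user tickets"; the topic is about the ticket-granting ticket, so the two passages should use the same term. The guidance is also inconsistent within the hunk: Best practices advises 10 hours, Countermeasure says "a value between 4 and 10 hours". Finally, `### Default Values` is capitalized differently from `### Default values` in the sibling topics.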
@@ -2,82 +2,76 @@ title: Maximum password age (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting. ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maximum password age + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting. + ## Reference + The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days. -**Note**   -Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**. + +>**Note:**  Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**.   ### Possible values + - User-specified number of days between 0 and 999 - Not defined + ### Best practices + Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources. 
+ ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy Object (GPO)Default value

      Default domain policy

      42 days

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      42 days

      Domain controller effective default settings

      42 days

      Member server effective default settings

      42 days

      Effective GPO default settings on client computers

      42 days

      + +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| 42 days| +| Default domain controller policy| Not defined| +| Stand-alone server default settings | 42 days| +| Domain controller effective default settings | 42 days| +| Member server effective default settings | 42 days| +| Effective GPO default settings on client computers| 42 days|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access. + ### Countermeasure + Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. + ### Potential impact + If the **Maximum password age** policy setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization because users might keep their passwords in an unsecured location or lose them. 
If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md index 5923108470..f5f976b55a 100644 --- a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md 
@@ -2,88 +2,90 @@ title: Maximum tolerance for computer clock synchronization (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting. ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Maximum tolerance for computer clock synchronization + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security policy setting. + ## Reference + This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication. -To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two devices is considered to be authentic. + +To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. 
In other words, both devices must be set to the same time and date. +Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two devices is considered to be authentic. + The possible values for this Group Policy setting are: + - A user-defined number of minutes from 1 through 99,999 - Not defined + ### Best practices + - It is advisable to set **Maximum tolerance for computer clock synchronization** to a value of 5 minutes. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      5 minutes

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not applicable

      Domain Controller Effective Default Settings

      5 minutes

      Member Server Effective Default Settings

      Not applicable

      Client Computer Effective Default Settings

      Not applicable

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| 5 minutes| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| Domain Controller Effective Default Settings| 5 minutes| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + This policy setting is configured on the domain controller. + ### Group Policy + Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + To prevent "replay attacks" (which are attacks in which an authentication credential is resubmitted by a malicious user or program to gain access to a protected resource), the Kerberos protocol uses time stamps as part of its definition. For time stamps to work properly, the clocks of the client computer and the domain controller need to be closely synchronized. 
Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to the Kerberos protocol between a client computer clock and a domain controller clock. If the difference between the client computer clock and the domain controller clock is less than the maximum time difference specified in this setting, any time stamp that is used in a session between the two computers is considered to be authentic. + ### Countermeasure + Configure the **Maximum tolerance for computer clock synchronization** setting to 5 minutes. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Kerberos Policy](kerberos-policy.md) -  -  + +- [Kerberos Policy](kerberos-policy.md) diff --git a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md index 3b95f2b434..42b8495ede 100644 --- a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md 
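Review bot: in maximum-tolerance-for-computer-clock-synchronization.md, the Reference paragraph is split into two added lines ("+To prevent ..." and "+Because the clocks ...") with no blank line between them, so Markdown will still render them as one paragraph. If a paragraph break was intended, add the blank line as was done elsewhere in this hunk. Separately, the Vulnerability section repeats the Reference paragraph almost word for word and describes how the setting works rather than the risk of setting the tolerance too high; consider stating that risk directly.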
@@ -2,27 +2,36 @@ title: Merge AppLocker policies by using Set-ApplockerPolicy (Windows 10) description: This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Merge AppLocker policies by using Set-ApplockerPolicy + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. + The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy. + For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx). + For info about using Windows PowerShell for AppLocker, including how to import the AppLocker cmdlets into Windows PowerShell, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). + You can also manually merge AppLocker policies. For the procedure to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md). + **To merge a local AppLocker policy with another AppLocker policy by using LDAP paths** 1. Open the PowerShell command window. 
For info about performing Windows PowerShell commands for AppLocker, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). 2. At the command prompt, type **C:\\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP: //***<string>***"** **-Merge** where *<string>* specifies the LDAP path of the unique GPO. + ## Example + Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path. + ``` syntax C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge -``` -  -  +``` \ No newline at end of file diff --git a/windows/keep-secure/merge-applocker-policies-manually.md b/windows/keep-secure/merge-applocker-policies-manually.md index 160ae52209..c511afb3cd 100644 --- a/windows/keep-secure/merge-applocker-policies-manually.md +++ b/windows/keep-secure/merge-applocker-policies-manually.md 
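Review bot: in merge-applocker-policies-by-using-set-applockerpolicy.md, the GUID in the example command, `{31B2F340-016D-11D2-945F-00C044FB984F9}`, has 13 hex digits in its last group where a GUID has 12, so the LDAP path cannot resolve as written; please check it against the intended GPO. Step 2 also shows the scheme as `"LDAP: //` with a space and bold markup interleaved in the command, which does not match `LDAP://` in the example; putting the step 2 command in inline code would remove both problems. The procedure title "**To merge a local AppLocker policy ...**" is the one place in this hunk that did not get a blank line before the numbered list.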
@@ -2,84 +2,46 @@ title: Merge AppLocker policies manually (Windows 10) description: This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Merge AppLocker policies manually + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). + If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker console. You must create one rule collection from two or more policies. For info about merging policies by using the cmdlet, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). + The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. Rule collections are specified within the **RuleCollection Type** element. The XML schema includes five attributes for the different rule collections, as shown in the following table: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Rule collectionRuleCollection Type element

      Executable rules

      Exe

      Windows Installer rules

      Msi

      Script rules

      Script

      DLL rules

      Dll

      Packaged apps and packaged app installers

      Appx

      + +| Rule collection | RuleCollection Type element | +| - | - | +| Executable rules| Exe| +| Windows Installer rules| Msi| +| Script rules | Script| +| DLL rules | Dll| +| Packaged apps and packaged app installers|Appx|   Rule enforcement is specified with the **EnforcementMode** element. The three enforcement modes in the XML correspond to the three enforcement modes in the AppLocker console, as shown in the following table: - ---- - - - - - - - - - - - - - - - - - - - - -
      XML enforcement modeEnforcement mode in Group Policy

      NotConfigured

      Not configured (rules are enforced)

      AuditOnly

      Audit only

      Enabled

      Enforce rules

      + +| XML enforcement mode |Enforcement mode in Group Policy | +| - | - | +| NotConfigured | Not configured (rules are enforced)| +| AuditOnly | Audit only| +| Enabled | Enforce rules|   Each of the three condition types use specific elements. For XML examples of the different rule types, see Merge AppLocker policies manually. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To merge two or more AppLocker policies** + 1. Open an XML policy file in a text editor or XML editor, such as Notepad. 2. Select the rule collection where you want to copy rules from. 3. Select the rules that you want to add to another policy file, and then copy the text. @@ -87,5 +49,3 @@ Membership in the local **Administrators** group, or equivalent, is the minimum 5. Select and expand the rule collection where you want to add the rules. 6. At the bottom of the rule list for the collection, after the closing element, paste the rules that you copied from the first policy file. Verify that the opening and closing elements are intact, and then save the policy. 7. Upload the policy to a reference computer to ensure that it is functioning properly within the GPO. -  -  diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md index ae89b2c502..597e001a91 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md 
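Review bot: In merge-applocker-policies-manually.md, the sentence kept below the second table, "For XML examples of the different rule types, see Merge AppLocker policies manually.", points the reader at this same topic and has no link, so the promised XML examples cannot be reached. Replace it with a link to the topic that holds the examples, or drop the sentence. Step 6 has a similar gap: "after the closing element" never names the element, so a reader editing policy XML by hand cannot tell where to paste. The same sentence opens with "Each of the three condition types use", which should read "uses".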
@@ -2,103 +2,109 @@ title: Microsoft network client Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network client: Digitally sign communications (always) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. + ## Reference -The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. +This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. 
+ If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. + If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. + Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: - [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) - [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) - [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Configure the following security policy settings as follows: + - Disable **Microsoft network client: Digitally sign communications (always)**. - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). 
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. + SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + ### Countermeasure + Configure the settings as follows: + - Disable **Microsoft network client: Digitally sign communications (always)**. - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). 
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. -**Note**   -An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact + Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. 
Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) From 8dcfaa850a1e0943430e0bc541441758e8b7a87b Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 24 May 2016 15:34:51 -0700 Subject: [PATCH 092/169] fixing spacing issues --- ...ly-sign-communications-if-server-agrees.md | 100 ++++++++++-------- ...ted-password-to-third-party-smb-servers.md | 84 +++++++-------- ...time-required-before-suspending-session.md | 82 +++++++------- ...pt-s4u2self-to-obtain-claim-information.md | 95 +++++++++-------- ...er-digitally-sign-communications-always.md | 98 +++++++++-------- ...ly-sign-communications-if-client-agrees.md | 97 +++++++++-------- ...connect-clients-when-logon-hours-expire.md | 85 +++++++-------- ...server-spn-target-name-validation-level.md | 95 +++++++++-------- windows/keep-secure/minimum-password-age.md | 81 +++++++------- .../keep-secure/minimum-password-length.md | 85 +++++++-------- windows/keep-secure/modify-an-object-label.md | 94 ++++++++-------- .../modify-firmware-environment-values.md | 90 ++++++++-------- ...onitor-application-usage-with-applocker.md | 46 ++++++-- ...tral-access-policy-and-rule-definitions.md | 20 ++-- windows/keep-secure/monitor-claim-types.md | 27 +++-- .../monitor-resource-attribute-definitions.md | 21 ++-- ...icies-associated-with-files-and-folders.md | 32 ++++-- ...ss-policies-that-apply-on-a-file-server.md | 25 +++-- ...esource-attributes-on-files-and-folders.md | 24 +++-- ...or-the-use-of-removable-storage-devices.md | 29 +++-- ...r-user-and-device-claims-during-sign-in.md | 26 +++-- 21 files changed, 748 insertions(+), 588 deletions(-) 
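Review bot: In microsoft-network-client-digitally-sign-communications-always.md, the Reference paragraph is now split by a bare line break before "This policy setting determines whether SMB packet signing must be negotiated", while every other paragraph in the file stays on one line with a blank line after it. Either keep the sentence on the same line as before or add a blank line so the break is a real paragraph break. The hunk also removes the two trailing non-breaking-space lines at the end of the file but leaves the identical leftover line between the default values table and "## Policy management"; remove that one as well.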
diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 287afc0542..3f25ac2921 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md 
@@ -2,103 +2,111 @@ title: Microsoft network client Digitally sign communications (if server agrees) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting. ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- # Microsoft network client: Digitally sign communications (if server agrees) + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. + ## Reference + The Server Message Block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + If server-side SMB signing is required, a client computer will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. 
By default, server-side SMB signing is enabled only on domain controllers. + If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. + Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + - [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) - [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) - [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Configure the following security policy settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable **Microsoft Network Client: Digitally Sign Communications (If Server Agrees)**. - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. + +Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so +that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. + SMB is the resource-sharing protocol that is supported by many Windows operating systems. 
It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + ### Countermeasure + Configure the settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable **Microsoft network client: Digitally sign communications (if server agrees)**. - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. -**Note**   -An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact + Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. 
SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. + +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking +attacks. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index c14351f372..56635e06cc 100644 --- a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md 
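Review bot: In microsoft-network-client-digitally-sign-communications-if-server-agrees.md, the hunk adds an empty line between `author: brianlic-msft` and the closing `---`, which puts a blank line inside the metadata block; the other files in this patch close the block directly after the author line. Drop that added line so the front matter matches its siblings. The Vulnerability and Potential impact paragraphs are also re-wrapped in the middle of a sentence ("forward it so" / "that the server might perform objectionable actions" and "session-hijacking" / "attacks."); keep each paragraph on a single line as the rest of the file does, so later diffs of these security descriptions stay readable.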
@@ -2,82 +2,82 @@ title: Microsoft network client Send unencrypted password to third-party SMB servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Send unencrypted password to third-party SMB servers security policy setting. ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + + # Microsoft network client: Send unencrypted password to third-party SMB servers + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. + ## Reference + The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. This policy setting allows or prevents the SMB redirector to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication. + ### Possible values + - Enabled + The Server Message Block (SMB) redirector is allowed to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication. + - Disabled + The Server Message Block (SMB) redirector only sends encrypted passwords to non-Microsoft SMB server services. If those server services do not support password encryption, the authentication request will fail. + - Not defined + ### Best practices + - It is advisable to set **Microsoft network client: Send unencrypted password to connect to third-party SMB servers** to Disabled. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings| Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you enable this policy setting, the server can transmit plaintext passwords across the network to other computers that offer SMB services. These other devices might not use any of the SMB security mechanisms that are included with Windows Server 2003 or later. + ### Countermeasure + Disable the **Microsoft network client: Send unencrypted password to connect to third-party SMB servers** setting. + ### Potential impact + Some older applications may not be able to communicate with the servers in your organization by means of the SMB protocol. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 754051399a..76e38d84c1 100644 --- a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md 
+++ b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md 
@@ -2,81 +2,79 @@ title: Microsoft network server Amount of idle time required before suspending session (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network server Amount of idle time required before suspending session security policy setting. ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Amount of idle time required before suspending session + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. + ## Reference + Each Server Message Block (SMB) session consumes server resources. Establishing numerous null sessions will cause the server to slow down or possibly fail. A malicious user might repeatedly establish SMB sessions until the server stops responding; at this point, SMB services will become slow or unresponsive. + The **Microsoft network server: Amount of idle time required before suspending session** policy setting determines the amount of continuous idle time that must pass in an SMB session before the session is suspended due to inactivity. You can use this policy setting to control when a device suspends an inactive SMB session. The session is automatically reestablished when client device activity resumes. + ### Possible values + - A user-defined number of minutes from 0 through 99,999 + For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days. In effect, this value disables the policy. + - Not defined + ### Best practices + - It is advisable to set this policy to 15 minutes. 
There will be little impact because SMB sessions will be reestablished automatically if the client resumes activity. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      15 minutes

      DC Effective Default Settings

      15 minutes

      Member Server Effective Default Settings

      15 minutes

      Client Computer Effective Default Settings

      15 minutes

      + +| Server type or GPO Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | 15 minutes| +| DC Effective Default Settings | 15 minutes| +| Member Server Effective Default Settings | 15 minutes| +| Client Computer Effective Default Settings | 15 minutes|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Each SMB session consumes server resources, and numerous null sessions slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive. + ### Countermeasure + The default behavior on a server mitigates this threat by design. + ### Potential impact + There is little impact because SMB sessions are reestablished automatically if the client computer resumes activity. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index 5a59300d6c..ea1b074c71 100644 --- a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md 
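Review bot: The new default values table in microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md has a one-cell header row, `| Server type or GPO Default value |`, above a two-column separator and two-column data rows, so the table will not render with the intended columns. Split the header as in the other files in this patch: `| Server type or GPO | Default value |`. While this file is open, the unchanged sentence "The maximum value is 99999, which is 208 days" is worth checking, since 99,999 minutes is roughly 69 days.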
@@ -2,88 +2,95 @@ title: Microsoft network server Attempt S4U2Self to obtain claim information (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Microsoft network server Attempt S4U2Self to obtain claim information security policy setting. ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Attempt S4U2Self to obtain claim information + **Applies to** - Windows 10 + Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. + ## Reference -This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. + +This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. 
This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers +and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. + When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims are not present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied. + If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal. + ### Possible values + - **Default** + The Windows file server will examine the access token of an authenticated network client principal and determine if claim information is present. + - **Enabled** + Same as **Default**. + - **Disabled** + - **Not defined** + Same as **Disabled**. + ### Best practices + This setting should be set to **Default** so that the file server can automatically evaluate whether claims are needed for the user. You should explicitly configure this setting to **Enabled** only if there are local file access policies that include user claims. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings| Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -None. Enabling this policy setting allows you take advantage of features in Windows Server 2012 and Windows 8 for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 and Windows 8. + +None. Enabling this policy setting allows you take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 +and Windows 8. + ### Countermeasure + Not applicable. + ### Potential impact + None. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md index 224f74984a..23d423e6d9 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md 
@@ -2,104 +2,112 @@ title: Microsoft network server Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting. ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Digitally sign communications (always) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting. + ## Reference -The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. +This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. 
+ For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. + If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. + Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. 
+ There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + - [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) - [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) - [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Configure the following security policy settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable **Microsoft network server: Digitally sign communications (always)**. - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Enabled

      Stand-Alone Server Default Settings

      Not defined

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Enabled| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Not defined| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. + SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + ### Countermeasure + Configure the settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable **Microsoft network server: Digitally sign communications (always)**. 
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. -**Note**   -An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact + Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. 
Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md index d63b5a83c1..2f327071cb 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md 
@@ -2,103 +2,110 @@ title: Microsoft network server Digitally sign communications (if client agrees) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting. ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Digitally sign communications (if client agrees) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. + ## Reference -The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. +This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." 
But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. + If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. + Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + - [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) - [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) - [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Configure the following security policy settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). 
- Enable **Microsoft Network Server: Digitally Sign Communications (If Client Agrees)**. + 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Enabled

      Stand-Alone Server Default Settings

      Not defined

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy| Enabled| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings|Not defined| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data. + SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + ### Countermeasure + Configure the settings as follows: + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). 
- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable **Microsoft network server: Digitally sign communications (if client agrees)**. + In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. -**Note**   -An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact + SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. 
If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index 054c5a3be3..b2737896f1 100644 --- a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md 
@@ -2,84 +2,85 @@ title: Microsoft network server Disconnect clients when logon hours expire (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network server Disconnect clients when logon hours expire security policy setting. ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Disconnect clients when logon hours expire + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. + ## Reference + This policy setting enables or disables the forced disconnection of users who are connected to the local device outside their user account's valid logon hours. It affects the SMB component. If you enable this policy setting, client computer sessions with the SMB service are forcibly disconnected when the client's logon hours expire. If you disable this policy setting, established client device sessions are maintained after the client device's logon hours expire. + ### Possible values + - Enabled + Client device sessions with the SMB service are forcibly disconnected when the client device's logon hours expire. If logon hours are not used in your organization, enabling this policy setting will have no impact. + - Disabled + The system maintains an established client device session after the client device's logon hours have expired. + - Not defined + ### Best practices + - If you enable this policy setting, you should also enable [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md). 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings| Enabled | +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If your organization configures logon hours for users, it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours can continue to use those resources with sessions that were established during allowed hours. + ### Countermeasure + Enable the **Microsoft network server: Disconnect clients when logon hours expire** setting. + ### Potential impact + If logon hours are not used in your organization, this policy setting has no impact. If logon hours are used, existing user sessions are forcibly terminated when their logon hours expire. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
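Review bot: In the default-values table whose rows read "15 minutes", the new header row is `| Server type or GPO Default value |`, a single cell, while the separator row `| - | - |` and every data row have two columns, so the table will not render as intended. Split the header as `| Server type or GPO | Default value |`, as the other converted tables in this patch do. The header row added in microsoft-network-server-digitally-sign-communications-if-client-agrees.md has the same defect.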
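Review bot: In microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md, the rewritten Vulnerability sentence gains "and later" after only the first "Windows 8" and is then broken by a hard line break before "and Windows 8."; the Reference paragraph is split the same way before "and domain controllers". Keep each sentence on one line and check that "and later" is meant to apply where it was inserted. Since the sentence is being edited anyway, "allows you take advantage" should read "allows you to take advantage". Under Possible values, **Disabled** still has no description even though **Not defined** is documented as "Same as **Disabled**".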
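Review bot: In the Best practices list of microsoft-network-server-digitally-sign-communications-if-client-agrees.md, the second bullet disables "Microsoft network server: Digitally sign communications (always)" and the third bullet enables the same setting, so the guidance contradicts itself. The Countermeasure list further down in the same file has "Enable Microsoft network client: Digitally sign communications (if server agrees)" in that position, and the third Best practices bullet should link to that setting too. The fourth bullet's title casing ("Microsoft Network Server: Digitally Sign Communications (If Client Agrees)") also differs from the page heading.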
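Review bot: The Possible values descriptions in microsoft-network-server-disconnect-clients-when-logon-hours-expire.md refer to "the client device's logon hours", but the Reference paragraph says logon hours belong to the user account ("their user account's valid logon hours"). Word these as the user's logon hours so the text does not suggest a per-device schedule, and settle on either "client computer" or "client device" within the Reference paragraph, which currently uses both. **Not defined** is also listed without a description.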
diff --git a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md index 1cd20cf6fd..b5d71aae14 100644 --- a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md 
@@ -2,94 +2,101 @@ title: Microsoft network server Server SPN target name validation level (Windows 10) description: Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server Server SPN target name validation level security policy setting. ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Microsoft network server: Server SPN target name validation level + **Applies to** - Windows 10 + Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. + ## Reference + This policy setting controls the level of validation that a server with shared folders or printers performs on the service principal name (SPN) that is provided by the client device when the client device establishes a session by using the Server Message Block (SMB) protocol. The level of validation can help prevent a class of attacks against SMB services (referred to as SMB relay attacks). This setting affects both SMB1 and SMB2. + Servers that use SMB provide availability to their file systems and other resources, such as printers, to networked client devices. Most servers that use SMB validate user access to resources by using NT Domain authentication (NTLMv1 and NTLMv2) and the Kerberos protocol. + ### Possible values + The options for validation levels are: + - **Off** + The SPN from a SMB client is not required or validated by the SMB server. + - **Accept if provided by client** + The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPN’s. If the SPN does not match, the session request for that SMB client will be denied. 
+ - **Required from client** + The SMB client must send a SPN name in session setup, and the SPN name provided must match the SMB server that is being requested to establish a connection. If no SPN is provided by the client device, or the SPN provided does not match, the session is denied. + The default setting is Off. + ### Best practices + This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. -**Note**   -All Windows operating systems support a client-side SMB component and a server-side SMB component. + +>**Note:**  All Windows operating systems support a client-side SMB component and a server-side SMB component.   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy object (GPO)Default value

      Default domain policy

      Off

      Default domain controller policy

      Off

      Stand-alone server default settings

      Off

      Domain controller effective default settings

      Validation level check not implemented

      Member server effective default settings

      Validation level check not implemented

      Effective GPO default settings on client computers

      Validation level check not implemented

      + +| Server type or Group Policy object (GPO) | Default value | +| - | - | +| Default domain policy | Off | +| Default domain controller policy| Off| +| Stand-alone server default settings | Off| +| Domain controller effective default settings| Validation level check not implemented| +| Member server effective default settings | Validation level check not implemented| +| Effective GPO default settings on client computers | Validation level check not implemented|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + None. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This policy setting controls the level of validation that a server with shared folders or printers performs on the service principal name (SPN) that is provided by the client device when the client device establishes a session by using the SMB protocol. The level of validation can help prevent a class of attacks against SMB servers (referred to as SMB relay attacks). This setting will affect both SMB1 and SMB2. + ### Countermeasure + For countermeasures that are appropriate to your environment, see **Possible values** above. 
+ ### Potential impact + All Windows operating systems support a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. + Because the SMB protocol is widely deployed, setting the options to **Accept if provided by client** or **Required from client** will prevent some clients from successfully authenticating to some servers in your environment. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/minimum-password-age.md b/windows/keep-secure/minimum-password-age.md index e132b39e0f..a975b21ff4 100644 --- a/windows/keep-secure/minimum-password-age.md +++ b/windows/keep-secure/minimum-password-age.md 
@@ -2,81 +2,78 @@ title: Minimum password age (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting. ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Minimum password age + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting. + ## Reference + The **Minimum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If [Maximum password age](maximum-password-age.md) is between 1 and 999 days, the minimum password age must be less than the maximum password age. If Maximum password age is set to 0, **Minimum password age** can be any value between 0 and 998 days. + ### Possible values + - User-specified number of days between 0 and 998 - Not defined + ### Best practices + Set **Minimum password age** to a value of 2 days. Setting the number of days to 0 allows immediate password changes, which is not recommended. + If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. 
Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy Object (GPO)Default value

      Default domain policy

      1 day

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      0 days

      Domain controller effective default settings

      1 day

      Member server effective default settings

      1 day

      Effective GPO default settings on client computers

      1 day

      + +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| 1 day| +| Default domain controller policy| Not defined| +| Stand-alone server default settings | 0 days| +| Domain controller effective default settings | 1 day| +| Member server effective default settings | 1 day| +| Effective GPO default settings on client computers| 1 day|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords can be compromised and if an attacker is targeting a specific individual user account, with knowledge of data about that user, reuse of old passwords can cause a security breach. + To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users cannot reuse any of their last 12 passwords, but you do not configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. You must configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective. 
+ ### Countermeasure + Configure the **Minimum password age** policy setting to a value of at least 2 days. Users should know about this limitation and contact the Help Desk if they need to change their password during that two-day period. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend. + ### Potential impact + If you set a password for a user but wants that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/minimum-password-length.md b/windows/keep-secure/minimum-password-length.md index 30bd818de2..79281f850c 100644 --- a/windows/keep-secure/minimum-password-length.md +++ b/windows/keep-secure/minimum-password-length.md 
@@ -2,85 +2,82 @@ title: Minimum password length (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting. ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Minimum password length + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting. + ## Reference + The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. + ### Possible values + - User-specified number of characters between 0 and 14 - Not defined + ### Best practices + Set Minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it is long enough to provide adequate security and still short enough for users to easily remember. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md). + Permitting short passwords reduces security because short passwords can be easily broken with tools that perform dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause an account lockout and subsequently increase the volume of Help Desk calls. 
+ In addition, requiring extremely long passwords can actually decrease the security of an organization because users might be more likely to write down their passwords to avoid forgetting them. However, if users are taught that they can use passphrases (sentences such as "I want to drink a $5 milkshake"), they should be much more likely to remember. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy Object (GPO)Default value

      Default domain policy

      7 characters

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      0 characters

      Domain controller effective default settings

      7 characters

      Member server effective default settings

      7 characters

      Effective GPO default settings on client computers

      0 characters

      + +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| 7 characters| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | 0 characters| +| Domain controller effective default settings | 7 characters| +| Member server effective default settings | 7 characters| +| Effective GPO default settings on client computers | 0 characters|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords. + ### Countermeasure + Configure the **** policy setting to a value of 8 or more. If the number of characters is set to 0, no password will be required. + In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack. 
-**Note**   -Some jurisdictions have established legal requirements for password length as part of establishing security regulations. + +>**Note:**  Some jurisdictions have established legal requirements for password length as part of establishing security regulations.   ### Potential impact + Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/modify-an-object-label.md b/windows/keep-secure/modify-an-object-label.md index 4f06c8a9e8..a984a42a33 100644 --- a/windows/keep-secure/modify-an-object-label.md +++ b/windows/keep-secure/modify-an-object-label.md 
@@ -2,96 +2,102 @@ title: Modify an object label (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Modify an object label security policy setting. ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Modify an object label + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Modify an object label** security policy setting. + ## Reference + This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. -The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although similar to NTFS file and folder permissions, which are discretionary controls on objects, the WIC integrity levels are mandatory controls that are put in place and enforced by the operating system. The following list describes the integrity levels from lowest to highest: + +The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although +similar to NTFS file and folder permissions, which are discretionary controls on objects, the WIC integrity levels are mandatory controls that are put in place and enforced by the operating system. 
The following list describes the integrity levels from lowest to highest: + - **Untrusted**   Default assignment for processes that are logged on anonymously. - **Low**   Default assignment for processes that interact with the Internet. - **Medium**   Default assignment for standard user accounts and any object that is not explicitly designated with a lower or higher integrity level. - **High**  Default assignment for administrator accounts and processes that request to run using administrative rights. - **System**   Default assignment for Windows kernel and core services. - **Installer**   Used by setup programs to install software. It is important that only trusted software is installed on computers because objects that are assigned the Installer integrity level can install, modify, and uninstall all other objects. + Constant: SeRelabelPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Do not give any group this user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Not defined on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      Domain Controller Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by Windows Integrity Controls and makes your system vulnerable to attacks by malicious software. + +Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. 
Either of these states effectively circumvents the protection that is offered by +Windows Integrity Controls and makes your system vulnerable to attacks by malicious software. + If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts do not have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be re-labeled. However, the re-labeling must occur by using a process that is at the same or a higher level of integrity than the object that you are attempting to re-label. + ### Countermeasure + Do not give any group this right. If necessary, implement it for a constrained period of time to a trusted individual to respond to a specific organizational need. + ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/modify-firmware-environment-values.md b/windows/keep-secure/modify-firmware-environment-values.md index 8662f8166e..2dcc1d8dfc 100644 --- a/windows/keep-secure/modify-firmware-environment-values.md +++ b/windows/keep-secure/modify-firmware-environment-values.md 
@@ -2,94 +2,100 @@ title: Modify firmware environment values (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Modify firmware environment values security policy setting. ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Modify firmware environment values + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Modify firmware environment values** security policy setting. + ## Reference + This security setting determines who can modify firmware environment values. Firmware environment values are settings that are stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. + On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the **Last Known Good Configuration** setting, which should only be modified by the system. + On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the **Default Operating System** setting using the **Startup and Recovery** feature on the **Advanced** tab of **System Properties**. + The exact setting for firmware environment values is determined by the boot firmware. The location of these values is also specified by the firmware. For example, on a UEFI-based system, NVRAM contains firmware environment values that specify system boot settings. + On all computers, this user right is required to install or upgrade Windows. 
+ Constant: SeSystemEnvironmentPrivilege + ### Possible values + - User-defined list of accounts - Administrators - Not Defined + ### Best practices + - Ensure that only the local Administrators group is assigned the **Modify firmware environment values** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Adminstrators

      Stand-Alone Server Default Settings

      Adminstrators

      Domain Controller Effective Default Settings

      Adminstrators

      Member Server Effective Default Settings

      Adminstrators

      Client Computer Effective Default Settings

      Adminstrators

      + +| Server type or GPO |Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Adminstrators| +| Stand-Alone Server Default Settings | Adminstrators| +| Domain Controller Effective Default Settings | Adminstrators| +| Member Server Effective Default Settings | Adminstrators| +| Client Computer Effective Default Settings | Adminstrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + This security setting does not affect who can modify the system environment values and user environment values that are displayed on the **Advanced** tab of **System Properties**. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Anyone who is assigned the **Modify firmware environment values** user right could configure the settings of a hardware component to cause it to fail, which could lead to data corruption or a denial-of-service condition. + ### Countermeasure + Ensure that only the local Administrators group is assigned the **Modify firmware environment values** user right. + ### Potential impact + None. 
Restricting the **Modify firmware environment values** user right to the members of the local Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/monitor-application-usage-with-applocker.md b/windows/keep-secure/monitor-application-usage-with-applocker.md index 4a0e489d50..14b94f4745 100644 --- a/windows/keep-secure/monitor-application-usage-with-applocker.md +++ b/windows/keep-secure/monitor-application-usage-with-applocker.md 
@@ -2,51 +2,83 @@ title: Monitor app usage with AppLocker (Windows 10) description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor app usage with AppLocker + **Applies to** - Windows 10 + This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. + Once you set rules and deploy the AppLocker policies, it is good practice to determine if the policy implementation is what you expected. + ### Discover the effect of an AppLocker policy + You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. For information about creating this document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules. + - **Analyze the AppLocker logs in Event Viewer** + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are not enforced but are still evaluated to generate audit event data that is written to the AppLocker logs. + For the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). + - **Enable the Audit only AppLocker enforcement setting** + By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules are properly configured for your organization. 
When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. + For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + - **Review AppLocker events with Get-AppLockerFileInformation** + For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you are using the audit-only enforcement mode) and how many times the event has occurred for each file. + For the procedure to do this, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). + - **Review AppLocker events with Test-AppLockerPolicy** + You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies. + For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + ### Review AppLocker events with Get-AppLockerFileInformation + For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if the **Audit only** enforcement setting is applied) and how many times the event has occurred for each file. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. -**Note**   -If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file. 
+ +>**Note:**  If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file.   **To review AppLocker events with Get-AppLockerFileInformation** + 1. At the command prompt, type **PowerShell**, and then press ENTER. 2. Run the following command to review how many times a file would have been blocked from running if rules were enforced: + `Get-AppLockerFileInformation –EventLog –EventType Audited –Statistics` + 3. Run the following command to review how many times a file has been allowed to run or prevented from running: + `Get-AppLockerFileInformation –EventLog –EventType Allowed –Statistics` + ### View the AppLocker Log in Event Viewer + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To view events in the AppLocker log by using Event Viewer** + 1. Open Event Viewer. To do this, click **Start**, type **eventvwr.msc**, and then press ENTER. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**. -AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file formats for further analysis. + +AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. 
Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file +formats for further analysis. + ## Related topics -[AppLocker](applocker-overview.md) -  -  + +- [AppLocker](applocker-overview.md) diff --git a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md index 228daa4fa2..11e4efc2be 100644 --- a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md 
@@ -2,22 +2,27 @@ title: Monitor central access policy and rule definitions (Windows 10) description: This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor central access policy and rule definitions + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. Central access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than other network objects. However, it is important to monitor these objects for potential changes in security auditing and to verify that policies are being enforced. + Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. 
If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To configure settings to monitor changes to central access policy and rule definitions** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**. @@ -28,8 +33,11 @@ Your server might function differently based on the version and edition of the o 8. Under Dynamic Access Control, right-click **Central Access Policies**, and then select **Properties**. 9. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. 10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. + After you configure settings to monitor changes to central access policy and central access rule definitions, verify that the changes are being monitored. + **To verify that changes to central access policy and rule definitions are monitored** + 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Active Directory Administrative Center. 3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then click **Properties**. 
@@ -39,7 +47,7 @@ After you configure settings to monitor changes to central access policy and cen 7. Click **OK**, and then close the Active Directory Administrative Center. 8. In Server Manager, click **Tools**, and then click **Event Viewer**. 9. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log. + ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-claim-types.md b/windows/keep-secure/monitor-claim-types.md index 88650d8745..9220126e6c 100644 --- a/windows/keep-secure/monitor-claim-types.md +++ b/windows/keep-secure/monitor-claim-types.md 
@@ -2,39 +2,52 @@ title: Monitor claim types (Windows 10) description: This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor claim types + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. + Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes such as the departments in an organization or the levels of security clearance that apply to classes of users. You can use security auditing to track whether claims are added, modified, enabled, disabled, or deleted. -Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. 
If you have not yet deployed Dynamic +Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To configure settings to monitor changes to claim types** + 1. Sign in to your domain controller by using domain administrator credential. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**. 4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**. 5. Select the **Configure the following audit events** check box, select the **Success** check box (andthe **Failure** check box, if desired), and then click **OK**. + After you configure settings to monitor changes to claim types in AD DS, verify that the changes are being monitored. + **To verify that changes to claim types are monitored** + 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Active Directory Administrative Center. 3. Under **Dynamic Access Control**, right-click **Claim Types**, and then click **Properties**. 4. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. 5. Click **Add**, add a security auditing setting for the container, and then close all the Security properties dialog boxes. 6. In the **Claim Types** container, add a new claim type or select an existing claim type. In the **Tasks** pane, click **Properties**, and then change one or more attributes. 
+ Click **OK**, and then close the Active Directory Administrative Center. + 7. Open Event Viewer on this domain controller, expand **Windows Logs**, and select the **Security** log. + Look for event 5137. Key information to look for includes the name of the new attribute that was added, the type of claim that was created, and the user who created the claim. + ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-resource-attribute-definitions.md b/windows/keep-secure/monitor-resource-attribute-definitions.md index 71c872ac0f..42bd9b783e 100644 --- a/windows/keep-secure/monitor-resource-attribute-definitions.md +++ b/windows/keep-secure/monitor-resource-attribute-definitions.md 
@@ -2,23 +2,29 @@ title: Monitor resource attribute definitions (Windows 10) description: This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor resource attribute definitions + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object. + For information about monitoring changes to the resource attributes that apply to files, see [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md). + Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). 
-**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To configure settings to monitor changes to resource attributes** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the Group Policy Object for the default domain controller, and then click **Edit**. @@ -29,8 +35,11 @@ Your server might function differently based on the version and edition of the o 8. Under **Dynamic Access Control**, right-click **Resource Properties**, and then click **Properties**. 9. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. 10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. + After you configure settings to monitor changes to resource attributes in AD DS, verify that the changes are being monitored. + **To verify that changes to resource definitions are monitored** + 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Active Directory Administrative Center. 3. Under **Dynamic Access Control**, click **Resource Properties**, and then double-click a resource attribute. 
@@ -38,7 +47,7 @@ After you configure settings to monitor changes to resource attributes in AD DS 5. Click **OK**, and then close the Active Directory Administrative Center. 6. In Server Manager, click **Tools**, and then click **Event Viewer**. 7. Expand **Windows Logs**, and then click **Security**. Verify that event 5137 appears in the security log. + ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md index 3aff0a5708..db6155e24b 100644 --- a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md 
@@ -2,53 +2,67 @@ title: Monitor the central access policies associated with files and folders (Windows 10) description: This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor the central access policies associated with files and folders + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. + This security audit policy and the event that it records are generated when the central access policy that is associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server. + For info about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md). + Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](http://technet.microsoft.com/library/hh831717.aspx). 
-**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To configure settings to monitor central access policies associated with files or folders** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. 4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**. 5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. 6. Enable auditing for a file or folder as described in the following procedure. + **To enable auditing for a file or folder** + 1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit. 2. Right-click the file or folder, click **Properties**, and then click the **Security** tab. 3. Click **Advanced**, click the **Auditing** tab, and then click **Continue**. + If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + 4. Click **Add**, click **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then click **OK**. 5. In the **Auditing Entry for** dialog box, select the permissions that you want to audit, such as **Full Control** or **Delete**. 6. 
Click **OK** four times to complete the configuration of the object SACL. 7. Open a File Explorer window and select or create a file or folder to audit. 8. Open an elevated command prompt, and run the following command: - **gpupdate /force** + + `gpupdate /force` + After you configure settings to monitor changes to the central access policies that are associated with files and folders, verify that the changes are being monitored. + **To verify that changes to central access policies associated with files and folders are monitored** + 1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit. 2. Open a File Explorer window and select the file or folder that you configured for auditing in the previous procedure. 3. Right-click the file or folder, click **Properties**, click the **Security** tab, and then click **Advanced**. 4. Click the **Central Policy** tab, click **Change**, and select a different central access policy (if one is available) or select **No Central Access Policy**, and then click **OK** twice. - **Note**   - You must select a setting that is different than your original setting to generate the audit event. + >**Note:**  You must select a setting that is different than your original setting to generate the audit event.   5. In Server Manager, click **Tools**, and then click **Event Viewer**. 6. Expand **Windows Logs**, and then click **Security**. 7. Look for event 4913, which is generated when the central access policy that is associated with a file or folder is changed. This event includes the security identifiers (SIDs) of the old and new central access policies. 
+ ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md index 54838b32b6..aeee1c4b35 100644 --- a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md 
@@ -2,28 +2,37 @@ title: Monitor the central access policies that apply on a file server (Windows 10) description: This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor the central access policies that apply on a file server + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. + Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of central access policies on a file server. The following procedures assume that you have configured and deployed dynamic access control, including central access policies, and claims in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). + **To configure settings to monitor changes to central access policies** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. 4. 
Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Other Policy Change Events**. - **Note**   - This policy setting monitors policy changes that might not be captured otherwise, such as central access policy changes or trusted platform module configuration changes. + + >**Note:**  This policy setting monitors policy changes that might not be captured otherwise, such as central access policy changes or trusted platform module configuration changes.   5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. + After you modify the central access policies on the domain controller, verify that the changes have been applied to the file server and that the proper events are logged. + **To verify changes to the central access policies** + 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Group Policy Management Console. 3. Right-click **Default domain policy**, and then click **Edit**. 
@@ -32,13 +41,13 @@ After you modify the central access policies on the domain controller, verify th 6. In the wizard that appears, follow the instructions to add a new central access policy (CAP), and then click **OK**. 7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the central access policies you changed. 8. Press the Windows key + R, then type **cmd** to open a Command Prompt window. - **Note**   - If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + + >**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.   9. Type **gpupdate /force**, and press ENTER. 10. In Server Manager, click **Tools**, and then click **Event Viewer**. 11. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log. + ## Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md index 8c4c23bf12..fd2edb8b75 100644 --- a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md 
@@ -2,42 +2,54 @@ title: Monitor the resource attributes on files and folders (Windows 10) description: This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor the resource attributes on files and folders + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. + If your organization has a carefully thought out authorization configuration for resources, changes to these resource attributes can create potential security risks. Examples include: + - Changing files that have been marked as high business value to low business value. - Changing the Retention attribute of files that have been marked for retention. - Changing the Department attribute of files that are marked as belonging to a particular department. + Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](http://technet.microsoft.com/library/hh831717.aspx) . -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. 
+ +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To monitor changes to resource attributes on files** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. 4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**. 5. Select the **Configure the following audit events** check box, select the **Success** and **Failure** check boxes, and then click **OK**. + After you configure settings to monitor resource attributes on files, verify that the changes are being monitored. + **To verify that changes to resource attributes on files are monitored** + 1. Use administrator credentials to sign in to the server that hosts the resource you want to monitor. 2. From an elevated command prompt, type **gpupdate /force**, and then press ENTER. 3. Attempt to change resource properties on one or more files and folders. 4. In Server Manager, click **Tools**, and then click **Event Viewer**. 5. Expand **Windows Logs**, and then click **Security**. 6. Depending on which resource attributes you attempted to change, you should look for the following events: + - Event 4911, which tracks changes to file attributes - Event 4913, which tracks changes to central access policies + Key information to look for includes the name and account domain of the principal attempting to change the resource attribute, the object that the principal is attempting to modify, and information about the changes that are being attempted. 
+ ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md index b465dfccb6..c850719ed9 100644 --- a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md +++ b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md 
@@ -2,22 +2,28 @@ title: Monitor the use of removable storage devices (Windows 10) description: This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Monitor the use of removable storage devices + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. + If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a resource to a removable storage device. + Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored. -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To configure settings to monitor removable storage devices** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the flexible access Group Policy Object on the domain controller, and then click **Edit**. 
@@ -25,22 +31,25 @@ Your server might function differently based on the version and edition of the o 5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. 6. If you selected the **Failure** check box, double-click **Audit Handle Manipulation**, select the **Configure the following audit events check box**, and then select **Failure**. 7. Click **OK**, and then close the Group Policy Management Editor. + After you configure the settings to monitor removable storage devices, use the following procedure to verify that the settings are active. + **To verify that removable storage devices are monitored** + 1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window. - **Note**   - If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + + >**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.   2. Type **gpupdate /force**, and press ENTER. 3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy. 4. In Server Manager, click **Tools**, and then click **Event Viewer**. 5. Expand **Windows Logs**, and then click **Security**. 6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**. + Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted. 
- **Note**   - We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event. + + >**Note:**  We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.   ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md index 43db7d7f40..8e767cf028 100644 --- a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md 
@@ -2,36 +2,48 @@ title: Monitor user and device claims during sign-in (Windows 10) description: This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- + # Monitor user and device claims during sign-in + **Applies to** - Windows 10 + This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. + Device claims are associated with the system that is used to access resources that are protected with Dynamic Access Control. User claims are attributes that are associated with a user. User claims and device claims are included in the user’s security token used at sign-on. For example, information about Department, Company, Project, or Security clearances might be included in the token. + Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). -**Note**   -Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. 
+ +>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   **To monitor user and device claims in user logon token** + 1. Sign in to your domain controller by using domain administrator credentials. 2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. 3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. 4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **Logon/Logoff**, and then double-click **Audit User/Device claims**. 5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. 6. Close the Group Policy Management Editor. + After you configure settings to monitor user and device claims, verify that the changes are being monitored. + **To verify that user and device claims in user logon token are monitored** + 1. With local administrator credentials, sign in to a file server that is subject to the flexible access Group Policy Object. 2. Open an elevated command prompt, and run the following command: - **gpupdate force** + + `gpupdate force` + 3. From a client computer, connect to a file share on the file server as a user who has access permissions to the file server. 4. On the file server, open Event Viewer, expand **Windows Logs**, and select the **Security** log. Look for event 4626, and confirm that it contains information about user claims and device claims. 
+ ### Related resource -[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -  -  + +- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) From 07bf40944a154f3003ae44b85ea10ff0deb5ffda Mon Sep 17 00:00:00 2001 
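Review bot: In monitor-user-and-device-claims-during-sign-in.md, step 2 of the verification procedure, the reformatted command still reads `gpupdate force` without the slash, while the removable storage procedure earlier in this patch uses `gpupdate /force`. Since the line is being rewritten anyway, change it to `gpupdate /force` so the command works when copied as written. The same hunk also adds an empty line between `author: brianlic-msft` and the closing `---` of the front matter, which the removable storage file in this patch does not have.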
From: Brian Lich Date: Tue, 24 May 2016 16:37:12 -0700 Subject: [PATCH 093/169] fixing spacing issues --- ...ess-allow-anonymous-sidname-translation.md | 90 +++++------ ...-enumeration-of-sam-accounts-and-shares.md | 85 +++++------ ...w-anonymous-enumeration-of-sam-accounts.md | 87 +++++------ ...-credentials-for-network-authentication.md | 92 ++++++------ ...ne-permissions-apply-to-anonymous-users.md | 84 +++++------ ...-pipes-that-can-be-accessed-anonymously.md | 138 +++++++---------- ...-accessible-registry-paths-and-subpaths.md | 89 ++++++----- ...cess-remotely-accessible-registry-paths.md | 86 ++++++----- ...nymous-access-to-named-pipes-and-shares.md | 83 +++++------ ...shares-that-can-be-accessed-anonymously.md | 79 +++++----- ...g-and-security-model-for-local-accounts.md | 85 +++++------ .../network-list-manager-policies.md | 33 +++- ...ystem-to-use-computer-identity-for-ntlm.md | 118 ++++++--------- ...allow-localsystem-null-session-fallback.md | 85 +++++------ ...-this-computer-to-use-online-identities.md | 84 +++++------ ...e-encryption-types-allowed-for-kerberos.md | 133 ++++++----------- ...ager-hash-value-on-next-password-change.md | 80 +++++----- ...ty-force-logoff-when-logon-hours-expire.md | 84 +++++------ ...curity-lan-manager-authentication-level.md | 141 +++++++----------- ...curity-ldap-client-signing-requirements.md | 83 +++++------ ...-ssp-based-including-secure-rpc-clients.md | 84 +++++------ ...-ssp-based-including-secure-rpc-servers.md | 82 +++++----- ...rver-exceptions-for-ntlm-authentication.md | 98 ++++++------ ...lm-add-server-exceptions-in-this-domain.md | 100 +++++++------ ...strict-ntlm-audit-incoming-ntlm-traffic.md | 97 ++++++------ ...udit-ntlm-authentication-in-this-domain.md | 95 ++++++------ ...ity-restrict-ntlm-incoming-ntlm-traffic.md | 95 ++++++------ ...ntlm-ntlm-authentication-in-this-domain.md | 99 ++++++------ ...outgoing-ntlm-traffic-to-remote-servers.md | 97 ++++++------ 29 files changed, 1312 insertions(+), 1374 
deletions(-) diff --git a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md index ce3d50eac0..6c14b5a06f 100644 --- a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md +++ b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md 
@@ -2,90 +2,96 @@ title: Network access Allow anonymous SID/Name translation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Allow anonymous SID/Name translation security policy setting. ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Allow anonymous SID/Name translation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting. + ## Reference + This policy setting enables or disables the ability of an anonymous user to request security identifier (SID) attributes for another user. + If this policy setting is enabled, a user might use the well-known Administrators SID to get the real name of the built-in Administrator account, even if the account has been renamed. That person might then use the account name to initiate a brute-force password-guessing attack. + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - Enabled + An anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects the SID-to-name translation as well as the name-to-SID translation + - Disabled + Prevents an anonymous user from requesting the SID attribute for another user. + - Not defined + ### Best practices + - Set this policy to Disabled. This is the default value on member computers; therefore, it will have no impact on them. The default value for domain controllers is Enabled. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Note defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Note defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Disabled| +| Client Computer Effective Default Settings | Disabled|   ### Operating system version differences + The default value of this setting has changed between operating systems as follows: + - The default on domain controllers running Windows Server 2003 R2 or earlier was set to Enabled. - The default on domain controllers running Windows Server 2008 and later is set to Disabled. + ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with client computers, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password-guessing attack. + ### Countermeasure + Disable the **Network access: Allow anonymous SID/Name translation** setting. + ### Potential impact + Disabled is the default configuration for this policy setting on member devices; therefore, it has no impact on them. The default configuration for domain controllers is Enabled. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index 95f97f704f..52eb452b76 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md 
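Review bot: The new Markdown table in network-access-allow-anonymous-sidname-translation.md carries over the typo "Note defined" in the Default Domain Controller Policy row; it should read "Not defined", as in the row above it. The domain controller default also needs reconciling while this topic is open: the table and the Best practices text give Enabled, but the "Operating system version differences" list says domain controllers running Windows Server 2008 and later default to Disabled.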
@@ -2,85 +2,86 @@ title: Network access Do not allow anonymous enumeration of SAM accounts and shares (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts and shares security policy setting. ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Do not allow anonymous enumeration of SAM accounts and shares + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. + ## Reference + This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON. + This policy setting has no impact on domain controllers. Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - Enabled + - Disabled + No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. However, an unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks. 
+ - Not defined + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflicts + Even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON (on systems earlier than Windows Server 2008 and Windows Vista). + ### Group Policy + This policy has no impact on domain controllers. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. + ### Countermeasure + Enable the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** setting. + ### Potential impact + It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 2324359e3a..20f6455173 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md 
@@ -2,85 +2,88 @@ title: Network access Do not allow anonymous enumeration of SAM accounts (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting. ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- + # Network access: Do not allow anonymous enumeration of SAM accounts + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. + ## Reference + This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. + This policy setting has no impact on domain controllers. + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - Enabled + - Disabled + No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. + - Not defined + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflicts + Even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON (on systems earlier than Windows Server 2008 and Windows Vista). + ### Group Policy + This policy has no impact on domain controllers. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An unauthorized user could anonymously list account names and use the information to perform social engineering attacks or attempt to guess passwords. Social engineering attackers try to deceive users in some way to obtain passwords or some form of security information. + ### Countermeasure + Enable the **Network access: Do not allow anonymous enumeration of SAM accounts** setting. + ### Potential impact + It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. 
Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 16fa1842da..ec12a8c647 100644 --- a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md 
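Review bot: The front matter in network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md gains an empty line between `author: brianlic-msft` and the closing `---`, which the neighbouring files in this patch do not add. Drop it so the metadata blocks stay uniform. Under Possible values, Enabled has no description while Disabled does; a one-line description of Enabled would help readers choose a value.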
@@ -2,91 +2,95 @@ title: Network access Do not allow storage of passwords and credentials for network authentication (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Do not allow storage of passwords and credentials for network authentication security policy setting. ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Do not allow storage of passwords and credentials for network authentication + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. + ## Reference + This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. + ### Possible values + - Enabled + Credential Manager does not store passwords and credentials on the device + - Disabled + Credential Manager will store passwords and credentials on this computer for later use for domain authentication. + - Not defined + ### Best practices + It is a recommended practice to disable the ability of the Windows operating system to cache credentials on any device where credentials are not needed. Evaluate your servers and workstations to determine the requirements. Cached credentials are designed primarily to be used on laptops that require domain credentials when disconnected from the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy Object (GPO)Default value

      Default domain policy

      Disabled

      Default domain controller policy

      Disabled

      Stand-alone server default settings

      Disabled

      Domain controller effective default settings

      Not defined

      Member server effective default settings

      Not defined

      Effective GPO default settings on client computers

      Not defined

      + +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Disabled| +| Default domain controller policy| Disabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings| Not defined| +| Member server effective default settings | Not defined| +| Effective GPO default settings on client computers | Not defined|   ### Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + A restart of the device is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Passwords that are cached can be accessed by the user when logged on to the device. Although this information may sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords and forwards them to another, unauthorized user. -**Note**   -The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies. 
+ +>**Note:**  The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies.   Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. By using one of these utilities, an attacker can authenticate by using the overwritten value. + Overwriting the administrator's password does not help the attacker access data that is encrypted by using that password. Also, overwriting the password does not help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password does not help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) will not decrypt. + ### Countermeasure + Enable the **Network access: Do not allow storage of passwords and credentials for network authentication** setting. + To limit the number of changed domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. + When you try to log on to a domain from a Windows-based client device, and a domain controller is unavailable, you do not receive an error message. 
Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC registry entry. + ### Potential impact + Users are forced to type passwords whenever they log on to their Microsoft Account or other network resources that are not accessible to their domain account. This policy setting should have no impact on users who access network resources that are configured to allow access with their Active Directory–based domain account. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md index 84c96fe8a5..eedd57751a 100644 --- a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md 
@@ -2,83 +2,83 @@ title: Network access Let Everyone permissions apply to anonymous users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Let Everyone permissions apply to anonymous users security policy setting. ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Let Everyone permissions apply to anonymous users + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. + ## Reference + This policy setting determines what additional permissions are granted for anonymous connections to the device. If you enable this policy setting, anonymous users can enumerate the names of domain accounts and shared folders and perform certain other activities. This capability is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. + By default, the token that is created for anonymous connections does not include the Everyone SID. Therefore, permissions that are assigned to the Everyone group do not apply to anonymous users. + ### Possible values + - Enabled + The Everyone SID is added to the token that is created for anonymous connections, and anonymous users can access any resource for which the Everyone group has been assigned permissions. + - Disabled + The Everyone SID is removed from the token that is created for anonymous connections. + - Not defined + ### Best practices + - Set this policy to **Disabled**. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Polices\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks. + ### Countermeasure + Disable the **Network access: Let Everyone permissions apply to anonymous users** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md index 3046386e99..ab8eff2298 100644 --- a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md 
@@ -2,129 +2,91 @@ title: Network access Named Pipes that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Named Pipes that can be accessed anonymously security policy setting. ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Named Pipes that can be accessed anonymously + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. + ## Reference + This policy setting determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access. + Restricting access over named pipes such as COMNAP and LOCATOR helps prevent unauthorized access to the network. + ### Possible values + - User-defined list of shared folders - Not defined + ### Best practices + - Set this policy to a null value; that is, enable the policy setting, but do not enter named pipes in the text box. This will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Netlogon, samr, lsarpc

      Stand-Alone Server Default Settings

      Null

      DC Effective Default Settings

      Netlogon, samr, lsarpc

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Netlogon, samr, lsarpc| +| Stand-Alone Server Default Settings | Null| +| DC Effective Default Settings | Netlogon, samr, lsarpc| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + For this policy setting to take effect, you must also enable the [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + You can restrict access over named pipes such as COMNAP and LOCATOR to help prevent unauthorized access to the network. The following list describes available named pipes and their purpose. These pipes were granted anonymous access in earlier versions of Windows and some legacy applications may still use them. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Named pipePurpose

      COMNAP

      SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.

      COMNODE

      SNA Server named pipe.

      SQL\QUERY

      Default named pipe for SQL Server.

      SPOOLSS

      Named pipe for the Print Spooler service.

      EPMAPPER

      End Point Mapper named pipe.

      LOCATOR

      Remote Procedure Call Locator service named pipe.

      TrlWks

      Distributed Link Tracking Client named pipe.

      TrkSvr

      Distributed Link Tracking Server named pipe.

      + +| Named pipe | Purpose | +| - | - | +| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.| +| COMNODE| SNA Server named pipe.| +| SQL\QUERY | Default named pipe for SQL Server.| +| SPOOLSS | Named pipe for the Print Spooler service.| +| EPMAPPER | End Point Mapper named pipe.| +| LOCATOR | Remote Procedure Call Locator service named pipe.| +| TrlWks | Distributed Link Tracking Client named pipe.| +| TrkSvr | Distributed Link Tracking Server named pipe.|   ### Countermeasure + Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but do not specify named pipes in the text box). + ### Potential impact + This configuration disables null-session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes no longer function. This may break trust between Windows Server 2003 domains in a mixed mode environment. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md index c4154f266c..d7a01b9e6e 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md 
@@ -2,69 +2,57 @@ title: Network access Remotely accessible registry paths and subpaths (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Remotely accessible registry paths and subpaths security policy setting. ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Remotely accessible registry paths and subpaths + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. + ## Reference + This policy setting determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions. -The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive, and they help protect it from access by unauthorized users. + +The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive, +and they help protect it from access by unauthorized users. + To allow remote access, you must also enable the Remote Registry service. + ### Possible values + - User-defined list of paths - Not Defined + ### Best practices + - Set this policy to a null value; that is, enable the policy setting, but do not enter any paths in the text box. 
Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      See the following registry key combination

      DC Effective Default Settings

      See the following registry key combination

      Member Server Effective Default Settings

      See the following registry key combination

      Client Computer Effective Default Settings

      See the following registry key combination

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | See the following registry key combination| +| DC Effective Default Settings | See the following registry key combination| +| Member Server Effective Default Settings | See the following registry key combination| +| Client Computer Effective Default Settings | See the following registry key combination|   The combination of all the following registry keys apply to the previous settings: + 1. System\\CurrentControlSet\\Control\\Print\\Printers 2. System\\CurrentControlSet\\Services\\Eventlog 3. Software\\Microsoft\\OLAP Server 
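Review bot: In the Reference section, the rewrapped registry paragraph is now split across two added lines, with a hard break mid-sentence after "fairly restrictive," and the next line starting "and they help protect it". Every other paragraph in this topic stays on a single line, so join the two lines to keep the sentence whole and the source consistent. While the default-values table is being converted, the unchanged sentence under it ("The combination of all the following registry keys apply to the previous settings") could be corrected to "applies", since four of the six new table rows point the reader to it.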
@@ -76,22 +64,33 @@ The combination of all the following registry keys apply to the previous setting 9. System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration 10. Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib 11. System\\CurrentControlSet\\Services\\SysmonLog + ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The registry contains sensitive device configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs that are assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack. + ### Countermeasure + Configure the **Network access: Remotely accessible registry paths and sub-paths** setting to a null value (enable the setting but do not enter any paths in the text box). + ### Potential impact + Remote management tools such as MBSA and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. -**Note**   -If you want to allow remote access, you must also enable the Remote Registry service. + +>**Note:**  If you want to allow remote access, you must also enable the Remote Registry service.   ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
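Review bot: The Countermeasure paragraph in this hunk still names the setting "Remotely accessible registry paths and sub-paths", while the title and the Reference section spell it "subpaths". Use one spelling so a reader searching for the policy name finds every mention. The Restart requirement text here also says "without a computer restart" where the sibling topics in this patch say "device restart". The note converted to `>**Note:**` under Potential impact repeats the Remote Registry sentence already present in the Reference section, so consider keeping it in one place only.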
diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md index 33f15de3de..86fd1783e9 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md 
@@ -2,88 +2,86 @@ title: Network access Remotely accessible registry paths (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Remotely accessible registry paths security policy setting. ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Remotely accessible registry paths + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting. + ## Reference + This policy setting determines which registry paths are accessible when an application or process references the WinReg key to determine access permissions. + The registry is a database for device configuration information, much of which is sensitive. A malicious user can use the registry to facilitate unauthorized activities. To reduce the risk of this happening, suitable access control lists (ACLs) are assigned throughout the registry to help protect it from access by unauthorized users. + To allow remote access, you must also enable the Remote Registry service. + ### Possible values + - User-defined list of paths - Not Defined + ### Best practices + - Set this policy to a null value; that is, enable the policy setting but do not enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. 
Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      See the following registry key combination

      DC Effective Default Settings

      See the following registry key combination

      Member Server Effective Default Settings

      See the following registry key combination

      Client Computer Effective Default Settings

      See the following registry key combination

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | See the following registry key combination| +| DC Effective Default Settings | See the following registry key combination| +| Member Server Effective Default Settings | See the following registry key combination| +| Client Computer Effective Default Settings | See the following registry key combination|   The combination of all the following registry keys apply to the previous settings: + 1. System\\CurrentControlSet\\Control\\ProductOptions 2. System\\CurrentControlSet\\Control\\Server Applications 3. Software\\Microsoft\\Windows NT\\CurrentVersion + ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker could use information in the registry to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users. + ### Countermeasure + Configure the **Network access: Remotely accessible registry paths** setting to a null value (enable the setting, but do not enter any paths in the text box). + ### Potential impact + Remote management tools such as the Microsoft Baseline Security Analyzer (MBSA) and Configuration Manager require remote access to the registry to properly monitor and manage those computers. 
If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. -**Note**   -If you want to allow remote access, you must also enable the Remote Registry service. + +>**Note:**  If you want to allow remote access, you must also enable the Remote Registry service.   ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index ab84cb8711..84be70c08b 100644 --- a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md 
@@ -2,81 +2,78 @@ title: Network access Restrict anonymous access to Named Pipes and Shares (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Restrict anonymous access to Named Pipes and Shares security policy setting. ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Restrict anonymous access to Named Pipes and Shares + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. + ## Reference -This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources. + +This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. 
The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key +**HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources. + Null sessions are a weakness that can be exploited through the various shared folders on the devices in your environment. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set this policy to Enabled. Enabling this policy setting restricts null session access to unauthenticated users to all server pipes and shared folders except those listed in the **NullSessionPipes** and **NullSessionShares** registry entries. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings| Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Null sessions are a weakness that can be exploited through shared folders (including the default shared folders) on devices in your environment. + ### Countermeasure + Enable the **Network access: Restrict anonymous access to Named Pipes and Shares** setting. + ### Potential impact + You can enable this policy setting to restrict null-session access for unauthenticated users to all server pipes and shared folders except those that are listed in the NullSessionPipes and NullSessionShares entries. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md index 604898a019..b4505320e4 100644 --- a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md 
@@ -2,79 +2,74 @@ title: Network access Shares that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Shares that can be accessed anonymously security policy setting. ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Shares that can be accessed anonymously + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. + ## Reference + This policy setting determines which shared folders can be accessed by anonymous users. + ### Possible values + - User-defined list of shared folders - Not Defined + ### Best practices + - Set this policy to a null value. There should be little impact because this is the default value. All users will have to be authenticated before they can access shared resources on the server. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      DC Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any shared folders that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data. + ### Countermeasure + Configure the **Network access: Shares that can be accessed anonymously** setting to a null value. + ### Potential impact + There should be little impact because this is the default configuration. Only authenticated users have access to shared resources on the server. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md index c1f32eb9c3..fee079071d 100644 --- a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md 
@@ -2,88 +2,85 @@ title: Network access Sharing and security model for local accounts (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Sharing and security model for local accounts security policy setting. ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Sharing and security model for local accounts + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. + ## Reference + This policy setting determines how network logons that use local accounts are authenticated. If you configure this policy setting to Classic, network logons that use local account credentials authenticate with those credentials. If you configure this policy setting to Guest only, network logons that use local accounts are automatically mapped to the Guest account. The Classic model provides precise control over access to resources, and it enables you to grant different types of access to different users for the same resource. Conversely, the Guest only model treats all users equally, and they all receive the same level of access to a given resource, which can be either Read Only or Modify. -**Note**   -This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. + +>**Note:**  This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. 
When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used.   When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This means that they will probably be unable to write to shared folders. Although this does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. + ### Possible values + - Classic - Local users authenticate as themselves - Guest only - Local users authenticate as Guest - Not defined + ### Best practices + 1. For network servers, set this policy to **Classic - local users authenticate as themselves**. 2. On end-user systems, set this policy to **Guest only - local users authenticate as Guest**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Classic (local users authenticate as themselves)

      DC Effective Default Settings

      Classic (local users authenticate as themselves)

      Member Server Effective Default Settings

      Classic (local users authenticate as themselves)

      Client Computer Effective Default Settings

      Classic (local users authenticate as themselves)

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)| +| DC Effective Default Settings | Classic (local users authenticate as themselves)| +| Member Server Effective Default Settings | Classic (local users authenticate as themselves)| +| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + With the Guest only model, any user who can authenticate to your device over the network does so with Guest privileges, which probably means that they do not have Write access to shared resources on that device. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources. 
+ ### Countermeasure + For network servers, configure the **Network access: Sharing and security model for local accounts setting** to **Classic – local users authenticate as themselves**. On end-user computers, configure this policy setting to **Guest only – local users authenticate as guest**. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-list-manager-policies.md b/windows/keep-secure/network-list-manager-policies.md index 931739dc93..11de5e4da7 100644 --- a/windows/keep-secure/network-list-manager-policies.md +++ b/windows/keep-secure/network-list-manager-policies.md 
@@ -2,50 +2,75 @@ title: Network List Manager policies (Windows 10) description: Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network List Manager policies + **Applies to** - Windows 10 + Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. + To configure Network List Manager Policies for one device, you can use the Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in, and edit the local computer policy. The Network List Manager Policies are located at the following path in Group Policy Object Editor: **Computer Configuration | Windows Settings | Security Settings | Network List Manager Policies** + To configure Network List Manager Policies for many computers, such as for all of the Domain Computers in an Active Directory domain, follow Group Policy documentation to learn how to edit the policies for the object that you require. The path to the Network List Manager Policies is the same as the path listed above. + ### Policy settings for Network List Manager Policies + The following policy settings are provided for Network List Manager Policies. These policy settings are located in the details pane of the Group Policy Object Editor, in **Network Name**. + ### Unidentified Networks -This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the network. 
A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + +This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the +network. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + - **Location type**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not apply a location type to unidentified network connections. - **Private**. If you select this option, this policy setting applies a location type of Private to unidentified network connections. A private network, such as a home or work network, is a location type that assumes that you trust the other computers on the network. Do not select this item if there is a possibility that an active, unidentified network is in a public place. + - **Public**. If you select this option, this policy setting applies a location type of Public to unidentified network connections. A public network, such as a wireless network at an airport or coffee shop, is a location type that assumes that you do not trust the other computers on the network. + - **User permissions**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the location for unidentified network connections. - **User can change location**. 
If you select this option, this policy setting allows users to change an unidentified network connection location from Private to Public or from Public to Private. - **User cannot change location**. If you select this option, this policy setting does not allow users to change the location of an unidentified network connection. + ### Identifying Networks + This policy setting allows you to configure the **Network Location** for networks that are in a temporary state while Windows works to identify the network and location type. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + - **Location type**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not apply a location type to network connections that are in the process of being identified by Windows. - **Private**. If you select this option, this policy setting applies a location type of Private to network connections that are in the process of being identified. A private network, such as a home or work network, is a location type that assumes that you trust the other devices on the network. Do not select this item if there is a possibility that an active, unidentified network is in a public place. - **Public**. If you select this option, this policy setting applies a location type of Public to network connections that are in the process of being identified by Windows. A public network, such as a wireless network at an airport or coffee shop, is a location type that assumes that you do not trust the other devices on the network. + ### All Networks + This policy setting allows you to specify the **User Permissions** that control whether users can change the network name, location, or icon, for all networks to which the user connects. 
You can configure the following items for this policy setting: + - **Network name**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the network name for all network connections. - **User can change name**. If you select this option, users can change the network name for all networks to which they connect. - **User cannot change name**. If you select this option, users cannot change the network name for any networks to which they connect. + - **Network location**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the location for all network connections. - **User can change location**. If you select this option, this policy setting allows users to change all network locations from Private to Public or from Public to Private. - **User cannot change location**. If you select this option, this policy setting does not allow users to change the location for any networks to which they connect. + - **Network icon**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the network icon for all network connections. - **User can change icon**. If you select this option, this policy setting allows users to change the network icon for all networks to which the user connects. - **User cannot change icon**. If you select this option, this policy setting does not allow users to change the network icon for any networks to which the user connects. -  -  diff --git a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 532768f78b..929606cb16 100644 
--- a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -2,115 +2,87 @@ title: Network security Allow Local System to use computer identity for NTLM (Windows 10) description: Describes the location, values, policy management, and security considerations for the Network security Allow Local System to use computer identity for NTLM security policy setting. ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Allow Local System to use computer identity for NTLM + **Applies to** - Windows 10 + Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. + ## Reference + When services connect to devices that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. + When a service connects with the device identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.) + ### Possible values - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
      SettingWindows Server 2008 and Windows VistaAt least Windows Server 2008 R2 and Windows 7

      Enabled

      Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

      Services running as Local System that use Negotiate will use the computer identity. This is the default behavior.

      Disabled

      Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.

      Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

      Neither

      Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

      Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

      + +| Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 | +| - | - | +| Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. | +| Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.| +|Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.|   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy object (GPO)Default value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      Not applicable

      Member server effective default settings

      Not applicable

      Effective GPO default settings on client computers

      Not defined

      + +| Server type or Group Policy object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not applicable| +| Member server effective default settings | Not applicable| +| Effective GPO default settings on client computers | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + The policy [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md), if enabled, will allow NTLM or Kerberos authentication to be used when a system service attempts authentication. This will increase the success of interoperability at the expense of security. + The anonymous authentication behavior is different for Windows Server 2008 and Windows Vista than later versions of Windows. Configuring and applying this policy setting on those systems might not produce the same results. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. 
+ ### Vulnerability + When a service connects to computers running versions of Windows earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will use NULL session. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. + When a service connects with the computer identity, signing and encryption are supported to provide data protection. When a service connects with a NULL session, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. + ### Countermeasure + You can configure the **Network security: Allow Local System to use computer identity for NTLM** security policy setting to allow Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + ### Potential impact + If you do not configure this policy setting on Windows Server 2008 and Windows Vista, services running as Local System that use the default credentials will use the NULL session and revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008. Beginning with Windows Server 2008 R2 and Windows 7, the system allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md index 393c0a9382..34b487bba3 100644 --- a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md 
@@ -2,78 +2,75 @@ title: Network security Allow LocalSystem NULL session fallback (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting. ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Allow LocalSystem NULL session fallback + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting. + ## Reference -This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. 
+ +This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local +System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. + ### Possible values + - **Enabled** + When a service running as Local System connects with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. This increases application compatibility, but it degrades the level of security. + - **Disabled** - When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a NULL session will still have full use of session security. + + When a service running as Local System connects with a NULL session, session security will be unavailable. 
Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a + NULL session will still have full use of session security. + - Not defined. When this policy is not defined, the default takes effect. This is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it is Disabled otherwise. + ### Best practices + When services connect with the device identity, signing and encryption are supported to provide data protection. When services connect with a NULL session, this level of data protection is not provided. However, you will need to evaluate your environment to determine the Windows operating system versions that you support. If this policy is enabled, some services may not be able to authenticate. + This policy applies to Windows Server 2008 and Windows Vista (SP1 and later). When your environment no longer requires support for Windows NT 4, this policy should be disabled. By default, it is disabled in Windows 7 and Windows Server 2008 R2 and later. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy Object (GPO)Default value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      Not applicable

      Member server effective default settings

      Not applicable

      Effective GPO default settings on client computers

      Not applicable

      + +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not applicable| +| Member server effective default settings | Not applicable | +| Effective GPO default settings on client computers | Not applicable|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If this setting is Enabled, when a service connects with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. Data that is intended to be protected might be exposed. + ### Countermeasure + You can configure the computer to use the computer identity for Local System with the policy **Network security: Allow Local System to use computer identity for NTLM**. If that is not possible, this policy can be used to prevent data from being exposed in transit if it was protected with a well-known key. + ### Potential impact + If you enable this policy, services that use NULL session with Local System could fail to authenticate because they will be prohibited from using signing and encryption. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index a5ffb6243d..a381d1388c 100644 --- a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
+++ b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
@@ -2,83 +2,79 @@ title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10) description: Describes the best practices, location, and values for the Network Security Allow PKU2U authentication requests to this computer to use online identities security policy setting. ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Allow PKU2U authentication requests to this computer to use online identities + **Applies to** - Windows 10 + Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. + ## Reference + Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system, and it supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. + When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. -**Note**   -The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**. + +>**Note:**  The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.   
This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later. + ### Possible values + - **Enabled** + This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. + - **Disabled** + This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. + - Not set. Not configuring this policy prevents online IDs from being used to authenticate the user. This is the default on domain-joined devices + ### Best practices + Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or do not configure this policy to exclude online identities from being used to authenticate. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy Object (GPO)Default value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      Disabled

      Member server effective default settings

      Disabled

      Effective GPO default settings on client computers

      Disabled

      + +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers | Disabled|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft Account, so that account can log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this is beneficial for workgroups or home groups, using this feature in a domain-joined environment might circumvent your established security policies. + ### Countermeasure + Set this policy to Disabled or do not configure this security policy for domain-joined devices. + ### Potential impact + If you do not set or disable this policy, the PKU2U protocol will not be used to authenticate between peer devices, which forces users to follow domain defined access control policies. If you enable this policy, you will allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. This will allow users to share resources between devices + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md index 6fa8240e2e..7ca22f98c0 100644 
--- a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -2,128 +2,89 @@ title: Network security Configure encryption types allowed for Kerberos Win7 only (Windows 10) description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting. ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Configure encryption types allowed for Kerberos Win7 only + **Applies to** - Windows 10 + Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. + ## Reference + This policy setting allows you to set the encryption types that the Kerberos protocol is allowed to use. If it is not selected, the encryption type will not be allowed. This setting might affect compatibility with client computers or services and applications. Multiple selections are permitted. + For more information, see [article 977321](http://support.microsoft.com/kb/977321) in the Microsoft Knowledge Base. + The following table lists and explains the allowed encryption types. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Encryption typeDescription and version support

      DES_CBC_CRC

      Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function

      -

      Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default.

      DES_CBC_MD5

      Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function

      -

      Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default.

      RC4_HMAC_MD5

      Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function

      -

      Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

      AES128_HMAC_SHA1

      Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).

      -

      Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

      AES256_HMAC_SHA1

      Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).

      -

      Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

      Future encryption types

      Reserved by Microsoft for additional encryption types that might be implemented.

      + +| Encryption type | Description and version support | +| - | - | +| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
      Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES| by default. +| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
      Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. | +| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
      Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.| +| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
      Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | +| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
      Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | +| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|   ### Possible values + + The encryption type options include: + - DES\_CBC\_CRC - DES\_CBC\_MD5 - RC4\_HMAC\_MD5 - AES128\_HMAC\_SHA1 - AES256\_HMAC\_SHA1 - Future encryption types + As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented. + ### Best practices + You must analyze your environment to determine which encryption types will be supported and then select those that meet that evaluation. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy Object (GPO)Default value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      None of these encryption types that are available in this policy are allowed.

      Member server effective default settings

      None of these encryption types that are available in this policy are allowed.

      Effective GPO default settings on client computers

      None of these encryption types that are available in this policy are allowed.

      +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy| Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.| +| Member server effective default settings | None of these encryption types that are available in this policy are allowed.| +| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. + +Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running +Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. + ### Countermeasure + Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites. 
+ ### Potential impact + If you do not select any of the encryption types, computers running Windows Server 2008 R2 and Windows 7 might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. + If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows. Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 97a0897fcf..95b335005c 100644 --- a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md 
@@ -2,82 +2,78 @@ title: Network security Do not store LAN Manager hash value on next password change (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Do not store LAN Manager hash value on next password change security policy setting. ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Do not store LAN Manager hash value on next password change + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. + ## Reference + This policy setting determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed. Hash values are a representation of the password after the encryption algorithm is applied that corresponds to the format that is specified by the algorithm. To decrypt the hash value, the encryption algorithm must be determined and then reversed. The LAN Manager hash is relatively weak and prone to attack compared to the cryptographically stronger NTLM hash. Because the LM hash is stored on the local device in the security database, the passwords can be compromised if the security database, Security Accounts Manager (SAM), is attacked. + By attacking the SAM file, attackers can potentially gain access to user names and password hashes. Attackers can use a password-cracking tool to determine what the password is. After they have access to this information, they can use it to gain access to resources on your network by impersonating users. Enabling this policy setting will not prevent these types of attacks, but it will make them much more difficult. 
+ ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Set **Network security: Do not store LAN Manager hash value on next password change** to **Enabled**. 2. Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings|Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The SAM file can be targeted by attackers who seek access to user names and password hashes. Such attacks use special tools to discover passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks are not prevented by enabling this policy setting because LAN Manager hashes are much weaker than NTLM hashes, but it is much more difficult for these attacks to succeed. + ### Countermeasure + Enable the **Network security: Do not store LAN Manager hash value on next password change** setting. Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. + ### Potential impact + Some non-Microsoft applications might not be able to connect to the system. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md index 410ead1171..f6dd03a829 100644 
--- a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md 
@@ -2,83 +2,83 @@ title: Network security Force logoff when logon hours expire (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Force logoff when logon hours expire security policy setting. ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Force logoff when logon hours expire + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. + ## Reference + This security setting determines whether to disconnect users who are connected to the local device outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. + This policy setting does not apply to administrator accounts, but it behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy Object (GPO), even if there is a different account policy that is applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member devices) also receive the same account policy for their local accounts. However, local account policies for member devices can be different from the domain account policy by defining an account policy for the organizational unit that contains the member devices. Kerberos settings are not applied to member devices. 
+ ### Possible values + - Enabled + When enabled, this policy causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. + - Disabled + When disabled, this policy allows for the continuation of an established client session after the client's logon hours have expired. + - Not defined + ### Best practices + - Set **Network security: Force logoff when logon hours expire** to Enabled. SMB sessions will be terminated on member servers when a user's logon time expires, and the user will be unable to log on to the system until their next scheduled access time begins. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Disabled

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Disabled| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you disable this policy setting, users can remain connected to the computer outside of their allotted logon hours. + ### Countermeasure + Enable the **Network security: Force logoff when logon hours expire** setting. This policy setting does not apply to administrator accounts. + ### Potential impact + When a user's logon time expires, SMB sessions terminate. The user cannot log on to the device until the next scheduled access time commences. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-lan-manager-authentication-level.md b/windows/keep-secure/network-security-lan-manager-authentication-level.md index 1b3103d943..5d8a5343aa 100644 --- a/windows/keep-secure/network-security-lan-manager-authentication-level.md +++ b/windows/keep-secure/network-security-lan-manager-authentication-level.md 
@@ -2,25 +2,34 @@ title: Network security LAN Manager authentication level (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security LAN Manager authentication level security policy setting. ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: LAN Manager authentication level + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting. + ## Reference + This policy setting determines which challenge or response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal devices together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2). 
+ LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is the protocol that is used to authenticate all client devices running the Windows operating system when they perform the following operations: + - Join a domain - Authenticate between Active Directory forests - Authenticate to domains based on earlier versions of the Windows operating system - Authenticate to computers that do not run Windows operating systems, beginning with Windows 2000 - Authenticate to computers that are not in the domain + ### Possible values + - Send LM & NTLM responses - Send LM & NTLM - use NTLMv2 session security if negotiated - Send NTLM responses only @@ -28,114 +37,68 @@ LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is - Send NTLMv2 responses only. Refuse LM - Send NTLMv2 responses only. Refuse LM & NTLM - Not Defined -The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      SettingDescriptionRegistry security level

      Send LM & NTLM responses

      Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

      0

      Send LM & NTLM – use NTLMv2 session security if negotiated

      Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

      1

      Send NTLM response only

      Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

      2

      Send NTLMv2 response only

      Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

      3

      Send NTLMv2 response only. Refuse LM

      Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.

      4

      Send NTLMv2 response only. Refuse LM & NTLM

      Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.

      5

      + +The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the +authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting. + +| Setting | Description | Registry security level | +| - | - | - | +| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0| +| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1| +| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2| +| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3| +| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.| 4| +| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. 
Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.| 5|   ### Best practices + - Best practices are dependent on your specific security and authentication requirements. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Send NTLMv2 response only

      DC Effective Default Settings

      Send NTLMv2 response only

      Member Server Effective Default Settings

      Send NTLMv2 response only

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Send NTLMv2 response only| +| DC Effective Default Settings | Send NTLMv2 response only| +| Member Server Effective Default Settings | Send NTLMv2 response only| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with client devices, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + In Windows 7 and Windows Vista, this setting is undefined. In Windows Server 2008 R2 and later, this setting is configured to **Send NTLMv2 responses only**. + ### Countermeasure + Configure the **Network security: LAN Manager Authentication Level** setting to **Send NTLMv2 responses only**. Microsoft and a number of independent organizations strongly recommend this level of authentication when all client computers support NTLMv2. + ### Potential impact + Client devices that do not support NTLMv2 authentication cannot authenticate in the domain and access domain resources by using LM and NTLM. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-ldap-client-signing-requirements.md b/windows/keep-secure/network-security-ldap-client-signing-requirements.md index 533858f613..5207e6e65f 100644 
--- a/windows/keep-secure/network-security-ldap-client-signing-requirements.md +++ b/windows/keep-secure/network-security-ldap-client-signing-requirements.md 
@@ -2,87 +2,86 @@ title: Network security LDAP client signing requirements (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: LDAP client signing requirements + **Applies to** - Windows 10 + This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. + ## Reference + This policy setting determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests. The levels of data signing are described in the following list: + - **None**. The LDAP BIND request is issued with the caller-specified options. - **Negotiate signing**. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options. - **Require signing**. This level is the same as **Negotiate signing**. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed. + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. 
+ ### Possible values + - None - Negotiate signing - Require signature - Not Defined + ### Best practices + - Set **Domain controller: LDAP server signing requirements** to **Require signature**. If you set the server to require LDAP signatures, you must also set the client devices to do so. Not setting the client devices will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Negotiate signing

      DC Effective Default Settings

      Negotiate signing

      Member Server Effective Default Settings

      Negotiate signing

      Client Computer Effective Default Settings

      Negotiate signing

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Negotiate signing| +| DC Effective Default Settings | Negotiate signing| +| Member Server Effective Default Settings | Negotiate signing| +| Client Computer Effective Default Settings | Negotiate signing|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with client devices, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client computer and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers. + ### Countermeasure + Configure the **Network security: LDAP server signing requirements** setting to **Require signature**. + ### Potential impact + If you configure the server to require LDAP signatures, you must also configure the client computers. 
If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index 1fcbb6bbc4..ba6527767f 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md 
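Review bot: In network-security-ldap-client-signing-requirements.md, the Countermeasure section tells the reader to configure **Network security: LDAP server signing requirements**, but this topic covers the client setting, and Best practices names the server-side policy as **Domain controller: LDAP server signing requirements**. The countermeasure therefore points at a setting name that appears nowhere else in the hunk. Since Potential impact says both sides must be configured, name both the domain controller setting and this client setting there. Related: the Reference list calls the strictest level **Require signing**, while Possible values and the countermeasure say "Require signature"; use one label.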
@@ -2,83 +2,83 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting. ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. + ## Reference + This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security. These values are dependent on the **Network security: LAN Manager Authentication Level policy** setting value. + ### Possible values + - Require NTLMv2 session security + The connection fails if strong encryption (128-bit) is not negotiated. + - Require 128-bit encryption + The connection fails if the NTLMv2 protocol is not negotiated. + ### Best practices + Practices in setting this policy are dependent on your security requirements. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Require 128-bit encryption

      DC Effective Default Settings

      Require 128-bit encryption

      Member Server Effective Default Settings

      Require 128-bit encryption

      Client Computer Effective Default Settings

      Require 128-bit encryption

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Require 128-bit encryption| +| DC Effective Default Settings | Require 128-bit encryption| +| Member Server Effective Default Settings | Require 128-bit encryption| +| Client Computer Effective Default Settings | Require 128-bit encryption|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflicts + The settings for this security policy are dependent on the **Network security: LAN Manager Authentication Level policy** setting value. For info about this policy, see [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Network traffic that uses the NTLM Security Support Provider (NTLM SSP) could be exposed such that an attacker who has gained access to the network can create man-in-the-middle attacks. + ### Countermeasure + Enable all options that are available for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients policy** setting. + ### Potential impact + Client devices that enforce these settings cannot communicate with older servers that do not support them. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
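Review bot: Under Possible values, the two descriptions are attached to the wrong options: "Require NTLMv2 session security" is followed by "The connection fails if strong encryption (128-bit) is not negotiated", and "Require 128-bit encryption" by "The connection fails if the NTLMv2 protocol is not negotiated". The servers topic in this same patch pairs them the other way round. The blank `+` lines added between each bullet and its description also turn the description into a separate unindented paragraph, which makes the pairing easier to misread. Swap the two sentences and indent each under its bullet, or put it on the bullet line as the servers topic does. The list also lacks the "Not Defined" entry that the servers topic has.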
diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index 581c58aa2d..6bd65a6591 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md 
@@ -2,83 +2,81 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting. ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Minimum session security for NTLM SSP based (including secure RPC) servers + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. + ## Reference + This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security. These values are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) policy setting value. + Setting all of these values for this policy setting will help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by a malicious user who has gained access to the same network. That is, these settings help protect against man-in-the-middle attacks. + ### Possible values + - Require 128-bit encryption. The connection fails if strong encryption (128-bit) is not negotiated. - Require NTLMv2 session security. The connection fails if the NTLMv2 protocol is not negotiated. - Not Defined. + ### Best practices + - Enable all values that are available for this security policy. Legacy client devices that do not support these policy settings will be unable to communicate with the server. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Require 128-bit encryption

      DC Effective Default Settings

      Require 128-bit encryption

      Member Server Effective Default Settings

      Require 128-bit encryption

      Client Computer Effective Default Settings

      Require 128-bit encryption

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Require 128-bit encryption| +| DC Effective Default Settings | Require 128-bit encryption| +| Member Server Effective Default Settings | Require 128-bit encryption| +| Client Computer Effective Default Settings | Require 128-bit encryption|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy dependencies + The settings for this security policy are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) setting value. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Network traffic that uses the NTLM Security Support Provider (NTLM SSP) could be exposed such that an attacker who has gained access to the network can create man-in-the-middle attacks. + ### Countermeasure + Enable all options that are available for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** policy setting. + ### Potential impact + Older client devices that do not support these security settings cannot communicate with the computer on which this policy is set. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
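Review bot: The Reference paragraph of this servers topic still says the setting "allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security", which is the same sentence used in the clients topic. For the server-side policy it should describe what the server requires of incoming connections, in line with the Potential impact text ("Older client devices that do not support these security settings cannot communicate with the computer on which this policy is set"). Also, the clients topic titles the equivalent section "Policy conflicts" and this one "Policy dependencies"; both describe the same dependency on the LAN Manager authentication level setting, so use one heading.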
diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index 64151c9c05..ca5c6d20da 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md 
@@ -2,91 +2,101 @@ title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add remote server exceptions for NTLM authentication security policy setting. ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting. + ## Reference + The **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** policy setting allows you to create an exception list of remote servers to which client devices are allowed to use NTLM authentication if the [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) policy setting is configured. + If you configure this policy setting, you can define a list of remote servers to which client devices are allowed to use NTLM authentication. + If you do not configure this policy setting, no exceptions will be applied, and if [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, NTLM authentication attempts from the client devices will fail. + List the NetBIOS server names that are used by the applications as the naming format, one per line. To ensure exceptions, the names that are used by all applications need to be in the list. 
A single asterisk (\*) can be used anywhere in the string as a wildcard character. + ### Possible values + - User-defined list of remote servers + When you enter a list of remote servers to which clients are allowed to use NTLM authentication, the policy is defined and enabled. + - Not defined + If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + ### Best practices + 1. First enforce the [Network Security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) or [Network Security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) policy setting and then review the operational event log to understand which servers are involved in these authentication attempts so you can decide which servers to exempt. + 2. After you have set the server exception list, enforce the [Network Security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) or [Network Security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) policy setting and then review the operational event log again before setting the policies to block NTLM traffic. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      Not defined

      Member server effective default settings

      Not defined

      Client computer effective default settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings| Not defined|   ## Policy management + This section describes the features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy through Group Policy takes precedence over the setting on the local device. If the Group Policy setting is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if your server exception list is functioning as intended. Audit and block events are recorded on this device in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -When it has been determined that the NTLM authentication protocol should not be used from a client device to any remote servers because you are required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. 
If so, and you set [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked. + +When it has been determined that the NTLM authentication protocol should not be used from a client device to any remote servers because you are required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: +Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked. + If you define an exception list of servers to which client devices are allowed to use NTLM authentication, then NTLM authentication traffic will continue to flow between those client applications and servers. The servers then are vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. + ### Countermeasure -When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote servers in your environment. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. 
+ +When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote +servers in your environment. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. + ### Potential impact + Defining a list of servers for this policy setting will enable NTLM authentication traffic from the client application that uses those servers, and this might result in a security vulnerability. + If this list is not defined and [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, then client applications that use NTLM will fail to authenticate to those servers that they have previously used. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index a9dd8ee023..8a29a1cbad 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md 
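Review bot: The rewrapped Vulnerability paragraph in network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md breaks a line inside the link text: "[Network Security:" ends one `+` line and "Restrict NTLM: Outgoing NTLM traffic to remote servers](...)" starts the next. Keep the whole link on one line. The same applies to the mid-sentence break after "to the remote" in Countermeasure, since the rest of the file is one line per paragraph. Separately, the Countermeasure sentence "you can determine by reviewing which client applications are making NTLM authentication requests" is missing the object of "reviewing" (presumably the operational event log named under Auditing).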
@@ -2,91 +2,101 @@ title: Network security Restrict NTLM Add server exceptions in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add server exceptions in this domain security policy setting. ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Add server exceptions in this domain + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting. + ## Reference + The **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting allows you to create an exception list of servers in this domain to which client device are allowed to use NTLM pass-through authentication if any of the deny options are set in the [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) policy setting. + If you configure this policy setting, you can define a list of servers in this domain to which client devices are allowed to use NTLM authentication. + If you do not configure this policy setting, no exceptions will be applied, and if **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, all NTLM authentication attempts in the domain will fail. + List the NetBIOS server names as the naming format, one per line. A single asterisk (\*) can be used anywhere in the string as a wildcard character. + ### Possible values + - User-defined list of servers + When you enter a list of servers in this domain to which clients are allowed to use NTLM authentication, the policy is defined and enabled. 
+ - Not defined + If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + ### Best practices + 1. First enforce the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the operational event log to understand what domain controllers are involved in these authentication attempts so you can decide which servers to exempt. 2. After you have set the server exception list, enforce the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the operational event log again before setting the policies to block NTLM traffic. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      Not defined

      Member server effective default settings

      Not defined

      Client computer effective default settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined | +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy via Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if your server exception list is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -When it has been determined that the NTLM authentication protocol should not be used within a domain because you are required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. 
If so, and you set Network Security: [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request. -If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. + +When it has been determined that the NTLM authentication protocol should not be used within a domain because you are required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: +[Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request. + +If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security +weaknesses in NTLM. + ### Countermeasure -When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. 
+ +When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you will have to determine on a +case-by-case basis if NTLM authentication still minimally meets your security requirements. + ### Potential impact + Defining a list of servers for this policy setting will enable NTLM authentication traffic between those servers might result in a security vulnerability. + If this list is not defined and **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, then NTLM authentication will fail on those pass-through servers in the domain that they have previously used + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 1f01809e6d..30716f504d 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md 
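Review bot: The rewritten Vulnerability line in network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md keeps a duplicated prefix: "you set Network Security: [Network Security: Restrict NTLM: NTLM authentication in this domain](...)". Drop the text before the link. Two sentences under Potential impact also need fixing while this file is open: "will enable NTLM authentication traffic between those servers might result in a security vulnerability" is missing a connective before "might", and the final sentence ends without a period after "previously used". The new hard wraps after "security" and "on a" also split paragraphs that are otherwise one line each.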
@@ -2,93 +2,104 @@ title: Network security Restrict NTLM Audit incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit incoming NTLM traffic security policy setting. ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Audit incoming NTLM traffic + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Audit incoming NTLM traffic** policy setting allows you to audit incoming NTLM traffic. + When this audit policy is enabled within Group Policy, it is enforced on any server where that Group Policy is distributed. The events will be recorded in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + When you enable this policy on a server, only authentication traffic to that server will be logged. -When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic in your environment, and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. 
+ +When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it does not actually block any traffic. Therefore, you can use it effectively to understand the +authentication traffic in your environment, and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. + ### Possible values + - Disable + The server on which this policy is set will not log events for incoming NTLM traffic. + - Enable auditing for domain accounts + The server on which this policy is set will log events for NTLM pass-through authentication requests only for accounts in the domain that would be blocked when the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy setting is set to **Deny all domain accounts**. + - Enable auditing for all accounts + The server on which this policy is set will log events for all NTLM authentication requests that would be blocked when the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy setting is set to **Deny all accounts**. + - Not defined + This is the same as **Disable**, and it results in no auditing of NTLM traffic. + ### Best practices + Depending on your environment and the duration of your testing, monitor the log size regularly. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      Not defined

      Member server effective default settings

      Not defined

      Client computer effective default settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + There are no security audit event policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. 
+ ### Vulnerability + Enabling this policy setting will reveal through logging which servers and client computers within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. + ### Countermeasure + Restrict access to the log files when this policy setting is enabled in your production environment. + ### Potential impact + If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 6f7df9f011..4bda1da37a 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md 
@@ -2,92 +2,101 @@ title: Network security Restrict NTLM Audit NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit NTLM authentication in this domain security policy setting. ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Audit NTLM authentication in this domain + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting allows you to audit on the domain controller NTLM authentication in that domain. + When you enable this policy setting on the domain controller, only authentication traffic to that domain controller will be logged. + When you enable this audit policy, it functions in the same way as the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic to your domain controllers and when you are ready to block that traffic, you can enable the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting and select **Deny for domain accounts to domain servers**, **Deny for domain servers**, or **Deny for domain accounts**. + ### Possible values + - **Disable** + The domain controller on which this policy is set will not log events for incoming NTLM traffic. 
+ - **Enable for domain accounts to domain servers** + The domain controller on which this policy is set will log events for NTLM authentication logon attempts for accounts in the domain to domain servers when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts to domain servers**. + - **Enable for domain accounts** + The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**. + - Not defined + This is the same as **Disable** and results in no auditing of NTLM traffic. + ### Best practices + Depending on your environment and the duration of your testing, monitor the operational event log size regularly. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      Not defined

      Member server effective default settings

      Not defined

      Client computer effective default settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + There are no security audit event policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. 
+ +NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the +Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Enabling this policy setting will reveal through logging which devices within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. ### Countermeasure + Restrict access to the log files when this policy setting is enabled in your production environment. + ### Potential impact + If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 500af92295..270051f5d3 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md 
@@ -2,90 +2,99 @@ title: Network security Restrict NTLM Incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Incoming NTLM traffic security policy setting. ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Incoming NTLM traffic + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Incoming NTLM traffic** policy setting allows you to deny or allow incoming NTLM traffic from client computers, other member servers, or a domain controller. + ### Possible values + - **Allow all** + The server will allow all NTLM authentication requests. + - **Deny all domain accounts** + The server will deny NTLM authentication requests for domain logon, return an NTLM blocked error message to the client device, and log the error, but the server will allow local account logon. + + - **Deny all accounts** + The server will deny NTLM authentication requests from all incoming traffic (whether domain account logon or local account logon), return an NTLM blocked error message to the client device, and log the error. + - Not defined + This is the same as **Allow all**, and the server will allow all NTLM authentication requests. + ### Best practices + If you select **Deny all domain accounts** or **Deny all accounts**, incoming NTLM traffic to the member server will be restricted. 
It is better to set the **Network Security: Restrict NTLM: Audit Incoming NTLM traffic** policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and subsequently what client applications are using NTLM. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      Not defined

      Member server effective default settings

      Not defined

      Client computer effective default settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined | +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no Security Audit Event policies that can be configured to view event output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Malicious attacks on NTLM authentication traffic that result in a compromised server can occur only if the server handles NTLM requests. 
If those requests are denied, brute force attacks on NTLM are eliminated. + ### Countermeasure + When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, you can select one of several options that this security policy setting offers to restrict NTLM usage. + ### Potential impact -If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + +If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that +you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 27500c1d95..8389b3ad72 100644 
--- a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md 
@@ -2,95 +2,108 @@ title: Network security Restrict NTLM NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM NTLM authentication in this domain security policy setting. ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: NTLM authentication in this domain + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy setting does not affect interactive logon to this domain controller. + ### Possible values + - **Disable** + The domain controller will allow all NTLM pass-through authentication requests within the domain. + - **Deny for domain accounts to domain servers** + The domain controller will deny all NTLM authentication logon attempts using accounts from this domain to all servers in the domain. The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + NTLM can be used if the users are connecting to other domains. This depends on if any Restrict NTLM policies have been set on those domains. 
+ - **Deny for domain accounts** + Only the domain controller will deny all NTLM authentication logon attempts from domain accounts and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + - **Deny for domain servers** + The domain controller will deny NTLM authentication requests to all servers in the domain and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. Servers that are not joined to the domain will not be affected if this policy setting is configured. + - **Deny all** + The domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + - Not defined + The domain controller will allow all NTLM authentication requests in the domain where the policy is deployed. + ### Best practices + If you select any of the deny options, incoming NTLM traffic to the domain will be restricted. First, set the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the Operational log to understand what authentication attempts are made to the member servers. You can then add those member server names to a server exception list by using the [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md) policy setting. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default domain policy

      Not configured

      Default domain controller policy

      Not configured

      Stand-alone server default settings

      Not configured

      Domain controller effective default settings

      Not configured

      Member server effective default settings

      Not configured

      Client computer effective default settings

      Not configured

      + +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not configured| +| Default domain controller policy | Not configured| +| Stand-alone server default settings | Not configured| +| Domain controller effective default settings | Not configured| +| Member server effective default settings | Not configured | +| Client computer effective default settings | Not configured|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit event policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. 
+ ### Vulnerability + Malicious attacks on NTLM authentication traffic resulting in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated. + ### Countermeasure -When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage within the domain. + +When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage +within the domain. + ### Potential impact + If you configure this policy setting, numerous NTLM authentication requests could fail within the domain, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit NTLM authentication in this domain** to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index b73aff9db6..439657d395 100644 
--- a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md 
@@ -2,93 +2,100 @@ title: Network security Restrict NTLM Outgoing NTLM traffic to remote servers (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Outgoing NTLM traffic to remote servers security policy setting. ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. -**Warning**   -Modifying this policy setting may affect compatibility with client computers, services, and applications. + +>**Warning:**  Modifying this policy setting may affect compatibility with client computers, services, and applications.   ### Possible values + - **Allow all** + The device can authenticate identities to a remote server by using NTLM authentication because no restrictions exist. + - **Audit all** + The device that sends the NTLM authentication request to a remote server logs an event for each request. This allows you to identify those servers that receive NTLM authentication requests from the client device + - **Deny all** + The device cannot authenticate any identities to a remote server by using NTLM authentication. 
You can use the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting to define a list of remote servers to which client devices are allowed to use NTLM authentication while denying others. This setting will also log an event on the device that is making the authentication request. + - Not defined + This is the same as **Allow all**, and the device will allow all NTLM authentication requests when the policy is deployed. + ### Best practices + If you select **Deny all**, the client device cannot authenticate identities to a remote server by using NTLM authentication. First, select **Audit all** and then review the operational event log to understand which servers are involved in these authentication attempts. You can then add those server names to a server exception list by using the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not defined

      Domain controller effective default settings

      Not defined

      Member server effective default settings

      Not defined

      Client computer effective default settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit event policies that can be configured to view event output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. 
+ ### Vulnerability + Malicious attacks on NTLM authentication traffic that result in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated. + ### Countermeasure + When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, then you can select from several options to restrict NTLM usage to servers. + ### Potential impact -If you configure this policy setting to deny all requests, numerous NTLM authentication requests to remote servers could fail, which could degrade productivity. Before implementing this restriction through this policy setting, select **Audit all** so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md). + +If you configure this policy setting to deny all requests, numerous NTLM authentication requests to remote servers could fail, which could degrade productivity. Before implementing this restriction through this policy setting, select **Audit all** so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) +. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) From 06948bf968acffc5406a8c2335d4cd819d853bdb Mon Sep 17 00:00:00 2001 
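Review bot: in the Potential impact hunk, the rewritten paragraph ends at the link's closing `)` and the sentence's period is added as a separate `+.` line, so the rendered text will show the period detached from the link. Keep the period on the same line as the link, as the removed line had it. Separately, the new default-values table uses `| - | - |` as its delimiter row; matching the longer delimiter rows used by the other tables in this series (`|------|------------|`) avoids depending on how a given renderer treats a single dash.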
From: Tyler Donahue Date: Tue, 24 May 2016 17:01:40 -0700 Subject: [PATCH 094/169] add section for custom images, additional edu settings, and other fixes - typo on line 89 - replace variables in group policy (sleeptimeout) with absolute values since they are not customizable via set up school pcs - added note about custom images - clarified bullets about admin accounts - added some more customizations made specifically by the set up school pcs app --- .../windows/set-up-school-pcs-technical.md | 32 ++++++++++++------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index dc9d74d077..32de82d832 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md 
@@ -60,7 +60,8 @@ The PC is also configured to not interrupt the user during normal daytime hours * On a Windows PC joined to Azure Active Directory: * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. +* If admin accounts are necessary on the PC * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or * Create admin accounts before setting up shared PC mode, or * Create exempt accounts before signing out. @@ -78,7 +79,8 @@ The PC is also configured to not interrupt the user during normal daytime hours ``` - +## Custom images +Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the /oobe flag to create an image that teachers can use the **Set up School PCs** app to finish provisioning themselves. [More information about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). ## Provisioning package details 
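Review bot: in the new Custom images section, the sysprep link target contains raw parentheses, `cc721940(v=ws.10).aspx`, while the other MSDN links in this file percent-encode them (`mt723294%28v=vs.85%29.aspx`); encode this one the same way so the link does not depend on the renderer balancing parentheses. The sentence "create an image that teachers can use the **Set up School PCs** app to finish provisioning themselves" is also hard to parse; say what the teacher does with the image. The heading is added directly under the closing code fence with the blank line removed, so keep a blank line before `## Custom images`.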
@@ -86,8 +88,16 @@ The **Set up School PCs** app produces a specialized provisioning package that m ### Education customizations -- Saving content locally to the PC is disabled. This prevents data loss by forcing students to save tothe cloud. -- A custom Start layout and sign in background image are set. +- Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud. +- A custom Start layout and sign in background image are set. +- Prohibits Microsoft Accounts (MSAs) from being created +- Prohibits unlocking the PC to developer mode +- Prohibits untrusted Windows Store apps from being installed +- Prohibits users removing MDM +- Prohibits users from adding new provisioning packages +- Prohibits users from removing existing provisioning packages (including the one set by **Set up School PCs** +- Sets Active hours from 6am to 6pm +- Sets Windows Update to update nightly ### Uninstalled apps @@ -137,17 +147,17 @@ The **Set up School PCs** app produces a specialized provisioning package that m

      Require a password when a computer wakes (on battery)

      Enabled

      -

      Specify the system sleep timeout (plugged in)

      SleepTimeout

      +

      Specify the system sleep timeout (plugged in)

      1 hour

      -

      Specify the system sleep timeout (on battery)

      SleepTimeout

      +

      Specify the system sleep timeout (on battery)

      1 hour

      Turn off hybrid sleep (plugged in)

      Enabled

      Turn off hybrid sleep (on battery)

      Enabled

      -

      Specify the unattended sleep timeout (plugged in)

      SleepTimeout

      +

      Specify the unattended sleep timeout (plugged in)

      1 hour

      -

      Specify the unattended sleep timeout (on battery)

      SleepTimeout

      +

      Specify the unattended sleep timeout (on battery)

      1 hour

      Allow standby states (S1-S3) when sleeping (plugged in)

      Enabled
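Review bot: the four sleep-timeout rows changed in this hunk now read `1 hour` on its own, while neighbouring rows in the same table give the policy state together with the value (`Enabled, 0` for the hibernate timeout, `Enabled, 2 hours` for the maintenance random delay). Write these as `Enabled, 1 hour` so the Value column has one format and a reader can tell the policy state from the table alone.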

      @@ -158,9 +168,9 @@ The **Set up School PCs** app produces a specialized provisioning package that m

      Specify the system hibernate timeout (on battery)

      Enabled, 0

      Admin Templates > System > Power Management > Video and Display Settings

      -

      Turn off the display (plugged in)

      SleepTimeout

      +

      Turn off the display (plugged in)

      1 hour

      -

      Turn off the display (on battery

      SleepTimeout

      +

      Turn off the display (on battery

      1 hour

      Admin Templates > System > Logon
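Review bot: the `Turn off the display (on battery` row is rewritten in this hunk but still lacks its closing parenthesis. Since the row is already being touched, add the `)` so it matches `Turn off the display (plugged in)` above it.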

      @@ -214,7 +224,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

      Admin Templates > Windows Components > Maintenance Scheduler

      -

      Automatic Maintenance Activation Boundary

      MaintenanceStartTime

      +

      Automatic Maintenance Activation Boundary

      12am

      Automatic Maintenance Random Delay

      Enabled, 2 hours

      From 8f0b93bcff2f8cd544de0b95061537dd22e39889 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 25 May 2016 08:50:13 -0700 Subject: [PATCH 095/169] add change history --- education/windows/TOC.md | 1 + education/windows/change-history-edu.md | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 education/windows/change-history-edu.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 6708148826..4ba71e288a 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -1,4 +1,5 @@ # [Windows 10 for education](index.md) +## [Change history for Windows 10 for Education](change-history-edu.md) ## [Use the Set up School PCs app](use-set-up-school-pcs-app.md) ## [Set up School PCs app technical reference](set-up-school-pcs-technical.md) ## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md new file mode 100644 index 0000000000..7926bc8c25 --- /dev/null +++ b/education/windows/change-history-edu.md @@ -0,0 +1,20 @@ +--- +title: Change history for Windows 10 for Education (Windows 10) +description: New and changed topics in Windows 10 for Education +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Change history for Windows 10 for Education + +This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. + +## May 2016 + +| New or changed topic | Description | +|----------------------|-------------| +| [Take tests in Windows 10](take-tests-in-windows-10.md)
      [Set up Take a Test on a single PC](take-a-test-single-pc.md)
      [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
      [Take a Test app technical reference](take-a-test-app-technical.md) | New | +| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 | +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 | \ No newline at end of file From 9da8801d84d7ded52e4c1d35fd1690b6c10b29ee Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 25 May 2016 09:00:32 -0700 Subject: [PATCH 096/169] tweaks to techref --- .../windows/set-up-school-pcs-technical.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 32de82d832..742103f585 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -80,7 +80,7 @@ The PC is also configured to not interrupt the user during normal daytime hours ## Custom images -Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the /oobe flag to create an image that teachers can use the **Set up School PCs** app to finish provisioning themselves. [More information about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). +Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the **Set up School PCs** provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). ## Provisioning package details 
@@ -90,14 +90,14 @@ The **Set up School PCs** app produces a specialized provisioning package that m - Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud. - A custom Start layout and sign in background image are set. -- Prohibits Microsoft Accounts (MSAs) from being created -- Prohibits unlocking the PC to developer mode -- Prohibits untrusted Windows Store apps from being installed -- Prohibits users removing MDM -- Prohibits users from adding new provisioning packages -- Prohibits users from removing existing provisioning packages (including the one set by **Set up School PCs** -- Sets Active hours from 6am to 6pm -- Sets Windows Update to update nightly +- Prohibits Microsoft Accounts (MSAs) from being created. +- Prohibits unlocking the PC to developer mode. +- Prohibits untrusted Windows Store apps from being installed. +- Prohibits students from removing MDM. +- Prohibits students from adding new provisioning packages. +- Prohibits student from removing existing provisioning packages (including the one set by **Set up School PCs**). +- Sets active hours from 6 AM to 6 PM. +- Sets Windows Update to update nightly. ### Uninstalled apps From a0f6d4e8b7d9318fa92262f00157895fb111f0c2 Mon Sep 17 00:00:00 2001 
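Review bot: in the reworded Education customizations list, the bullet `Prohibits student from removing existing provisioning packages` should read `students`, matching the two bullets above it. The list also still mixes two voices: the first two items are full sentences, while the rest start with a bare verb (`Prohibits`, `Sets`) and no subject. One form throughout would read better.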
From: jdeckerMS Date: Wed, 25 May 2016 09:06:59 -0700 Subject: [PATCH 097/169] prep for initial publication --- education/windows/TOC.md | 6 - .../windows/get-minecraft-for-education.md | 44 --- education/windows/index.md | 4 - education/windows/school-get-minecraft.md | 72 ----- .../windows/set-up-school-pcs-technical.md | 262 ------------------ .../set-up-students-pcs-to-join-domain.md | 69 ----- education/windows/teacher-get-minecraft.md | 60 ---- .../windows/use-set-up-school-pcs-app.md | 117 -------- 8 files changed, 634 deletions(-) delete mode 100644 education/windows/get-minecraft-for-education.md delete mode 100644 education/windows/school-get-minecraft.md delete mode 100644 education/windows/set-up-school-pcs-technical.md delete mode 100644 education/windows/set-up-students-pcs-to-join-domain.md delete mode 100644 education/windows/teacher-get-minecraft.md delete mode 100644 education/windows/use-set-up-school-pcs-app.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 4ba71e288a..4bc5d61f86 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -1,11 +1,5 @@ # [Windows 10 for education](index.md) ## [Change history for Windows 10 for Education](change-history-edu.md) -## [Use the Set up School PCs app](use-set-up-school-pcs-app.md) -## [Set up School PCs app technical reference](set-up-school-pcs-technical.md) -## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) -## [Get Minecraft Education Edition](get-minecraft-for-education.md) -### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) -### [For IT admins: get Minecraft Education Edition](school-get-minecraft.md) ## [Take tests in Windows 10](take-tests-in-windows-10.md) ### [Set up Take a Test on a single PC](take-a-test-single-pc.md) ### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) 
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md deleted file mode 100644 index 21bd8a182f..0000000000 --- a/education/windows/get-minecraft-for-education.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: Get Minecraft Education Edition -description: Learn how to get and distribute Minecraft Education Edition. -keywords: school -ms.prod: W10 -ms.mktglfcycl: plan -ms.sitesec: library -author: jdeckerMS ---- - -# Get Minecraft Education Edition - -**Applies to:** - -- Windows 10 - - -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - -[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. - - - -Teachers and IT administrators can now get early access to **Minecraft Education Edition** and add it their Microsoft Store for Business for distribution. - -![education.minecraft.net](images/minecraft.png) - -## Prerequisites - -- **Minecraft Education Edition** requires Windows 10. -- Early access to **Minecraft Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD). - - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft Education Edition**. - * Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) - * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. 
[Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) - -![teacher](images/teacher.png) - -[Learn how teachers can get and distribute **Minecraft Education Edition**](teacher-get-minecraft.md) - - -![IT administrator](images/school.png) - -[Learn how IT administrators can get and distribute **Minecraft Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. - diff --git a/education/windows/index.md b/education/windows/index.md index f7f9f123f0..5ab182367a 100644 --- a/education/windows/index.md +++ b/education/windows/index.md 
@@ -16,10 +16,6 @@ author: jdeckerMS |Topic |Description | |------|------------| -|[Use Set up School PCs app](use-set-up-school-pcs-app.md) | Learn how to use the **Set up School PCs** app to quickly configure new Windows 10 PCs for students. | -| [Set up School PCs app technical reference](set-up-school-pcs-technical.md) | This topic provides prerequisites and provisioning details for using the **Set up School PCs** app. | -| [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) | Learn how to create provisioning packages to easily configure student's PCs to join your Active Directory domain. | -| [Get Minecraft: Education Edition](get-minecraft-for-education.md) | Learn how to get free early access to **Minecraft: Education Edition** and distribute it to your students. | | [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md deleted file mode 100644 index 684fb0e0c2..0000000000 --- a/education/windows/school-get-minecraft.md +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -title: For IT administrators get Minecraft Education Edition -description: Learn how IT admins can get and distribute Minecraft in their schools. -keywords: ["school"] -ms.prod: W10 -ms.mktglfcycl: plan -ms.sitesec: library -author: jdeckerMS ---- - -# For IT administrators: get Minecraft Education Edition - -**Applies to:** - -- Windows 10 - - -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - -When you sign up for early access to [Minecraft Education Edition](http://education.minecraft.net), Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization. - -> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 subscription when you request Minecraft Education Edition. - -## Add Minecraft to your Windows Store for Business - -1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**. - - ![Click Get the app](images/it-get-app.png) - -2. Enter your email address. - - ![Enter school email address](images/enter-email.png) - - - If your email address isn't associated to an Azure AD or Office 365 tenant, you'll be asked to fill in a form. The information will be used to create an Office 365 subscription for your school. - -3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store. - - ![You can get the app now](images/get-the-app.png) - -4. Sign in to Windows Store for Business with your email address. - -5. 
Read and accept the Windows Store for Business Service Agreement, and then select **Next**. - -6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft Education Edition** in your Store inventory. - - ![Get Minecraft app in Store](images/get-app-store.png) - -## Distribute Minecraft - -After Minecraft Education Edition is added to your Windows Store for Business, you have three options: - -- You can install the app on your PC. -- You can assign the app to others. Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more-tech savvy students who always use the same PC at school. -- You can download the app to distribute. This downloads a provisioning package (.ppkg) file. You save the file on a USB drive, and install the app on PCs from the UBb drive. This option is best for younger students and for shared computers. - -![App distribution options](images/app-distribution-options.png) - -## Manage permissions for Minecraft Education Edition - -![assign roles to manage Minecraft permissions](images/minecraft-perms.png) - -## Learn more - -[Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business) - -[Troubleshoot Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/troubleshoot-windows-store-for-business) - -## Related topics - -[Get Minecraft Education Edition](get-minecraft-for-education.md) - -[For teachers get Minecraft Education Edition](teacher-get-minecraft.md) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md deleted file mode 100644 index 742103f585..0000000000 --- a/education/windows/set-up-school-pcs-technical.md +++ /dev/null 
@@ -1,262 +0,0 @@ ---- -title: Set up School PCs app technical reference -description: Describes the changes that the app makes to a PC. -keywords: ["shared cart", "shared PC", "school"] -ms.prod: W10 -ms.mktglfcycl: plan -ms.sitesec: library -author: jdeckerMS ---- - -# Technical reference for the Set up School PCs app -**Applies to:** - -- Windows 10 Insider Preview - - -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - -The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. - -If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. - -The following table tells you what you get using the **Set up School PCs** app in your school. - -| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | -| --- | :---: | :---: | :---: | :---: | -| **Fast sign-in**
      Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | -| **Custom Start experience**\*
      The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | -| **Temporary access, no sign-in required**
      This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | -| **School policies**\*
      Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | -| **Azure AD Join**
      The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | -| **Single sign-on to Office 365**
      By signing on with student IDs, students have fast access to Office 365 web apps. | | | X | X | -| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
      Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | -| | | | | | -\* Feature applies to Windows 10 Pro, Windows 10 Pro for Education, Windows 10 Enterprise, and Windows 10 Enterprise for EDU - -> **Note**: If your school uses Active Directory, [use Windows Imaging and Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the **Set up School PCs** app to set up PCs that are not connected to your traditional domain. - -## Prerequisites for IT - -* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give the teacher appropriate privileges for joining devices or make a special account. -* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) -* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) -* After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System (SIS). - - -## Information about Windows Update - -Shared PC mode helps ensure that computers are always up-to-date. 
If a PC is configured using the **Set up School PCs** app, shared PC mode sets the power states and Windows Update to: -* Wake nightly -* Check and install updates -* Forcibly reboot if necessary to finish applying updates - -The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. - -## Guidance for accounts on shared PCs - -* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out. -* On a Windows PC joined to Azure Active Directory: - * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. - * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. -* If admin accounts are necessary on the PC - * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or - * Create admin accounts before setting up shared PC mode, or - * Create exempt accounts before signing out. -* The account management service supports accounts that are exempt from deletion. 
- * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell: - ``` - $adminName = "LocalAdmin" - $adminPass = 'Pa$$word123' - iex "net user /add $adminName $adminPass" - $user = New-Object System.Security.Principal.NTAccount($adminName) - $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) - $sid = $sid.Value; - New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force - ``` - - -## Custom images -Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the **Set up School PCs** provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). - -## Provisioning package details - -The **Set up School PCs** app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). - -### Education customizations - -- Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud. -- A custom Start layout and sign in background image are set. -- Prohibits Microsoft Accounts (MSAs) from being created. -- Prohibits unlocking the PC to developer mode. -- Prohibits untrusted Windows Store apps from being installed. -- Prohibits students from removing MDM. -- Prohibits students from adding new provisioning packages. -- Prohibits student from removing existing provisioning packages (including the one set by **Set up School PCs**). -- Sets active hours from 6 AM to 6 PM. -- Sets Windows Update to update nightly. 
- - -### Uninstalled apps - -- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) -- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) -- Get Started (Microsoft.Getstarted_8wekyb3d8bbwe) -- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) -- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) -- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) -- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) -- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) -- Groove Music (Microsoft.ZuneMusic_8wekyb3d8bbwe) -- Movies & TV (Microsoft.ZuneVideo_8wekyb3d8bbwe) -- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) - -### Local Group Policies - -> **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      Policy path

      Policy name

      Value

      Admin Templates > Control Panel > Personalization

      Prevent enabling lock screen slide show

      Enabled

      Prevent changing lock screen and logon image

      Enabled

      Admin Templates > System > Power Management > Button Settings

      Select the Power button action (plugged in)

      Sleep

      Select the Power button action (on battery)

      Sleep

      Select the Sleep button action (plugged in)

      Sleep

      Select the lid switch action (plugged in)

      Sleep

      Select the lid switch action (on battery)

      Sleep

      Admin Templates > System > Power Management > Sleep Settings

      Require a password when a computer wakes (plugged in)

      Enabled

      Require a password when a computer wakes (on battery)

      Enabled

      Specify the system sleep timeout (plugged in)

      1 hour

      Specify the system sleep timeout (on battery)

      1 hour

      Turn off hybrid sleep (plugged in)

      Enabled

      Turn off hybrid sleep (on battery)

      Enabled

      Specify the unattended sleep timeout (plugged in)

      1 hour

      Specify the unattended sleep timeout (on battery)

      1 hour

      Allow standby states (S1-S3) when sleeping (plugged in)

      Enabled

      Allow standby states (S1-S3) when sleeping (on battery)

      Enabled

      Specify the system hibernate timeout (plugged in)

      Enabled, 0

      Specify the system hibernate timeout (on battery)

      Enabled, 0

      Admin Templates > System > Power Management > Video and Display Settings

      Turn off the display (plugged in)

      1 hour

      Turn off the display (on battery

      1 hour

      Admin Templates > System > Logon

      Show first sign-in animation

      Disabled

      Hide entry points for Fast User Switching

      Enabled

      Turn on convenience PIN sign-in

      Disabled

      Turn off picture password sign-in

      Enabled

      Turn off app notification on the lock screen

      Enabled

      Allow users to select when a password is required when resuming from connected standby

      Disabled

      Block user from showing account details on sign-in

      Enabled

      Admin Templates > System > User Profiles

      Turn off the advertising ID

      Enabled

      Admin Templates > Windows Components

      Do not show Windows Tips

      Enabled

      Turn off Microsoft consumer experiences

      Enabled

      Microsoft Passport for Work

      Disabled

      Prevent the usage of OneDrive for file storage

      Enabled

      Admin Templates > Windows Components > Biometrics

      Allow the use of biometrics

      Disabled

      Allow users to log on using biometrics

      Disabled

      Allow domain users to log on using biometrics

      Disabled

      Admin Templates > Windows Components > Data Collection and Preview Builds

      Toggle user control over Insider builds

      Disabled

      Disable pre-release features or settings

      Disabled

      Do not show feedback notifications

      Enabled

      Admin Templates > Windows Components > File Explorer

      Show lock in the user tile menu

      Disabled

      Admin Templates > Windows Components > Maintenance Scheduler

      Automatic Maintenance Activation Boundary

      12am

      Automatic Maintenance Random Delay

      Enabled, 2 hours

      Automatic Maintenance WakeUp Policy

      Enabled

      Admin Templates > Windows Components > Microsoft Edge

      Open a new tab with an empty tab

      Disabled

      Configure corporate home pages

      Enabled, about:blank

      Admin Templates > Windows Components > Search

      Allow Cortana

      Disabled

      Windows Settings > Security Settings > Local Policies > Security Options

      Interactive logon: Do not display last user name

      Enabled

      Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

      Disabled

      Shutdown: Allow system to be shut down without having to log on

      Disabled

      User Account Control: Behavior of the elevation prompt for standard users

      Auto deny



      - -## Related topics - -[Use Set up School PCs app](use-set-up-school-pcs-app.md) - - - - diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md deleted file mode 100644 index 32b42572f0..0000000000 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -title: Set up student PCs to join domain -description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. -keywords: ["shared cart", "shared PC", "school"] -ms.prod: W10 -ms.mktglfcycl: plan -ms.sitesec: library -author: jdeckerMS ---- - -# Set up student PCs to join domain -**Applies to:** - -- Windows 10 - - -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - -If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure the PC for student use that is joined to the Active Directory domain. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) - - - -##Create the provisioning package - -1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). - -2. Click **Simple provisioning**. - -3. Name your project and click **Finish**. - -4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. - -5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. - - Home to Education - - Pro to Education - - Pro to Enterprise - - Enterprise to Education - - Mobile to Mobile Enterprise - - -6. Click **Set up network**. - -7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. - -8. 
Click **Enroll into Active Directory**. - -9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. - - > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: - - Use a least-privileged domain account to join the device to the domain. - - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. - - -10. Click **Finish**. - -11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under Protect your package, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. - -12. Click **Create**. - -> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -## Apply package - - -Go to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. - -![add a package option](images/package.png) - 
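Review bot: nothing in this whole-file deletion of set-up-students-pcs-to-join-domain.md (`@@ -1,69 +0,0 @@`) says where its security guidance now lives, namely the step 9 warning (join with a least-privileged domain account, create a temporary administrator, delete it through Group Policy after enrollment) and the Important note that ICD project files are not encrypted even when the .ppkg is. If the topic is moving rather than being retired, record it as a rename so that guidance visibly survives, and check that no TOC.md or index.md entry still links to this file name.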
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md deleted file mode 100644 index ab019d66fb..0000000000 --- a/education/windows/teacher-get-minecraft.md +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -title: For teachers get Minecraft Education Edition -description: Learn how teachers can get and distribute Minecraft. -keywords: ["school"] -ms.prod: W10 -ms.mktglfcycl: plan -ms.sitesec: library -author: jdeckerMS ---- - -# For teachers: get Minecraft Education Edition - -**Applies to:** - -- Windows 10 - - -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - -(intro text) - -## Add Minecraft to your Windows Store for Business - -1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **Get the app**. - - ![Click Get the app](images/teacher-get-app.png) - -2. Enter your email address. - - ![Enter school email address](images/enter-email.png) - -3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store. - - ![You can get the app now](images/get-the-app.png) - -4. Sign in to Windows Store for Business with your email address. - -5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**. - -6. **Minecraft Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft Education Edition** in your Store inventory. - - ![Get Minecraft app in Store](images/get-app-store.png) - -## Distribute Minecraft - -After Minecraft Education Edition is added to your Windows Store for Business, you have three options: - -- You can install the app on your PC. -- You can assign the app to others. Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more-tech savvy students who always use the same PC at school. -- You can download the app to distribute. 
This downloads a provisioning package (.ppkg) file. You save the file on a USB drive, and install the app on PCs from the UBb drive. This option is best for younger students and for shared computers. - -![App distribution options](images/app-distribution-options.png) - -## Related topics - -[Get Minecraft Education Edition](get-minecraft-for-education.md) - -[For IT admins: get Minecraft Education Edition](school-get-minecraft.md) - - diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md deleted file mode 100644 index 855a3279f6..0000000000 --- a/education/windows/use-set-up-school-pcs-app.md +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -title: Use Set up School PCs app -description: Learn how the Set up School PCs app works and how to use it. -keywords: ["shared cart", "shared PC", "school"] -ms.prod: W10 -ms.mktglfcycl: plan -ms.sitesec: library -author: jdeckerMS ---- - -# Use the Set up School PCs app -**Applies to:** - -- Windows 10 Insider Preview - - -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - -Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. - -![Run app, turn on PC, insert USB key](images/app1.jpg) - -## What does this app do? - -The Set up School PCs app helps you set up new computers running Windows 10, version 1607. Some benefits of using this app to set up your students' PCs: -* A computer set up this way is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. - * Places tiles for OneNote, Office 365 web apps, Sway, and Microsoft Classroom on the Start menu - * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar - * Sets Microsoft Edge as the default browser - * Uninstalls apps not specific to education, such as Solitaire and Sports - * Turns off Offers and tips - * Prevents students from adding personal Microsoft accounts to the computer -* Significantly improves how fast students sign-in. -* The app connects the PCs to your school’s cloud so IT can manage them (optional). -* Windows 10 automatically manages accounts no matter how many students use the PC. 
-* Keeps computers up-to-date without interfering with class time using Windows Update and maintenance hours (by default, 12 AM). -* Customizes the sign-in screen to support students with IDs and temporary users. -* Locks down the computer to prevent mischievous activity: - * Prevents students from installing apps - * Prevents students from removing the computer from the school's device management system - * Prevents students from removing the Set up School PCs settings - - -## Tips for success - -* **Run the app at work**: For the best results, run the **Set up School PCs** app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. - > **Note**: Don't use **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open wi-fi networks that require the user to accept Terms of Use. -* **Apply to new computers**: The setup file that the **Set up School PCs** app creates should be used on new computers that haven't been set up for accounts yet. If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. -> **Warning**: Only use the setup file on computers that you want to configure and lock down for students. After you apply the setup file to a computer, the computer must be reset to remove the settings. -* **Turn on student PCs and stay on first screen**: The computer must be on this screen when you insert the USB key. - -![The first screen to set up a new PC](images/oobe.jpg) - -If you have gone past this screen, you may have to reset your PC to start over. To reset your PC after you have completed the first run experience, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. -* **Use more than one USB key**: If you are setting up multiple PCs, you can set them up at the same time. 
Just run the **Set up School PCs** app again and save the same settings to another key. That way you can run set up on more than one PC at once. Create three keys and you can run it on three PCs at once, etc. -* **Start fresh**: If the PC has already been set up and you want to return to the first-run-experience to apply a new package, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. -* **Keep it clean**: We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md). - -## Set up School PCs app step-by-step - -What you need: - -- The **Set up School PCs** app, installed on your work computer, connected to your school's network -- A USB drive, 1 GB or larger - -### Create the setup file in the app - -The **Set up School PCs** app guides you through the configuration choices for the student PCs. - -1. Open the **Set up School PCs** app and select **Start**. - - ![select start](images/app1.jpg) - -2. Choose **No** to require students to sign in with an account, or choose **Yes** to allow students to use the PC without an account, and then select **Next**. - - ![account required?](images/setup-app-1-access.png) - -3. Choose a Wi-Fi network from the list and then select **Next**, or choose **Manually connect to a wireless network** to enter the network information yourself. - - ![choose network](images/setup-app-1-wifi.png) - - - For a manual network connection, enter the network name, security type, and password (if required), and then select **Next**. - - ![enter network information](images/setup-app-1-wifi-manual.png) - -4. Insert a USB drive, select it in the app, and then select **Save**. 
- - ![select usb drive](images/setup-app-1-usb.png) - - - -### Apply the setup file to PCs - -The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to *package*, it means your setup file, and when it refers to *provisioning*, it means applying the setup file to the computer. - -1. Start with a computer on the first-run setup screen. - - ![The first screen to set up a new PC](images/oobe.jpg) - -2. Insert the USB drive. Windows Setup will recognize the drive and ask you if you want to set up the device. Select **Set up**. - - ![Set up device?](images/setupmsg.jpg) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/prov.jpg) - -4. Read and accept the Microsoft Software License Terms. Your last step is to sign in. Use your Azure AD or Office 365 account and password. - - ![Sign in](images/signinprov.jpg) - -That's it! The computer is now ready for students. - -## Learn more - -See [The Set up School PCs app technical reference](set-up-school-pcs-technical.md) for prerequisites and provisioning details. - From 3de247f4c1ccc0cf93f92722235ec49a0f19afb5 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 25 May 2016 09:27:24 -0700 Subject: [PATCH 098/169] add link to Heather's page --- education/windows/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/education/windows/index.md b/education/windows/index.md index 5ab182367a..cc96968ca3 100644 --- a/education/windows/index.md +++ b/education/windows/index.md 
@@ -21,4 +21,6 @@ author: jdeckerMS | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | ## Related topics -- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index) \ No newline at end of file + +- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index) +- [Try it out: virtual labs for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356) From 23a0ade7efd7fa9c7a50e429cb91bb47bf32c09a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 25 May 2016 10:02:43 -0700 Subject: [PATCH 099/169] fixing spacing issues --- ...protect-bitlocker-from-pre-boot-attacks.md | 18 +++++- ...s-of-attacks-for-volume-encryption-keys.md | 56 +++++++++++++++++-- 2 files changed, 67 insertions(+), 7 deletions(-) diff --git a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md index 8edf687f07..1b1c4370f3 100644 --- a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md +++ b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md 
@@ -2,27 +2,41 @@ title: Protect BitLocker from pre-boot attacks (Windows 10) description: This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. ms.assetid: 24d19988-fc79-4c45-b392-b39cba4ec86b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Protect BitLocker from pre-boot attacks + + **Applies to** - Windows 10 + This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. -BitLocker uses encryption to protect the data on your drive, but BitLocker security is only effective when the encryption key is protected. Many users have relied on pre-boot authentication to protect the operating system’s integrity, disk encryption solution (for example, encryption keys), and the PC’s data from offline attacks. With pre-boot authentication, users must provide some form of credential before unlocking encrypted volumes and starting Windows. Typically, they authenticate themselves using a PIN or a USB flash drive as a key. + +BitLocker uses encryption to protect the data on your drive, but BitLocker security is only effective when the encryption key is protected. Many users have relied on pre-boot authentication to protect the operating system’s integrity, disk encryption solution (for example, encryption keys), and the PC’s data from offline attacks. With pre-boot authentication, users must provide some form of credential before unlocking encrypted volumes and starting +Windows. Typically, they authenticate themselves using a PIN or a USB flash drive as a key. 
+ Full-volume encryption using BitLocker Drive Encryption is vital for protecting data and system integrity on devices running the Windows 10, Windows 8.1, Windows 8, or Windows 7 operating system. It is equally important to protect the BitLocker encryption key. On Windows 7 devices, sufficiently protecting that key often required pre-boot authentication, which many users find inconvenient and complicates device management. + Pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs. Every time the PC is unattended, the device must be set to hibernate (in other words, shut down and powered off); when the computer restarts, users must authenticate before the encrypted volumes are unlocked. This requirement increases restart times and prevents users from accessing remote PCs until they can physically access the computer to authenticate, making pre-boot authentication unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network. + If users lose their USB key or forget their PIN, they can’t access their PC without a recovery key. With a properly configured infrastructure, the organization’s support will be able to provide the recovery key, but doing so increases support costs, and users might lose hours of productive work time. + Starting with Windows 8, Secure Boot and Windows Trusted Boot startup process ensures operating system integrity, allowing Windows to start automatically while minimizing the risk of malicious startup tools and rootkits. In addition, many modern devices are fundamentally physically resistant to sophisticated attacks against the computer’s memory, and now Windows authenticates the user before making devices that may represent a threat to the device and encryption keys available for use. 
+ ## In this topic + The sections that follow help you understand which PCs still need pre-boot authentication and which can meet your security requirements without the inconvenience of it. + - [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) - [BitLocker countermeasures](bitlocker-countermeasures.md) - [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) + ## See also + - [BitLocker overview](bitlocker-overview.md)     diff --git a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md index 057ed8dad2..4f38eca5a6 100644 --- a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md +++ b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md 
@@ -2,43 +2,69 @@ title: Types of attacks for volume encryption keys (Windows 10) description: There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. ms.assetid: 405060a9-2009-44fc-9f84-66edad32c6bc -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Types of attacks for volume encryption keys + **Applies to** - Windows 10 + There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. + The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attack’s strengths and weaknesses as well as suggested mitigations. + ### Bootkit and rootkit attacks + Rootkits are a sophisticated and dangerous type of malware that runs in kernel mode, using the same privileges as the operating system. Because rootkits have the same or possibly even more rights than the operating system, they can completely hide themselves from Windows and even an antimalware solution. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords, transfer private files, and capture cryptography keys. + Different types of bootkits and rootkits load at different software levels: + - **Kernel level.** Rootkits running at the kernel level have the highest privilege in the operating system. 
They may be able to inject malicious code or replace portions of the core operating system, including both the kernel and device drivers. - **Application level.** These rootkits are aimed to replace application binaries with malicious code, such as a Trojan, and can even modify the behavior of existing applications. - **Library level.** The purpose of library-level rootkits is to hook, patch, or replace system calls with malicious code that can hide the malware’s presence. - **Hypervisor level.** Hypervisor rootkits target the boot sequence. Their primary purpose is to modify the boot sequence to load themselves as a hypervisor. - **Firmware level.** These rootkits overwrite the PC’s BIOS firmware, giving the malware low-level access and potentially the ability to install or hide malware, even if it’s cleaned or removed from the hard disk. + Regardless of the operating system or encryption method, rootkits have access to confidential data once installed. Application-level rootkits can read any files the user can access, bypassing volume-level encryption. Kernel-, library-, hypervisor-, and firmware-level rootkits have direct access to system files on encrypted volumes and can also retrieve an encryption key from memory. + Windows offers substantial protection from bootkits and rootkits, but it is possible to bypass operating system security when an attacker has physical access to the device and can install the malware to the device while Windows is offline. For example, an attacker might boot a PC from a USB flash drive containing malware that starts before Windows. The malware can replace system files or the PC’s firmware or simply start Windows under its control. + To sufficiently protect a PC from boot and rootkits, devices must use pre-boot authentication or Secure Boot, or the encryption solution must use the device’s Trusted Platform Module (TPM) as a means of monitoring the integrity of the end-to-end boot process. 
Pre-boot authentication is available for any device, regardless of the hardware, but because it is inconvenient to users, it should be used only to mitigate threats that are applicable to the device. On devices with Secure Boot enabled, you do not need to use pre-boot authentication to protect against boot and rootkit attacks. + Although password protection of the UEFI configuration is important for protecting a device’s configuration and preventing an attacker from disabling Secure Boot, use of a TPM and its Platform Configuration Register (PCR) measurements (PCR7) to ensure that the system’s bootloader (whether a Windows or non-Microsoft encryption solution) is tamper free and the first code to start on the device is critical. An encryption solution that doesn’t use a device’s TPM to protect its components from tampering may be unable to protect itself from bootkit-level infections that could log a user’s password or acquire encryption keys. + For this reason, when BitLocker is configured on devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the pre–operating system environment before making encrypted volumes accessible. + Any changes to the UEFI configuration invalidates the PCR7 and require the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. If an attacker successfully turns off Secure Boot or otherwise changes the UEFI configuration, they will need to enter the BitLocker recovery key, but UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives). + ### Brute-force Sign-in Attacks + Attackers can find any password if you allow them to guess enough times. The process of trying millions of different passwords until you find the right one is known as a *brute-force sign-in attack*. In theory, an attacker could obtain any password by using this method. 
+ Three opportunities for brute-force attacks exist: + - **Against the pre-boot authenticator.** An attacker could attack the device directly by attempting to guess the user’s BitLocker PIN or an equivalent authenticator. The TPM mitigates this approach by invoking an anti-hammering lockout capability that requires the user to wait until the lockout period ends or enter the BitLocker recovery key. - **Against the recovery key.** An attacker could attempt to guess the 48-digit BitLocker recovery key. Even without a lockout period, the key is long enough to make brute-force attacks impractical. Specifically, the BitLocker recovery key has 128 bits of entropy; thus, the average brute-force attack would succeed after 18,446,744,073,709,551,616 guesses. If an attacker could guess 1 million passwords per second, the average brute-force attack would require more than 580,000 years to be successful. - **Against the operating system sign-in authenticator.** An attacker can attempt to guess a valid user name and password. Windows implements a delay between password guesses, slowing down brute-force attacks. In addition, all recent versions of Windows allow administrators to require complex passwords and password lockouts. Similarly, administrators can use Microsoft Exchange ActiveSync policy or Group Policy to configure Windows 8.1 and Windows 8 to automatically restart and require the user to enter the BitLocker 48-digit recovery key after a specified number of invalid password attempts. When these settings are enabled and users follow best practices for complex passwords, brute-force attacks against the operating system sign-in are impractical. + In general, brute-force sign-in attacks are not practical against Windows when administrators enforce complex passwords and account lockouts. + ### Direct Memory Access Attacks + Direct memory access (DMA) allows certain types of hardware devices to communicate directly with a device’s system memory. 
For example, if you use Thunderbolt to connect another device to your computer, the second device automatically has Read and Write access to the target computer’s memory. + Unfortunately, DMA ports don’t use authentication and access control to protect the contents of the computer’s memory. Whereas Windows can often prevent system components and apps from reading and writing to protected parts of memory, a device can use DMA to read any location in memory, including the location of any encryption keys. -DMA attacks are relatively easy to execute and require little technical skills. Anyone can download a tool from the Internet, such as those made by [Passware](http://www.lostpassword.com/), [ElcomSoft](http://elcomsoft.com/), and others, and then use a DMA attack to read confidential data from a PC’s memory. Because encryption solutions store their encryption keys in memory, they can be accessed by a DMA attack. + +DMA attacks are relatively easy to execute and require little technical skills. Anyone can download a tool from the Internet, such as those made by [Passware](http://www.lostpassword.com/), [ElcomSoft](http://elcomsoft.com/), and +others, and then use a DMA attack to read confidential data from a PC’s memory. Because encryption solutions store their encryption keys in memory, they can be accessed by a DMA attack. + Not all port types are vulnerable to DMA attacks. USB in particular does not allow DMA, but devices that have any of the following port types are vulnerable: + - FireWire - Thunderbolt - ExpressCard 
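Review bot: the recovery-key bullet under "### Brute-force Sign-in Attacks" in this hunk says the key has 128 bits of entropy but then gives an average of 18,446,744,073,709,551,616 guesses, which is 2^64; the average for a 128-bit key is 2^127 guesses. The "more than 580,000 years" figure follows from the 2^64 value at 1 million guesses per second, so it understates the work by the same factor. This change already touches every paragraph boundary in the section, so correct the two numbers in the same pass, or drop them and keep the "impractical" conclusion. Separately, the added line ending "[ElcomSoft](http://elcomsoft.com/), and" followed by "+others, and then use a DMA attack" introduces a hard wrap mid-sentence; keep the paragraph on one line like the rest of the file.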
@@ -46,37 +72,57 @@ Not all port types are vulnerable to DMA attacks. USB in particular does not all - PCI - PCI-X - PCI Express -To perform a DMA attack, attackers typically connect a second PC that is running a memory-scanning tool (for example, Passware, ElcomSoft) to the FireWire or Thunderbolt port of the target computer. When connected, the software scans the system memory of the target and locates the encryption key. Once acquired, the key can be used to decrypt the drive and read or modify its contents. + +To perform a DMA attack, attackers typically connect a second PC that is running a memory-scanning tool (for example, Passware, ElcomSoft) to the FireWire or Thunderbolt port of the target computer. When connected, the software +scans the system memory of the target and locates the encryption key. Once acquired, the key can be used to decrypt the drive and read or modify its contents. + A much more efficient form of this attack exists in theory: An attacker crafts a custom FireWire or Thunderbolt device that has the DMA attack logic programmed on it. Now, the attacker simply needs to physically connect the device. If the attacker does not have physical access, they could disguise it as a free USB flash drive and distribute it to employees of a target organization. When connected, the attacking device could use a DMA attack to scan the PC’s memory for the encryption key. It could then transmit the key (or any data in the PC’s memory) using the PC’s Internet connection or its own wireless connection. This type of attack would require an extremely high level of sophistication, because it requires that the attacker create a custom device (devices of these types are not readily available in the marketplace at this time). + Today, one of the most common uses for DMA ports on Windows devices is for developer debugging, a task that some developers need to perform and one that few consumers will ever perform. 
Because USB; DisplayPort; and other, more secure port types satisfy consumers, most new mobile PCs do not include DMA ports. Microsoft’s view is that because of the inherent security risks of DMA ports, they do not belong on mobile devices, and Microsoft has prohibited their inclusion on any InstantGo-certified devices. InstantGo devices offer mobile phone–like power management and instant-on capabilities; at the time of writing, they are primarily found in Windows tablets. + DMA-based expansion slots are another avenue of attack, but these slots generally appear only on desktop PCs that are designed for expansion. Organizations can use physical security to prevent outside attacks against their desktop PCs. In addition, a DMA attack on the expansion slot would require a custom device; as a result, an attacker would most likely insert an interface with a traditional DMA port (for example, FireWire) into the slot to attack the PC. + To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device. + ### Hyberfil.sys Attacks + The hyberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hyberfil.sys file. 
+ Like the DMA port attack discussed in the previous section, tools are available that can scan the hyberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hyberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it. + In practice, the only reason an attack on hyberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hyberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack. + ### Memory Remanence Attacks + A memory remanence attack is a side-channel attack that reads the encryption key from memory after restarting a PC. Although a PC’s memory is often considered to be cleared when the PC is restarted, memory chips don’t immediately lose their memory when you disconnect power. Therefore, an attacker who has physical access to the PC’s memory might be able to read data directly from the memory—including the encryption key. + When performing this type of cold boot attack, the attacker accesses the PC’s physical memory and recovers the encryption key within a few seconds or minutes of disconnecting power. This type of attack was demonstrated by researchers at [Princeton University](http://www.youtube.com/watch?v=JDaicPIgn9U). With the encryption key, the attacker would be able to decrypt the drive and access its files. + To acquire the keys, attackers follow this process: + 1. Freeze the PC’s memory. 
For example, an attacker can freeze the memory to −50°C by spraying it with aerosol air duster spray. 2. Restart the PC. 3. Instead of restarting Windows, boot to another operating system. Typically, this is done by connecting a bootable flash drive or loading a bootable DVD. 4. The bootable media loads the memory remanence attack tools, which the attacker uses to scan the system memory and locate the encryption keys. 5. The attacker uses the encryption keys to access the drive’s data. + If the attacker is unable to boot the device to another operating system (for example, if bootable flash drives have been disabled or Secure Boot is enabled), the attacker can attempt to physically remove the frozen memory from the device and attach it to a different, possibly identical device. Fortunately, this process has proven extremely unreliable, as evidenced by the Defence Research and Development Canada (DRDC) Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). On an increasing portion of modern devices, this type of attack is not even possible, because memory is soldered directly to the motherboard. + Although Princeton’s research proved that this type of attack was possible on devices that have removable memory, device hardware has changed since the research was published in 2008: + - Secure Boot prevents the malicious tools that the Princeton attack depends on from running on the target device. - Windows systems with BIOS or UEFI can be locked down with a password, and booting to a USB drive can be prevented. - If booting to USB is required on the device, it can be limited to starting trusted operating systems by using Secure Boot. - The discharge rates of memory are highly variable among devices, and many devices have memory that is completely immune to memory remanence attacks. 
- Increased density of memory diminishes their remanence properties and reduces the likelihood that the attack can be successfully executed, even when memory is physically removed and placed in an identical system where the system’s configuration may enable booting to the malicious tools. + Because of these factors, this type of attack is rarely possible on modern devices. Even in cases where the risk factors exist on legacy devices, attackers will find the attack unreliable. For detailed info about the practical uses for forensic memory acquisition and the factors that make a computer vulnerable or resistant to memory remanence attacks, read [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078). + The BitLocker pre-boot authentication feature can successfully mitigate memory remanence attacks on most devices, but you can also mitigate such attacks by protecting the system UEFI or BIOS and prevent the PC from booting from external media (such as a USB flash drive or DVD). The latter option is often a better choice, because it provides sufficient protection without inconveniencing users with pre-boot authentication. + ## See also + - [BitLocker countermeasures](bitlocker-countermeasures.md) - [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) - [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) - [BitLocker overview](bitlocker-overview.md) -  -  From d62a1c230be6f144dae7af79dc4bd68f79877b9c Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 25 May 2016 11:13:23 -0700 Subject: [PATCH 100/169] EDU changes, to go live tomorrow --- windows/plan/TOC.md | 3 --- windows/plan/chromebook-migration-guide.md | 1 + windows/plan/deploy-windows-10-in-a-school.md | 1 + windows/plan/index.md | 1 - windows/plan/windows-10-guidance-for-education-environments.md | 1 + 5 files changed, 3 insertions(+), 4 deletions(-) 
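Review bot: the "### Hyberfil.sys Attacks" section in the @@ -46,37 +72,57 @@ hunk of the BitLocker attack-types topic misspells the Windows hibernation file, which is hiberfil.sys; the text uses "hyberfil.sys" throughout and "hyberfile.sys" once. The hunk re-spaces that heading and its paragraphs without fixing the name, so a reader searching for the file on disk or in other documentation will not match it. Change the heading and body to "hiberfil.sys" while the section is being touched. The added wrap that ends one line at "the software" and starts the next with "+scans the system memory of the target" is another mid-sentence line break that should be rejoined.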
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md index a188d6d0a1..d6212238a6 100644 --- a/windows/plan/TOC.md +++ b/windows/plan/TOC.md @@ -7,9 +7,6 @@ ## [Windows Update for Business](windows-update-for-business.md) ### [Setup and deployment](setup-and-deployment.md) ### [Integration with management solutions](integration-with-management-solutions-.md) -## [Guidance for education environments](windows-10-guidance-for-education-environments.md) -### [Chromebook migration guide](chromebook-migration-guide.md) -### [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Windows To Go: feature overview](windows-to-go-overview.md) ### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) ### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md index 9504345b46..12773fdd7e 100644 --- a/windows/plan/chromebook-migration-guide.md +++ b/windows/plan/chromebook-migration-guide.md @@ -1,6 +1,7 @@ --- title: Chromebook migration guide (Windows 10) description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +redirect_url: https://technet.microsoft.com/edu/windows/chromebook-migration-guide ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA keywords: migrate, automate, device ms.prod: w10 diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md index f1ba01d1a5..dd53f66282 100644 --- a/windows/plan/deploy-windows-10-in-a-school.md +++ b/windows/plan/deploy-windows-10-in-a-school.md 
@@ -1,6 +1,7 @@ --- title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. +redirect_url: https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school keywords: configure, tools, device, school ms.prod: w10 ms.mktglfcycl: plan diff --git a/windows/plan/index.md b/windows/plan/index.md index a82ad27fb5..e57a04c1cb 100644 --- a/windows/plan/index.md +++ b/windows/plan/index.md 
@@ -21,7 +21,6 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi |[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. | |[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. | |[Windows Update for Business](windows-update-for-business.md) |Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. | -|[Guidance for education environments](windows-10-guidance-for-education-environments.md) |Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. | |[Windows To Go: feature overview](windows-to-go-overview.md) |Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. | |[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. | diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md index 599ac55e24..f4ce0e1a32 100644 --- a/windows/plan/windows-10-guidance-for-education-environments.md +++ b/windows/plan/windows-10-guidance-for-education-environments.md 
@@ -1,6 +1,7 @@ --- title: Guidance for education environments (Windows 10) description: Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. +redirect_url: https://technet.microsoft.com/edu/windows/index ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E ms.prod: w10 ms.mktglfcycl: plan From 72b52b9606614eccff417a7b2e1113d875a3b00a Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Wed, 25 May 2016 11:56:28 -0700 Subject: [PATCH 101/169] fixing spacing issues --- .../optimize-applocker-performance.md | 17 +- ...ckaged-app-installer-rules-in-applocker.md | 12 +- windows/keep-secure/passport-event-300.md | 26 +- ...sword-must-meet-complexity-requirements.md | 88 +-- windows/keep-secure/password-policy.md | 65 +-- .../perform-volume-maintenance-tasks.md | 86 +-- .../plan-for-applocker-policy-management.md | 53 +- ...loying-advanced-security-audit-policies.md | 295 +++++----- ...ion-for-bitlocker-planning-and-policies.md | 286 +++++----- windows/keep-secure/profile-single-process.md | 85 +-- .../keep-secure/profile-system-performance.md | 86 +-- ...-the-health-of-windows-10-based-devices.md | 446 +++++++++++---- ...nd-storage-area-networks-with-bitlocker.md | 84 ++- ...le-allow-automatic-administrative-logon.md | 89 +-- ...py-and-access-to-all-drives-and-folders.md | 88 +-- .../refresh-an-applocker-policy.md | 28 +- .../registry-global-object-access-auditing.md | 13 +- .../remove-computer-from-docking-station.md | 87 +-- .../replace-a-process-level-token.md | 92 ++-- ...ements-for-deploying-applocker-policies.md | 22 +- .../requirements-to-use-applocker.md | 225 ++------ .../reset-account-lockout-counter-after.md | 76 ++- .../restore-files-and-directories.md | 97 ++-- ...the-automatically-generate-rules-wizard.md | 21 +- .../keep-secure/script-rules-in-applocker.md | 54 +- ...advanced-security-audit-policy-settings.md | 12 +- .../keep-secure/security-auditing-overview.md | 35 +- .../security-considerations-for-applocker.md | 30 +- windows/keep-secure/security-options.md | 508 ++++-------------- .../security-policy-settings-reference.md | 51 +- .../keep-secure/security-policy-settings.md | 218 ++++++-- windows/keep-secure/security-technologies.md | 55 +- .../select-types-of-rules-to-create.md | 62 +-- windows/keep-secure/shut-down-the-system.md | 100 ++-- ...o-be-shut-down-without-having-to-log-on.md | 89 +-- 
.../shutdown-clear-virtual-memory-pagefile.md | 85 ++- ...e-passwords-using-reversible-encryption.md | 81 ++- .../switch-pcr-banks-on-tpm-2-0-devices.md | 1 + .../synchronize-directory-service-data.md | 85 +-- ...on-for-user-keys-stored-on-the-computer.md | 80 ++- ...thms-for-encryption-hashing-and-signing.md | 137 +++-- ...nsensitivity-for-non-windows-subsystems.md | 84 +-- ...-permissions-of-internal-system-objects.md | 79 ++- .../system-settings-optional-subsystems.md | 81 ++- ...ables-for-software-restriction-policies.md | 82 ++- 45 files changed, 2207 insertions(+), 2269 deletions(-) diff --git a/windows/keep-secure/optimize-applocker-performance.md b/windows/keep-secure/optimize-applocker-performance.md index f8eb1d4d8e..cdd61ef5e2 100644 --- a/windows/keep-secure/optimize-applocker-performance.md +++ b/windows/keep-secure/optimize-applocker-performance.md 
@@ -2,22 +2,31 @@ title: Optimize AppLocker performance (Windows 10) description: This topic for IT professionals describes how to optimize AppLocker policy enforcement. ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Optimize AppLocker performance + **Applies to** - Windows 10 + This topic for IT professionals describes how to optimize AppLocker policy enforcement. + ## Optimization of Group Policy + AppLocker policies can be implemented by organization unit (OU) using Group Policy. If so, your Group Policy infrastructure should be optimized and retested for performance when AppLocker policies are added to existing Group Policy Objects (GPOs) or new GPOs are created, as you do with adding any policies to your GPOs. + For more info, see the [Optimizing Group Policy Performance](http://go.microsoft.com/fwlink/p/?LinkId=163238) article in TechNet Magazine. + ### AppLocker rule limitations -The more rules per GPO, the longer AppLocker requires for evaluation. There is no set limitation on the number of rules per GPO, but the number of rules that can fit into a 100 MB GPO varies based on the complexity of the rule, such as the number of file hashes included in a single file hash condition. + +The more rules per GPO, the longer AppLocker requires for evaluation. There is no set limitation on the number of rules per GPO, but the number of rules that can fit into a 100 MB GPO varies based on the complexity of the rule, such as the number of file hashes included in a single file hash +condition. + ### Using the DLL rule collection + When the DLL rule collection is enabled, AppLocker must check each DLL that an application loads. The more DLLs, the longer AppLocker requires to complete the evaluation. -  -  
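Review bot: the replacement line under "### AppLocker rule limitations" now breaks mid-sentence, ending at "in a single file hash" with "+condition." on a line of its own, which is the opposite of what a commit titled "fixing spacing issues" should leave behind. Markdown still renders it as one paragraph, but every other paragraph in the file stays on a single line and the stray wrap makes later diffs noisier; rejoin the two lines. The front matter also keeps "ms.prod: W10" while other topics in this series use "ms.prod: w10"; if the publishing system treats the value as case-sensitive, normalize it here since the block is already being reordered.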
diff --git a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 64303436c2..db85e986ec 100644 --- a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md 
@@ -2,26 +2,32 @@ title: Packaged apps and packaged app installer rules in AppLocker (Windows 10) description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps. ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Packaged apps and packaged app installer rules in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker rule collection for packaged app installers and packaged apps. + Universal Windows apps can be installed through the Windows Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation. Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It is therefore possible to control an entire app with a single rule. + AppLocker enforces rules for Universal Windows apps separately from Classic Windows applications. A single AppLocker rule for a Universal Windows app can control both the installation and the running of an app. Because all Universal Windows apps are signed, AppLocker supports only publisher rules for Universal Windows apps. 
A publisher rule for a Universal Windows app is based on the following attributes of the app: + - Publisher name - Package name - Package version + In summary, including AppLocker rules for Universal Windows apps in your policy design provides: + - The ability to control the installation and running of the app - The ability to control all the components of the app with a single rule rather than controlling individual binaries within the app - The ability to create application control policies that survive app updates - Management of Universal Windows apps through Group Policy. -  -  diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index dfcc826405..1d055b34c7 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md 
@@ -2,18 +2,22 @@ title: Event ID 300 - Passport successfully created (Windows 10) description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 -ms.pagetype: security keywords: ["ngc"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: jdeckerMS --- + # Event ID 300 - Passport successfully created + **Applies to** - Windows 10 - Windows 10 Mobile + This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. + ## Event details | | | |--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -21,16 +25,18 @@ This event is created when a Microsoft Passport for Enterprise is successfully c | **ID:** | 300 | | **Source:** | Microsoft Azure Device Registration Service | | **Version:** | 10 | -| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | +| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. +Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |   ## Resolve + This is a normal condition. No further action is required. + ## Related topics -[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) -[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) -[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) -[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -  -  + +- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +- [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) +- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +- [Microsoft Passport and password 
changes](microsoft-passport-and-password-changes.md) +- [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) diff --git a/windows/keep-secure/password-must-meet-complexity-requirements.md b/windows/keep-secure/password-must-meet-complexity-requirements.md index fba24e4fb4..c8b513828e 100644 --- a/windows/keep-secure/password-must-meet-complexity-requirements.md +++ b/windows/keep-secure/password-must-meet-complexity-requirements.md 
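Review bot: in the @@ -21,16 +25,18 @@ hunk of passport-event-300.md, the new "| **Message:** |" row is split across two lines, with "+Server response:" starting a new line before the closing pipe. A pipe-table row has to stay on one line, so the continuation is parsed as a separate row or as text outside the table rather than as part of the Message cell, and the Event details table no longer shows the full message. Keep the Message row on a single line as it was before the change. The conversion of "Related topics" from bare links to a bulleted list in the same hunk reads fine.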
@@ -2,94 +2,98 @@ title: Password must meet complexity requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting. ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Password must meet complexity requirements + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting. + ## Reference + The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Enabling this policy setting requires passwords to meet the following requirements: + 1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive. + The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. + 2. 
The password contains characters from three of the following categories: + - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) - Base 10 digits (0 through 9) - Non-alphanumeric characters (special characters) (for example, !, $, \#, %) - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. + Complexity requirements are enforced when passwords are changed or created. + The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they cannot be directly modified. + Enabling the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users might not be used to having passwords that contain characters other than those found in the alphabet. However, this policy setting is liberal enough that all users should be able to abide by the requirements with a minor learning curve. + Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. Upper-row characters are those that are typed by holding down the SHIFT key and typing any of the digits from 1 through 10. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible. + The use of ALT key character combinations can greatly enhance the complexity of a password. 
However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an extremely busy Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of this range can represent standard alphanumeric characters that do not add additional complexity to the password.) + Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy Object (GPO)Default value

      Default domain policy

      Enabled

      Default domain controller policy

      Enabled

      Stand-alone server default settings

      Disabled

      Domain controller effective default settings

      Enabled

      Member server effective default settings

      Enabled

      Effective GPO default settings on client computers

      Disabled

      + +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Enabled| +| Default domain controller policy| Enabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings | Enabled| +| Member server effective default settings | Enabled| +| Effective GPO default settings on client computers | Disabled|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools. + ### Countermeasure + Configure the **Passwords must meet complexity requirements** policy setting to Enabled and advise users to use a variety of characters in their passwords. + When combined with a [Minimum password length](minimum-password-length.md) of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it is difficult (but not impossible) for a brute force attack to succeed. (If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases.) + ### Potential impact + If the default password complexity configuration is retained, additional Help Desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to comply with the complexity requirement with minimal difficulty. 
+ If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those that require you to press and hold the SHIFT key and then press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments. + The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.) + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/password-policy.md b/windows/keep-secure/password-policy.md index 4d1c366110..fd3d56e268 100644 --- a/windows/keep-secure/password-policy.md +++ b/windows/keep-secure/password-policy.md 
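Review bot: in the password-must-meet-complexity-requirements.md hunk, the Reference text kept as context defines upper-row characters as typed with SHIFT and "any of the digits from 1 through 10", while the Potential impact paragraph in the same topic says "any of the digits between 1 and 0". The two definitions should agree, and since there is no 10 key the Reference wording is the one to change. The same Reference sentence ("Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters") is also worth rewording while this topic is being reformatted, because the Potential impact paragraph states the same idea more clearly.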
@@ -2,66 +2,51 @@ title: Password Policy (Windows 10) description: An overview of password policies for Windows and links to information for each policy setting. ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Password Policy + **Applies to** - Windows 10 + An overview of password policies for Windows and links to information for each policy setting. + In many operating systems, the most common method to authenticate a user's identity is to use a secret passphrase or password. A secure network environment requires all users to use strong passwords, which have at least eight characters and include a combination of letters, numbers, and symbols. These passwords help prevent the compromise of user accounts and administrative accounts by unauthorized users who use manual methods or automated tools to guess weak passwords. Strong passwords that are changed regularly reduce the likelihood of a successful password attack. + Introduced in Windows Server 2008 R2 and Windows Server 2008, Windows supports fine-grained password policies. This feature provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. + To apply a fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups. 
+ Fine-grained password policies include attributes for all the settings that can be defined in the default domain policy (except Kerberos settings) in addition to account lockout settings. When you specify a fine-grained password policy, you must specify all of these settings. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain must be running at least Windows Server 2008 R2 or Windows Server 2008 to use fine-grained password policies. Fine-grained password policies cannot be applied to an organizational unit (OU) directly. + You can enforce the use of strong passwords through an appropriate password policy. There are password policy settings that control the complexity and lifetime of passwords, such as the **Passwords must meet complexity requirements** policy setting. + You can configure the password policy settings in the following location by using the Group Policy Management Console: + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + If individual groups require distinct password policies, these groups should be separated into another domain or forest, based on additional requirements. + The following topics provide a discussion of password policy implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible vulnerabilities of each setting), countermeasures that you can take, and the potential impact for each setting. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [Enforce password history](enforce-password-history.md)

      Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting.

      [Maximum password age](maximum-password-age.md)

      Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting.

      [Minimum password age](minimum-password-age.md)

      Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.

      [Minimum password length](minimum-password-length.md)

      Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.

      [Password must meet complexity requirements](password-must-meet-complexity-requirements.md)

      Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting.

      [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md)

      Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting.

      + +| Topic | Description | +| - | - | +| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.| +| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.| +| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.| +| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.| +| [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) | Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.| +| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.|   ## Related topics -[Configure security policy settings](how-to-configure-security-policy-settings.md) + +- [Configure security policy settings](how-to-configure-security-policy-settings.md)     diff --git a/windows/keep-secure/perform-volume-maintenance-tasks.md b/windows/keep-secure/perform-volume-maintenance-tasks.md index 8080674711..4a7f305290 100644 --- a/windows/keep-secure/perform-volume-maintenance-tasks.md +++ b/windows/keep-secure/perform-volume-maintenance-tasks.md 
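Review bot: in the password-policy.md hunk, the added table row bolds the setting as **Password must meet complexity requirements**, but the body of the same topic names it **Passwords must meet complexity requirements**; pick one spelling and use it in both places. The context sentence "If individual groups require distinct password policies, these groups should be separated into another domain or forest" also reads as contradicting the fine-grained password policy paragraphs above it, which describe different password and lockout policies for different sets of users within one domain, so it should be qualified or removed in this pass.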
@@ -2,89 +2,91 @@ title: Perform volume maintenance tasks (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Perform volume maintenance tasks security policy setting. ms.assetid: b6990813-3898-43e2-8221-c9c06d893244 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Perform volume maintenance tasks + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Perform volume maintenance tasks** security policy setting. + ## Reference + This policy setting determines which users can perform volume or disk management tasks, such as defragmenting an existing volume, creating or removing volumes, and running the Disk Cleanup tool. + Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + Constant: SeManageVolumePrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Ensure that only the local Administrators group is assigned the **Perform volume maintenance tasks** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      Stand-Alone Server Default Settings

      Administrators

      DC Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| DC Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A user who is assigned the **Perform volume maintenance tasks** user right could delete a volume, which could result in the loss of data or a denial-of- service condition. Also, disk maintenance tasks can be used to modify data on the disk, such as user rights assignments that might lead to escalation of privileges. + ### Countermeasure + Ensure that only the local Administrators group is assigned the **Perform volume maintenance tasks** user right. + ### Potential impact + None. Restricting the **Perform volume maintenance tasks** user right to the local Administrators group is the default configuration. 
+ ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/plan-for-applocker-policy-management.md b/windows/keep-secure/plan-for-applocker-policy-management.md index d7b423cdb3..0fa131561e 100644 --- a/windows/keep-secure/plan-for-applocker-policy-management.md +++ b/windows/keep-secure/plan-for-applocker-policy-management.md 
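Review bot: in the perform-volume-maintenance-tasks.md hunk, the Location path ("Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment") is left as plain text, while the password policy topics reformatted in this same patch bold the path; bold it here so the topics match. The context text also still carries "extend files in to memory" in the Reference section and "denial-of- service" in the Vulnerability section, both of which could be corrected while the file is open.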
@@ -2,71 +2,112 @@ title: Plan for AppLocker policy management (Windows 10) description: This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Plan for AppLocker policy management + **Applies to** - Windows 10 + This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. + ## Policy management + Before you begin the deployment process, consider how the AppLocker rules will be managed. Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization. + ### Application and user support policy + Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization. Considerations include: + - What type of end-user support is provided for blocked applications? - How are new rules added to the policy? - How are existing rules updated? - Are events forwarded for review? + **Help desk support** + If your organization has an established help desk support department in place, consider the following when deploying AppLocker policies: + - What documentation does your support department require for new policy deployments? - What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload? - Who are the contacts in the support department? - How will the support department resolve application control issues between the end user and those who maintain the AppLocker rules? 
+ **End-user support** + Because AppLocker is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include: + - Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app? - How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app? + **Using an intranet site** + AppLocker can be configured to display the default message but with a custom URL. You can use this URL to redirect users to a support site that contains information about why the user received the error and which applications are allowed. If you do not display a custom URL for the message when an app is blocked, the default URL is used. + The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link. + ![applocker blocked application error message](images/blockedappmsg.gif) + For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md). + **AppLocker event management** -Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. The event details which file tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The AppLocker event log is located in the following path: **Applications and Services Logs\\Microsoft\\Windows\\AppLocker**. The AppLocker log includes three logs: + +Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. 
The event details which file tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The +AppLocker event log is located in the following path: **Applications and Services Logs\\Microsoft\\Windows\\AppLocker**. The AppLocker log includes three logs: + 1. **EXE and DLL**. Contains events for all files affected by the executable and DLL rule collections (.exe, .com, .dll, and .ocx). 2. **MSI and Script**. Contains events for all files affected by the Windows Installer and script rule collections (.msi, .msp, .ps1, .bat, .cmd, .vbs, and .js). 3. **Packaged app-Deployment** or **Packaged app-Execution**, contains events for all Universal Windows apps affected by the packaged app and packed app installer rule collection (.appx). + Collecting these events in a central location can help you maintain your AppLocker policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](http://go.microsoft.com/fwlink/p/?LinkId=145012). + ### Policy maintenance + As new apps are deployed or existing apps are updated by the software publisher, you will need to make revisions to your rule collections to ensure that the policy is current. + You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). 
An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](http://go.microsoft.com/fwlink/p/?LinkId=145013) (http://go.microsoft.com/fwlink/p/?LinkId=145013). -**Caution**   -You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. + +>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.   **New version of a supported app** + When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you are using publisher conditions and the version is not specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app has not altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied. + To determine whether a file has been modified during an app update, review the publisher's release details provided with the update package. You can also review the publisher's web page to retrieve this information. 
Each file can also be inspected to determine the version. + For files that are allowed or denied with file hash conditions, you must retrieve the new file hash. To add support for a new version and maintain support for the older version, you can either create a new file hash rule for the new version or edit the existing rule and add the new file hash to the list of conditions. + For files with path conditions, you should verify that the installation path has not changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app + **Recently deployed app** + To support a new app, you must add one or more rules to the existing AppLocker policy. + **App is no longer supported** + If your organization has determined that it will no longer support an application that has AppLocker rules associated with it, the easiest way to prevent users from running the app is to delete these rules. + **App is blocked but should be allowed** + A file could be blocked for three reasons: + - The most common reason is that no rule exists to allow the app to run. - There may be an existing rule that was created for the file that is too restrictive. - A deny rule, which cannot be overridden, is explicitly blocking the file. + Before editing the rule collection, first determine what rule is preventing the file from running. You can troubleshoot the problem by using the **Test-AppLockerPolicy** Windows PowerShell cmdlet. For more info about troubleshooting an AppLocker policy, see [Testing and Updating an AppLocker Policy](http://go.microsoft.com/fwlink/p/?LinkId=160269) (http://go.microsoft.com/fwlink/p/?LinkId=160269). + ## Next steps + After deciding how your organization will manage your AppLocker policy, record your findings. 
+ - **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the AppLocker policy, if necessary. - **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis. - **Policy maintenance.** Detail how rules will be added to the policy and in which GPO the rules are defined. + For information and steps how to document your processes, see [Document your application control management processes](document-your-application-control-management-processes.md). -  -  diff --git a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md index 8a2a90eb1f..c9a1917ba3 100644 --- a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md 
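Review bot: in the plan-for-applocker-policy-management.md hunk, the front-matter description and the opening sentence still read "This topic for describes the decisions", and the event log list says "packed app installer rule collection"; fix both while the topic is being reformatted. The sentence "Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization" appears twice, under Policy management and again under Application and user support policy, so one copy can go. The added event-management paragraph is also hard-wrapped in mid-sentence ("The" / "AppLocker event log is located"), unlike the other paragraphs in the file, and the sentence ending "before installing the new version of the app" is missing its period.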
@@ -2,290 +2,283 @@ title: Planning and deploying advanced security audit policies (Windows 10) description: This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Planning and deploying advanced security audit policies + **Applies to** - Windows 10 -This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. + +This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit +policies. + Organizations invest a large portion of their information technology budgets on security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. + To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also provide absolute proof that IT operations comply with corporate and regulatory requirements. 
+ Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you do not plan well, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an organization as vulnerable as not enough monitoring. + Here are some features that can help you focus your effort: + - **Advanced audit policy settings**. You can apply and manage detailed audit policy settings through Group Policy. - **"Reason for access" auditing**. You can specify and identify the permissions that were used to generate a particular object access security event. - **Global object access auditing**. You can define system access control lists (SACLs) for an entire computer file system or registry. + To deploy these features and plan an effective security auditing strategy, you need to: + - Identify your most critical resources and the most important activities that need to be tracked. - Identify the audit settings that can be used to track these activities. - Assess the advantages and potential costs associated with each. - Test these settings to validate your choices. - Develop plans for deploying and managing your audit policy. + ## About this guide + This document will guide you through the steps needed to plan a security auditing policy that uses Windows auditing features. 
This policy must identify and address vital business needs, including: + - Network reliability - Regulatory requirements - Protection of the organization's data and intellectual property - Users, including employees, contractors, partners, and customers - Client computers and applications - Servers and the applications and services running on those servers + The audit policy also must identify processes for managing audit data after it has been logged, including: + - Collecting, evaluating, and reviewing audit data - Storing and (if required) disposing of audit data + By carefully planning, designing, testing, and deploying a solution based on your organization's business requirements, you can provide the standardized functionality, security, and management control that your organization needs. + ## Understanding the security audit policy design process + The process of designing and deploying a Windows security audit policy involves the following tasks, which are described in greater detail throughout this document: + - [Identifying your Windows security audit policy deployment goals](#bkmk-1) + This section helps define the business objectives that will guide your Windows security audit policy. It also helps you define the resources, users, and computers that will be the focus of your security auditing. + - [Mapping the security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) + This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. In addition, if your network includes multiple versions of Windows client and server operating systems, it also explains when to use basic audit policy settings and when to use advanced security audit policy settings. 
+ - [Mapping your security auditing goals to a security audit policy configuration](#bkmk-3) + This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings that can be of particular value to address auditing scenarios. + - [Planning for security audit monitoring and management](#bkmk-4) + This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you want to audit, Windows event logs can fill up quickly. In addition, this section explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also explains how to address storage requirements, including how much audit data to store and how it must be stored. + - [Deploying the security audit policy](#bkmk-5) + This section provides recommendations and guidelines for the effective deployment of a Windows security audit policy. Configuring and deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you have selected will produce the type of audit data you need. However, only a carefully staged pilot and incremental deployments based on your domain and organizational unit (OU) structure will enable you to confirm that the audit data you generate can be monitored and that it meets your organization's audit needs. + ## Identifying your Windows security audit policy deployment goals + A security audit policy must support and be a critical and integrated aspect of an organization's overall security design and framework. 
+ Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which assets, resources, and users provide the strongest justification for the focus of a security audit. + To create your Windows security audit plan, begin by identifying: + - The overall network environment, including the domains, OUs, and security groups. - The resources on the network, the users of those resources, and how those resources are being used. - Regulatory requirements. + ### Network environment + An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain portions of your domain and OU structure already provide logical groups of users, resources, and activities that justify the time and resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) later in this document. + In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats. 
-**Important**   -Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results. + +>**Important:**  Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results.   For additional details about how to complete each of these steps and how to prepare a detailed threat model, download the [IT Infrastructure Threat Modeling Guide](http://go.microsoft.com/fwlink/p/?LinkId=163432). + ### Data and resources + For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of these data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance the existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you will be able to manage. + You can record if these resources have high business impact, medium business impact, or low business impact, the cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different levels of risk to an organization. + Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information. 
+ The following table provides an example of a resource analysis for an organization. - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Resource classWhere storedOrganizational unitBusiness impactSecurity or regulatory requirements

      Payroll data

      Corp-Finance-1

      Accounting: Read/Write on Corp-Finance-1

      -

      Departmental Payroll Managers: Write only on Corp-Finance-1

      High

      Financial integrity and employee privacy

      Patient medical records

      MedRec-2

      Doctors and Nurses: Read/Write on Med/Rec-2

      -

      Lab Assistants: Write only on MedRec-2

      -

      Accounting: Read only on MedRec-2

      High

      Strict legal and regulatory standards

      Consumer health information

      Web-Ext-1

      Public Relations Web Content Creators: Read/Write on Web-Ext-1

      -

      Public: Read only on Web-Ext-1

      Low

      Public education and corporate image

      + +| Resource class | Where stored | Organizational unit | Business impact | Security or regulatory requirements | +| - | - | - | - | - | +| Payroll data| Corp-Finance-1| Accounting: Read/Write on Corp-Finance-1
      Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| +| Patient medical records| MedRec-2| Doctors and Nurses: Read/Write on Med/Rec-2
      Lab Assistants: Write only on MedRec-2
      Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards| +| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/Write on Web-Ext-1
      Public: Read only on Web-Ext-1| Low| Public education and corporate image|   ### Users + Many organizations find it useful to classify the types of users they have and base permissions on this classification. This same classification can help you identify which user activities should be the subject of security auditing and the amount of audit data they will generate. + Organizations can create distinctions based on the type of rights and permissions needed by users to perform their jobs. For example, under the classification Administrators, larger organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under Users, permissions and Group Policy settings can apply to as many as all users in an organization or as few as a subset of the employees in a given department. + Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you are complying with these requirements. + To effectively audit user activity, begin by listing the different types of users in your organization and the types of data they need access to—in addition to the data they should not have access to. + Also, if external users can access any of your organization's data, be sure to identify them, including if they belong to a business partner, customer, or general user, the data they have access to, and the permissions they have to access that data. + The following table illustrates an analysis of users on a network. Although our example contains a single column titled "Possible auditing considerations," you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
      GroupsDataPossible auditing considerations

      Account administrators

      User accounts and security groups

      Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes.

      Members of the Finance OU

      Financial records

      Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements.

      External partners

      Project Z

      Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.

      + +| Groups | Data | Possible auditing considerations | +| - | - | - | +| Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. | +| Members of the Finance OU| Financial records| Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. | +| External partners | Project Z| Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.|   ### Computers + Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on: + - If the computers are servers, desktop computers, or portable computers. - The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager. - **Note**   - If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](http://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](http://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](http://technet.microsoft.com/library/cc280386.aspx). + + >**Note:**  If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](http://go.microsoft.com/fwlink/p/?linkid=128052). 
For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](http://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](http://technet.microsoft.com/library/cc280386.aspx).   - The operating system versions. - **Note**   - The operating system version determines which auditing options are available and the volume of audit event data. + + >**Note:**  The operating system version determines which auditing options are available and the volume of audit event data.   - The business value of the data. + For example, a web server that is accessed by external users requires different audit settings than a root certification authority (CA) that is never exposed to the public Internet or even to regular users on the organization's network. + The following table illustrates an analysis of computers in an organization. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Type of computer and applicationsOperating system versionWhere located

      Servers hosting Exchange Server

      Windows Server 2008 R2

      ExchangeSrv OU

      File servers

      Windows Server 2012

      Separate resource OUs by department and (in some cases) by location

      Portable computers

      Windows Vista and Windows 7

      Separate portable computer OUs by department and (in some cases) by location

      Web servers

      Windows Server 2008 R2

      WebSrv OU

      + +| Type of computer and applications | Operating system version | Where located | +| - | - | - | +| Servers hosting Exchange Server| Windows Server 2008 R2| ExchangeSrv OU| +| File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location| +| Portable computers | Windows Vista and Windows 7| Separate portable computer OUs by department and (in some cases) by location| +| Web servers | Windows Server 2008 R2 | WebSrv OU|   ### Regulatory requirements + Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations. + For more info, see the [System Center Process Pack for IT GRC](http://technet.microsoft.com/library/dd206732.aspx). + ## Mapping the security audit policy to groups of users, computers, and resources in your organization -By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings: + +By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. 
To map a security auditing policy to these defined groups in your organization, you should understand the +following considerations for using Group Policy to apply security audit policy settings: + - The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. - For every policy setting that you select, you need to decide whether it should be enforced across the organization, or whether it should apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers. - By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that is linked at a lower level can overwrite inherited policies. + For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). + - Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to computer OUs, not to user OUs. However, in most cases you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. 
This enables auditing for a security group that contains only the users you specify. + For example, you could configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + - Advanced security audit policy settings were introduced in Windows Server 2008 R2 or Windows 7 and can be applied to those operating systems and later. These advanced audit polices can only be applied by using Group Policy. - **Important**   - Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. + + >**Important:**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. + If you use **Advanced Audit Policy Configuration** settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   
+ The following are examples of how audit policies can be applied to an organization's OU structure: + - Apply data activity settings to an OU that contains file servers. If your organization has servers that contain particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more precise audit policy to these servers. - Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs based on the department they work in, consider configuring and applying more detailed security permissions on critical resources that are accessed by employees who work in more sensitive areas, such as network administrators or the legal department. - Apply network and system activity audit policies to OUs that contain the organization's most critical servers, such as domain controllers, CAs, email servers, or database servers. + ## Mapping your security auditing goals to a security audit policy configuration + After you identify your security auditing goals, you can begin to map them to a security audit policy configuration. This audit policy configuration must address your most critical security auditing goals, but it also must address your organization's constraints, such as the number of computers that need to be monitored, the number of activities that you want to audit, the number of audit events that your desired audit configuration will generate, and the number of administrators available to analyze and act upon audit data. + To create your audit policy configuration, you need to: + 1. Explore all of the audit policy settings that can be used to address your needs. 2. Choose the audit settings that will most effectively address the audit requirements identified in the previous section. 3. Confirm that the settings you choose are compatible with the operating systems running on the computers that you want to monitor. 4. 
Decide which configuration options (Success, Failure, or both Success and Failure) you want to use for the audit settings. 5. Deploy the audit settings in a lab or test environment to verify that they meet your desired results in terms of volume, supportability, and comprehensiveness. Then deploy the audit settings in a pilot production environment to ensure that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data. + ### Exploring audit policy options + Security audit policy settings in the supported versions of Windows can be viewed and configured in the following locations: + - **Security Settings\\Local Policies\\Audit Policy**. - **Security Settings\\Local Policies\\Security Options**. - **Security Settings\\Advanced Audit Policy Configuration**. For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). + ### Choosing audit settings to use + Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under **Security Settings\\Advanced Audit Policy Configuration** can be used to monitor the following types of activity: + - Data and resources - Users - Network -**Important**   -Settings that are described in the Reference might also provide valuable information about activity audited by another setting. For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network. + +>**Important:**  Settings that are described in the Reference might also provide valuable information about activity audited by another setting. 
For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network.   ### Data and resource activity -For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be protected against any breach, the following settings can provide extremely valuable monitoring and forensic data: + +For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be +protected against any breach, the following settings can provide extremely valuable monitoring and forensic data: + - Object Access\\[Audit File Share](audit-file-share.md). This policy setting allows you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated by this setting will vary depending on the number of client computers that attempt to access the file share. On a file server or domain controller, volume may be high due to SYSVOL access by client computers for policy processing. If you do not need to record routine access by client computers that have permissions on the file share, you may want to log audit events only for failed attempts to access the file share. - Object Access\\[Audit File System](audit-file-system.md). This policy setting determines whether the operating system audits user attempts to access file system objects. 
Audit events are only generated for objects (such as files and folders) that have configured SACLs, and only if the type of access requested (such as Write, Read, or Modify) and the account that is making the request match the settings in the SACL. + If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that have been configured to be monitored. - **Note**   - To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md). + + >**Note:**  To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).   - Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL. + Event volume can be high, depending on how SACLs are configured. 
When used together with the **Audit File System** or **Audit Registry** policy settings, the **Audit Handle Manipulation** policy setting can provide an administrator with useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a Read-only resource but a user attempts to save changes to the file, the audit event will log not only the event, but also the permissions that were used (or attempted to be used) to save the file changes. + - **Global Object Access Auditing**. A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented. - **Important**   - The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. + >**Important:**  The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.   ### User activity + The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network, and the settings in this section focus on the users, including employees, partners, and customers, who may try to access those resources. 
+ In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate activities. The following are a few important settings that you should evaluate to track user activity on your network: + - Account Logon\\[Audit Credential Validation](audit-credential-validation.md). This is an extremely important policy setting because it enables you to track every successful and unsuccessful attempt to present credentials for a user logon. In particular, a pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid, or attempting to use a variety of credentials in succession in hope that one of these attempts will eventually be successful. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md). These policy settings can enable you to monitor the applications that a user opens and closes on a computer. - DS Access\\[Audit Directory Service Access](audit-directory-service-access.md) and DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md). These policy settings provide a detailed audit trail of attempts to access create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). 
Only domain administrators have permissions to modify AD DS objects, so it is extremely important to identify malicious attempts to modify these objects. In addition, although domain administrators should be among an organization's most trusted employees, the use of **Audit Directory Service Access** and **Audit Directory Service Changes** settings allow you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. - Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md). Another common security scenario occurs when a user attempts to log on with an account that has been locked out. It is important to identify these events and to determine whether the attempt to use an account that has been locked out is malicious. - Logon/Logoff\\[Audit Logoff](audit-logoff.md) and Logon/Logoff\\[Audit Logon](audit-logon.md). Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated. - **Note**   - There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated. + + >**Note:**  There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. 
For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated.   - Logon/Logoff\\[Audit Special Logon](audit-special-logon.md). A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It is recommended to track these types of logons. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base. - Object Access\\[Audit Certification Services](audit-certification-services.md). This policy setting allows you to track and monitor a wide variety of activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users are performing or attempting to perform these tasks, and that only authorized or desired tasks are being performed. - Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md). These policy settings are described in the previous section. - Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting and its role in providing "reason for access" audit data is described in the previous section. - Object Access\\[Audit Registry](audit-registry.md). Monitoring for changes to the registry is one of the most critical means that an administrator has to ensure malicious users do not make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs, and only if the type of access that is requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. 
- **Important**   - On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked. + + >**Important:**  On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked.   - Object Access\\[Audit SAM](audit-sam.md). The Security Accounts Manager (SAM) is a database that is present on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events. - Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md). **Privilege Use** policy settings and audit events allow you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made. + ### Network activity + The following network activity policy settings allow you to monitor security-related issues that are not necessarily covered in the data or user activity categories, but that can be equally important for network status and protection. + - **Account Management**. The policy settings in this category can be used to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. 
Monitoring these activities complements the monitoring strategies you select in the user activity and data activity sections. - Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md). Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting allows you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting allows you to monitor the use of Kerberos service tickets. - **Note**   - **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed. + + >**Note:**  **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed.   - Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md). This policy setting can be used to track a number of different network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections. - **DS Access**. Policy settings in this category allow you to monitor the AD DS role services, which provide account data, validate logons, maintain network access permissions, and provide other services that are critical to the secure and proper functioning of a network. 
Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. In addition, one of the key tasks performed by AD DS is the replication of data between domain controllers. 
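Review bot: The converted `>**Note:**` and `>**Important:**` callouts in this hunk are each still followed by the old whitespace-only line (a lone non-breaking space) that used to close the two-line note, for example right after "a logoff event is not generated." and after the **Audit Registry** callout. The same patch deletes the two trailing lines of that kind at the end of this file, so drop these as well and leave a plain blank line between each callout and the list item that follows. While the paragraph is open, "The Audit **Kerberos Service Ticket Operations** policy setting" has "Audit" outside the bold span, unlike "**Audit Kerberos Authentication Service**" one sentence earlier.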
@@ -295,41 +288,65 @@ The following network activity policy settings allow you to monitor security-rel - Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md). This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network cannot be detected. - Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md). This policy setting can be used to monitor a large variety of changes to an organization's IPsec policies. - Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md). This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. + ### Confirm operating system version compatibility + Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and manage these settings. For more info, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md). + The audit policy settings under **Local Policies\\Audit Policy** overlap with audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the amount of audit data that is less important to your organization. 
+ For example, **Local Policies\\Audit Policy** contains a single setting called [Audit account logon events](http://technet.microsoft.com/library/cc787176.aspx). When this setting is configured, it generates at least 10 types of audit events. + In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing: + - Credential Validation - Kerberos Authentication Service - Kerberos Service Ticket Operations - Other Account Logon Events + These settings allow you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible. + ### Success, failure, or both + Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the answer will be based on the criticality of the event and the implications of the decision on event volume. + For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an event only when an unsuccessful attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. And in this instance, logging successful attempts to access the server would quickly fill the event log with benign events. + On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every user who accessed the resource. 
+ ## Planning for security audit monitoring and management + Networks can contain hundreds of servers running critical services or storing critical data, all of which need to be monitored. The number of client computers on the network can easily range into the tens or even hundreds of thousands. This may not be an issue if the ratio of servers or client computers per administrator is low. Even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how an administrator will obtain event data to review. Following are some options for obtaining the event data. + - Will you keep event data on a local computer until an administrator logs on to review this data? If so, then the administrator needs to have physical or remote access to the Event Viewer on each client computer or server, and the remote access and firewall settings on each client computer or server need to be configured to enable this access. In addition, you need to decide how often an administrator can visit each computer, and adjust the size of the audit log so that critical information is not deleted if the log reaches its maximum capacity. - Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Operations Manager 2007 and 2012, which can be used to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this can make it more difficult to detect clusters of related events that can occur on a single computer. + In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what should happen when the log reaches its maximum size. 
To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and click **Properties**. You can configure the following properties: + - **Overwrite events as needed (oldest events first)**. This is the default option, which is an acceptable solution in most situations. - **Archive the log when full, do not overwrite events**. This option can be used when all log data needs to be saved, but it also suggests that you may not be reviewing audit data frequently enough. - **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you do not want to lose any audit data, do not want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. -You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include: + +You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer +Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include: + - **Maximum Log Size (KB)**. This policy setting specifies the maximum size of the log files. The user interfaces in the Local Group Policy Editor and Event Viewer allow you to enter values as large as 2 TB. If this setting is not configured, event logs have a default maximum size of 20 megabytes. + - **Log Access**. This policy setting determines which user accounts have access to log files and what usage rights are granted. 
- **Retain old events**. This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events. - **Backup log automatically when full**. This policy setting controls event log behavior when the log file reaches its maximum size and takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it is full. A new file is then started. If you disable or do not configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded and the old events are retained. + In addition, a growing number of organizations are being required to store archived log files for a number of years. You should consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](http://go.microsoft.com/fwlink/p/?LinkId=163435). + ## Deploying the security audit policy + Before deploying the audit policy in a production environment, it is critical that you determine the effects of the policy settings that you have configured. The first step in assessing your audit policy deployment is to create a test environment in a lab and use it to simulate the various use scenarios that you have identified to confirm that the audit settings you have selected are configured correctly and generate the type of results you intend. 
+ However, unless you are able to run fairly realistic simulations of network usage patterns, a lab setup cannot provide you with accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve: + - A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location. - A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**. - A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings. + After you have successfully completed one or more limited deployments, you should confirm that the audit data that is collected is manageable with your management tools and administrators. When you have confirmed that the pilot deployment is effective, you need to confirm that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until the production deployment is complete. -  -  diff --git a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md index 56db3e6526..3c5e402383 100644 --- a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md 
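Review bot: In the last hunk of the preceding file (`@@ -295,41 +288,65 @@`), the rewrapped Group Policy sentence splits the bold path across two added lines: `**Computer` ends one line and `Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**` starts the next. Nothing else in that sentence changed, so keep it on one line as it was (or break before `**Computer Configuration`) so the emphasis span and the path stay intact. The rest of the hunk only adds blank lines around headings and lists and looks fine.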
@@ -2,17 +2,22 @@ title: Prepare your organization for BitLocker Planning and policies (Windows 10) description: This topic for the IT professional explains how can you plan your BitLocker deployment. ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Prepare your organization for BitLocker: Planning and policies + **Applies to** - Windows 10 + This topic for the IT professional explains how can you plan your BitLocker deployment. + When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. + - [Audit your environment](#bkmk-audit) - [Encryption keys and authentication](#bkk-encrypt) - [TPM hardware configurations](#bkmk-tpmconfigurations) 
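Review bot: The `description:` value and the intro sentence both still read "explains how can you plan your BitLocker deployment". This hunk already edits the front matter (moving `ms.pagetype: security` below `ms.sitesec: library`), so correct the word order to "explains how you can plan" in both places in the same change; the description string is what ends up in page metadata. The added blank lines around the H1, **Applies to**, and the topic list are fine.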
@@ -23,244 +28,203 @@ When you design your BitLocker deployment strategy, define the appropriate polic - [Active Directory Domain Services considerations](#bkmk-addscons) - [FIPS support for recovery password protector](#bkmk-fipssupport) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) + ## Audit your environment + To plan your enterprise deployment of BitLocker, you must first understand your current environment. Conduct an informal audit to define your current policies, procedures, and hardware environment. Begin by reviewing your existing corporate security policies as they relate to disk encryption software. If your organization is not currently using disk encryption software, none of these policies will exist. If you are using disk encryption software, then you might need to modify your organization's policies to address the capabilities of BitLocker. + Use the following questions to help you document your organization's current disk encryption security policies: + 1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker? 2. What policies exist to control recovery password and recovery key storage? 3. What are the policies for validating the identity of users that need to perform BitLocker recovery? 4. What policies exist to control who in the organization has access to recovery data? 5. What policies exist to control computer decommissioning or retirement? + ## Encryption keys and authentication + BitLocker helps prevent unauthorized access to data on lost or stolen computers by: + - Encrypting the entire Windows operating system volume on the hard disk. - Verifying the boot process integrity. + The trusted platform module (TPM)is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. 
+ In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. + On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. + **BitLocker key protectors** - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Key protectorDescription

      TPM

      A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.

      PIN

      A user-entered numeric key protector that can only be used in addition to the TPM.

      Enhanced PIN

      A user-entered alphanumeric key protector that can only be used in addition to the TPM.

      Startup key

      An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.

      Recovery password

      A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.

      Recovery key

      An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.

      + +| Key protector | Description | +| - | - | +| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.| +| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| +| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| +| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| +| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.| +| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|   **BitLocker authentication methods** - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Authentication methodRequires user interactionDescription

      TPM only

      No

      TPM validates early boot components.

      TPM + PIN

      Yes

      TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.

      TPM + Network key

      No

      The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication.

      TPM + startup key

      Yes

      The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.

      Startup key only

      Yes

      The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.

      + +| Authentication method | Requires user interaction | Description | +| - | - | - | +| TPM only| No| TPM validates early boot components.| +| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| +| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | +| TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| +| Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.|   **Will you support computers without TPM version 1.2 or higher?** + Determine whether you will support computers that do not have a TPM version 1.2 or higher in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication. + **What areas of your organization need a baseline level of data protection?** + The TPM-only authentication method will provide the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. + However, TPM-only authentication method offers the lowest level of data protection. 
This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection. + **What areas of your organization need a more secure level of data protection?** + If there are areas of your organization where data residing on user computers is considered highly-sensitive, consider the best practice of deploying BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. + **What multifactor authentication method does your organization prefer?** + The protection differences provided by multifactor authentication methods cannot be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and automated systems management processes. + ## TPM hardware configurations + In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. + ### TPM states of existence + For each of the TPM states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      StateDescription

      Enabled

      Most features of the TPM are available.

      -

      The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.

      Disabled

      The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization.

      -

      The TPM may be enabled and disabled multiple times within a boot period.

      Activated

      Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence which requires a reboot.

      Deactivated

      Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence which requires a reboot.

      Owned

      Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.

      Un-owned

      The TPM does not have a storage root key and may or may not have an endorsement key.

      + +| State | Description | +| - | - | +| Enabled| Most features of the TPM are available.
      The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.| +| Disabled | The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization.
      The TPM may be enabled and disabled multiple times within a boot period.| +| Activated| Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence which requires a reboot.| +| Deactivated| Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence which requires a reboot.| +| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.| +| Un-owned| The TPM does not have a storage root key and may or may not have an endorsement key.|   -**Important**   -BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. When the TPM is in this state and only when it is in this state, all operations are available. +>**Important:**  BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. When the TPM is in this state and only when it is in this state, all operations are available.   The state of the TPM exists independent of the computer’s operating system. Once the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled. + ### Endorsement keys + For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup. + An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken. 
+ For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (). + ## Non-TPM hardware configurations + Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key. + Use the following questions to identify issues that might affect your deployment in a non-TPM configuration: + - Are password complexity rules in place? - Do you have budget for USB flash drives for each of these computers? - Do your existing non-TPM devices support USB devices at boot time? + Test your individual hardware platforms with the BitLocker system check option while you are enabling BitLocker. The system check will ensure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material. + ## Disk configuration considerations + To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements: + - The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system - The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. 
It should be at least 350 MB in size + Windows setup will automatically configure the disk drives of your computer to support BitLocker encryption. + Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE in conjunction with BitLocker, the Windows RE boot image must reside on a volume that is not protected by BitLocker. + Windows RE can also be used from boot media other than the local hard disk. If you choose not to install Windows RE on the local hard disk of BitLocker-enabled computers, you can use alternate boot methods, such as Windows Deployment Services, CD-ROM, or USB flash drive, for recovery. + ## BitLocker provisioning + In Windows Vista and Windows 7, BitLocker was provisioned post installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires that the computer have a TPM. + To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet or Windows Explorer. A status of "Waiting For Activation" with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not protected and needs to have a secure key added to the volume before the drive is considered fully protected. 
Administrators can use the control panel options, manage-bde tool or WMI APIs to add an appropriate key protector and the volume status will be updated. + When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented prior to changing the volume status. + Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option this step takes only a few seconds and so incorporates well into regular deployment processes. + ## Used Disk Space Only encryption + The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption. + Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you are asked to choose the drive encryption type, either Used Disk Space Only or Full drive encryption. + Used Disk Space Only means that only the portion of the drive that contains data will be encrypted, unused space will remain unencrypted. This causes the encryption process to be much faster, especially for new PCs and data drives. 
When BitLocker is enabled with this method as data is added to the drive the portion of the drive used will be encrypted, so there is never unencrypted data stored on the drive. + Full drive encryption means that the entire drive will be encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and may contain data remnants from their previous use. + ## Active Directory Domain Services considerations + BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. Before configuring these settings verify that access permissions have been granted to perform the backup. + By default, domain administrators are the only users that will have access to BitLocker recovery information. When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment. + It is a best practice to require backup of recovery information for both the TPM and BitLocker to AD DS. You can implement this practice by configuring the Group Policy settings below for your BitLocker-protected computers. - ---- - - - - - - - - - - - - - - - - -
      BitLocker Group Policy settingConfiguration

      BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services

      Require BitLocker backup to AD DS (Passwords and key packages)

      Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services

      Require TPM backup to AD DS

      + +| BitLocker Group Policy setting | Configuration | +| - | - | +| BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services| Require BitLocker backup to AD DS (Passwords and key packages)| +| Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services | Require TPM backup to AD DS|   The following recovery data will be saved for each computer object: + - **Recovery password** + A 48-digit recovery password used to recover a BitLocker-protected volume. Users enter this password to unlock a volume when BitLocker enters recovery mode. + - **Key package data** + With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID. + - **TPM owner authorization password hash** + When ownership of the TPM is taken a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM. + Starting in Windows 8, a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 and later schemas. + To take advantage of this integration, you must upgrade your domain controllers to Windows Server 2012 or extend the Active Directory schema and configure BitLocker-specific Group Policy objects. -**Note**   -The account that you use to update the Active Directory schema must be a member of the Schema Admins group. + +>**Note:**  The account that you use to update the Active Directory schema must be a member of the Schema Admins group.   
Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. + **To support Windows 8 and later computers that are managed by a Windows Server 2003 or Windows 2008 domain controller** + There are two schema extensions that you can copy down and add to your AD DS schema: + - **TpmSchemaExtension.ldf** + This schema extension brings parity with the Windows Server 2012 schema. With this change, the TPM owner authorization information is stored in a separate TPM object linked to the corresponding computer object. Only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. To support such scenarios, an update to the schema was created. + - **TpmSchemaExtensionACLChanges.ldf** + This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. However, this is less secure as any computer in the domain can now update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth) and DOS attacks can be made from within the enterprise. The recommended mitigation in such a scenario is to do regular backup of TPM objects and enable auditing to track changes for these objects. + To download the schema extensions, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + If you have a Windows Server 2012 domain controller in your environment, the schema extensions are already in place and do not need to be updated. 
-**Caution**   -To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2. + +>**Caution:**  To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2. If Active Directory backup of the TPM owner authorization value is enabled in an environment without the required schema extensions, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8 and later.   **Setting the correct permissions in AD DS** + To initialize the TPM successfully so that you can turn on BitLocker requires that the correct permissions for the SELF account in be set in AD DS for the **ms-TPMOwnerInformation** attribute. The following steps detail setting these permissions as required by BitLocker: + 1. Open **Active Directory Users and Computers**. 2. Select the organizational unit (OU) which contains the computer accounts that will have BitLocker turned on. 3. Right-click the OU and click **Delegate Control** to open the **Delegation of Control** wizard. 
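Review bot: The paragraphs this hunk re-spaces still carry typos that a formatting pass should pick up: "UEFI firware" in the system partition bullet, "you will be able decrypt" under **Key package data**, "DOS attacks" (DoS) in the TpmSchemaExtensionACLChanges.ldf description, and "for the SELF account in be set in AD DS" under **Setting the correct permissions in AD DS**. On the new `>**Caution:**` line, only the first sentence is on the added line. Please confirm that the unchanged sentence after it (TPM provisioning fails and the TPM stays in a Not Ready state without the schema extensions) still renders inside the caution, because that is the consequence an administrator needs to see.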
@@ -270,26 +234,32 @@ To initialize the TPM successfully so that you can turn on BitLocker requires th 7. On the **Active Directory Object Type** page, choose **Only the following objects in the folder** and then check **Computer Objects** and then click **Next**. 8. On the **Permissions** page, for **Show these permissions**, check **General**, **Property-specific**, and **Creation/deletion of specific child objects**. Scroll down the **Permissions** list and check both **Write msTPM-OwnerInformation** and **Write msTPM-TpmInformationForComputer** then click **Next**. 9. Click **Finish** to apply the permissions settings. + ## FIPS support for recovery password protector + Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. -**Note**   -The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.  + +>**Note:**  The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. 
The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.    Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](http://support.microsoft.com/kb/947249). + But on computers running these supported systems with BitLocker enabled: + - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. - Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. + The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPs mode or not. + However, you cannot use recovery passwords generated on a system in FIPS mode for systems earlier than Windows Server 2012 R2 and Windows 8.1. 
Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; so recovery keys should be used instead. + ## More information -[Trusted Platform Module](trusted-platform-module-overview.md) -[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[BitLocker](bitlocker-overview.md) -[BitLocker Group Policy settings](bitlocker-group-policy-settings.md) -[BitLocker basic deployment](bitlocker-basic-deployment.md) -  -  + +- [Trusted Platform Module](trusted-platform-module-overview.md) +- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker](bitlocker-overview.md) +- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) +- [BitLocker basic deployment](bitlocker-basic-deployment.md) diff --git a/windows/keep-secure/profile-single-process.md b/windows/keep-secure/profile-single-process.md index bcdfcfa6c0..bcb68afa86 100644 --- a/windows/keep-secure/profile-single-process.md +++ b/windows/keep-secure/profile-single-process.md 
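Review bot: In the hunk at `@@ -270,26 +234,32 @@` (the FIPS section and the delegation steps above it), step 8 names the permission **Write msTPM-OwnerInformation**, while the intro paragraph of the same procedure calls the attribute **ms-TPMOwnerInformation**. Use one spelling, matching what the Delegation of Control wizard displays, so the permission can be found and audited by name. The FIPS bullets this hunk spaces out also keep "stored in AD a while in FIPS mode" (stray "a"), "protector work in all cases", and "FIPs mode", and the kb947249 link is still `http://`. All of these are worth fixing in the same pass.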
@@ -2,89 +2,90 @@ title: Profile single process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Profile single process security policy setting. ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Profile single process + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Profile single process** security policy setting. + ## Reference + This policy setting determines which users can view a sample performance of an application process. Typically, you do not need this user right to use the performance reporting tools included in the operating system. However, you do need this user right if the system’s monitor components are configured to collect data through Windows Management Instrumentation (WMI). + Constant: SeProfileSingleProcessPrivilege + ### Possible values + - User-defined list of accounts - Administrators - Not Defined + ### Best practices + - This right should not be granted to individual users. It should be granted only for trusted applications that monitor other programs. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      Stand-Alone Server Default Settings

      Administrators

      Domain Controller Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings| Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Profile single process** user right presents a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as anti-virus software or an intrusion-detection system. They could also identify other users who are logged on to a computer. + ### Countermeasure + Ensure that only the local Administrators group is assigned the **Profile single process** user right. 
+ ### Potential impact + If you remove the **Profile single process** user right from the Power Users group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/profile-system-performance.md b/windows/keep-secure/profile-system-performance.md index c35951cd49..5166f4de6f 100644 --- a/windows/keep-secure/profile-system-performance.md +++ b/windows/keep-secure/profile-system-performance.md 
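Review bot: In profile-single-process.md, the added table rows are padded unevenly (`| Default Domain Policy| Not defined|` next to `| Default Domain Controller Policy | Administrators|`) and use a one-hyphen delimiter row `| - | - |`. Normalise the spacing and use `| --- | --- |` so the table parses the same way in every Markdown renderer. While the page is being touched, **Possible values** lists "Not Defined" but the table says "Not defined". Separately, **Best practices** says the right should be granted only for trusted applications, whereas **Countermeasure** says only the local Administrators group. Those two statements should be reconciled so the hardening guidance is unambiguous.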
@@ -2,90 +2,92 @@ title: Profile system performance (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the Profile system performance security policy setting. ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Profile system performance + **Applies to** - Windows 10 + This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the **Profile system performance** security policy setting. + ## Reference + This security setting determines which users can use Windows performance monitoring tools to monitor the performance of system processes. + Constant: SeSystemProfilePrivilege + ### Possible values + - User-defined list of accounts - Administrators - Not defined + ### Best practices + - Ensure that only the local Administrators group is assigned the **Profile system performance** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      Stand-Alone Server Default Settings

      Administrators

      Domain Controller Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Depending on your version of Windows and your environment, you might need to add this user right to the Local System account or the Local Service account if you encounter access errors when you use the Administrators account. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Profile system performance** user right poses a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers might also be able to determine what processes are active on the computer so that they could identify countermeasures to avoid, such as anti-virus software or an intrusion detection system. 
+ ### Countermeasure + Ensure that only the local Administrators group is assigned the **Profile system performance** user right. + ### Potential impact + None. Restricting the **Profile system performance** user right to the local Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index bc3658f201..2550941ba3 100644 --- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
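Review bot: In profile-system-performance.md, the **Policy management** paragraph kept by this hunk says the right might need to be added to the Local System or Local Service account, while **Best practices** and **Countermeasure** say only the local Administrators group should hold it, and **Potential impact** says "None". Since this commit reflows the whole page, either state that exception in the Countermeasure section or note the access errors under Potential impact. Otherwise someone auditing `SeSystemProfilePrivilege` against this page cannot tell whether a service-account assignment is expected. The new table has the same `| - | - |` delimiter row and uneven cell padding as the other converted tables.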
@@ -2,232 +2,331 @@ title: Control the health of Windows 10-based devices (Windows 10) description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873 -ms.pagetype: security; devices -keywords: ["security", "BYOD", "malware", "device health attestation", "mobile"] +keywords: security, BYOD, malware, device health attestation, mobile ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security; devices author: arnaudjumelet + --- + # Control the health of Windows 10-based devices + **Applies to** + - Windows 10 + This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. + ## Introduction + In Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organization’s applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT. + Users want to have the best productivity experience when accessing corporate applications and working on organization data from their devices. That means they will not tolerate being prompted to enter their work credentials each time they access an application or a file server. From a security perspective, it also means that users will manipulate corporate credentials and corporate data on unmanaged devices. + With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing corporate services, internal resources, and cloud apps. + Even managed devices can be compromised and become harmful. 
Organizations need to detect when security has been breached and react as early as possible in order to protect high-value assets. + As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and also on detection and response capabilities. + Windows 10 is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy. + ## Description of a robust end-to-end security solution + Today’s computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there is no doubt that malware now targets both consumers and professionals in all industries. + During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an on-going basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary. + With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, it’s an easy way to breach the security network perimeter, gain access to, and then steal high-value assets. + The attackers target individuals, not specifically because of who they are, but because of who they work for. An infected device will bring malware into an organization, even if the organization has hardened the perimeter of networks or has invested in its defensive posture. A defensive strategy is not sufficient against these threats. + ### A different approach + Rather than the traditional focus on the prevention of compromise, an effective security strategy assumes that determined adversaries will successfully breach any defenses. 
It means that it’s necessary to shift focus away from preventative security controls to detection of, and response to, security issues. The implementation of the risk management strategy, therefore, balances investment in prevention, detection, and response. + Because mobile devices are increasingly being used to access corporate information, some way to evaluate device security or health is required. This section describes how to provision device health assessment in such a way that high-value assets can be protected from unhealthy devices. + Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset. + ![figure 1](images/hva-fig1-endtoend1.png) + A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure. + The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it. + ![figure 2](images/hva-fig2-assessfromcloud2.png) + Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot. 
+ Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification. The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems. + A device health attestation module can communicate measured boot data that is protected by a Trusted Platform Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication channel. + Remote health attestation service performs a series of checks on the measurements. It validates security related data points, including boot state (Secure Boot, Debug Mode, and so on), and the state of components that manage security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending a health encrypted blob back to the device. + An MDM solution typically applies configuration policies and deploys software to devices. MDM defines the security baseline and knows the level of compliance of the device with regular checks to see what software is installed and what configuration is enforced, as well as determining the health status of the device. + An MDM solution asks the device to send device health information and forward the health encrypted blob to the remote health attestation service. The remote health attestation service verifies device health data, checks that MDM is communicating to the same device, and then issues a device health report back to the MDM solution. + An MDM solution evaluates the health assertions and, depending on the health rules belonging to the organization, can decide if the device is healthy. 
If the device is healthy and compliant, MDM passes that information to the identity provider so the organization’s access control policy can be invoked to grant access. + Access to content is then authorized to the appropriate level of trust for whatever the health status and other conditional elements indicate. + Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional security authentication may need to be established by querying the user to answer a phone call before access is granted. + ### Microsoft’s security investments in Windows 10 + In Windows 10, there are three pillars of investments: + - **Secure identities.** Microsoft is part of the FIDO Alliance which aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system as well as for services like on-premises resources and cloud resources. - **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data. - **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware. 
+ ### Protect, control, and report on the security status of Windows 10-based devices + This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware. + ![figure 3](images/hva-fig3-endtoendoverview3.png) - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      NumberPart of the solutionDescription

      1

      Windows 10-based device

      The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.

      -

      A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.

      2

      Identity provider

      Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.

      -

      Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.

      3

      Mobile device management

      Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.

      -

      MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.

      4

      Remote health attestation

      The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.

      -

      Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).

      5

      Enterprise managed asset

      Enterprise managed asset is the resource to protect.

      -

      For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.

      + +| Number | Part of the solution | Description | +| - | - | - | +| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.
      A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.| +| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.
      Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.| +| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.
      MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.| +| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.
      Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).| +| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.
      For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.|   The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets. + ## Protect devices and enterprise credentials against threats + This section describes what Windows 10 offers in terms of security defenses and what control can be measured and reported to. + ### Windows 10 hardware-based security defenses + The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section. + ![figure 4](images/hva-fig4-hardware.png) + Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: + - **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features. + Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. + A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). 
At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: + - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. + Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Microsoft Passport, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=733948). + Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 is required for device health attestation. + TPM 2.0 provides a major revision to the capabilities over TPM 1.2: + - Update crypto strength to meet modern security needs + - Support for SHA-256 for PCRs - Support for HMAC command + - Cryptographic algorithms flexibility to support government needs + - TPM 1.2 is severely restricted in terms of what algorithms it can support - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents + - Consistency across implementations + - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details - TPM 2.0 standardizes much of this behavior + - **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot does not require a TPM. + The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. 
On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program. + Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity did not compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. - **Note**   - Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over. + + >**Note:**  Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over.   - **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration. 
+ Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. Secure Boot configuration policy does this with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot. + The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr. + The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted. + - **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. + Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run very early in the boot sequence. 
Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded. + ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. - **Note**   - Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before shutdown or reboot. + + >**Note:**  Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before shutdown or reboot.   
The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code. + The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). - **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a completely new enforced security boundary that allows you to protect critical parts of Windows 10. + Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, refer to the [Virtualization-based security](#virtual) section. + - **Hyper-V Code Integrity (HVCI).** Hyper-V Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run. + When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services, including Hyper-V Code Integrity (HVCI). HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. + HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified. 
- **Note**   - Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=691612) blog post. + + >**Note:**  Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=691612) blog post.   The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. It’s configurable by using a policy. Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy. + - **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation. + In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack. + This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. That means that even if the Windows kernel is compromised an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory. 
+ - **Health attestation.** The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health. + Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they are taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. + For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](http://go.microsoft.com/fwlink/p/?LinkId=733950). + During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For additional security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device. + Health attestation requires the presence of TPM 2.0. On Windows 10, TPM 2.0 also requires UEFI firmware. + Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets. + ### Virtualization-based security + Virtualization-based security provides a new trust boundary for Windows 10. leverages Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data. 
+ Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Note that virtualization-based security is not trying to protect against a physical attacker. + The following Windows 10 services are protected with virtualization-based security: + - **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory - **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. - **Other isolated services**: for example, on Windows Server Technical Preview 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. -**Note**   -Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. + +>**Note:**  Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.   + The schema below is a high-level view of Windows 10 with virtualization-based security. 
+ ![figure 5](images/hva-fig5-virtualbasedsecurity.png) + ### Credential Guard -In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on remote machines, which mitigates many PtH-style attacks. + +In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on +remote machines, which mitigates many PtH-style attacks. + Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key: + - **The per-boot key** is used for any in-memory credentials that do not require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key. - **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key. -Credential Guard is activated by a registry key and then enabled by using an UEFI variable. This is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. 
The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins. +Credential Guard is activated by a registry key and then enabled by using an UEFI variable. This is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that +credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins. + ### Device Guard + Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those that are trusted by the organization. + The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows. + Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed. -**Note**   -Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](http://go.microsoft.com/fwlink/p/?LinkId=691613). 
Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate. + +>**Note:**  Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](http://go.microsoft.com/fwlink/p/?LinkId=691613). Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate.   With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts. + Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny: + - **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else. - **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application. + At the time of this writing, and according to Microsoft’s latest research, more than 90 percent of malware is unsigned completely. So implementing a basic Device Guard policy can simply and effectively help block the vast majority of malware. 
In fact, Device Guard has the potential to go further, and can also help block signed malware. + Device Guard needs to be planned and configured to be truly effective. It is not just a protection that is enabled or disabled. Device Guard is a combination of hardware security features and software security features that, when configured together, can lock down a computer to help ensure the most secure and resistant system possible. + There are three different parts that make up the Device Guard solution in Windows 10: + - The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start. - After the hardware security feature, there is the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. - The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs). + For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](device-guard-deployment-guide.md). + ### Device Guard scenarios + As previously described, Device Guard is a powerful way to lock down systems. Device Guard is not intended to be used broadly and it may not always be applicable, but there are some high-interest scenarios. -Device Guard is useful and applicable on fixed workloads systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well managed desktops. Device Guard is highly relevant on systems that have very well-defined software that are expected to run and don’t change too frequently. 
It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going to change on a daily basis. + +Device Guard is useful and applicable on fixed workloads systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well managed desktops. Device Guard is highly relevant on systems that have very well-defined software that are expected to run and don’t change too frequently. +It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going to change on a daily basis. + SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can’t be considered a “silver bullet” security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth approach to security. + To protect high-value assets, SAWs are used to make secure connections to those assets. + Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like System Center Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. + It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. 
When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. + Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device. -**Note**   -Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy. + +>**Note:**  Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy.   Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat Device Guard. -When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the Device Guard policy into the UpdateSigner section. + +When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the +Device Guard policy into the UpdateSigner section. 
+ ### The importance of signing applications + On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10. -With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Windows Store infrastructure. More specifically, LOB apps will be available in a private store within the public Windows Store. Windows Store signs and distributes Universal Windows apps and Classic Windows apps. All apps downloaded from the Windows Store are signed. + +With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Windows Store infrastructure. More specifically, LOB apps will be available in a private store within the public Windows Store. Windows Store signs and distributes Universal +Windows apps and Classic Windows apps. All apps downloaded from the Windows Store are signed. + In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best practice, a lot of internal applications are not signed. + Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create additional signatures that can be distributed along with existing applications. + ### Why are antimalware and device management solutions still necessary? + Although allow-list mechanisms are extremely efficient at ensuring that only trusted applications can be run, they cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting vulnerabilities. 
+ Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by causing it to run malicious code without the user’s knowledge. + It’s common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the operating system and kernel mode drivers that host them. + To combat these threats, patching is the single most effective control, with antimalware software forming complementary layers of defense. + Most application software has no facility for updating itself, so even if the software vendor publishes an update that fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities. + MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends the management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered devices. + ### Device health attestation + Device health attestation leverages the TPM 2.0 to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. + For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. 
A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. + For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section. + ### Hardware requirements + The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](http://go.microsoft.com/fwlink/p/?LinkId=733951). + @@ -274,33 +373,57 @@ The following table details the hardware requirements for both virtualization-ba
        This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. + ## Detect an unhealthy Windows 10-based device + As of today, many organizations only consider devices to be compliant with company policy after they’ve passed a variety of checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting is not entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. + The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running. + As previously discussed, the health attestation feature of Windows 10 uses the TPM 2.0 hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. 
Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. + By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. + ### What is the concept of device health? + To understand the concept of device health, it’s important to know traditional measures that IT pros have taken to prevent the breach of malware. Malware control technologies are highly focused on the prevention of installation and distribution. + However, the use of traditional malware prevention technologies like antimalware or patching solutions brings a new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing organization’s resources. + The definition of device compliance will vary based on an organization’s installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy. + The health of the device is not binary and depends on the organization’s security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by leveraging trustworthy hardware TPM. + But health attestation only provides information, which is why an MDM solution is needed to take and enforce a decision. + ### Remote device health attestation + In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft. + This is the most secure approach available for Windows 10-based devices to detect when security defenses are down. 
During the boot process, the TCG log and PCRs values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. + A relying party like an MDM can inspect the report generated by the remote health attestation service. -**Note**   -To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10. + +>**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10.   Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent. + Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system. + In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. That's why it's important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence. + The antimalware software can search to determine whether the boot sequence contains any signs of malware, such as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation between the measurement component and the verification component. 
+ Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process. + ![figure 6](images/hva-fig6-logs.png) + When starting a device equipped with a TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. + ![figure 7](images/hva-fig7-measurement.png) + The health attestation process works as follows: + 1. Hardware boot components are measured. 2. Operating system boot components are measured. 3. If Device Guard is enabled, current Device Guard policy is measured. 
@@ -309,90 +432,138 @@ The health attestation process works as follows: 6. Boot start drivers are measured. 7. MDM server through the MDM agent issues a health check command by leveraging the Health Attestation CSP. 8. Boot measurements are validated by the Health Attestation Service -**Note**   -By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder. + +>**Note:**  By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder. The number of retained logs may be set with the registry **REG\_DWORD** value **PlatformLogRetention** under the **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM** key. A value of **0** will turn off log archival and a value of **0xffffffff** will keep all logs.   The following process describes how health boot measurements are sent to the health attestation service: + 1. The client (a Windows 10-based device with a TPM 2.0) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client. 2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information. 3. The remote device heath attestation service then: + 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked. 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value. 3. Parses the properties in the TCG log. 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service. + 4. 
The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter. + ![figure 8](images/hva-fig8a-healthattest8a.png) + ### Device health attestation components + The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section. + ### Trusted Platform Module + *It’s all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting. + In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. + A TPM incorporates in a single component: + - A RSA 2048-bit key generator - A random number generator - Nonvolatile memory for storing EK, SRK, and AIK keys - A cryptographic engine to encrypt, decrypt, and sign - Volatile memory for storing the PCRs and RSA keys + ### Endorsement key + The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). + The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. + The endorsement key acts as an identity card for the TPM. For more information, see [Understand the TPM endorsement key](http://go.microsoft.com/fwlink/p/?LinkId=733952). 
+ The endorsement key is often accompanied by one or two digital certificates: + - One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it’s a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. -**Note**   -Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: + +>**Note:**  Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. 
For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: + - For Intel firmware TPM: **https://ekop.intel.com/ekcertservice** - For Qualcomm firmware TPM: **https://ekcert.spserv.microsoft.com/**   ### Attestation Identity Keys + Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. -**Note**   -Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. + +>**Note:**  Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.   The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. 
Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. + +Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft +Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. + Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Microsoft Passport without TPM. + In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. 
+ ### Storage root key + The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken. + ### Platform Configuration Registers + The TPM contains a set of registers that are designed to provide a cryptographic representation of the software and state of the system that booted. These registers are called Platform Configuration Registers (PCRs). + The measurement of the boot sequence is based on the PCR and TCG log. To establish a static root of trust, when the device is starting, the device must be able to measure the firmware code before execution. In this case, the Core Root of Trust for Measurement (CRTM) is executed from the boot, calculates the hash of the firmware, then stores it by expanding the register PCR\[0\] and transfers execution to the firmware. + PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components take the hash of the next component that is to be run and record the measurements in the PCRs. The initial component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative hash of the components that have been measured. + The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with details of what has been measured, and the PCRs merely ensure that the log has not been tampered with. The logs are referred as a TCG log. Each time a register PCR is extended, an entry is added to the TCG log. 
Thus, throughout the boot process, a trace of the executable code and configuration data is created in the TCG log. + ### TPM provisioning + For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. + When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement** + During the provisioning process, the device may need to be restarted. + Note that the **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with administrative privilege to get information about the endorsement key and certificates of the TPM. -If the TPM ownership is not known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** + +If the TPM ownership is not known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: +**HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** + As part of the provisioning process, Windows 10 will create an AIK with the TPM. 
When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** -**Note**   -For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: **https://\*.microsoftaik.azure.net** + +>**Note:**  For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: **https://\*.microsoftaik.azure.net**   ### Windows 10 Health Attestation CSP + Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on. + The following is a list of functions performed by the Windows 10 Health Attestation CSP: + - Collects data that is used to verify a device’s health status - Forwards the data to the Health Attestation Service - Provisions the Health Attestation Certificate that it receives from the Health Attestation Service - Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification + During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs values that are measured during the boot, by using a secure communication channel to the Health Attestation Service. 
+ When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device did not reboot between the time that it attested its health and the time that the MDM server validated it. + ### Windows Health Attestation Service + The role of Windows Health Attestation Service is essentially to evaluate a set of health data (TCG log and PCR values), make a series of detections (based on available health data) and generate encrypted health blob or produce report to MDM servers. -**Note**   -Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS). + +>**Note:**  Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS).   Checking that a TPM attestation and the associated log are valid takes several steps: + 1. First, the server must check that the reports are signed by **trustworthy AIKs**. This might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked. 2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is a **valid signature over PCR values**. 3. Next the logs should be checked to ensure that they match the PCR values reported. 4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource. 
+ The Health Attestation Service provides the following information to an MDM solution about the health of the device: + - Secure Boot enablement - Boot and kernel debug enablement - BitLocker enablement @@ -401,8 +572,11 @@ The Health Attestation Service provides the following information to an MDM solu - ELAM loaded - Safe Mode boot, DEP enablement, test signing enablement - Device TPM has been provisioned with a trusted endorsement certificate + For completeness of the measurements, see [Health Attestation CSP](http://go.microsoft.com/fwlink/p/?LinkId=733949). + The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device. + @@ -446,90 +620,139 @@ The following table presents some key items that can be reported back to MDM dep
        ### Leverage MDM and the Health Attestation Service + To make device health relevant, the MDM solution evaluates the device health report and is configured to the organization’s device health requirements. + A solution that leverages MDM and the Health Attestation Service consists of three main parts: + 1. A device with health attestation enabled. This will usually be done as a part of enrollment with an MDM provider (health attestation will be disabled by default). 2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. 3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. + ![figure 9](images/hva-fig8-evaldevicehealth8.png) + Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows: + 1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI. 2. The MDM server specifies a nonce along with the request. 3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt. 4. The MDM server: + 1. Verifies that the nonce is as expected. 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server. + 5. The Health Attestation Service: + 1. Decrypts the health blob. 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob. 3. 
Verifies that the nonce matches in the quote and the one that is passed from MDM. 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated. 5. Sends data back to the MDM server including health parameters, freshness, and so on. -**Note**   -The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns. + +>**Note:**  The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.   Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution. -Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. That is the purpose of conditional access control, which is detailed in the next section. + +Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. 
+That is the purpose of conditional access control, which is detailed in the next section. + ## Control the security of a Windows 10-based device before access is granted + Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and systems know very little about. Perhaps there is some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware? + The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune. -**Note**   -For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](http://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733956). + +>**Note:**  For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](http://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733956).   The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service. + ![figure 10](images/hva-fig9-intune.png) -An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the firewall is running, and the devices patch state is compliant. 
+ +An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the +firewall is running, and the devices patch state is compliant. + Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This feature is much needed for BYOD devices that need to access organizational resources. + ### Built-in support of MDM in Windows 10 + Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage Windows 10-based devices without requiring a separate agent. + ### Third-party MDM server support + Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For additional information, see [Azure Active Directory integration with MDM](http://go.microsoft.com/fwlink/p/?LinkId=733954). -**Note**   -MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=733955). + +>**Note:**  MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=733955).   The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. 
+ ### Management of Windows Defender by third-party MDM + This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. + For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkId=733953). + ### Conditional access control + On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365 compatible workload. + If the device is not registered, the user will get a message with instructions on how to register (also known as enrolling). If the device is not compliant, the user will get a different message that redirects them to the MDM web portal where they can get more information on the compliance problem and how to resolve it. + **Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way. 
+ ![figure 11](images/hva-fig10-conditionalaccesscontrol.png) + ### Office 365 conditional access control -Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional target groups. + +Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional +target groups. + When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that do not have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services. + When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune. 
-**Note**   -Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](http://go.microsoft.com/fwlink/p/?LinkId=691615) blog post. + +>**Note**  Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](http://go.microsoft.com/fwlink/p/?LinkId=691615) blog post.   When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access. + The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the compliance policy is not met at the time of request for renewal. + Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar. + ![figure 12](images/hva-fig11-office365.png) + Clients that attempt to access Office 365 will be evaluated for the following properties: + - Is the device managed by an MDM? - Is the device registered with Azure AD? - Is the device compliant? + To get to a compliant state, the Windows 10-based device needs to: + - Enroll with an MDM solution. - Register with Azure AD. - Be compliant with the device policies set by the MDM solution. 
-**Note**   -At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=691616) blog post. + +>**Note:**  At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=691616) blog post.   ### Cloud and on-premises apps conditional access control + Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's logon to make real-time decisions about which applications they should be allowed to access. + IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD leverage the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access. + For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](http://go.microsoft.com/fwlink/p/?LinkId=524807) -**Note**   -Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](http://go.microsoft.com/fwlink/p/?LinkId=691617) site. + +>**Note:**  Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](http://go.microsoft.com/fwlink/p/?LinkId=691617) site.   
For on-premises applications there are two options to enable conditional access control based on a device's compliance state: + - For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](http://go.microsoft.com/fwlink/p/?LinkId=691618) blog post. - Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server Technical Preview 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications. + ![figure 13](images/hva-fig12-conditionalaccess12.png) + The following process describes how Azure AD conditional access works: + 1. User has already enrolled with MDM through Workplace Access/Azure AD join which registers device with Azure AD. 2. When the device boots or resumes from hibernate, a task “Tpm-HASCertRetr” is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service. 3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any). 
@@ -544,34 +767,59 @@ The following process describes how Azure AD conditional access works: 12. Access gated by compliance claim in Azure AD. 13. If the device is compliant and the user is authorized, an access token is generated. 14. User can access the corporate managed asset. + For more information about Azure AD join, see the [Azure AD & Windows 10: Better Together for Work or School](http://go.microsoft.com/fwlink/p/?LinkId=691619) white paper. + Conditional access control is a topic that many organizations and IT pros may not know as well as they should. The different attributes that describe a user, a device, compliance, and context of access are very powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment. + ## Takeaways and summary + The following list contains high-level key take-aways to improve the security posture of any organization. However, the few take-aways presented in this section should not be interpreted as an exhaustive list of security best practices. + - **Understand that no solution is 100 percent secure** + If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it. + - **Use health attestation with an MDM solution** + Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked. + - **Use Credential Guard** + Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks. + - **Use Device Guard** + Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization). 
+ - **Sign Device Guard policy** + Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard subsequently is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy. + - **Use virtualization-based security** + When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers. + - **Start to deploy Device Guard with Audit mode** + Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode. + - **Build an isolated reference machine when deploying Device Guard** + Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices. + - **Use AppLocker when it makes sense** + Although AppLocker is not considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows apps for a specific user or a group of users. + - **Lock down firmware and configuration** + After Windows 10 is installed, lock down firmware boot options access. 
This prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. + Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device’s identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. + ## Related topics -[Protect derived domain credentials with Credential Guard](credential-guard.md) -[Device Guard deployment guide](device-guard-deployment-guide.md) -[Trusted Platform Module technology overview](http://go.microsoft.com/fwlink/p/?LinkId=733957) -  -  + +- [Protect derived domain credentials with Credential Guard](credential-guard.md) +- [Device Guard deployment guide](device-guard-deployment-guide.md) +- [Trusted Platform Module technology overview](http://go.microsoft.com/fwlink/p/?LinkId=733957) diff --git a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index a1a5ed3f34..fc092b8a95 100644 --- a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -2,112 +2,163 @@ title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10) description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker. ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Protecting cluster shared volumes and storage area networks with BitLocker + **Applies to** - Windows 10 + This topic for IT pros describes how to protect CSVs and SANs with BitLocker. + BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. + ## Configuring BitLocker on Cluster Shared Volumes + ### Using BitLocker with Clustered Volumes + BitLocker on volumes within a cluster are managed based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). -**Important**   -SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). + +>**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx).   -Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. 
Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. +Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on +BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. + Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. -**Note**   -Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption. + +>**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.   -For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde –WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. 
This occurs because Full Encryption requires an end marker for the volume and dynamically expanding VHDs do not have a static end of volume marker. +For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde –WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This occurs because Full +Encryption requires an end marker for the volume and dynamically expanding VHDs do not have a static end of volume marker. + ### Active Directory-based protector + You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: + 1. Clear key 2. Driver-based auto-unlock key 3. ADAccountOrGroup protector + 1. Service context protector 2. User protector + 4. Registry-based auto-unlock key -**Note**   -A Windows Server 2012 or later domain controller is required for this feature to work properly. + +>**Note:**  A Windows Server 2012 or later domain controller is required for this feature to work properly.   ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell + BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. 
To turn on BitLocker for a disk before adding it to a cluster, do the following: + 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. 3. Enable BitLocker on the volume using your choice of protector. A password protector is used in the Windows PowerShell script example below. + ``` syntax Enable-BitLocker E: -PasswordProtector -Password $pw ``` + 4. Identify the name of the cluster with Windows PowerShell. + ``` syntax Get-Cluster + ``` 5. Add an **ADAccountOrGroup**protector to the volume using the cluster name using a command such as: + ``` syntax Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - **Warning**   - You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster. + + >**Warning:**  You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster.   6. Repeat steps 1-6 for each disk in the cluster. 7. Add the volume(s) to the cluster. + ### Turning on BitLocker for a clustered disk using Windows PowerShell + When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: + 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. + ``` syntax Get-ClusterResource "Cluster Disk 1" ``` + 3. Put the physical disk resource into maintenance mode using Windows PowerShell. + ``` syntax Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` + 4. Enable BitLocker on the volume using your choice of protector. 
A password protector is used in the example below. + ``` syntax Enable-BitLocker E: -PasswordProtector -Password $pw ``` + 5. Identify the name of the cluster with Windows PowerShell + ``` syntax Get-Cluster ``` + 6. Add an **ADAccountOrGroup** protector with the Cluster Name Object (CNO) to the volume using a command such as: + ``` syntax Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ + ``` - **Warning**   - You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster. + >**Warning:**  You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster.   7. Repeat steps 1-6 for each disk in the cluster. 8. Add the volume(s) to the cluster + ### Adding BitLocker encrypted volumes to a cluster using manage-bde + You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following: + 1. Verify the BitLocker Drive Encryption feature is installed on the computer. 2. Ensure new storage is formatted as NTFS. 3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example): + - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` + 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption will continue. 2. Using the -sync parameter is optional. Using it ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. + 4. 
Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered + - Once the disk is clustered it can also be enabled for CSV. + 5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted. + 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. 2. If the volume is BitLocker enabled, the following check occurs: + - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail. + 6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. + ``` syntax manage-bde -status "C:\ClusterStorage\volume1" ``` + ### Physical Disk Resources + Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. + ### Restrictions on BitLocker actions with cluster volumes + The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation. + @@ -211,11 +262,12 @@ The following table contains information about both Physical Disk Resources (i.e
        -**Note**   -Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node +>**Note:**  Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node   In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. + ### Other considerations when using BitLocker on CSV2.0 + Some other considerations to take into account for BitLocker on clustered storage include the following: - BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume. - If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. @@ -224,5 +276,3 @@ Some other considerations to take into account for BitLocker on clustered storag - If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver will automatically resume conversion when the volume is online to the cluster. - If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) will automatically resume conversion when moving the volume back from maintenance. - If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver will automatically resume conversion when the volume is moved back from maintenance mode. -  -  
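Review bot: in the device health attestation file, the converted callouts in the hunk covering "Leverage MDM and the Health Attestation Service" through "Cloud and on-premises apps conditional access control" are inconsistent. The note that begins "Microsoft is working with third-party MDM ISVs" is written `>**Note**` with no colon, while the other notes in the same hunk use `>**Note:**`, and each converted callout still leaves the old whitespace-only line behind it as context. Use one prefix throughout and remove the leftover whitespace-only lines. The rewrap also breaks two paragraphs mid-sentence ("up to date, the" / "firewall is running" and "additional" / "target groups."); keep each paragraph on a single line as the rest of the file does. While that line is being touched, "the devices patch state" should read "the device's patch state".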
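Review bot: in the `@@ -544,34 +767,59 @@` hunk of the device health attestation file, the re-added text under "Sign Device Guard policy" still reads "from a signer specify as part of the Device Guard policy"; it should be "specified". In the "Lock down firmware and configuration" item the path is written `**C:\\Windows\\System32\\SecConfig.efi**`; confirm the doubled backslashes render as single ones in the published page, or switch the path to code formatting so a reader who copies it into a deny rule gets the literal path.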
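Review bot: in the `@@ -2,112 +2,163 @@` hunk of the BitLocker cluster file, the first procedure ("Turning on BitLocker before adding disks to a cluster") has step 6 reading "Repeat steps 1-6 for each disk in the cluster", which refers to itself; it should be "steps 1-5". Since the hunk already reflows these lists, two more fixes belong here. `Enable-BitLocker E: -PasswordProtector -Password $pw` uses `$pw` without ever defining it, so add a sentence saying it must be a SecureString (for example one read with `Read-Host -AsSecureString`), which also keeps readers from putting a plaintext password in a script. The example `Manage-bde -on -used -RP -sid domain\CNO$ -sync` names no volume, so it cannot be run as shown. Step 5 of the first procedure is also missing a space in "**ADAccountOrGroup**protector", and `>**Important**` lacks the colon used by the `>**Note:**` and `>**Warning:**` callouts.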
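Review bot: in the `@@ -211,11 +262,12 @@` hunk of the BitLocker cluster file, the converted note ends without a period and uses "MDS node" with no expansion anywhere in the visible text. Spell the term out on first use and finish the sentence. "Blocked" is capitalized mid-sentence; if it is meant to echo the table value above, put it in bold or code formatting, otherwise lowercase it.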
diff --git a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md index e1f339479c..394b4421db 100644 --- a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md 
@@ -2,88 +2,93 @@ title: Recovery console Allow automatic administrative logon (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow automatic administrative logon security policy setting. ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Recovery console: Allow automatic administrative logon + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. + ## Reference + This policy setting determines whether the built-in Administrator account password must be provided before access to the device is granted. If you enable this setting, the built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required. + The Recovery Console can be very useful when troubleshooting and repairing systems that cannot be restarted. However, enabling this policy setting so a user can automatically log on to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server. + ### Possible values + - Enabled + The built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required + - Disabled + Automatic administrative logon is not allowed. + - Not defined + Automatic administrative logon is not allowed. + ### Best practices + - Set **Recovery Console: Allow automatic administrative logon** to **Disabled**. This requires a user to enter a user name and password to access the Recovery Console account. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device + ### Policy conflicts + None. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The Recovery Console can be very useful when you must troubleshoot and repair device that do not start. However, allowing automatic logon to the Recovery Console can make it possible for someone to assume full control of the server. + ### Countermeasure + Disable the **Recovery console: Allow automatic administrative logon** setting. + ### Potential impact + Users must enter a user name and password to access the Recovery Console. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 113bafb66c..23aad36087 100644 --- a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md 
+++ b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md 
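Review bot: In recovery-console-allow-automatic-administrative-logon.md (the hunk that ends just above), two sentences are still missing a closing period after the reflow: "no password is required" under Enabled, and "takes precedence over the setting on the local device" under Group Policy. The Vulnerability paragraph also reads "repair device that do not start" where "devices" is meant. The body additionally alternates between "device", "computer" and "server" for the same machine (Reference and Vulnerability sections); since every body line is being touched anyway, settle on one term here.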
@@ -2,95 +2,99 @@ title: Recovery console Allow floppy copy and access to all drives and folders (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow floppy copy and access to all drives and folders security policy setting. ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Recovery console: Allow floppy copy and access to all drives and folders + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. + ## Reference + This policy setting enables or disables the Recovery Console SET command, which allows you to set the following Recovery Console environment variables. + - **AllowWildCards**. Enables wildcard support for some commands, such as the DEL command. - **AllowAllPaths**. Allows access to all files and folders on the device. - **AllowRemovableMedia**. Allows files to be copied to removable media, such as a floppy disk. - **NoCopyPrompt**. Suppresses the prompt that typically displays before an existing file is overwritten. + You might forget to remove removable media, such as CD or floppy disk, with sensitive data or applications that a malicious user could then steal. Or you could accidentally leave a startup disk in the computer after using the Recovery Console. If the device is restarted for any reason and the BIOS has been configured to boot from the removable media before the hard disk drive, the server will start from the removable disk. This causes the server's network services to be unavailable. 
+ ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set **Recovery Console: Allow floppy copy and access to drives and folders** to **Disabled**. Users who have started a server by using the Recovery Console and logged in with the built-in Administrator account will not be able to copy files and folders to a floppy disk. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. + ### Policy conflicts + None. + ### Command-line tools + Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: + - AllowWildCards: Enable wildcard support for some commands (such as the DEL command). - AllowAllPaths: Allow access to all files and folders on the device. - AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. - NoCopyPrompt: Do not prompt when overwriting an existing file. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker who can cause the system to restart into the Recovery Console could steal sensitive data and leave no audit or access trail. + ### Countermeasure + Disable the **Recovery console: Allow floppy copy and access to drives and folders** setting. + ### Potential impact + Users who have started a server through the Recovery Console and logged in with the built-in Administrator account cannot copy files and folders to a floppy disk. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/refresh-an-applocker-policy.md b/windows/keep-secure/refresh-an-applocker-policy.md index b94e1582a1..fd227910c6 100644 --- a/windows/keep-secure/refresh-an-applocker-policy.md +++ b/windows/keep-secure/refresh-an-applocker-policy.md 
@@ -2,39 +2,55 @@ title: Refresh an AppLocker policy (Windows 10) description: This topic for IT professionals describes the steps to force an update for an AppLocker policy. ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Refresh an AppLocker policy + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to force an update for an AppLocker policy. + If you update the rule collection on a local computer by using the Local Security Policy snap-in, the policy will take effect immediately. If Group Policy is used to distribute the AppLocker policy and you want to immediately implement the policy, you must manually refresh the policy. The Group Policy refresh might take several minutes, depending upon the number of policies within the Group Policy Object (GPO) and the number of target computers. + To use Group Policy to distribute the AppLocker policy change, you need to retrieve the deployed AppLocker policy first. To prepare for the update and subsequent refresh, see [Edit an AppLocker policy](edit-an-applocker-policy.md) + [Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). + To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **To manually refresh the AppLocker policy by using Group Policy** + 1. From a command prompt, type **gpupdate /force**, and then press ENTER. 2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this by checking the AppLocker event logs for events that include "policy applied." 
-To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information about creating a new rule for an existing policy, see: + +To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information +about creating a new rule for an existing policy, see: - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To refresh the AppLocker policy on the local computer** + - Update the rule collection by using the Local Security Policy console with one of the following procedures: + - [Edit AppLocker rules](edit-applocker-rules.md) - [Delete an AppLocker rule](delete-an-applocker-rule.md) - [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) + When finished, the policy is in effect. + To make the same change on another device, you can use any of the following methods: + - From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do this, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer. 
- **Caution**   - When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied. + + >**Caution:**  When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.   - Merge AppLocker policies. For procedures to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). -  -  diff --git a/windows/keep-secure/registry-global-object-access-auditing.md b/windows/keep-secure/registry-global-object-access-auditing.md index cf9eaa2938..087c5f60fc 100644 --- a/windows/keep-secure/registry-global-object-access-auditing.md +++ b/windows/keep-secure/registry-global-object-access-auditing.md 
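Review bot: In refresh-an-applocker-policy.md (the hunk that ends just above), the sentence "To prepare for the update and subsequent refresh, see ..." ends up with the "[Edit an AppLocker policy](edit-an-applocker-policy.md)" link twice, with an added blank line between the two copies, so the sentence is split across two paragraphs and the second paragraph starts with a bare link. Drop the duplicate and keep "see [Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](...)" on one line. The rewrapped "For information" / "about creating a new rule" sentence is split across two added lines as well; it renders as one paragraph, but joining it keeps the source consistent with the rest of the file.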
@@ -2,19 +2,24 @@ title: Registry (Global Object Access Auditing) (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Registry (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the registry of a computer. ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Registry (Global Object Access Auditing) + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Registry (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the registry of a computer. + If you select the **Configure security** check box on this policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the registry. The specified SACL is then automatically applied to every registry object type. + This policy setting must be used in combination with the **Registry** security policy setting under Object Access. For more info, see [Audit Registry](audit-registry.md). + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) -  -  + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/keep-secure/remove-computer-from-docking-station.md index fa16818895..06949c5258 100644 --- a/windows/keep-secure/remove-computer-from-docking-station.md +++ b/windows/keep-secure/remove-computer-from-docking-station.md 
@@ -2,93 +2,96 @@ title: Remove computer from docking station (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting. ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Remove computer from docking station + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Remove computer from docking station** security policy setting. + ## Reference + This security setting determines whether a user can undock a portable device from its docking station without logging on. This policy setting only affects scenarios that involve a portable computer and its docking station. + If this user right is assigned to the user’s account (or if the user is a member of the assigned group), the user must log on before removing the portable device from its docking station. Otherwise, as a security measure, the user will not be able to log on after the device is removed from the docking station. If this policy is not assigned, the user may remove the portable device from its docking station without logging on, and then have the ability to start and log on to the device afterwards in its undocked state. + Constant: SeUndockPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Assign this user right to only those accounts that are permitted to use the portable device. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + Although this portable device scenario does not normally apply to servers, by default this setting is Administrators on domain controllers and on stand-alone servers. 
+ The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      Stand-Alone Server Default Settings

      Administrators

      Domain Controller Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Anyone who has the **Remove computer from docking station** user right can log on and then remove a portable device from its docking station. If this setting is not defined, it has the same effect as if everyone was granted this right. However, the value of implementing this countermeasure is reduced by the following factors: + - If attackers can restart the device, they could remove it from the docking station after the BIOS starts but before the operating system starts. - This setting does not affect servers because they typically are not installed in docking stations. - An attacker could steal the device and the docking station together. 
- Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. + ### Countermeasure + Ensure that only the local Administrators group and the user account to which the device is allocated are assigned the **Remove computer from docking station** user right. + ### Potential impact + By default, only members of the local Administrators group are granted this right. Other user accounts must be explicitly granted this user right as necessary. If your organization's users are not members of the local Administrators groups on their portable devices, they cannot remove their portable devices from their docking stations if they do not first shut down the device. Therefore, you may want to assign the **Remove computer from docking station** privilege to the local Users group for portable devices. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/replace-a-process-level-token.md b/windows/keep-secure/replace-a-process-level-token.md index 237f74debf..0beaf15c90 100644 --- a/windows/keep-secure/replace-a-process-level-token.md +++ b/windows/keep-secure/replace-a-process-level-token.md 
@@ -2,96 +2,94 @@ title: Replace a process level token (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Replace a process level token security policy setting. ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Replace a process level token + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Replace a process level token** security policy setting. + ## Reference + This policy setting determines which parent processes can replace the access token that is associated with a child process. + Specifically, the **Replace a process level token** setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler, where the user right is extended to any processes that can be managed by Task Scheduler. + An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account that is associated with the process or thread. With this user right, every child process that runs on behalf of this user account would have its access token replaced with the process level token. + Constant: SeAssignPrimaryTokenPrivilege + ### Possible values + - User-defined list of accounts - Defaults - Not defined + ### Best practices + - For member servers, ensure that only the Local Service and Network Service accounts have the **Replace a process level token** user right. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Network Service and Local Service on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Network Service

      -

      Local Service

      Stand-Alone Server Default Settings

      Network Service

      -

      Local Service

      Domain Controller Effective Default Settings

      Network Service

      -

      Local Service

      Member Server Effective Default Settings

      Network Service

      -

      Local Service

      Client Computer Effective Default Settings

      Network Service

      -

      Local Service

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Network Service
      Local Service | +| Stand-Alone Server Default Settings | Network Service
      Local Service| +| Domain Controller Effective Default Settings | Network Service
      Local Service| +| Member Server Effective Default Settings | Network Service
      Local Service| +| Client Computer Effective Default Settings | Network Service
      Local Service|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users with the **Replace a process level token** user right can start processes as another user if they know the user’s credentials. + ### Countermeasure + For member servers, ensure that only the Local Service and Network Service accounts have the **Replace a process level token** user right. + ### Potential impact + On most computers, restricting the **Replace a process level token** user right to the Local Service and the Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Replace a process level token** user right to additional accounts. For example, IIS requires that the Service, Network Service, and IWAM\_*<ComputerName>* accounts be explicitly granted this user right. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) 
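Review bot: The Vulnerability paragraph in replace-a-process-level-token.md, carried over unchanged, says holders of the right "can start processes as another user if they know the user's credentials", while the Reference section of the same file describes the right as deciding which parent processes can replace a child process's access token through CreateProcessAsUser(). The two descriptions should agree; rewording the Vulnerability text in terms of token replacement would also make it clearer why the countermeasure limits the right to Local Service and Network Service. Two smaller points: "Defaults" under Possible values is never explained, and in Potential impact "the Service, Network Service, and IWAM_<ComputerName> accounts" should be checked, since it is unclear which account "the Service" refers to.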
diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md index 996718cd10..f1608ee829 100644 --- a/windows/keep-secure/requirements-for-deploying-applocker-policies.md +++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md @@ -2,23 +2,30 @@ title: Requirements for deploying AppLocker policies (Windows 10) description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Requirements for deploying AppLocker policies + **Applies to** - Windows 10 + This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. + The following requirements must be met or addressed before you deploy your AppLocker policies: - [Deployment plan](#bkmk-reqdepplan) - [Supported operating systems](#bkmk-reqsupportedos) - [Policy distribution mechanism](#bkmk-reqpolicydistmech) - [Event collection and analysis system](#bkmk-reqeventcollectionsystem) + ### Deployment plan + An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). + @@ -116,6 +123,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
        **Event processing policy** + @@ -153,6 +161,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
        **Policy maintenance policy** + @@ -194,15 +203,20 @@ An AppLocker policy deployment plan is the result of investigating which applica
        ### Supported operating systems + AppLocker is supported only on certain operating systems. Some features are not available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + ### Policy distribution mechanism + You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. + ### Event collection and analysis system + Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see: - [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) - [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) diff --git a/windows/keep-secure/requirements-to-use-applocker.md b/windows/keep-secure/requirements-to-use-applocker.md index db3259ce0a..f9c5f24fae 100644 --- a/windows/keep-secure/requirements-to-use-applocker.md +++ b/windows/keep-secure/requirements-to-use-applocker.md 
@@ -2,211 +2,60 @@ title: Requirements to use AppLocker (Windows 10) description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Requirements to use AppLocker + **Applies to** - Windows 10 + This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. + ## General requirements + To use AppLocker, you need: + - A device running a supported operating system to create the rules. The computer can be a domain controller. - For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules. - Devices running a supported operating system to enforce the AppLocker rules that you create. -**Note**   -You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md). + +>**Note:**  You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).   ## Operating system requirements + The following table show the on which operating systems AppLocker features are supported. - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      VersionCan be configuredCan be enforcedAvailable rulesNotes

      Windows 10

      Yes

      Yes

      Packaged apps

      -

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview.

      Windows Server 2012 R2

      Yes

      Yes

      Packaged apps

      -

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Windows 8.1

      Yes

      Yes

      Packaged apps

      -

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Only the Enterprise edition supports AppLocker

      Windows RT 8.1

      No

      No

      N/A

      Windows Server 2012 Standard

      Yes

      Yes

      Packaged apps

      -

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Windows Server 2012 Datacenter

      Yes

      Yes

      Packaged apps

      -

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Windows 8 Pro

      No

      No

      N/A

      Windows 8 Enterprise

      Yes

      Yes

      Packaged apps

      -

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Windows RT

      No

      No

      N/A

      Windows Server 2008 R2 Standard

      Yes

      Yes

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Packaged app rules will not be enforced.

      Windows Server 2008 R2 Enterprise

      Yes

      Yes

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Packaged app rules will not be enforced.

      Windows Server 2008 R2 Datacenter

      Yes

      Yes

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Packaged app rules will not be enforced.

      Windows Server 2008 R2 for Itanium-Based Systems

      Yes

      Yes

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Packaged app rules will not be enforced.

      Windows 7 Ultimate

      Yes

      Yes

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Packaged app rules will not be enforced.

      Windows 7 Enterprise

      Yes

      Yes

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      Packaged app rules will not be enforced.

      Windows 7 Professional

      Yes

      No

      Executable

      -

      Windows Installer

      -

      Script

      -

      DLL

      No AppLocker rules are enforced.

      + +| Version | Can be configured | Can be enforced | Available rules | Notes | +| - | - | - | - | - | +| Windows 10| Yes| Yes| Packaged apps
      Executable
      Windows Installer
      Script
      DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview. | +| Windows Server 2012 R2| Yes| Yes| Packaged apps
      Executable
      Windows Installer
      Script
      DLL| | +| Windows 8.1| Yes| Yes| Packaged apps
      Executable
      Windows Installer
      Script
      DLL| Only the Enterprise edition supports AppLocker| +| Windows RT 8.1| No| No| N/A|| +| Windows Server 2012 Standard| Yes| Yes| Packaged apps
      Executable
      Windows Installer
      Script
      DLL|| +| Windows Server 2012 Datacenter| Yes| Yes| Packaged apps
      Executable
      Windows Installer
      Script
      DLL|| +| Windows 8 Pro| No| No| N/A|| +| Windows 8 Enterprise| Yes| Yes| Packaged apps
      Executable
      Windows Installer
      Script
      DLL|| +| Windows RT| No| No| N/A| | +| Windows Server 2008 R2 Standard| Yes| Yes| Executable
      Windows Installer
      Script
      DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
      Windows Installer
      Script
      DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
      Windows Installer
      Script
      DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
      Windows Installer
      Script
      DLL| Packaged app rules will not be enforced.| +| Windows 7 Ultimate| Yes| Yes| Executable
      Windows Installer
      Script
      DLL| Packaged app rules will not be enforced.| +| Windows 7 Enterprise| Yes| Yes| Executable
      Windows Installer
      Script
      DLL| Packaged app rules will not be enforced.| +| Windows 7 Professional| Yes| No| Executable
      Windows Installer
      Script
      DLL| No AppLocker rules are enforced.|   + AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems. + ## See also -[Administer AppLocker](administer-applocker.md) -[Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) -[Optimize AppLocker performance](optimize-applocker-performance.md) -[Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) -[Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) -[AppLocker Design Guide](applocker-policies-design-guide.md) -  -  +- [Administer AppLocker](administer-applocker.md) +- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) +- [Optimize AppLocker performance](optimize-applocker-performance.md) +- [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) +- [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) +- [AppLocker Design Guide](applocker-policies-design-guide.md) diff --git a/windows/keep-secure/reset-account-lockout-counter-after.md b/windows/keep-secure/reset-account-lockout-counter-after.md index 04fdcce682..ebefbb2d0c 100644 --- a/windows/keep-secure/reset-account-lockout-counter-after.md +++ b/windows/keep-secure/reset-account-lockout-counter-after.md 
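Review bot: in requirements-to-use-applocker.md, the sentence that introduces the converted table is left as "The following table show the on which operating systems AppLocker features are supported.", which is garbled. Since the table directly below it is rewritten in this hunk, fix the lead-in too, for example "The following table shows the operating systems on which AppLocker features are supported." Two smaller points in the added rows: the Windows 8.1 note "Only the Enterprise edition supports AppLocker" has no closing period although the other notes do, and the AppLocker CSP link in the Windows 10 row still uses an http:// URL.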
@@ -2,76 +2,68 @@ title: Reset account lockout counter after (Windows 10) description: Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting. ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Reset account lockout counter after + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. + ## Reference + The **Reset account lockout counter after** policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If [Account lockout threshold](account-lockout-threshold.md) is set to a number greater than zero, this reset time must be less than or equal to the value of [Account lockout duration](account-lockout-duration.md). + A disadvantage to setting this too high is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through logon errors. Users may make excessive Help Desk calls. + ### Possible values + - A user-defined number of minutes from 1 through 99,999 - Not defined + ### Best practices + - You need to determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. + ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy Object (GPO)Default value

      Default domain policy

      Not defined

      Default domain controller policy

      Not defined

      Stand-alone server default settings

      Not applicable

      Domain controller effective default settings

      Not defined

      Member server effective default settings

      Not defined

      Client computer effective default settings

      Not applicable

      + +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not applicable| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not applicable|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. + ### Countermeasure + Configure the **Reset account lockout counter after** policy setting to 30. + ### Potential impact + If you do not configure this policy setting or if the value is configured to an interval that is too long, an attacker could attempt to log on to each user's account numerous times and lock out their accounts, a denial-of-service (DoS) attack might succeed, or administrators might have to manually unlock all locked-out accounts. If you configure this policy setting to a reasonable value, users can perform new attempts to log on after a failed logon within a reasonable time, without making brute force attacks feasible at high speeds. Be sure that you notify users of the values that are used for this policy setting so that they wait for the lockout timer to expire before they call the Help Desk. + ## Related topics -[Account Lockout Policy](account-lockout-policy.md) -  -  + +- [Account Lockout Policy](account-lockout-policy.md) diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/keep-secure/restore-files-and-directories.md index dc9f47c01a..b428c37092 100644 --- a/windows/keep-secure/restore-files-and-directories.md 
+++ b/windows/keep-secure/restore-files-and-directories.md 
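Review bot: in reset-account-lockout-counter-after.md, the Countermeasure line "Configure the **Reset account lockout counter after** policy setting to 30." gives no unit, although "Possible values" defines the setting in minutes; write "30 minutes". The Reference section also states that the reset time must be less than or equal to **Account lockout duration** when a lockout threshold is set, and the countermeasure would be safer to apply if it repeated that constraint. Separately, the Vulnerability section mentions only accidental self-lockout, while the deliberate lockout (denial-of-service) case appears only under "Potential impact"; consider naming it under Vulnerability as well.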
@@ -2,102 +2,97 @@ title: Restore files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting. ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Restore files and directories + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Restore files and directories** security policy setting. + ## Reference + This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories, and it determines which users can set valid security principals as the owner of an object. + Granting this user right to an account is similar to granting the account the following permissions to all files and folders on the system: + - **Traverse folder / execute file** - **Write** + Constant: SeRestorePrivilege + ### Possible values + - User-defined list of accounts - Defaults - Not Defined + ### Best practices + - Users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, so only assign this user right to trusted users. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this right is granted to the Administrators, Backup Operators, and Server Operators groups on domain controllers, and to the Administrators and Backup Operators groups on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Default Domain Controller Policy

      Administrators

      -

      Backup Operators

      -

      Server Operators

      Stand-Alone Server Default Settings

      Administrators

      -

      Backup Operators

      Domain Controller Effective Default Settings

      Administrators

      -

      Backup Operators

      -

      Server Operators

      Member Server Effective Default Settings

      Administrators

      -

      Backup Operators

      Client Computer Effective Default Settings

      Administrators

      -

      Backup Operators

      + +| Server type or GPO | Default value | +| - | - | +|Default Domain Policy | | +| Default Domain Controller Policy| Administrators
      Backup Operators
      Server Operators| +| Stand-Alone Server Default Settings | Administrators
      Backup Operators| +| Domain Controller Effective Default Settings | Administrators
      Backup Operators
      Server Operators| +| Member Server Effective Default Settings | Administrators
      Backup Operators| +| Client Computer Effective Default Settings | Administrators
      Backup Operators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker with the **Restore files and directories** user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial-of-service condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide continued access to the device -**Note**   -Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data. + +>**Note:**  Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. 
Therefore, it is critical that organizations carefully protect the media that are used to back up data.   ### Countermeasure + Ensure that only the local Administrators group is assigned the **Restore files and directories** user right unless your organization has clearly defined roles for backup and for restore personnel. + ### Potential impact + If you remove the **Restore files and directories** user right from the Backup Operators group and other accounts, users who are not members of the local Administrators group cannot load data backups. If restoring backups is delegated to a subset of IT staff in your organization, you should verify that this change does not negatively affect the ability of your organization's personnel to do their jobs. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md index 105d076374..12a5620d21 100644 --- a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md +++ b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md 
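Review bot: in restore-files-and-directories.md, the Vulnerability paragraph ends "install programs that provide continued access to the device" with no period, and the converted ">**Note:**" now follows it directly, so the missing punctuation is more visible than before; add the period. In the new default values table, the "Default Domain Policy" row has an empty value cell, whereas the table converted for reset-account-lockout-counter-after.md in this same patch spells out "Not defined". Use an explicit value here too so an empty cell is not read as a rendering fault.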
@@ -2,19 +2,26 @@ title: Run the Automatically Generate Rules wizard (Windows 10) description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Run the Automatically Generate Rules wizard + **Applies to** - Windows 10 + This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. + AppLocker allows you to automatically generate rules for all files within a folder. It will scan the specified folder and create the condition types that you choose for each file in that folder. + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local device or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + **To automatically generate rules** + 1. Open the AppLocker console. 2. Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules. 3. Click **Automatically Generate Rules**. 
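Review bot: in the paragraph just before "**To automatically generate rules**", the retained sentence "For info how to use these MMC snap-ins to administer AppLocker" is missing a word; change it to "For info about how to use these MMC snap-ins" while the spacing around that paragraph is being edited. The rest of the hunk is the ms.pagetype move and blank-line insertion only, with no content change to check.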
@@ -22,15 +29,13 @@ You can perform this task by using the Group Policy Management Console for an Ap 5. Click **Select** to choose the security group in which the default rules should be applied. By default, this is the **Everyone** group. 6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you have selected. Accept the provided name or type a different name, and then click **Next**. 7. On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then click **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). - **Note**   - The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: + + >**Note:**  The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: + - One publisher condition is created for all files that have the same publisher and product name. - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder are not signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. - One file hash condition is created that contains all of the file hashes. When rule grouping is disabled, the wizard creates a file hash rule for each file.   8. Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. 
After reviewing the rules, click **Create**. -**Note**   -If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules. -  -  -  + +>**Note:**  If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules. diff --git a/windows/keep-secure/script-rules-in-applocker.md b/windows/keep-secure/script-rules-in-applocker.md index 5f1570086a..10efd57b91 100644 --- a/windows/keep-secure/script-rules-in-applocker.md +++ b/windows/keep-secure/script-rules-in-applocker.md 
@@ -2,61 +2,35 @@ title: Script rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Script rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the script rule collection. + AppLocker defines script rules to include only the following file formats: - .ps1 - .bat - .cmd - .vbs - .js + The following table lists the default rules that are available for the script rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      PurposeNameUserRule condition type

      Allows members of the local Administrators group to run all scripts

      (Default Rule) All scripts

      BUILTIN\Administrators

      Path: *

      Allow all users to run scripts in the Windows folder

      (Default Rule) All scripts located in the Windows folder

      Everyone

      Path: %windir%\*

      Allow all users to run scripts in the Program Files folder

      (Default Rule) All scripts located in the Program Files folder

      Everyone

      Path: %programfiles%\*

      + +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *| +| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| +| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*|   ## Related topics -[Understanding AppLocker default rules](understanding-applocker-default-rules.md) -  -  + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) diff --git a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md index 768c9de4a0..a4f7e13245 100644 --- a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md 
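Review bot: in script-rules-in-applocker.md, the added table rows write the path conditions as "Path: %windir%\*" and "Path: %programfiles%\*". Inside a Markdown table cell "\*" is a backslash escape and renders as a bare asterisk, so the published rule would read "%windir%*" without the path separator. That was not a concern in the removed HTML table. Escape the backslash the way the wizard topic in this patch does ("%programfiles%\\ProgramName\\\*") or wrap the paths in code spans, and apply the same treatment to "BUILTIN\Administrators" for consistency.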
@@ -2,22 +2,28 @@ title: Advanced security audit policy settings (Windows 10) description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Advanced security audit policy settings + **Applies to** - Windows 10 + Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. + The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: + - A group administrator has modified settings or data on servers that contain finance information. - An employee within a defined group has accessed an important file. - The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access. + You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local device or by using Group Policy. + These Advanced Audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. + For more info, see [Advanced security audit policies](advanced-security-auditing.md). -  -  
diff --git a/windows/keep-secure/security-auditing-overview.md b/windows/keep-secure/security-auditing-overview.md index ee62474c85..135ebc41e5 100644 --- a/windows/keep-secure/security-auditing-overview.md +++ b/windows/keep-secure/security-auditing-overview.md @@ -2,42 +2,31 @@ title: Security auditing (Windows 10) description: Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security auditing + **Applies to** - Windows 10 + Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. + ## + Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. + For info on the changes that were added in Windows 10, see [Security auditing](../whats-new/security-auditing.md). + ## In this section - ---- - - - - - - - - - - - - - - - - -
      TopicDescription

      [Basic security audit policies](basic-security-audit-policies.md)

      Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.

      [Advanced security audit policies](advanced-security-auditing.md)

      Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.

      +| Topic | Description | +| - | - | +|[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. | +|[Advanced security audit policies](advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. |       diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md index 023305b4f1..560f73ba5a 100644 --- a/windows/keep-secure/security-considerations-for-applocker.md +++ b/windows/keep-secure/security-considerations-for-applocker.md 
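Review bot: in security-auditing-overview.md, the hunk keeps a bare "##" heading with no text between the introductory sentence and "Security auditing is one of the most powerful tools", and the added blank lines around it make the empty heading stand alone. Either remove it or give it a title. The added table cell also writes "**Security Settings\Advanced Audit Policy Configuration\System Audit Policies**" with single backslashes, while the secpol-advanced-security-audit-policy-settings.md hunk in this patch uses doubled backslashes for the same kind of path; pick one convention. The retained intro "Topics in this section are for IT professionals and describes" needs "describe".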
@@ -2,33 +2,45 @@ title: Security considerations for AppLocker (Windows 10) description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security considerations for AppLocker + **Applies to** - Windows 10 + This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. -The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for AppLocker: + +The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for +AppLocker: + AppLocker is deployed within an enterprise and administered centrally by those in IT with trusted credentials. This makes its policy creation and deployment conform to similar policy deployment processes and security restrictions. + AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. + Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. 
A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/ee460962.aspx). + AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. If the local computer is not joined to a domain and is not administered by Group Policy, a person with administrative credentials can alter the AppLocker policy. + When securing files in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it is still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy. + AppLocker does not protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe. 
+ You cannot use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. + AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker cannot control every kind of interpreted code, such as Microsoft Office macros. -**Important**   -You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. + +>**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.   AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. 
You must thoroughly examine each application before allowing them to run by using AppLocker rules. -**Note**   -Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. + +>**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded.   ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) -  -  + +- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/keep-secure/security-options.md b/windows/keep-secure/security-options.md index 1e083a249a..d8d9dbe293 100644 --- a/windows/keep-secure/security-options.md +++ b/windows/keep-secure/security-options.md 
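Review bot: In security-considerations-for-applocker.md, the intro sentence is now hard-wrapped mid-sentence ("security considerations for" / "AppLocker:"), and the items it introduces are still loose paragraphs, so a reader cannot tell where the list of considerations ends. Since this change already restructures the topic, keep the sentence on one line and turn the considerations into a bulleted list. Three points in the unchanged context are worth fixing in the same pass. First, the caveat "because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer" appears twice, once in the Group Policy paragraph and once in the Administrator/LocalSystem paragraph. State it once, and say next to it how an administrator should find such local rules, because it is the one case on this page where a local administrator's policy still takes effect alongside the GPO. Second, the 16-bit paragraph still names Windows Server 2008 R2 and Windows 7, and the POSIX paragraph names Windows NT, although the topic is marked "Applies to Windows 10". Confirm that the NTVDM.exe deny-rule guidance and the POSIX guidance apply to Windows 10, or scope them explicitly to the older versions. Third, the AppLocker cmdlets link still uses http://technet.microsoft.com; switch it to https if the target supports it.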
@@ -2,417 +2,127 @@ title: Security Options (Windows 10) description: Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting. ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security Options + **Applies to** - Windows 10 + Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting. + The **Security Options** contain the following groupings of security policy settings that allow you to configure the behavior of the local computer. Some of these policies can be included in a Group Policy Object and distributed over your organization. + If you edit policy settings locally on a device, you will affect the settings on only that one device. If you configure the settings in a Group Policy Object (GPO), the settings apply to all devices that are subject to that GPO. + For info about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md). 
+ ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [Accounts: Administrator account status](accounts-administrator-account-status.md)

      Describes the best practices, location, values, and security considerations for the Accounts: Administrator account status security policy setting.

      [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md)

      Describes the best practices, location, values, management, and security considerations for the Accounts: Block Microsoft accounts security policy setting.

      [Accounts: Guest account status](accounts-guest-account-status.md)

      Describes the best practices, location, values, and security considerations for the Accounts: Guest account status security policy setting.

      [Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)

      Describes the best practices, location, values, and security considerations for the Accounts: Limit local account use of blank passwords to console logon only security policy setting.

      [Accounts: Rename administrator account](accounts-rename-administrator-account.md)

      This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.

      [Accounts: Rename guest account](accounts-rename-guest-account.md)

      Describes the best practices, location, values, and security considerations for the Accounts: Rename guest account security policy setting.

      [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md)

      Describes the best practices, location, values, and security considerations for the Audit: Audit the access of global system objects security policy setting.

      [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md)

      Describes the best practices, location, values, and security considerations for the Audit: Audit the use of Backup and Restore privilege security policy setting.

      [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md)

      Describes the best practices, location, values, and security considerations for the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting.

      [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)

      Describes the best practices, location, values, management practices, and security considerations for the Audit: Shut down system immediately if unable to log security audits security policy setting.

      [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)

      Describes the best practices, location, values, and security considerations for the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting.

      [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)

      Describes the best practices, location, values, and security considerations for the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting.

      [Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)

      Describes the best practices, location, values, and security considerations for the Devices: Allow undock without having to log on security policy setting.

      [Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md)

      Describes the best practices, location, values, and security considerations for the Devices: Allowed to format and eject removable media security policy setting.

      [Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md)

      Describes the best practices, location, values, and security considerations for the Devices: Prevent users from installing printer drivers security policy setting.

      [Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)

      Describes the best practices, location, values, and security considerations for the Devices: Restrict CD-ROM access to locally logged-on user only security policy setting.

      [Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md)

      Describes the best practices, location, values, and security considerations for the Devices: Restrict floppy access to locally logged-on user only security policy setting.

      [Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)

      Describes the best practices, location, values, and security considerations for the Domain controller: Allow server operators to schedule tasks security policy setting.

      [Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)

      Describes the best practices, location, values, and security considerations for the Domain controller: LDAP server signing requirements security policy setting.

      [Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md)

      Describes the best practices, location, values, and security considerations for the Domain controller: Refuse machine account password changes security policy setting.

      [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)

      Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt or sign secure channel data (always) security policy setting.

      [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)

      Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt secure channel data (when possible) security policy setting.

      [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)

      Describes the best practices, location, values, and security considerations for the Domain member: Digitally sign secure channel data (when possible) security policy setting.

      [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)

      Describes the best practices, location, values, and security considerations for the Domain member: Disable machine account password changes security policy setting.

      [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)

      Describes the best practices, location, values, and security considerations for the Domain member: Maximum machine account password age security policy setting.

      [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)

      Describes the best practices, location, values, and security considerations for the Domain member: Require strong (Windows 2000 or later) session key security policy setting.

      [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)

      Describes the best practices, location, values, and security considerations for the Interactive logon: Display user information when the session is locked security policy setting.

      [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)

      Describes the best practices, location, values, and security considerations for the Interactive logon: Do not display last user name security policy setting.

      [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)

      Describes the best practices, location, values, and security considerations for the Interactive logon: Do not require CTRL+ALT+DEL security policy setting.

      [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)

      Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine account lockout threshold security policy setting.

      [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)

      Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine inactivity limit security policy setting.

      [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)

      Describes the best practices, location, values, management, and security considerations for the Interactive logon: Message text for users attempting to log on security policy setting.

      [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)

      Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Message title for users attempting to log on security policy setting.

      [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)

      Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Number of previous logons to cache (in case domain controller is not available) security policy setting.

      [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)

      Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Prompt user to change password before expiration security policy setting.

      [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)

      Describes the best practices, location, values, policy management, and security considerations for the Interactive logon: Require Domain Controller authentication to unlock workstation security policy setting.

      [Interactive logon: Require smart card](interactive-logon-require-smart-card.md)

      Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Require smart card security policy setting.

      [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md)

      Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Smart card removal behavior security policy setting.

      [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)

      Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Digitally sign communications (always) security policy setting.

      [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)

      Describes the best practices, location, values, and security considerations for the Microsoft network client: Digitally sign communications (if server agrees) security policy setting.

      [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)

      Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Send unencrypted password to third-party SMB servers security policy setting.

      [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)

      Describes the best practices, location, values, and security considerations for the Microsoft network server: Amount of idle time required before suspending session security policy setting.

      [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)

      Describes the best practices, location, values, management, and security considerations for the Microsoft network server: Attempt S4U2Self to obtain claim information security policy setting.

      [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)

      Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (always) security policy setting.

      [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)

      Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (if client agrees) security policy setting.

      [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)

      Describes the best practices, location, values, and security considerations for the Microsoft network server: Disconnect clients when logon hours expire security policy setting.

      [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)

      Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server: Server SPN target name validation level security policy setting.

      [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)

      Describes the best practices, location, values, policy management and security considerations for the Network access: Allow anonymous SID/Name translation security policy setting.

      [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)

      Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts security policy setting.

      [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)

      Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts and shares security policy setting.

      [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)

      Describes the best practices, location, values, policy management and security considerations for the Network access: Do not allow storage of passwords and credentials for network authentication security policy setting.

      [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)

      Describes the best practices, location, values, policy management and security considerations for the Network access: Let Everyone permissions apply to anonymous users security policy setting.

      [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)

      Describes the best practices, location, values, policy management and security considerations for the Network access: Named Pipes that can be accessed anonymously security policy setting.

      [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)

      Describes the best practices, location, values, policy management and security considerations for the Network access: Remotely accessible registry paths security policy setting.

      [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)

      Describes the best practices, location, values, and security considerations for the Network access: Remotely accessible registry paths and subpaths security policy setting.

      [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)

      Describes the best practices, location, values, policy management and security considerations for the Network access: Restrict anonymous access to Named Pipes and Shares security policy setting.

      [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)

      Describes the best practices, location, values, policy management and security considerations for the Network access: Shares that can be accessed anonymously security policy setting.

      [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)

      Describes the best practices, location, values, policy management and security considerations for the Network access: Sharing and security model for local accounts security policy setting.

      [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)

      Describes the location, values, policy management, and security considerations for the Network security: Allow Local System to use computer identity for NTLM security policy setting.

      [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)

      Describes the best practices, location, values, and security considerations for the Network security: Allow LocalSystem NULL session fallback security policy setting.

      [Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)

      Describes the best practices, location, and values for the Network Security: Allow PKU2U authentication requests to this computer to use online identities security policy setting.

      [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)

      Describes the best practices, location, values and security considerations for the Network security: Configure encryption types allowed for Kerberos Win7 only security policy setting.

      [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)

      Describes the best practices, location, values, policy management and security considerations for the Network security: Do not store LAN Manager hash value on next password change security policy setting.

      [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)

      Describes the best practices, location, values, policy management and security considerations for the Network security: Force logoff when logon hours expire security policy setting.

      [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)

      Describes the best practices, location, values, policy management and security considerations for the Network security: LAN Manager authentication level security policy setting.

      [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md)

      This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system.

      [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)

      Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting.

      [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)

      Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting.

      [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)

      Describes the best practices, location, values, management aspects, and security considerations for the Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication security policy setting.

      [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)

      Describes the best practices, location, values, management aspects, and security considerations for the Network security: Restrict NTLM: Add server exceptions in this domain security policy setting.

      [Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)

      Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Audit incoming NTLM traffic security policy setting.

      [Network security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)

      Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Audit NTLM authentication in this domain security policy setting.

      [Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)

      Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Incoming NTLM traffic security policy setting.

      [Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)

      Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: NTLM authentication in this domain security policy setting.

      [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)

      Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers security policy setting.

      [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)

      Describes the best practices, location, values, policy management and security considerations for the Recovery console: Allow automatic administrative logon security policy setting.

      [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)

      Describes the best practices, location, values, policy management and security considerations for the Recovery console: Allow floppy copy and access to all drives and folders security policy setting.

      [Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)

      Describes the best practices, location, values, policy management and security considerations for the Shutdown: Allow system to be shut down without having to log on security policy setting.

      [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)

      Describes the best practices, location, values, policy management and security considerations for the Shutdown: Clear virtual memory pagefile security policy setting.

      [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)

      Describes the best practices, location, values, policy management and security considerations for the System cryptography: Force strong key protection for user keys stored on the computer security policy setting.

      [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)

      This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting.

      [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)

      Describes the best practices, location, values, policy management and security considerations for the System objects: Require case insensitivity for non-Windows subsystems security policy setting.

      [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)

      Describes the best practices, location, values, policy management and security considerations for the System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting.

      [System settings: Optional subsystems](system-settings-optional-subsystems.md)

      Describes the best practices, location, values, policy management and security considerations for the System settings: Optional subsystems security policy setting.

      [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)

      Describes the best practices, location, values, policy management and security considerations for the System settings: Use certificate rules on Windows executables for Software Restriction Policies security policy setting.

      [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)

      Describes the best practices, location, values, policy management and security considerations for the User Account Control: Admin Approval Mode for the Built-in Administrator account security policy setting.

      [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)

      Describes the best practices, location, values, and security considerations for the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting.

      [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)

      Describes the best practices, location, values, policy management and security considerations for the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting.

      [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)

      Describes the best practices, location, values, policy management and security considerations for the User Account Control: Behavior of the elevation prompt for standard users security policy setting.

      [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)

      Describes the best practices, location, values, policy management and security considerations for the User Account Control: Detect application installations and prompt for elevation security policy setting.

      [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)

      Describes the best practices, location, values, policy management and security considerations for the User Account Control: Only elevate executables that are signed and validated security policy setting.

      [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)

      Describes the best practices, location, values, policy management and security considerations for the User Account Control: Only elevate UIAccess applications that are installed in secure locations security policy setting.

      [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)

      Describes the best practices, location, values, policy management and security considerations for the User Account Control: Run all administrators in Admin Approval Mode security policy setting.

      [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)

      Describes the best practices, location, values, policy management and security considerations for the User Account Control: Switch to the secure desktop when prompting for elevation security policy setting.

      [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)

      Describes the best practices, location, values, policy management and security considerations for the User Account Control: Virtualize file and registry write failures to per-user locations security policy setting.

      + +| Topic | Description | +| - | - | +| [Accounts: Administrator account status](accounts-administrator-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting.| +| [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md) | Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting.| +| [Accounts: Guest account status](accounts-guest-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting.| +| [Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting. 
| +| [Accounts: Rename administrator account](accounts-rename-administrator-account.md)| This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.| +| [Accounts: Rename guest account](accounts-rename-guest-account.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting.| +| [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting.| +| [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting.| +| [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md) | Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting. | +| [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)| Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting. 
| +| [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)| Describes the best practices, location, values, and security considerations for the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. | +| [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)| Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. | +| [Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)| Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting.| +| [Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md) | Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting.| +| [Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md) | Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting.| +| [Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md) | Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. 
| +| [Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md)| Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. | +| [Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)| Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting. | +| [Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)| Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. | +| [Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md) | Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting.| +| [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) | Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. | +| [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. 
| +| [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting.| +| [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting. +| [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) |Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting.| +|[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. | +| [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. 
| +| [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting.| +| [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting.| +| [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.| +| [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.| +| [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. | +| [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. 
| +| [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. | +| [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. | +| [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. 
| +| [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.| +| [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.| +| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. | +| [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. | +| [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. | +| [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. 
| +| [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. | +| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting.| +| [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. | +| [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. | +| [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. 
| +| [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.| +| [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. | +| [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. | +| [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. | +| [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonmous-users.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. 
| +| [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. | +| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.| +| [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. | +| [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. | +| [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. | +| [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. 
| +| [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. | +| [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)| Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting.| +| [Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)| Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. | +| [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)| Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. | +| [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. 
| +| [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. | +| [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting.| +| [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md) | This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. | +| [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. | +| [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. 
| +| [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting. | +| [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting. | +| [Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting. | +| [Network security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** security policy setting. | +| [Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting. 
| +| [Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting. | +| [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. | +| [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. | +| [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. | +| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. 
| +| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.| +| [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. | +| [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. | +| [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)| Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. | +| [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)| Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting. 
| +| [System settings: Optional subsystems](system-settings-optional-subsystems.md) | Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting.| +| [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)| Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. | +| [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. | +| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)| Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. | +| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. 
| +| [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. | +| [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. | +| [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. | +| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. | +| [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. 
| +| [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. | +| [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. |   ## Related topics -[Security policy settings reference](security-policy-settings-reference.md) -[Security policy settings](security-policy-settings.md) -  -  + +- [Security policy settings reference](security-policy-settings-reference.md) +- [Security policy settings](security-policy-settings.md) diff --git a/windows/keep-secure/security-policy-settings-reference.md b/windows/keep-secure/security-policy-settings-reference.md index 83e2f87051..06c6b96d8d 100644 --- a/windows/keep-secure/security-policy-settings-reference.md +++ b/windows/keep-secure/security-policy-settings-reference.md 
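Review bot: In the added Security Options rows (security-options.md), the link text for the shutdown setting reads "Shutdown: Allow system to be shut down without having to lg on". The link target and the bold setting name in the same row both say "log on", so the visible link text should be corrected to "log on". The "System cryptography: Use FIPS compliant algorithms" row also departs from the other rows: its description begins "This security policy reference topic for the IT professional describes" and never names the setting in bold, so consider rewording it to match its neighbours. Casing is inconsistent as well: several Restrict NTLM rows use "Network security:" in the link text but "Network Security:" in the bold name.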
@@ -2,53 +2,32 @@ title: Security policy settings reference (Windows 10) description: This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security policy settings reference + **Applies to** - Windows 10 + This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. + This reference focuses on those settings that are considered security settings. This reference examines only the settings and features in the Windows operating systems that can help organizations secure their enterprises against malicious software threats. Management features and those security features that you cannot configure are not described in this reference. + Each policy setting described contains referential content such as a detailed explanation of the settings, best practices, default settings, differences between operating system versions, policy management considerations, and security considerations that include a discussion of vulnerability, countermeasures, and potential impact of those countermeasures. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [Account Policies](account-policies.md)

      An overview of account policies in Windows and provides links to policy descriptions.

      [Audit Policy](audit-policy.md)

      Provides information about basic audit policies that are available in Windows and links to information about each setting.

      [Security Options](security-options.md)

      Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting.

      [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md)

      Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.

      [User Rights Assignment](user-rights-assignment.md)

      Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.

      -  + +| Topic | Description | +| - | - | +| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.| +| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.| +| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.| +| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.| +| [User Rights Assignment](user-rights-assignment.md) | Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.  |     diff --git a/windows/keep-secure/security-policy-settings.md b/windows/keep-secure/security-policy-settings.md index fb4adf5d9d..1551485d7e 100644 --- a/windows/keep-secure/security-policy-settings.md +++ b/windows/keep-secure/security-policy-settings.md 
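Review bot: In the new Markdown table in security-policy-settings-reference.md, two cell descriptions were copied unchanged from the removed HTML table and still read badly. The User Rights Assignment cell says "the User Rights Assignment security policy settings user rights that are available in Windows", which duplicates "user rights". The Account Policies cell, "An overview of account policies in Windows and provides links to policy descriptions", has no verb in its first clause, whereas the other rows start with "Provides". Since every row is being rewritten anyway, suggest "Provides an overview of account policies in Windows and links to policy descriptions" and dropping the stray "user rights".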
@@ -2,111 +2,191 @@ title: Security policy settings (Windows 10) description: This reference topic describes the common scenarios, architecture, and processes for security settings. ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security policy settings + **Applies to** - Windows 10 + This reference topic describes the common scenarios, architecture, and processes for security settings. + Security policy settings are rules that administrators configure on a computer or multiple devices for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable you to manage security settings for multiple devices from any device joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. + Security settings can control: + - User authentication to a network or device. - The resources that users are permitted to access. - Whether to record a user’s or group’s actions in the event log. - Membership in a group. + To manage security configurations for multiple devices, you can use one of the following options: + - Edit specific security settings in a GPO. - Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security. 
+ For more info about managing security configurations, see [Administer security policy settings](administer-security-policy-settings.md). + The Security Settings extension of the Local Group Policy Editor includes the following types of security policies: + - **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies: + - **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts. - **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts. - **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement. + - **Local Policies.** These policies apply to a computer and include the following types of policy settings: + - **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both). - **Note**   - For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies. + + >**Note:**  For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.   
- **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on. + - **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network. - **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. - **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings. - **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site. - **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files. - **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. -- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies. +- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. 
The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under +Local Policies. + ## Policy-based security settings management + The Security Settings extension to Group Policy provides an integrated policy-based management infrastructure to help you manage and enforce your security policies. + You can define and apply security settings policies to users, groups, and network servers and clients through Group Policy and Active Directory Domain Services (AD DS). A group of servers with the same functionality can be created (for example, a Microsoft Web (IIS) server), and then Group Policy Objects can be used to apply common security settings to the group. If more servers are added to this group later, many of the common security settings are automatically applied, reducing deployment and administrative labor. + ### Common scenarios for using security settings policies + Security settings policies are used to manage the following aspects of security: accounts policy, local policy, user rights assignment, registry values, file and registry Access Control Lists (ACLs), service startup modes, and more. + As part of your security strategy, you can create GPOs with security settings policies configured specifically for the various roles in your organization, such as domain controllers, file servers, member servers, clients, and so on. + You can create an organizational unit (OU) structure that groups devices according to their roles. Using OUs is the best method for separating specific security requirements for the different roles in your network. This approach also allows you to apply customized security templates to each class of server or computer. After creating the security templates, you create a new GPO for each of the OUs, and then import the security template (.inf file) into the new GPO. 
-Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred. -**Note**   -These refresh settings vary between versions of the operating system and can be configured. + +Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random +offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred. + +>**Note:**  These refresh settings vary between versions of the operating system and can be configured.   By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future. 
+ ### Dependencies on other operating system technologies + For devices that are members of a Windows Server 2008 or later domain, security settings policies depend on the following technologies: + - **Active Directory Domain Services (AD DS)** + The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon. + - **Group Policy** + The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security. + - **Domain Name System (DNS)** + A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses. + - **Winlogon** + A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers. + - **Setup** + Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server. + - **Security Accounts Manager (SAM)** + A Windows service used during the logon process. 
SAM maintains user account information, including groups to which a user belongs. + - **Local Security Authority (LSA)** + A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. + - **Windows Management Instrumentation (WMI)** + A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers. + - **Resultant Set of Policy (RSoP)** + An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device. + - **Service Control Manager (SCM)** + Used for configuration of service startup modes and security. + - **Registry** + Used for configuration of registry values and security. + - **File system** + Used for configuration of security. + - **File system conversions** + Security is set when an administrator converts a file system from FAT to NTFS. + - **Microsoft Management Console (MMC)** + The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in. 
+ ### Security settings policies and Group Policy + The Security Settings extension of the Local Group Policy Editor is part of the Security Configuration Manager tool set. The following components are associated with Security Settings: a configuration engine; an analysis engine; a template and database interface layer; setup integration logic; and the secedit.exe command-line tool. The security configuration engine is responsible for handling security configuration editor-related security requests for the system on which it runs. The analysis engine analyzes system security for a given configuration and saves the result. The template and database interface layer handles reading and writing requests from and to the template or database (for internal storage). The Security Settings extension of the Local Group Policy Editor handles Group Policy from a domain-based or local device. The security configuration logic integrates with setup and manages system security for a clean installation or upgrade to a more recent Windows operating system. Security information is stored in templates (.inf files) or in the Secedit.sdb database. + The following diagram shows Security Settings and related features. + **Security Settings Policies and Related Features** + ![components related to security policies](images/secpol-components.gif) + - **Scesrv.dll** + Provides the core security engine functionality. + - **Scecli.dll** + Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP). + - **Wsecedit.dll** + The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface. + - **Gpedit.dll** + The Local Group Policy Editor MMC snap-in. + ## Security Settings extension architecture + The Security Settings extension of the Local Group Policy Editor is part of the Security Configuration Manager tools, as shown in the following diagram. 
+ **Security Settings Architecture** + ![architecture of security policy settings](images/secpol-architecture.gif) + The security settings configuration and analysis tools include a security configuration engine, which provides local computer (non-domain member) and Group Policy−based configuration and analysis of security settings policies. The security configuration engine also supports the creation of security policy files. The primary features of the security configuration engine are scecli.dll and scesrv.dll. + The following list describes these primary features of the security configuration engine and other Security Settings−related features. + - **scesrv.dll** + This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation. + Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry. + Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not. + Communication between parts of the Security Settings extension occurs by using the following methods: + - Component Object Model (COM) calls - Local Remote Procedure Call (LRPC) - Lightweight Directory Access Protocol (LDAP) 
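Review bot: Two added lines in this hunk of security-policy-settings.md pick up hard line breaks in the middle of a sentence that the removed versions did not have: the Advanced Audit Policy Configuration bullet now ends "...the Audit Policy settings under" and continues on a new line with "Local Policies.", and the refresh paragraph breaks at "(with a random" / "offset of at most 30 minutes)". These look like accidental wraps from the editor rather than intended changes, and the first one puts a column-0 continuation line inside a list item; please rejoin each sentence onto one line. While touching the converted note, "we recommend to use the settings under Advanced Audit Policy Configuration" would read better as "we recommend that you use".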
@@ -114,146 +194,204 @@ The following list describes these primary features of the security configuratio - Server Message Block (SMB) - Win32 APIs - Windows Management Instrumentation (WMI) calls + On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs. Scesrv.dll also performs configuration and analysis operations. + - **Scecli.dll** + This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files. + The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll. + Scecli.dll implements the client-side extension for Group Policy. + Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device. + Scecli.dll logs application of security policy into WMI (RSoP). + Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA. + - **Wsecedit.dll** + The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO. + - **Secedit.sdb** + This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes. + - **User databases** + A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security. 
+ - **.Inf Templates** - These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation. + + These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into + the system database during policy propagation. + ## Security settings policy processes and interactions + For a domain-joined device, where Group Policy is administered, security settings are processed in conjunction with Group Policy. Not all settings are configurable. + ### Group Policy processing + When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence: + 1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start. 2. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors: + - Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory. - The location of the device in Active Directory. - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + 3. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed. 4. Startup scripts run. 
This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior. 5. The user presses CTRL+ALT+DEL to log on. 6. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect. 7. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors: + - Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory. - Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting. - The location of the user in Active Directory. - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + 8. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed. 9. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last. 10. The operating system user interface that is prescribed by Group Policy appears. + ### Group Policy Objects storage + A Group Policy Object (GPO) is a virtual object that is identified by a Globally Unique Identifier (GUID) and stored at the domain level. The policy setting information of a GPO is stored in the following two locations: + - **Group Policy containers in Active Directory.** + The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings. 
+ - **Group Policy templates in a domain’s system volume folder (SYSVOL).** + The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the domain\\Policies subfolder. + The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GPO list, including the version number of the GPO, a pointer to a string that indicates the Active Directory portion of the GPO, and a pointer to a string that specifies the path to the file system portion of the GPO. + ### Group Policy processing order + Group Policy settings are processed in the following order: + 1. **Local Group Policy Object.** + Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally. + 2. **Site.** + Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify. + 3. **Domain.** + Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy. + 4. **Organizational units.** + Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed. + At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy Objects can be linked. If several Group Policy Objects are linked to an organizational unit, their processing is synchronous and in an order that you specify. 
+ This order means that the local Group Policy Object is processed first, and Group Policy Objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy Objects. + This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked. + ### Security settings policy processing + In the context of Group Policy processing, security settings policy is processed in the following order. + 1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply. 2. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension. 3. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller. 4. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the “Group Policy processing order” section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged. + This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. 
This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs. + **Multiple GPOs and Merging of Security Policy** + ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif) + 5. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb. 6. The security settings policies are applied to devices. The following figure illustrates the security settings policy processing. + **Security Settings Policy Processing** + ![process and interactions of security policy settin](images/secpol-processes.gif) + ### Merging of security policies on domain controllers + Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged: + - Network Security: Force logoff when logon hours expire - Accounts: Administrator account status - Accounts: Guest account status - Accounts: Rename administrator account - Accounts: Rename guest account + Another mechanism exists that allows security policy changes made by administrators by using net accounts to be merged into the Default Domain Policy GPO. User rights changes that are made by using Local Security Authority (LSA) APIs are filtered into the Default Domain Controllers Policy GPO. 
+ ### Special considerations for domain controllers + If an application is installed on a primary domain controller (PDC) with operations master role (also known as flexible single master operations or FSMO) and the application makes changes to user rights or password policy, these changes must be communicated to ensure that synchronization across domain controllers occurs. Scesrv.dll receives a notification of any changes made to the security account manager (SAM) and LSA that need to be synchronized across domain controllers and then incorporates the changes into the Default Domain Controller Policy GPO by using scecli.dll template modification APIs. + ### When security settings are applied + After you have edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances: + - When a device is restarted. - Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable. - By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed. + ### Persistence of security settings policy + Security settings can persist even if a setting is no longer defined in the policy that originally applied it. + Security settings might persist in the following cases: + - The setting has not been previously defined for the device. - The setting is for a registry security object. - The settings are for a file system security object. -All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. 
If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. This behavior is sometimes referred to as “tattooing.” + +All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. +This behavior is sometimes referred to as “tattooing.” + Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values. + ### Permissions required for policy to apply + Both Apply Group Policy and Read permissions are required to have the settings from a Group Policy Object apply to users or groups, and computers. + ### Filtering security policy + By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU. 
-**Note**   -Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it. + +**Note:**  Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.   ### Migration of GPOs containing security settings + In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings. + Data for a single GPO is stored in multiple locations and in various formats; some data is contained in Active Directory and other data is stored on the SYSVOL share on the domain controllers. Certain policy data might be valid in one domain but might be invalid in the domain to which the GPO is being copied. For example, Security Identifiers (SIDs) stored in security policy settings are often domain-specific. So copying GPOs is not as simple as taking a folder and copying it from one device to another. + The following security policies can contain security principals and might require some additional work to successfully move them from one domain to another. + - User rights assignment - Restricted groups - Services - File system - Registry - The GPO DACL, if you choose to preserve it during a copy operation + To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs. 
+ ## In this section - ---- - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [Administer security policy settings](administer-security-policy-settings.md)

      This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.

      [Configure security policy settings](how-to-configure-security-policy-settings.md)

      Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.

      [Security policy settings reference](security-policy-settings-reference.md)

      This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.

      -  -  -  + +| Topic | Description | +| - | - | +| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.| +| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.| +| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.| diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md index b1beb54dd3..7d54d652f2 100644 --- a/windows/keep-secure/security-technologies.md +++ b/windows/keep-secure/security-technologies.md @@ -2,64 +2,14 @@ title: Security technologies (Windows 10) description: Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. ms.assetid: BFE2DE22-B0CE-465B-8CF6-28F64464DF08 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Security technologies -<<<<<<< HEAD -Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. -## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [AppLocker](applocker-overview.md)

      This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

      [BitLocker](bitlocker-overview.md)

      This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.

      [Encrypted Hard Drive](encrypted-hard-drive.md)

      Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.

      [Security auditing](security-auditing-overview.md)

      Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.

      [Security policy settings](security-policy-settings.md)

      This reference topic describes the common scenarios, architecture, and processes for security settings.

      [Trusted Platform Module](trusted-platform-module-overview.md)

      This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.

      [User Account Control](user-account-control-overview.md)

      User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.

      [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

      This topic provides an overview of Windows Defender, including a list of system requirements and new features.

      -  -======= Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. @@ -75,6 +25,5 @@ Learn more about the different security technologies that are available in Windo | [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| | [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| This topic provides an overview of Windows Defender, including a list of system requirements and new features.| ->>>>>>> master     diff --git a/windows/keep-secure/select-types-of-rules-to-create.md b/windows/keep-secure/select-types-of-rules-to-create.md index 7f3a82de40..6e92663943 100644 --- a/windows/keep-secure/select-types-of-rules-to-create.md +++ b/windows/keep-secure/select-types-of-rules-to-create.md 
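Review bot: in windows/keep-secure/security-policy-settings.md, the Domain item under "Group Policy processing order" still reads "in an order you speciy." and the alt text of the second figure is cut off at "security policy settin". This hunk reflows both passages, so correct them to "specify" and "settings" in the same change.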
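Review bot: in windows/keep-secure/security-technologies.md, the deleted `<<<<<<< HEAD`, `=======` and `>>>>>>> master` lines show that an unresolved merge reached the published topic, and the resolution drops the whole HEAD-side table. Only the last two rows of the kept table (Windows Defender Advanced Threat Protection and Windows Defender in Windows 10) are visible as context, so confirm that every topic the removed table linked, from AppLocker through User Account Control, still appears in it. A pre-merge check that rejects files containing conflict markers would stop this from recurring.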
@@ -2,77 +2,71 @@ title: Select the types of rules to create (Windows 10) description: This topic lists resources you can use when selecting your application control policy rules by using AppLocker. ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Select the types of rules to create + **Applies to** - Windows 10 + This topic lists resources you can use when selecting your application control policy rules by using AppLocker. + When determining what types of rules to create for each of your groups, you should also determine what enforcement setting to use for each group. Different rule types are more applicable for some apps, depending on the way that the applications are deployed in a specific business group. + The following topics provide additional information about AppLocker rules that can help you decide what rules to use for your applications: + - [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) - [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) - [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) - [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) - [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + ### Select the rule collection + The rules you create will be in one of the following rule collections: + - Executable files: .exe and .com - Windows Installer files: .msi, .msp, and .mst - Scripts: .ps1, .bat, .cmd, .vbs, and .js - Packaged apps and packaged app installers: .appx - DLLs: .dll and .ocx + By default, the rules will allow a file to run based upon user or group privilege. 
If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. The DLL rule collection is not enabled by default. + In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is C:\\Program Files\\Woodgrove\\Teller.exe, and this app needs to be included in a rule. In addition, because this rule is part of a list of allowed applications, all the Windows files under C:\\Windows must be included as well. + ### Determine the rule condition + A rule condition is criteria upon which an AppLocker rule is based and can only be one of the rule conditions in the following table. - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
      Rule conditionUsage scenarioResources

      Publisher

      To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released.

      For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).

      Path

      Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).

      For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).

      File hash

      Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.

      For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md).

      + +| Rule condition | Usage scenario | Resources | +| - | - | - | +| Publisher | To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released.|For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). +| Path| Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).| For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). | +| File hash | Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.| For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). |   In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is signed and is located at C:\\Program Files\\Woodgrove\\Teller.exe. Therefore, the rule can be defined with a publisher condition. If the rule is defined to a specific version and above (for example, Teller.exe version 8.0 and above), then this will allow any updates to this app to occur without interruption of access to the users if the app's name and signed attributes stay the same. + ### Determine how to allow system files to run + Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. 
AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. + You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: + - Traverse Folder/Execute File - Create Files/Write Data - Create Folders/Append Data + These permissions settings are applied to this folder for application compatibility. However, because any user can create files in this location, allowing apps to be run from this location might conflict with your organization's security policy. + ## Next steps + After you have selected the types of rules to create, record your findings as explained in [Document your AppLocker rules](document-your-applocker-rules.md). + After recording your findings for the AppLocker rules to create, you will need to consider how to enforce the rules. 
For info about how to do this, see [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). -  -  diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/keep-secure/shut-down-the-system.md index fc101c8428..e07bf9633a 100644 --- a/windows/keep-secure/shut-down-the-system.md +++ b/windows/keep-secure/shut-down-the-system.md 
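Review bot: in windows/keep-secure/select-types-of-rules-to-create.md, the new Publisher row of the rule condition table ends after the link to understanding-the-publisher-rule-condition-in-applocker.md with no closing `|`, while the Path and File hash rows are closed. Add the trailing pipe so all three rows are delimited the same way and the Resources cell cannot be misparsed.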
@@ -2,105 +2,101 @@ title: Shut down the system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting. ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Shut down the system + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Shut down the system** security policy setting. + ## Reference + This security setting determines if a user who is logged on locally to a device can shut down Windows. + Shutting down domain controllers makes them unavailable to perform functions such as processing logon requests, processing Group Policy settings, and answering Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles (also known as flexible single master operations or FSMO roles) can disable key domain functionality; for example, processing logon requests for new passwords, which is performed by the primary domain controller (PDC) emulator master. + The **Shut down the system** user right is required to enable hibernation support, to set the power management settings, and to cancela shutdown. + Constant: SeShutdownPrivilege + ### Possible values + - A user-defined list of accounts - Defaults - Not defined + ### Best practices + 1. Ensure that only Administrators and Backup Operators have the **Shut down the system** user right on member servers, and that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks will not be negatively affected. 2. 
The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Even though a system shutdown requires the ability to log on to the server, you should be very careful about the accounts and groups that you allow to shut down a domain controller. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators, Backup Operators, Server Operators, and Print Operators on domain controllers, and Administrators and Backup Operators on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      -

      Backup Operators

      -

      Server Operators

      -

      Print Operators

      Stand-Alone Server Default Settings

      Administrators

      -

      Backup Operators

      Domain Controller Effective Default Settings

      Administrators

      -

      Backup Operators

      -

      Server Operators

      -

      Print Operators

      Member Server Effective Default Settings

      Administrators

      -

      Backup Operators

      Client Computer Effective Default Settings

      Administrators

      -

      Backup Operators

      -

      Users

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Administrators
      Backup Operators
      Server Operators
      Print Operators| +| Stand-Alone Server Default Settings | Administrators
      Backup Operators| +| Domain Controller Effective Default Settings | Administrators
      Backup Operators
      Server Operators
      Print Operators| +| Member Server Effective Default Settings | Administrators
      Backup Operators| +| Client Computer Effective Default Settings | Administrators
      Backup Operators
      Users|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the computer is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + This user right does not have the same effect as **Force shutdown from a remote system**. For more information, see [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md). + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be very careful about which accounts and groups you allow to shut down a domain controller. + When a domain controller is shut down, it is no longer available to process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that possess operations master roles, you can disable key domain functionality, such as processing logon requests for new passwords, which is performed by the PDC master. 
+ For other server roles, especially those where non-administrators have rights to log on to the server (such as RD Session Host servers), it is critical that this user right be removed from users that do not have a legitimate reason to restart the servers. + ### Countermeasure + Ensure that only the Administrators and Backup Operators groups are assigned the **Shut down the system** user right on member servers, and ensure that only the Administrators group is assigned the user right on domain controllers. + ### Potential impact + The impact of removing these default groups from the **Shut down the system** user right could limit the delegated abilities of assigned roles in your environment. You should confirm that delegated activities are not adversely affected. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index ad159693ce..a480adae03 100644 --- a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md 
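Review bot: in windows/keep-secure/shut-down-the-system.md, the Reference paragraph reads "to cancela shutdown", and the Vulnerability section says "PDC master" where Reference says "primary domain controller (PDC) emulator master". Fix the typo and use one name for the role while the file is being reformatted, so the two descriptions of the same domain controller risk read consistently.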
@@ -2,87 +2,90 @@ title: Shutdown Allow system to be shut down without having to log on (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Allow system to be shut down without having to log on security policy setting. ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Shutdown: Allow system to be shut down without having to log on + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. + ## Reference + This policy setting determines whether a device can be shut down without having to log on to Windows. If you enable this policy setting, the **Shut Down** option is available on the logon screen in Windows. If you disable this policy setting, the **Shut Down** option is removed from the logon screen. This configuration requires that users are able to log on to the device successfully and that they have the **Shut down the system** user right before they can perform a shutdown. -Users who can access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service condition by walking up to the local console and restarting the server, or shutting down the server and thus rendering unavailable all its applications and services. + +Users who can access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. 
A malicious user might also cause a temporary denial-of-service +condition by walking up to the local console and restarting the server, or shutting down the server and thus rendering unavailable all its applications and services. ### Possible values + - Enabled + The shut down command is available on the logon screen. + - Disabled + The shut down option is removed from the logon screen and users must have the **Shut down the system** user right before they can perform a shutdown. + - Not defined + ### Best practices + 1. On servers, set this policy to **Disabled**. You must log on to servers to shut them down or restart them. 2. On client devices, set this policy to **Enabled** and define the list of those with the right to shut them down or restart them with the User Rights Assignment policy **Shut down the system**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + For info about the User Rights Assignment policy, **Shut down the system**, see [Shut down the system](shut-down-the-system.md). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can access the console locally could shut down the device + Attackers who have access to the local console could restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. + ### Countermeasure + Disable the **Shutdown: Allow system to be shut down without having to log on** setting. + ### Potential impact + You must log on to servers to shut them down or restart them. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md index 042254e9c7..1e23676be3 100644 --- a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md 
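Review bot: in shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md, the rewritten Reference paragraph now breaks in the middle of a sentence: one added line ends at "A malicious user might also cause a temporary denial-of-service" and the next added line starts with "condition by walking up to the local console". The removed version was a single line, so this reads as an editor wrap rather than an intended change; join the two added lines back into one. While the section is open, the first sentence under Vulnerability ("Users who can access the console locally could shut down the device") has no closing period.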
@@ -2,85 +2,82 @@ title: Shutdown Clear virtual memory pagefile (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting. ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Shutdown: Clear virtual memory pagefile + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting. + ## Reference + This policy setting determines whether the virtual memory paging file is cleared when the device is shut down. Virtual memory support uses a system paging file to swap pages of memory to disk when they are not used. On a running device, this paging file is opened exclusively by the operating system, and it is well protected. However, devices that are configured to allow other operating systems to start should verify that the system paging file is cleared as the device shuts down. This confirmation ensures that sensitive information from process memory that might be placed in the paging file is not available to an unauthorized user who manages to directly access the paging file after shutdown. + Important information that is kept in real memory might be written periodically to the paging file. This helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This is a time-consuming process, but it can expose data that is cached from RAM to the paging file. 
A malicious user who has physical access to the server can bypass this countermeasure by simply unplugging the server from its power source. + ### Possible values + - Enabled + The system paging file is cleared when the system shuts down normally. Also, this policy setting forces the computer to clear the hibernation file (hiberfil.sys) when hibernation is disabled on a portable device. + - Disabled - Not defined + ### Best practices + - Set this policy to **Enabled**. This causes Windows to clear the paging file when the system is shut down. Depending on the size of the paging file, this process might take several minutes before the system completely shuts down. This delay in shutting down the server is especially noticeable on servers with large paging files. For a server with 2 gigabytes (GB) of RAM and a 2-GB paging file, this setting can add more than 30 minutes to the shutdown process. For some organizations, this downtime violates their internal service level agreements. Use caution when implementing this countermeasure in your environment. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Important information that is kept in real memory may be written periodically to the paging file to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different device and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file. -**Caution**   -An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source. + +>**Caution:**  An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source.   ### Countermeasure + Enable the **Shutdown: Clear virtual memory page file** setting. This configuration causes the operating system to clear the paging file when the device is shut down. The amount of time that is required to complete this process depends on the size of the page file. 
Because the process overwrites the storage area that is used by the page file several times, it could be several minutes before the device completely shuts down. + ### Potential impact + It takes longer to shut down and restart the device, especially on devices with large paging files. For a device with 2 gigabytes (GB) of RAM and a 2-GB paging file, this policy setting could increase the shutdown process by more than 30 minutes. For some organizations this downtime violates their internal service level agreements. Therefore, use caution before you implement this countermeasure in your environment. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/store-passwords-using-reversible-encryption.md b/windows/keep-secure/store-passwords-using-reversible-encryption.md index 1d0ae2465b..386e132579 100644 --- a/windows/keep-secure/store-passwords-using-reversible-encryption.md +++ b/windows/keep-secure/store-passwords-using-reversible-encryption.md 
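Review bot: in shutdown-clear-virtual-memory-pagefile.md, the line that holds only non-breaking spaces is left as context directly under the last added table row ("| Client Computer Effective Default Settings | Disabled|"), with no blank line between them. That line is not blank, so a Markdown table parser can treat it as one more row of the table; the same leftover also sits directly under the new ">**Caution:**" blockquote line. The hunk already deletes the two such lines at the end of Related topics, so delete these as well, or at least put a blank line ahead of them. Separately, the Countermeasure text names the setting "Shutdown: Clear virtual memory page file" while the title and introduction use "pagefile"; pick one spelling for the setting name.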
@@ -2,80 +2,71 @@ title: Store passwords using reversible encryption (Windows 10) description: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting. ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Store passwords using reversible encryption + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting. + ## Reference + The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then log on to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information. -If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting. + +If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. 
Digest Authentication in Internet +Information Services (IIS) also requires that you enable this policy setting. + ### Possible values - Enabled - Disabled - Not defined + ### Best practices + Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers. -**Note**   -Do not enable this policy setting unless business requirements outweigh the need to protect password information. + +>**Note:**  Do not enable this policy setting unless business requirements outweigh the need to protect password information.   ### Location + **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** + ### Default values + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or Group Policy Object (GPO)Default value

      Default domain policy

      Disabled

      Default domain controller policy

      Disabled

      Stand-alone server default settings

      Disabled

      Domain controller effective default settings

      Disabled

      Member server effective default settings

      Disabled

      Effective GPO default settings on client computers

      Disabled

      + +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Disabled| +| Default domain controller policy| Disabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers | Disabled|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Enabling this policy setting allows the operating system to store passwords in a format that can weaken your overall security. + ### Countermeasure + Disable the **Store password using reversible encryption** policy setting. + ### Potential impact + If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers. + ## Related topics -[Password Policy](password-policy.md) -  -  + +- [Password Policy](password-policy.md) diff --git a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md index ea019eb343..dddb84f0a2 100644 --- a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md @@ -10,6 +10,7 @@ author: brianlic-msft --- # Switch PCR banks on TPM 2.0 devices + **Applies to** - Windows 10 diff --git a/windows/keep-secure/synchronize-directory-service-data.md b/windows/keep-secure/synchronize-directory-service-data.md index 4554452349..853573d001 100644 
--- a/windows/keep-secure/synchronize-directory-service-data.md +++ b/windows/keep-secure/synchronize-directory-service-data.md @@ -2,88 +2,89 @@ title: Synchronize directory service data (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Synchronize directory service data security policy setting. ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Synchronize directory service data + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Synchronize directory service data** security policy setting. + ## Reference + This policy setting determines which users and groups have authority to synchronize all directory service data, regardless of the protection for objects and properties. This privilege is required to use LDAP directory synchronization (dirsync) services. Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. + Constant: SeSyncAgentPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - Ensure that no accounts are assigned the **Synchronize directory service data** user right. Only domain controllers need this privilege, which they inherently have. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is not defined on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      Domain Controller Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The **Synchronize directory service data** user right affects domain controllers (only domain controllers should be able to synchronize directory service data). Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. Attackers who have this user right can view all information that is stored within the directory. They could then use some of that information to facilitate additional attacks or expose sensitive data, such as direct telephone numbers or physical addresses. 
+ ### Countermeasure + Ensure that no accounts are assigned the **Synchronize directory service data** user right. + ### Potential impact + None. Not defined is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index 811570c873..c72f3b1385 100644 --- a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md 
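Review bot: in synchronize-directory-service-data.md, the converted default-values table lists "Enabled" for Domain Controller Effective Default Settings and "Disabled" for the member server and client rows, but this is a user right whose Possible values are a user-defined list of accounts or Not defined, and the sentence just above the table says the setting is not defined on domain controllers by default. The values were carried over unchanged from the removed HTML table; since the table is being rewritten here, confirm the effective defaults and state them in terms of accounts or "Not defined". The Potential impact line ("Not defined is the default configuration") should agree with whatever the table ends up saying, because readers use this table to decide whether any account holds SeSyncAgentPrivilege by default.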
@@ -2,82 +2,78 @@ title: System cryptography Force strong key protection for user keys stored on the computer (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System cryptography Force strong key protection for user keys stored on the computer security policy setting. ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System cryptography: Force strong key protection for user keys stored on the computer + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. + ## Reference + This policy setting determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password. + Configuring this policy setting so that users must provide a password every time they use a key (in addition to their domain password) makes it more difficult for a malicious user to access locally-stored user keys, even if the attacker takes control of the user's device and determines their logon password. + ### Possible values + - **User input is not required when new keys are stored and used** - **User is prompted when the key is first used** - **User must enter a password each time they use a key** - Not defined + ### Best practices + - Set this policy to **User must enter a password each time they use a key**. Users must enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their email, they will be forced to enter the password for that certificate every time they send a signed email message. 
For some organizations, the overhead that is caused by using this value might be too high, but they should set the value at a minimum to **User is prompted when the key is first used**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Not defined

      DC Effective Default Settings

      Not defined

      Member Server Effective Default Settings

      Not defined

      Client Computer Effective Default Settings

      Not defined

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings| Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If a user's account is compromised or the user's device is inadvertently left unsecured, the malicious user can use the keys that are stored for the user to access protected resources. + ### Countermeasure + Configure the **System cryptography: Force strong key protection for user keys stored on the computer** setting to **User must enter a password each time they use a key** so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines the logon password. + ### Potential impact + Users must type their password every time they access a key that is stored on their device. For example, if users use an S/MIME certificate to digitally sign their email, they are forced to type the password for that certificate every time they send a signed email message. For some organizations, the overhead that is involved by using this configuration may be too high. 
At a minimum, this setting should be set to **User is prompted when the key is first used**. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index b762727564..f7137a0c09 100644 --- a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md 
@@ -2,125 +2,112 @@ title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing + **Applies to** - Windows 10 + This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. + ## Reference -The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the United States federal government. + +The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the +United States federal government. + **TLS/SSL** -This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. 
It uses only the Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements. + +This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the +Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements. + **Encrypting File System (EFS)** + For the EFS service, this policy setting supports the 3DES and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. To encrypt file data, by default EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003, Windows Vista, and later, and it uses a DESX algorithm in Windows XP. + **Remote Desktop Services (RDS)** + For encrypting Remote Desktop Services network communication, this policy setting supports only the Triple DES encryption algorithm. + **BitLocker** + For BitLocker, this policy setting needs to be enabled before any encryption key is generated. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 and later when this policy is enabled are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; BitLocker will prevent the creation or use of recovery passwords on these systems, so recovery keys should be used instead. 
+ ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ### Operating system version differences + When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX. + When this setting is enabled, BitLocker generates recovery password or recovery keys applicable to versions listed in the following: - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
      Operating systemsApplicability

      Windows 10, Windows 8.1, and Windows Server 2012 R2

      When created on these operating systems, the recovery password cannot be used on other systems listed in this table.

      Windows Server 2012 and Windows 8

      When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

      Windows Server 2008 R2 and Windows 7

      When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

      Windows Server 2008 and Windows Vista

      When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

      + +| Operating systems | Applicability | +| - | - | +| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password cannot be used on other systems listed in this table.| +| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| +| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| +| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + You can enable this policy setting to ensure that the device uses the most powerful algorithms that are available for digital encryption, hashing, and signing. Use of these algorithms minimize the risk of compromise of digitally encrypted or signed data by an unauthorized user. + ### Countermeasure + Enable the **System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing** setting. 
+ ### Potential impact -Client devices that have this policy setting enabled cannot communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms cannot use servers that require them for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices are not configured to use the same encryption algorithms. + +Client devices that have this policy setting enabled cannot communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms cannot use servers that require them for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool +uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices are not configured to use the same encryption algorithms. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
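Review bot: This hunk adds hard line breaks in the middle of three sentences: in Reference ("...departments and agencies of the" / "United States federal government."), in the TLS/SSL paragraph ("It uses only the" / "Triple Data Encryption Standard...") and in Potential impact ("The Remote Desktop Connection tool" / "uses the RDP protocol..."). A spacing cleanup should leave each paragraph on one line; please rejoin them. While the file is open, the EFS text also needs reconciling: the Reference section says the setting supports 3DES and AES for EFS, but "Operating system version differences" says EFS supports only Triple DES when the setting is enabled. In Vulnerability, "Use of these algorithms minimize" should read "minimizes".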
diff --git a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index ed8f8e7cdb..6f9e3c9d43 100644 --- a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md 
@@ -2,83 +2,83 @@ title: System objects Require case insensitivity for non-Windows subsystems (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System objects Require case insensitivity for non-Windows subsystems security policy setting. ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System objects: Require case insensitivity for non-Windows subsystems + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. + ## Reference + This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is not case sensitive; however, the kernel supports case sensitivity for other subsystems, such as Portable Operating System Interface for UNIX (POSIX). Enabling this policy setting enforces case insensitivity for all directory objects, symbolic links, and input/output (I/O) objects, including file objects. Disabling this policy setting does not allow the Win32 subsystem to become case sensitive. + Because Windows is case insensitive but the POSIX subsystem will support case sensitivity, if this policy setting is not enforced, it is possible for a user of that subsystem to create a file with the same name as another file but with a different mix of capital letters. That might confuse users when they try to access these files by using normal Win32 tools, because only one of the files will be available. + ### Possible values + - Enabled + Case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. + - Disabled + Will not allow the Win32 subsystem to become case sensitive. 
+ - Not defined + ### Best practices + - Set this policy to **Enabled**. All subsystems will be forced to observe case insensitivity. However, this might confuse users who are familiar with one of the UNIX-based operating systems and are used to a case sensitive operating system. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Because Windows is case insensitive but the POSIX subsystem supports case sensitivity, failure to enable this policy setting makes it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of uppercase and lowercase letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files is available. + ### Countermeasure + Enable the **System objects: Require case insensitivity for non-Windows subsystems** setting. + ### Potential impact + All subsystems are forced to observe case insensitivity. This configuration may confuse users who are familiar with any UNIX-based operating systems that are case sensitive. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md index 1aee1c46fa..708cba1b5a 100644 
--- a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md 
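Review bot: In the system-objects-require-case-insensitivity-for-non-windows-subsystems.md hunk, under "### Possible values", the added blank lines after "- Enabled" and "- Disabled" detach each bullet from the description that follows it. Unless those description lines are indented under their bullet, they will render as separate paragraphs rather than as part of the list item. Either indent them or move each description onto its bullet line. The new table is also inconsistent in cell padding ("| Member Server Effective Default Settings| Enabled|" next to "| DC Effective Default Settings | Enabled|"); this is harmless when rendered but worth normalizing in a spacing fix.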
@@ -2,80 +2,75 @@ title: System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting. ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting. + ## Reference + This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Windows maintains a global list of shared system resources such as MS-DOS device names, mutexes, and semaphores. By using this list, processes can locate and share objects. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. Enabling this policy setting strengthens the default DACL and allows users who are not administrators to read, but not to modify, shared objects that they did not create. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - It is advisable to set this policy to **Enabled**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\ Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled | +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This policy setting is enabled by default to protect against a known vulnerability that can be used with hard links or symbolic links. Hard links are actual directory entries in the file system. With hard links, the same data in a file system can be referred to by different file names. Symbolic links are text files that provide a pointer to the file that is interpreted and followed by the operating system as a path to another file or directory. Because symbolic links are a separate file, they can exist independently of the target location. If a symbolic link is deleted, its target location remains unaffected. When this setting is disabled, it is possible for a malicious user to destroy a data file by creating a link that looks like a temporary file that the system automatically creates, such as a sequentially named log file, but it points to the data file that the malicious user wants to eradicate. When the system writes the files with that name, the data is overwritten. 
Enabling **System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)** prevents an attacker from exploiting programs that create files with predictable names by not allowing them to write to objects that they did not create. + ### Countermeasure + Enable the **System objects: Strengthen default permissions of global system objects (for example, Symbolic Links)** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-settings-optional-subsystems.md b/windows/keep-secure/system-settings-optional-subsystems.md index 96633aece6..4e096fea50 100644 --- a/windows/keep-secure/system-settings-optional-subsystems.md +++ b/windows/keep-secure/system-settings-optional-subsystems.md 
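Review bot: In the system-objects-strengthen-default-permissions-of-internal-system-objects.md hunk, the Countermeasure line names the setting "Strengthen default permissions of global system objects (for example, Symbolic Links)", while the title, the intro and the Vulnerability paragraph all call it "internal system objects (e.g. Symbolic Links)". Administrators search for the exact policy name, so the Countermeasure text should use the same name as the title. The Location path also keeps a stray space ("Security Settings\\ Local Policies"), which this spacing pass should remove. The Vulnerability paragraph writes "(e.g., Symbolic Links)" with a comma that the title does not have.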
@@ -2,81 +2,78 @@ title: System settings Optional subsystems (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System settings Optional subsystems security policy setting. ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System settings: Optional subsystems + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting. + ## Reference + This policy setting determines which subsystems support your applications. You can use this security setting to specify as many subsystems as your environment demands. + The subsystem introduces a security risk that is related to processes that can potentially persist across logons. If a user starts a process and then logs out, the next user who logs on to the system might access the process that the previous user started. This is dangerous, because the process started by the first user can retain that user's system user rights; therefore, anything that the second user does using that process is performed with the user rights of the first user. This makes it difficult to trace who creates processes and objects, which is essential for post-security incident forensics. + ### Possible values + - User-defined list of subsystems - Not defined + ### Best practices + - Set this policy setting to a null value. The default value is **POSIX**, so applications that rely on the POSIX subsystem will no longer run. For example, Microsoft Services for UNIX 3.0 installs an updated version of the POSIX subsystem. Reset this policy setting in Group Policy for any servers that use Services for UNIX 3.0. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      POSIX

      DC Effective Default Settings

      POSIX

      Member Server Effective Default Settings

      POSIX

      Client Computer Effective Default Settings

      POSIX

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | POSIX| +| DC Effective Default Settings | POSIX| +| Member Server Effective Default Settings| POSIX| +| Client Computer Effective Default Settings | POSIX|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The POSIX subsystem is an Institute of Electrical and Electronic Engineers (IEEE) standard that defines a set of operating system services. The POSIX subsystem is required if the server supports applications that use that subsystem. + The POSIX subsystem introduces a security risk that relates to processes that can potentially persist across logons. If a user starts a process and then logs out, there is a potential that the next user who logs on to the computer could access the previous user's process. This would allow the second user to take actions on the process by using the privileges of the first user. + ### Countermeasure + Configure the **System settings: Optional subsystems setting** to a null value. The default value is POSIX. + ### Potential impact + Applications that rely on the POSIX subsystem no longer operate. For example, Microsoft Services for UNIX (SFU) installs an updated version of the POSIX subsystem that is required, so you must reconfigure this setting in Group Policy for any servers that use SFU. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index ce05d099f5..85e0a1c7bd 100644 --- a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md 
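Review bot: In the system-settings-optional-subsystems.md hunk, the Countermeasure line has the closing bold marker in the wrong place: "**System settings: Optional subsystems setting**" puts the word "setting" inside the policy name. The other topics in this patch write it as "**<policy name>** setting", so this should be "**System settings: Optional subsystems** setting". The Reference paragraph also opens with "The subsystem introduces a security risk" without saying which subsystem; the Vulnerability section names POSIX, and the Reference text should do the same.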
@@ -2,80 +2,76 @@ title: System settings Use certificate rules on Windows executables for Software Restriction Policies (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System settings Use certificate rules on Windows executables for Software Restriction Policies security policy setting. ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # System settings: Use certificate rules on Windows executables for Software Restriction Policies + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. + ## Reference + This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. This security setting enables or disables certificate rules (which are a type of software restriction policy). With a software restriction policy, you can create a certificate rule that allows or disallows Microsoft Authenticode®-signed software to run, based on the digital certificate that is associated with the software. For certificate rules to work in software restriction policies, you must enable this security setting. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices -- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance. 
You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + +- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance. +You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Without the use of software restriction policies, users and device might be exposed to unauthorized software that could include malware. + ### Countermeasure + Enable the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** setting. + ### Potential impact + If you enable certificate rules, software restriction policies check a certificate revocation list (CRL) to verify that the software's certificate and signature are valid. This checking process may negatively affect performance when signed programs start. To disable this feature, you can edit the software restriction policies in the appropriate GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) From 92d18aea5eadf76b18f3bfb3485b4126cd38f22e Mon Sep 17 00:00:00 2001 
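Review bot: In the system-settings-use-certificate-rules... hunk, the Best practices bullet is now split across two lines, with "You can disable CRLs by editing the software restriction policies..." starting on a new, unindented line in the middle of the list item. Keep the bullet on one line or indent the continuation so that it stays part of the item. On content, both Best practices and Potential impact present clearing the **Publisher** and **Timestamp** check boxes purely as a performance fix. The topic should say that doing so turns off the CRL check that verifies "that the software's certificate and signature are valid". In Vulnerability, "users and device" should read "users and devices".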
From: jdeckerMS Date: Wed, 25 May 2016 12:12:29 -0700 Subject: [PATCH 102/169] add it showcase link --- windows/manage/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/index.md b/windows/manage/index.md index e6aff0c940..412bfc3d9b 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -74,4 +74,4 @@ Learn about managing and updating Windows 10. ## Related topics [Windows 10 and Windows 10 Mobile](../index.md)   -  + [Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase) From 657bac8dc6f466ca9171ced7ef66d49ad9a24098 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 25 May 2016 12:15:19 -0700 Subject: [PATCH 103/169] fixing spacing issues --- ...ake-ownership-of-files-or-other-objects.md | 94 +++++---- ...er-policy-by-using-test-applockerpolicy.md | 24 ++- .../test-and-update-an-applocker-policy.md | 26 ++- .../tools-to-use-with-applocker.md | 27 ++- windows/keep-secure/tpm-fundamentals.md | 190 ++++++++++-------- windows/keep-secure/tpm-recommendations.md | 56 +++++- ...bleshoot-windows-defender-in-windows-10.md | 21 +- .../trusted-platform-module-overview.md | 78 ++++--- 8 files changed, 320 insertions(+), 196 deletions(-) diff --git a/windows/keep-secure/take-ownership-of-files-or-other-objects.md b/windows/keep-secure/take-ownership-of-files-or-other-objects.md index 5274e1f278..255f2d4ff3 100644 --- a/windows/keep-secure/take-ownership-of-files-or-other-objects.md +++ b/windows/keep-secure/take-ownership-of-files-or-other-objects.md 
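Review bot: In the windows/manage/index.md hunk of PATCH 102, the new IT Showcase link is added on the line directly after "[Windows 10 and Windows 10 Mobile](../index.md)" with no list marker and no blank line between them, so the two links will run together under "## Related topics". Make both entries list items ("- [Windows 10 and Windows 10 Mobile](../index.md)" and "- [Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase)"), matching the "- [Security Options](security-options.md)" style used in the keep-secure topics.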
@@ -2,98 +2,106 @@ title: Take ownership of files or other objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting. ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Take ownership of files or other objects + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Take ownership of files or other objects** security policy setting. + ## Reference + This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads. + Every object has an owner, whether the object resides in an NTFS volume or Active Directory database. The owner controls how permissions are set on the object and to whom permissions are granted. + By default, the owner is the person who or the process which created the object. Owners can always change permissions to objects, even when they are denied all access to the object. + Constant: SeTakeOwnershipPrivilege + ### Possible values + - User-defined list of accounts - Not defined + ### Best practices + - Assigning this user right can be a security risk. Because owners of objects have full control of them, only assign this user right to trusted users. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default this setting is Administrators on domain controllers and on stand-alone servers. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Administrators

      Stand-Alone Server Default Settings

      Administrators

      Domain Controller Effective Default Settings

      Administrators

      Member Server Effective Default Settings

      Administrators

      Client Computer Effective Default Settings

      Administrators

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators|   ## Policy management + This section describes features, tools, and guidance to help you manage this policy. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Ownership can be taken by: + - An administrator. By default, the Administrators group is given the **Take ownership of files or other objects** user right. - Anyone or any group who has the **Take ownership** user right on the object. - A user who has the **Restore files and directories** user right. + Ownership can be transferred in the following ways: + - The current owner can grant the **Take ownership** user right to another user if that user is a member of a group defined in the current owner's access token. The user must take ownership to complete the transfer. - An administrator can take ownership. - A user who has the **Restore files and directories** user right can double-click **Other users and groups** and choose any user or group to assign ownership to. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. 
+ ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a denial-of-service condition. + +Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a +denial-of-service condition. + ### Countermeasure + Ensure that only the local Administrators group has the **Take ownership of files or other objects** user right. + ### Potential impact + None. Restricting the **Take ownership of files or other objects** user right to the local Administrators group is the default configuration. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) -  -  + +- [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md index 09ccf98b7d..aa27d42260 100644 --- a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md 
@@ -2,28 +2,42 @@ title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows 10) description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Test an AppLocker policy by using Test-AppLockerPolicy + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. + The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collections will be blocked on your reference computer or the computer on which you maintain policies. Perform the following steps on any computer where the AppLocker policies are applied. + Any user account can be used to complete this procedure. + **To test an AppLocker policy by using Test-AppLockerPolicy** + 1. Export the effective AppLocker policy. To do this, you must use the **Get-AppLockerPolicy** Windows PowerShell cmdlet. + 1. Open a Windows PowerShell command prompt window as an administrator. 2. Use the **Get-AppLockerPolicy** cmdlet to export the effective AppLocker policy to an XML file: + `Get-AppLockerPolicy –Effective –XML > ` + 2. 
Use the **Get-ChildItem** cmdlet to specify the directory that you want to test, specify the **Test-AppLockerPolicy** cmdlet with the XML file from the previous step to test the policy, and use the **Export-CSV** cmdlet to export the results to a file to be analyzed: + `Get-ChildItem -Filter -Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy -User -Filter | Export-CSV ` + The following shows example input for **Test-AppLockerPolicy**: -`PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml` -`PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv` + +```syntax +PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml +PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv +``` + In the example, the effective AppLocker policy is exported to the file C:\\Effective.xml. The **Get-ChildItem** cmdlet is used to recursively gather path names for the .exe files in C:\\Program Files\\Microsoft Office\\. The XMLPolicy parameter specifies that the C:\\Effective.xml file is an XML AppLocker policy file. By specifying the User parameter, you can test the rules for specific users, and the **Export-CSV** cmdlet allows the results to be exported to a comma-separated file. In the example, `-FilterDenied,DeniedByDefault` displays only those files that will be blocked for the user under the policy. -  -  diff --git a/windows/keep-secure/test-and-update-an-applocker-policy.md b/windows/keep-secure/test-and-update-an-applocker-policy.md index 4ae1a87af2..cf77664f65 100644 --- a/windows/keep-secure/test-and-update-an-applocker-policy.md +++ b/windows/keep-secure/test-and-update-an-applocker-policy.md 
@@ -2,37 +2,61 @@ title: Test and update an AppLocker policy (Windows 10) description: This topic discusses the steps required to test an AppLocker policy prior to deployment. ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Test and update an AppLocker policy + **Applies to** - Windows 10 + This topic discusses the steps required to test an AppLocker policy prior to deployment. + You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs. + ## Step 1: Enable the Audit only enforcement setting + By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + ## Step 2: Configure the Application Identity service to start automatically + Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied. + ## Step 3: Test the policy + Test the AppLocker policy to determine if your rule collection needs to be modified. 
Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PC that are configured to receive your AppLocker policy. + The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + ## Step 4: Analyze AppLocker events You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis. + **To manually analyze AppLocker events** + You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md). + **To analyze AppLocker events by using Get-AppLockerFileInformation** + You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem. + For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you are using the **Audit only** enforcement mode) and how many times the event has occurred for each file. 
For the procedure to do this, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). + After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names. + ## Step 5: Modify the AppLocker policy + After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md). + ## Step 6: Repeat policy testing, analysis, and policy modification + Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement. + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).     diff --git a/windows/keep-secure/tools-to-use-with-applocker.md b/windows/keep-secure/tools-to-use-with-applocker.md index ed1080877e..d0ffd99ac7 100644 --- a/windows/keep-secure/tools-to-use-with-applocker.md +++ b/windows/keep-secure/tools-to-use-with-applocker.md 
@@ -2,33 +2,52 @@ title: Tools to use with AppLocker (Windows 10) description: This topic for the IT professional describes the tools available to create and administer AppLocker policies. ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Tools to use with AppLocker + **Applies to** - Windows 10 + This topic for the IT professional describes the tools available to create and administer AppLocker policies. + The following tools can help you administer the application control policies created by using AppLocker on the local device or by using Group Policy. For info about the basic requirements for using AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + - **AppLocker Local Security Policy MMC snap-in** + The AppLocker rules can be maintained by using the Local Security Policy snap-in (secpol.msc) of the Microsoft Management Console (MMC). For procedures to create, modify, and delete AppLocker rules, see [Working with AppLocker rules](working-with-applocker-rules.md). + - **Generate Default Rules tool** + AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). + - **Automatically Generate AppLocker Rules wizard** + By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard will scan the specified folder and create the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). 
+ - **Group Policy** + You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC). + If you want additional features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. + - **Remote Server Administration Tools (RSAT)** + You can use a device with a supported operating system that has the Remote Server Administration Tools (RSAT) installed to create and maintain AppLocker policies. + - **Event Viewer** + The AppLocker log contains information about applications that are affected by AppLocker rules. For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + - **AppLocker PowerShell cmdlets** + The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx). + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) -  -  + +- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/keep-secure/tpm-fundamentals.md index 26e6b4403e..c4fb6b2cc3 100644 --- a/windows/keep-secure/tpm-fundamentals.md +++ b/windows/keep-secure/tpm-fundamentals.md 
@@ -2,23 +2,34 @@ title: TPM fundamentals (Windows 10) description: This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # TPM fundamentals + **Applies to** - Windows 10 + This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. + A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus. + Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user. + You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM. + Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to certain platform measurements. 
This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met. + With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits to process instructions, it does not rely on the operating system, and it is not exposed to vulnerabilities that might exist in the operating system or application software. + For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). + The following sections provide an overview of the technologies that support the TPM: + - [TPM-based Virtual Smart Card](#bkmk-vsc) - [Measured Boot with support for attestation](#bkmk-measuredboot) - [Automated provisioning and management of the TPM](#bkmk-autoprov) 
@@ -32,156 +43,157 @@ The following sections provide an overview of the technologies that support the - [How the TPM mitigates dictionary attacks](#bkmk-howtpmmitigates) - [How do I check the state of my TPM?](#bkmk-checkstate) - [What can I do if my TPM is in reduced functionality mode?](#bkmk-fixrfm) + The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings: [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) + ## Automated provisioning and management of the TPM + TPM provisioning can be streamlined to make it easier to deploy systems that are ready for BitLocker and other TPM-dependent features. These enhancements include simplifying the TPM state model to report **Ready**, **Ready with reduced functionality**, or **Not ready**. You can also automatically provision TPMs in the **Ready** state, remote provisioning to remove the requirement for the physical presence of a technician for the initial deployment. In addition, the TPM stack is available in the Windows Preinstallation Environment (Windows PE). + A number of management settings have been added for easier management and configuration of the TPM through Group Policy. The primary new settings include Active Directory-based backup of TPM owner authentication, the level of owner authentication that should be stored locally on the TPM, and the software-based TPM lockout settings for standard users. For more info about backing up owner authentication to Windows Server 2008 R2 AD DS domains, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + ## Measured Boot with support for attestation + The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. 
Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. + ## TPM-based Virtual Smart Card -The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. + +The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a +Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. + ## TPM-based certificate storage + The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. 
The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx). + ## TPM Owner Authorization Value -For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. + +For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. +This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. 
If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. + If your computer is not being joined to a domain the TPM owner authorization value will be stored in the local computer registry. Using BitLocker to encrypt the operating system drive will protect the owner authorization value from being disclosed when the computer is at rest, but there is a risk that a malicious user could obtain the TPM owner authorization value when the computer is unlocked. Therefore, we recommend that in this situation you configure your computer to automatically lock after 30 seconds of inactivity. If automatic locking is not used, then you should consider removing full owner authorization from the computer registry. + **Registry information** + Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM DWORD: OSManagedAuthLevel - ---- - - - - - - - - - - - - - - - - - - - - -
      Value DataSetting

      0

      None

      2

      Delegated

      4

      Full

      + +| Value Data | Setting | +| - | - | +| 0 | None| +| 2 | Delegated| +| 4 | Full|   -**Note**   -If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed. +>**Note:**  If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.   ## TPM Cmdlets + If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command: -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + ## Physical presence interface -The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. 
Here are some are examples of TPM administrative tasks that require physical presence: + +The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the +TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. Here are some are examples of TPM administrative tasks that require physical presence: + - Activating the TPM - Clearing the existing owner information from the TPM without the owner’s password - Deactivating the TPM - Disabling the TPM temporarily without the owner’s password + ## States of existence in a TPM + For each of these TPM 1.2 states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive. + These states of existence do not apply for Trusted Platform Module 2.0 because it cannot be turned off from within the operating system environment. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      StateDescription

      Enabled

      Most features of the TPM are available.

      -

      The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.

      Disabled

      The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.

      -

      The TPM can be enabled and disabled multiple times within a start-up period.

      Activated

      Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.

      Deactivated

      Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.

      Owned

      Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.

      Unowned

      The TPM does not have a storage root key, and it may or may not have an endorsement key.

      + +| State | Description | +| - | - | +| Enabled| Most features of the TPM are available.
      The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.| +| Disabled| The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.
      The TPM can be enabled and disabled multiple times within a start-up period. | +| Activated| Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.| +| Deactivated| Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.| +| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.| +| Unowned| The TPM does not have a storage root key, and it may or may not have an endorsement key.|   -**Important**   -Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state. +>**Important:**  Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state.   The state of the TPM exists independently of the computer’s operating system. When the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled. + ## Endorsement keys -For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup. + +For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. 
If the +TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup. An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. The existence of an endorsement key is a requirement before TPM ownership can be taken. + ## Key attestation + TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM. + ## How the TPM mitigates dictionary attacks + When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided. + TPMs have dictionary attack logic that is designed to prevent brute force attacks that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur. + Because many entities can use the TPM, a single authorization success cannot reset the TPM’s dictionary attack logic. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s dictionary attack logic. 
Generally TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic. + ### TPM 2.0 dictionary attack behavior + TPM 2.0 has well defined dictionary attack logic behavior. This is in contrast to TPM 1.2 for which the dictionary attack logic was set by the manufacturer, and the logic varied widely throughout the industry. -**Warning**   -For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions. + +>**Warning:**  For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.   For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. + Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. 
+ Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours. + The dictionary attack logic for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. + In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours. + TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked. + ### Rationale behind the Windows 8.1 and Windows 8 defaults + Windows relies on the TPM 2.0 dictionary attack protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios. For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. 
If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments. + The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards: + Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors. + Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements. + The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password. + ## How do I check the state of my TPM? + You can check the state of the TPM on a PC by running the Trusted Platform Module snap-in (tpm.msc). The **Status** heading tells you the state of your TPM. The TPM can be in one of the following states: **Ready for use**, **Ready for use, with reduced functionality**, and **Not ready for use**. To take advantage of most of the TPM features in Windows 10, the TPM must be **Ready for use**. + ## What can I do if my TPM is in reduced functionality mode? -If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. 
This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**. You can fix this by clearing the TPM. + +If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**. +You can fix this by clearing the TPM. + **To clear the TPM** + 1. Open the Trusted Platform Module snap-in (tpm.msc). 2. Click **Clear TPM**, and then click **Restart.** 3. When the PC is restarting, you might be prompted to press a button on the keyboard to clear the TPM. 4. After the PC restarts, your TPM will be automatically prepared for use by Windows 10. -**Note**   -Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator. + +>**Note:**  Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.   
## Additional resources -[Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) -[Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) -[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) -[Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md) -[TPM WMI providers](http://go.microsoft.com/fwlink/p/?LinkId=93478) -[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) -  -  + +- [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) +- [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) +- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) +- [Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md) +- [TPM WMI providers](http://go.microsoft.com/fwlink/p/?LinkId=93478) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index b9e5bc42f5..9decdf047c 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md 
@@ -2,76 +2,116 @@ title: TPM recommendations (Windows 10) description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # TPM recommendations + **Applies to** - Windows 10 - Windows 10 Mobile - Windows Server 2016 Technical Preview - Windows 10 IoT Core (IoT Core) + This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. + ## Overview + Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. It has a security-related crypto-processor that is designed to carry out cryptographic operations in a variety of devices and form factors. It includes multiple physical security mechanisms to help prevent malicious software from tampering with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: + 1. Generate, store, use, and protected cryptographic keys, 2. Use TPM technology for platform device authentication by using a unique endorsement key (EK), and 3. Help enhance platform integrity by taking and storing security measurements. + The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. 
Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. + TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. + The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). + OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. 
For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM. + The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not. -**Note**   -Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +>**Note:**  Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.   ## TPM 1.2 vs. 2.0 comparison + From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. + ## Why TPM 2.0? + TPM 2.0 products and systems have important security advantages over TPM 1.2, including: + - The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. 
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. - TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. + - TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance. - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](http://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)). - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. + - TPM 2.0 offers a more **consistent experience** across different implementations. + - TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary. - TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end. + - While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a **discrete (dTPM)** silicon component and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on the system’s main SoC: + - On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE). - For AMD chips, it is the AMD Security Processor - For ARM chips, it is a Trustzone Trusted Application (TA). - In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs. + ## Discrete or firmware TPM? + Windows uses discrete and firmware TPM in the same way. 
Windows gains no functional advantage or disadvantage from either option. + From a security standpoint, discrete and firmware share the same characteristics; + - Both use hardware based secure execution. - Both use firmware for portions of the TPM functionality. - Both are equipped with tamper resistance capabilities. - Both have unique security limitations/risks. + For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236). + ## Is there any importance for TPM for consumer? + For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. + ## TPM 2.0 Compliance for Windows 10 + ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) + - As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) ## Two implementation options: -• Discrete TPM chip as a separate discrete component -• Firmware TPM solution using Intel PTT (platform trust technology) or AMD + +- Discrete TPM chip as a separate discrete component +- Firmware TPM solution using Intel PTT (platform trust technology) or AMD + ### Windows 10 Mobile + - All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled. + ### IoT Core + - TPM is optional on IoT Core. 
+ ### Windows Server 2016 Technical Preview + - TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. + ## TPM and Windows Features + The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly. + @@ -255,9 +295,11 @@ There are a variety of TPM manufacturers for both discrete and firmware.
        ## OEM Feedback and Status on TPM 2.0 system availability + ### Certified TPM parts + Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification. + ### Windows 7 32-bit support + Even though Windows 7 shipped before the TPM 2.0 spec or products existed, Microsoft backported TPM 2.0 support to Windows 7 64-bit and released it in summer 2014 as a downloadable Windows hotfix for UEFI based Windows 7 systems. Microsoft is not currently planning to backport support to Windows 7 32-bit support. -  -  diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index 24182d9e16..f9c63208af 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md 
@@ -2,30 +2,41 @@ title: Troubleshoot Windows Defender in Windows 10 (Windows 10) description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security author: jasesso --- + # Troubleshoot Windows Defender in Windows 10 + **Applies to** - Windows 10 + IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. + ## Windows Defender client event IDs + This section provides the following information about Windows Defender client events: + - The text of the message as it appears in the event - The name of the source of the message - The symbolic name that identifies each message in the programming source code - Additional information about the message + Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**. + **To view a Windows Defender client event** + 1. Open **Event Viewer**. 2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. 3. Double-click on **Operational**. 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. + You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx). + @@ -3257,8 +3268,8 @@ article.

      Event ID: 1000
      + ## Related topics -[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) -[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) -  -  + +- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) +- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) diff --git a/windows/keep-secure/trusted-platform-module-overview.md b/windows/keep-secure/trusted-platform-module-overview.md index 02ba8d12dc..03e37a250b 100644 --- a/windows/keep-secure/trusted-platform-module-overview.md +++ b/windows/keep-secure/trusted-platform-module-overview.md 
@@ -2,81 +2,75 @@ title: Trusted Platform Module Technology Overview (Windows 10) description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. ms.assetid: face8932-b034-4319-86ac-db1163d46538 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Trusted Platform Module Technology Overview + **Applies to** - Windows 10 + This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. + ## Feature description + Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: + - Generate, store, and limit the use of cryptographic keys. - Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. - Help ensure platform integrity by taking and storing security measurements. + The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. + TPM-based keys can be configured in a variety of ways. 
One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses. + Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the TCG Web site (). + Windows can automatically provision and manage the TPM. Group Policy settings can be configured to control whether the TPM owner authorization value is backed up in Active Directory. Because the TPM state persists across operating system installations, TPM information is stored in a location in Active Directory that is separate from computer objects. Depending on an enterprise’s security goals, Group Policy can be configured to allow or prevent local administrators from resetting the TPM’s dictionary attack logic. Standard users can use the TPM, but Group Policy controls limit how many authorization failures standard users can attempt so that one user is unable to prevent other users or the administrator from using the TPM. TPM technology can also be used as a virtual smart card and for secure certificate storage. With BitLocker Network Unlock, domain-joined computers are not prompted for a BitLocker PIN. + ## Practical applications + Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards. + Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. 
New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. + Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. + The TPM has several Group Policy settings that can be used to manage how it is used. These settings can be used to manage the owner authorization value, the blocked TPM commands, the standard user lockout, and the backup of the TPM to AD DS. For more info, see [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). + ## New and changed functionality + For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](../whats-new/trusted-platform-module.md). + ## Device health attestation + Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. + Some things that you can check on the device are: + - Is Data Execution Prevention supported and enabled? - Is BitLocker Drive Encryption supported and enabled? - Is SecureBoot supported and enabled? -**Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +>**Note:**  The device must be running Windows 10 and it must support at least TPM 2.0.   
## Supported versions - ------- - - - - - - - - - - - - - - - - - - - - - - - - - -
      TPM versionWindows 10Windows Server 2012 R2, Windows 8.1, and Windows RTWindows Server 2012, Windows 8, and Windows RTWindows Server 2008 R2 and Windows 7

      TPM 1.2

      X

      X

      X

      X

      TPM 2.0

      X

      X

      X

      X

      -  + +| TPM version | Windows 10 | Windows Server 2012 R2, Windows 8.1, and Windows RT | Windows Server 2012, Windows 8, and Windows RT | Windows Server 2008 R2 and Windows 7 | +| - | - | - | - | - | +| TPM 1.2| X| X| X| X| +| TPM 2.0| X| X| X| X| + ## Additional Resources -[TPM Fundamentals](tpm-fundamentals.md) -[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) -[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) -[AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md) -[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) + +- [TPM Fundamentals](tpm-fundamentals.md) +- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) +- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) +- [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)     From f83e6d198cd5eefef0e7ac6d95178966da601d4c Mon Sep 17 00:00:00 2001 
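Review bot: In tpm-fundamentals.md, the re-added Endorsement keys paragraph now breaks mid-sentence: one added line ends at "If the" and the next added line starts "TPM does not contain an endorsement key". Keep the sentence on a single line so the paragraph stays readable in source and in later diffs. While this text is being touched, "they must to wait two hours" in the paragraph about the 32-failure threshold should read "they must wait two hours".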
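Review bot: In tpm-recommendations.md, under "### Windows 10 for desktop editions", the heading "## Two implementation options:" is left at level 2 even though this hunk rewrites the two bullets directly beneath it. At that level it closes the "## TPM 2.0 Compliance for Windows 10" section, so "### Windows 10 Mobile", "### IoT Core" and "### Windows Server 2016 Technical Preview" end up nested under "Two implementation options". Suggest turning it into plain lead-in text for the two bullets and dropping the trailing colon. In the Overview list, "Generate, store, use, and protected cryptographic keys" should read "protect".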
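Review bot: In troubleshoot-windows-defender-in-windows-10.md, the intro sentence says the client events are located in the Windows Event Viewer under **Windows Logs**, but step 2 of the procedure directly below it expands **Applications and Services Logs**, then **Microsoft**, **Windows**, **Windows Defender**, and step 3 opens **Operational**. The hunk reflows both passages, so this is a good place to make the intro name the same location as the steps; otherwise a reader triaging Defender events from the intro alone looks in the wrong log.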
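Review bot: In trusted-platform-module-overview.md, the Feature description states that "malicious software is unable to tamper with the security functions of the TPM", while tpm-recommendations.md in this same patch says the mechanisms "help prevent malicious software from tampering with the security functions of the TPM". Suggest aligning the overview with the hedged wording so the two topics do not make different security claims about the same hardware. Also, "With device heath attestation" in the Device health attestation section should read "health".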
From: Brian Lich Date: Wed, 25 May 2016 15:19:12 -0700 Subject: [PATCH 104/169] fixing spacing issues --- .../executable-rules-in-applocker.md | 53 +-- .../export-an-applocker-policy-from-a-gpo.md | 11 +- ...m-module-services-group-policy-settings.md | 240 +++++------ ...derstand-applocker-enforcement-settings.md | 41 +- ...stand-applocker-policy-design-decisions.md | 408 +++++------------- ...ent-setting-inheritance-in-group-policy.md | 19 +- ...the-applocker-policy-deployment-process.md | 11 +- ...plocker-allow-and-deny-actions-on-rules.md | 50 +-- .../understanding-applocker-default-rules.md | 61 +-- .../understanding-applocker-rule-behavior.md | 17 +- ...nderstanding-applocker-rule-collections.md | 18 +- ...standing-applocker-rule-condition-types.md | 32 +- ...understanding-applocker-rule-exceptions.md | 13 +- ...e-file-hash-rule-condition-in-applocker.md | 34 +- ...ng-the-path-rule-condition-in-applocker.md | 71 +-- ...e-publisher-rule-condition-in-applocker.md | 86 ++-- ...-create-and-maintain-applocker-policies.md | 44 +- ...restriction-policies-in-the-same-domain.md | 12 +- ...he-applocker-windows-powershell-cmdlets.md | 35 +- ...rding-to-assist-in-instrusion-detection.md | 192 ++++++++- ...-for-the-built-in-administrator-account.md | 84 ++-- ...vation-without-using-the-secure-desktop.md | 104 +++-- ...r-administrators-in-admin-approval-mode.md | 95 ++-- ...the-elevation-prompt-for-standard-users.md | 86 ++-- ...-installations-and-prompt-for-elevation.md | 82 ++-- ...ecutables-that-are-signed-and-validated.md | 86 ++-- ...-that-are-installed-in-secure-locations.md | 96 +++-- ...l-administrators-in-admin-approval-mode.md | 87 ++-- ...ccount-control-security-policy-settings.md | 43 +- ...re-desktop-when-prompting-for-elevation.md | 89 ++-- ...ry-write-failures-to-per-user-locations.md | 85 ++-- windows/keep-secure/user-rights-assignment.md | 253 +++-------- ...-monitor-dynamic-access-control-objects.md | 74 +--- .../using-event-viewer-with-applocker.md | 148 
++----- ...riction-policies-and-applocker-policies.md | 76 ++-- .../view-the-security-event-log.md | 9 +- windows/keep-secure/what-is-applocker.md | 18 +- ...ort-advanced-audit-policy-configuration.md | 19 +- .../windows-installer-rules-in-applocker.md | 53 +-- .../working-with-applocker-policies.md | 92 +--- .../working-with-applocker-rules.md | 353 +++++---------- 41 files changed, 1484 insertions(+), 1996 deletions(-) diff --git a/windows/keep-secure/executable-rules-in-applocker.md b/windows/keep-secure/executable-rules-in-applocker.md index b215d8ffe5..b74b7fe29a 100644 --- a/windows/keep-secure/executable-rules-in-applocker.md +++ b/windows/keep-secure/executable-rules-in-applocker.md @@ -2,55 +2,28 @@ title: Executable rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the executable rule collection. ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Executable rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the executable rule collection. + AppLocker defines executable rules as any files with the .exe and .com extensions that are associated with an app. Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths will be allowed. The following table lists the default rules that are available for the executable rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      PurposeNameUserRule condition type

      Allow members of the local Administrators group access to run all executable files

      (Default Rule) All files

      BUILTIN\Administrators

      Path: *

      Allow all users to run executable files in the Windows folder

      (Default Rule) All files located in the Windows folder

      Everyone

      Path: %windir%\*

      Allow all users to run executable files in the Program Files folder

      (Default Rule) All files located in the Program Files folder

      Everyone

      Path: %programfiles%\*

      + +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allow members of the local Administrators group access to run all executable files | (Default Rule) All files| BUILTIN\Administrators | Path: * | +| Allow all users to run executable files in the Windows folder| (Default Rule) All files located in the Windows folder| Everyone| Path: %windir%\*| +| Allow all users to run executable files in the Program Files folder | (Default Rule) All files located in the Program Files folder| Everyone | Path: %programfiles%\*|   ## Related topics -[Understanding AppLocker Default Rules](understanding-applocker-default-rules.md) -  -  + +- [Understanding AppLocker Default Rules](understanding-applocker-default-rules.md) diff --git a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md index 565c1d0597..90c10baeee 100644 --- a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md +++ b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md 
@@ -2,23 +2,28 @@ title: Export an AppLocker policy from a GPO (Windows 10) description: This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Export an AppLocker policy from a GPO + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. + Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference device + To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + **Export the policy from the GPO** + 1. In the Group Policy Management Console (GPMC), open the GPO that you want to edit. 2. In the console tree under **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Application Control Policies**, click **AppLocker**. 3. Right-click **AppLocker**, and then click **Export Policy**. 4. In the **Export Policy** dialog box, type a name for the exported policy (for example, the name of the GPO), select a location to save the policy, and then click **Save**. 5. The **AppLocker** dialog box will notify you of how many rules were exported. Click **OK**. -  -  diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md index 4b274eecc5..4ded5c4844 100644 
--- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md +++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md @@ -2,230 +2,188 @@ title: TPM Group Policy settings (Windows 10) description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # TPM Group Policy settings + **Applies to** - Windows 10 + This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. + ## + The TPM Services Group Policy settings are located at: + **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** - -------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      SettingWindows 10Windows Server 2012 R2, Windows 8.1 and Windows RTWindows Server 2012, Windows 8 and Windows RTWindows Server 2008 R2 and Windows 7Windows Server 2008 and Windows Vista

      [Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu)

      X

      X

      X

      X

      X

      [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)

      X

      X

      X

      X

      X

      [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb)

      X

      X

      X

      X

      X

      [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb)

      X

      X

      X

      X

      X

      [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)

      X

      X

      X

      [Standard User Lockout Duration](#bkmk-tpmgp-suld)

      X

      X

      X

      [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)

      X

      X

      X

      [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)

      X

      X

      X

      + +| Setting | Windows 10 | Windows Server 2012 R2, Windows 8.1 and Windows RT | Windows Server 2012, Windows 8 and Windows RT | Windows Server 2008 R2 and Windows 7 | Windows Server 2008 and Windows Vista | +| - | - | - | - | - | - | +| [Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu) | X| X| X| X| X| +| [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)| X| X| X| X| X| +| [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) | X| X| X| X| X| +| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| +| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| X| X| X||| +| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X||| +| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X||| +| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X||||   ### Turn on TPM backup to Active Directory Domain Services + This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands. -**Important**   -To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. 
For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + +>**Important:**  To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).   The TPM cannot be used to provide enhanced security features for BitLocker Drive Encryption and other applications without first setting an owner. To take ownership of the TPM with an owner password, on a local computer at the command prompt, type **tpm.msc** to open the TPM Management Console and select the action to **Initialize TPM**. If the TPM owner information is lost or is not available, limited TPM management is possible by running **tpm.msc**. + If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds. + If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. + ### Configure the list of blocked TPM commands + This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   
If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is **TPM\_OwnerReadInternalPub**, and command number 170 is **TPM\_FieldUpgrade**. To find the command number that is associated with each TPM command, at the command prompt, type **tpm.msc**to open the TPM Management Console and navigate to the **Command Management** section. + If you disable or do not configure this policy setting, only those TPM commands that are specified through the default or local lists can be blocked by Windows. The default list of blocked TPM commands is preconfigured by Windows. + - You can view the default list by typing **tpm.msc** at the command prompt, navigating to the **Command Management** section, and exposing the **On Default Block List** column. - The local list of blocked TPM commands is configured outside of Group Policy by running the TPM Management Console or scripting using the **Win32\_Tpm** interface. + For information how to enforce or ignore the default and local lists of blocked TPM commands, see + - [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) - [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) ### Ignore the default list of blocked TPM commands + This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   The default list of blocked TPM commands is preconfigured by Windows. 
You can view the default list by typing **tpm.msc** at the command prompt to open the TPM Management Console, navigating to the **Command Management** section, and exposing the **On Default Block List** column. Also see the related policy setting, [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc). + If you enable this policy setting, the Windows operating system will ignore the computer's default list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the local list. + If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands. + ### Ignore the local list of blocked TPM commands + This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.) Also see the related policy setting to **Configure the list of blocked TPM commands**. + If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list. 
+ If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. + ### Configure the level of TPM owner authorization information available to the operating system + This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. + - **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. - **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. 
When you use this setting, we recommend using external or remote storage for the full TPM owner authorization value—for example, backing up the value in Active Directory Domain Services (AD DS). - **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. -**Note**   -If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value is automatically backed up to AD DS when it is changed. + +>**Note:**  If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value is automatically backed up to AD DS when it is changed.   **Registry information** + Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM + DWORD: OSManagedAuthLevel + The following table shows the TPM owner authorization values in the registry. - ---- - - - - - - - - - - - - - - - - - - - - -
      Value DataSetting

      0

      None

      2

      Delegated

      4

      Full

      + +| Value Data | Setting | +| - | - | +| 0 | None| +| 2 | Delegated| +| 4 | Full|   If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. -If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. + +If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not +configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. + ### Standard User Lockout Duration -This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM. 
-**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require +authorization to the TPM. + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption. + The number of authorization failures that a TPM allows and how long it stays locked vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time, with fewer authorization failures, depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require that the system is on so enough clock cycles elapse before the TPM exits the lockout mode. + This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM. + For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. 
Use the following policy settings to set the lockout duration: + - [Standard User Individual Lockout Threshold](#bkmk-individual)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. - [Standard User Total Lockout Threshold](#bkmk-total)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM. + An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used. + ### Standard User Individual Lockout Threshold + This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM). -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   
This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM. + An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. + An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. + ### Standard User Total Lockout Threshold + This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM). -**Note**   -This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).   This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. 
+ An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. + For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. + 1. The standard user individual lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. 2. The standard user total lockout threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption.. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features +such as BitLocker Drive Encryption.. + The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. 
+ An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + If you do not configure this policy setting, a default value of 9 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. + ## Additional resources -[Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) -[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) -[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) -  -  + +- [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) +- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) diff --git a/windows/keep-secure/understand-applocker-enforcement-settings.md b/windows/keep-secure/understand-applocker-enforcement-settings.md index f62646c2e9..6ac72fe3f1 100644 --- a/windows/keep-secure/understand-applocker-enforcement-settings.md +++ b/windows/keep-secure/understand-applocker-enforcement-settings.md 
@@ -2,45 +2,28 @@ title: Understand AppLocker enforcement settings (Windows 10) description: This topic describes the AppLocker enforcement settings for rule collections. ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand AppLocker enforcement settings + **Applies to** - Windows 10 + This topic describes the AppLocker enforcement settings for rule collections. + Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. For more info about rule collections, see [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md). By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. The following table details the three AppLocker rule enforcement settings in Group Policy for each rule collection. - ---- - - - - - - - - - - - - - - - - - - - - -
      Enforcement settingDescription

      Not configured

      By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the Not configured value.

      Enforce rules

      Rules are enforced for the rule collection, and all rule events are audited.

      Audit only

      Rule events are audited only. Use this value when planning and testing AppLocker rules.

      + +| Enforcement setting | Description | +| - | - | +| Not configured | By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the **Not configured** value.| +| Enforce rules | Rules are enforced for the rule collection, and all rule events are audited.| +| Audit only | Rule events are audited only. Use this value when planning and testing AppLocker rules.|   For the AppLocker policy to be enforced on a device, the Application Identity service must be running. For more info about the Application Identity service, see [Configure the Application Identity service](configure-the-application-identity-service.md). + When AppLocker policies from various GPOs are merged, the enforcement modes are merged by using the standard Group Policy order of inheritance, which is local, domain, site, and organizational unit (OU). The Group Policy setting that was last written or applied by order of inheritance is used for the enforcement mode, and all rules from linked GPOs are applied. -  -  diff --git a/windows/keep-secure/understand-applocker-policy-design-decisions.md b/windows/keep-secure/understand-applocker-policy-design-decisions.md index ea6833ec44..5687229616 100644 --- a/windows/keep-secure/understand-applocker-policy-design-decisions.md +++ b/windows/keep-secure/understand-applocker-policy-design-decisions.md 
@@ -2,123 +2,86 @@ title: Understand AppLocker policy design decisions (Windows 10) description: This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand AppLocker policy design decisions + **Applies to** - Windows 10 + This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. + When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance. + You should consider using AppLocker as part of your organization's application control policies if all the following are true: + - You have deployed or plan to deploy the supported versions of Windows in your organization. For specific operating system version requirements, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). - You need improved control over the access to your organization's applications and the data your users access. - The number of applications in your organization is known and manageable. - You have resources to test policies against the organization's requirements. - You have resources to involve Help Desk or to build a self-help process for end-user application access issues. - The group's requirements for productivity, manageability, and security can be controlled by restrictive policies. + The following questions are not in priority or sequential order. 
They should be considered when you deploy application control policies (as appropriate for your targeted environment). + ### Which apps do you need to control in your organization? + You might need to control a limited number of apps because they access sensitive data, or you might have to exclude all applications except those that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Control all apps

      AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

      Control specific apps

      When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

      Control only Classic Windows applications, only Universal Windows apps, or both

      AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.

      -

      For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.

      Control apps by business group and user

      AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.

      Control apps by computer, not user

      AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.

      Understand app usage, but there is no need to control any apps yet

      AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.

      + +| Possible answers | Design considerations| +| - | - | +| Control all apps | AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| +| Control specific apps | When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| +|Control only Classic Windows applications, only Universal Windows apps, or both| AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.
      For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.| +| Control apps by business group and user | AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.| +| Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.| +|Understand app usage, but there is no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.|   -**Important**   -The following list contains files or types of files that cannot be managed by AppLocker: +>**Important:**  The following list contains files or types of files that cannot be managed by AppLocker: + - AppLocker does not protect against running 16-bit DOS binaries in a NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. 
+ - You cannot use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. + - AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker cannot control every kind of interpreted code, for example Microsoft Office macros. - **Important**   - You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. + + >**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.   - AppLocker rules allow or prevent an app from launching. AppLocker does not control the behavior of apps after they are launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. 
You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules. + For more info, see [Security considerations for AppLocker](security-considerations-for-applocker.md).   ### Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions + AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Windows Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are: + - All Universal Windows apps can be installed by a standard user, whereas a number of Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps. - Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps cannot change the system state because they run with limited permissions. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. - Universal Windows apps can be acquired through the Store, or they can be side-loaded by using Windows PowerShell cmdlets. If you use Windows PowerShell cmdlets, a special Enterprise license is required to acquire Universal Windows apps. Classic Windows applications can be acquired through traditional means, such as through software vendors or retail distribution. 
+ AppLocker controls Universal Windows apps and Classic Windows applications by using different rule collections. You have the choice to control Universal Windows apps, Classic Windows applications, or both. + For more info, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). + ### How do you currently control app usage in your organization? + Most organizations have evolved app control policies and methods over time. With heightened security concerns and an emphasis on tighter IT control over desktop use, your organization might decide to consolidate app control practices or design a comprehensive application control scheme. AppLocker includes improvements over SRP in the architecture and management of application control policies. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Security polices (locally set or through Group Policy)

      Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method.

      Non-Microsoft app control software

      Using AppLocker requires a complete app control policy evaluation and implementation.

      Managed usage by group or OU

      Using AppLocker requires a complete app control policy evaluation and implementation.

      Authorization Manager or other role-based access technologies

      Using AppLocker requires a complete app control policy evaluation and implementation.

      Other

      Using AppLocker requires a complete app control policy evaluation and implementation.

      + +| Possible answers | Design considerations | +| - | - | +| Security polices (locally set or through Group Policy) | Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method.| +| Non-Microsoft app control software | Using AppLocker requires a complete app control policy evaluation and implementation.| +| Managed usage by group or OU | Using AppLocker requires a complete app control policy evaluation and implementation.| +| Authorization Manager or other role-based access technologies | Using AppLocker requires a complete app control policy evaluation and implementation.| +| Other | Using AppLocker requires a complete app control policy evaluation and implementation.|   ### Which Windows desktop and server operating systems are running in your organization? + If your organization supports multiple Windows operating systems, app control policy planning becomes more complex. Your initial design decisions should consider the security and management priorities of applications that are installed on each version of the operating system. @@ -172,259 +135,94 @@ If your organization supports multiple Windows operating systems, app control po
        ### Are there specific groups in your organization that need customized application control policies? + Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. - ---- - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Yes

      -

      For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.

      -

      If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.

      No

      AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.

      + +| Possible answers | Design considerations | +| - | - | +| Yes | For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.
      If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.| +| No | AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.|   ### Does your IT department have resources to analyze application usage, and to design and manage the policies? + The time and resources that are available to you to perform the research and analysis can affect the detail of your plan and processes for continuing policy management and maintenance. - ---- - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Yes

      Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.

      No

      Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment.

      + +| Possible answers | Design considerations | +| - | - | +| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| +| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. |   ### Does your organization have Help Desk support? + Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. - ---- - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Yes

      Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications.

      No

      Invest time in developing online support processes and documentation before deployment.

      + +| Possible answers | Design considerations | +| - | - | +| Yes | Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. | +| No | Invest time in developing online support processes and documentation before deployment. | +   ### Do you know what applications require restrictive policies? Any successful application control policy implementation is based on your knowledge and understanding of app usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the apps that access that data. - ---- - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Yes

      You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies.

      No

      You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in Audit only mode, and tools to view the event logs.

      + +| Possible answers | Design considerations | +| - | - | +| Yes | You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. | +| No | You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in **Audit only** mode, and tools to view the event logs.|   ### How do you deploy or sanction applications (upgraded or new) in your organization? + Implementing a successful application control policy is based on your knowledge and understanding of application usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the applications that access that data. Understanding the upgrade and deployment policy will help shape the construction of the application control policies. - ---- - - - - - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Ad hoc

      You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls.

      Strict written policy or guidelines to follow

      You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules.

      No process in place

      You need to determine if you have the resources to develop an application control policy, and for which groups.

      + +| Possible answers | Design considerations | +| - | - | +| Ad hoc | You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls.| +| Strict written policy or guidelines to follow | You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules. | +| No process in place | You need to determine if you have the resources to develop an application control policy, and for which groups. | +   ### Does your organization already have SRP deployed? + Although SRP and AppLocker have the same goal, AppLocker is a major revision of SRP. - ---- - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Yes

      You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

      -
      -Note   -

      If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.

      -
      -
      -  -

      No

      Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems.

      + +| Possible answers | Design considerations | +| - | - | +| Yes | You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

      **Note:** If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.| +| No | Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems. |   ### What are your organization's priorities when implementing application control policies? + Some organizations will benefit from application control policies as shown by an increase in productivity or conformance, while others will be hindered in performing their duties. Prioritize these aspects for each group to allow you to evaluate the effectiveness of AppLocker. - ---- - - - - - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Productivity: The organization assures that tools work and required applications can be installed.

      To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress.

      Management: The organization is aware of and controls the apps it supports.

      In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps

      Security: The organization must protect data in part by ensuring that only approved apps are used.

      AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.

      + +| Possible answers | Design considerations | +| - | - | +| Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. | +| Management: The organization is aware of and controls the apps it supports. | In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps| +| Security: The organization must protect data in part by ensuring that only approved apps are used. | AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.|   ### How are apps currently accessed in your organization? + AppLocker is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules. 
- ---- - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Users run without administrative rights.

      -

      Apps are installed by using an installation deployment technology.

      AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.

      -
      -Note   -

      AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.

      -
      -
      -  -

      Users must be able to install applications as needed.

      -

      Users currently have administrator access, and it would be difficult to change this.

      Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the Audit only enforcement setting through AppLocker.

      + +| Possible answers | Design considerations | +| - | - | +| Users run without administrative rights. | Apps are installed by using an installation deployment technology.| +| AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.
      **Note: **AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. +| Users currently have administrator access, and it would be difficult to change this.|Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the **Audit only** enforcement setting through AppLocker.|   ### Is the structure in Active Directory Domain Services based on the organization's hierarchy? -Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins. - ---- - - - - - - - - - - - - - - - - -
      Possible answersDesign considerations

      Yes

      AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure.

      No

      The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.

      + +Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. +Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins. + +| Possible answers | Design considerations | +| - | - | +| Yes | AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure.| +| No | The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.|   ## Record your findings + The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, tyou can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document. + - For info about setting your policy goals, see [Determine your application control objectives](determine-your-application-control-objectives.md). - For info about creating your planning document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). -  -  diff --git a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index c4438ba57b..066f32d60e 100644 --- a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md 
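Review bot: In the "Record your findings" paragraph of the file that ends just above this header, the added line reads `If AppLocker is the right solution for your goals, tyou can set your application control policy objectives`; `tyou` should be `you`. In the same file's first table, `**Note: **AppLocker` has whitespace before the closing asterisks, so the bold will likely not close when rendered. Write it as `**Note:** AppLocker`.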
@@ -2,34 +2,43 @@ title: Understand AppLocker rules and enforcement setting inheritance in Group Policy (Windows 10) description: This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand AppLocker rules and enforcement setting inheritance in Group Policy + **Applies to** - Windows 10 + This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. + Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into the following collections: executable files, Windows Installer files, scripts, packaged apps and packaged app installers, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. + Group Policy merges AppLocker policy in two ways: + - **Rules.** Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO). For example, if the current GPO has 12 rules and a linked GPO has 50 rules, 62 rules are applied to all computers that receive the AppLocker policy. - **Important**   - When determining whether a file is permitted to run, AppLocker processes rules in the following order: + >**Important:**  When determining whether a file is permitted to run, AppLocker processes rules in the following order: + 1. **Explicit deny.** An administrator created a rule to deny a file. 2. **Explicit allow.** An administrator created a rule to allow a file. 3. 
**Implicit deny.** This is also called the default deny because all files that are not affected by an allow rule are automatically blocked.   - **Enforcement settings.** The last write to the policy is applied. For example, if a higher-level GPO has the enforcement setting configured to **Enforce rules** and the closest GPO has the setting configured to **Audit only**, **Audit only** is enforced. If enforcement is not configured on the closest GPO, the setting from the closest linked GPO will be enforced. Because a computer's effective policy includes rules from each linked GPO, duplicate rules or conflicting rules could be enforced on a user's computer. Therefore, you should carefully plan your deployment to ensure that only rules that are necessary are present in a GPO. + The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs. + ![applocker rule enforcement inheritance chart](images/applocker-plan-inheritance.gif) + In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced. + When constructing the Group Policy architecture for applying AppLocker policies, it is important to remember: + - Rule collections that are not configured will be enforced. - Group Policy does not overwrite or replace rules that are already present in a linked GPO. - AppLocker processes the explicit deny rule configuration before the allow rule configuration. - For rule enforcement, the last write to the GPO is applied. -  -  
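Review bot: The "Enforcement settings" bullet still ends with `If enforcement is not configured on the closest GPO, the setting from the closest linked GPO will be enforced`, which names the closest GPO on both sides and so does not say whose setting wins. This is the sentence an administrator relies on to know whether a rule collection ends up in **Enforce rules** or **Audit only**, so reword it while reformatting this list to name the GPO whose setting applies. The closing bullet `Rule collections that are not configured will be enforced` should be checked against the same wording so the two statements agree.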
diff --git a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md index 225dc8c0c2..76bbb8d904 100644 --- a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md +++ b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md 
@@ -2,21 +2,30 @@ title: Understand the AppLocker policy deployment process (Windows 10) description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understand the AppLocker policy deployment process + **Applies to** - Windows 10 + This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. + To successfully deploy AppLocker policies, you need to identify your application control objectives and construct the policies for those objectives. The key to the process is taking an accurate inventory of your organization's applications, which requires investigation of all the targeted business groups. With an accurate inventory, you can create rules and set enforcement criteria that will allow the organization to use the required applications and allow the IT department to manage a controlled set of applications. + The following diagram shows the main points in the design, planning, and deployment process for AppLocker. + ![applocker quick reference guide](images/applocker-plandeploy-quickreference.gif) + ## Resources to support the deployment process + The following topics contain information about designing, planning, deploying, and maintaining AppLocker policies: + - For info about the AppLocker policy design and planning requirements and process, see [AppLocker Design Guide](applocker-policies-design-guide.md). - For info about the AppLocker policy deployment requirements and process, see [AppLocker deployment guide](applocker-policies-deployment-guide.md). - For info about AppLocker policy maintenance and monitoring, see [Administer AppLocker](administer-applocker.md). 
diff --git a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md index 30f5de5bcc..b6d8502af0 100644 --- a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md 
@@ -2,52 +2,38 @@ title: Understanding AppLocker allow and deny actions on rules (Windows 10) description: This topic explains the differences between allow and deny actions on AppLocker rules. ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker allow and deny actions on rules + **Applies to** - Windows 10 + This topic explains the differences between allow and deny actions on AppLocker rules. + ## Allow action versus deny action on rules + Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This configuration makes it easier to determine what will occur when an AppLocker rule is applied. + You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file. + ### Deny rule considerations + Although you can use AppLocker to create a rule to allow all files to run and then use rules to deny specific files, this configuration is not recommended. The deny action is generally less secure than the allow action because a malicious user could modify the file to invalidate the rule. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path. 
The following table details security concerns for different rule conditions with deny actions. - ---- - - - - - - - - - - - - - - - - - - - - -
      Rule conditionSecurity concern with deny action

      Publisher

      A user could modify the properties of a file (for example, re-signing the file with a different certificate).

      File hash

      A user could modify the hash for a file.

      Path

      A user could move the denied file to a different location and run it from there.

      + +| Rule condition | Security concern with deny action | +| - | - | +| Publisher | A user could modify the properties of a file (for example, re-signing the file with a different certificate).| +| File hash | A user could modify the hash for a file.| +| Path | A user could move the denied file to a different location and run it from there.|   -**Important**   -If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running. +>**Important:**  If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running.   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-applocker-default-rules.md b/windows/keep-secure/understanding-applocker-default-rules.md index cf10480b26..76aa56e251 100644 --- a/windows/keep-secure/understanding-applocker-default-rules.md +++ b/windows/keep-secure/understanding-applocker-default-rules.md 
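Review bot: In understanding-applocker-allow-and-deny-actions-on-rules.md, the new table row `| File hash | A user could modify the hash for a file.|` carries over wording that reads as if the hash were an editable attribute. The concern with a hash-based deny rule is that the file content is changed, which produces a different hash that the rule no longer matches. Suggest wording such as "A user could modify the file, which changes its hash, so the deny rule no longer applies."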
@@ -2,62 +2,45 @@ title: Understanding AppLocker default rules (Windows 10) description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker default rules + **Applies to** - Windows 10 + This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. -**Important**   -You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. + +>**Important:**  You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run.   -If you require additional app security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: +If you require additional app security, you might need to modify the rules created from the built-in default rule collection. 
For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. +The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: + - Traverse Folder/Execute File - Create Files/Write Data - Create Folders/Append Data + These permissions settings are applied to this folder for app compatibility. However, because any user can create files in this location, allowing applications to be run from this location might conflict with your organization's security policy. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [Executable rules in AppLocker](executable-rules-in-applocker.md)

      This topic describes the file formats and available default rules for the executable rule collection.

      [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)

      This topic describes the file formats and available default rules for the Windows Installer rule collection.

      [Script rules in AppLocker](script-rules-in-applocker.md)

      This topic describes the file formats and available default rules for the script rule collection.

      [DLL rules in AppLocker](dll-rules-in-applocker.md)

      This topic describes the file formats and available default rules for the DLL rule collection.

      [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)

      This topic explains the AppLocker rule collection for packaged app installers and packaged apps.

      + +| Topic | Description | +| - | - | +| [Executable rules in AppLocker](executable-rules-in-applocker.md) | This topic describes the file formats and available default rules for the executable rule collection. | +| [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) | This topic describes the file formats and available default rules for the Windows Installer rule collection.| +| [Script rules in AppLocker](script-rules-in-applocker.md) | This topic describes the file formats and available default rules for the script rule collection.| +| [DLL rules in AppLocker](dll-rules-in-applocker.md) | This topic describes the file formats and available default rules for the DLL rule collection.| +| [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) | This topic explains the AppLocker rule collection for packaged app installers and packaged apps.|   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) + +- [How AppLocker works](how-applocker-works-techref.md)     diff --git a/windows/keep-secure/understanding-applocker-rule-behavior.md b/windows/keep-secure/understanding-applocker-rule-behavior.md index b065509210..2e1353c3ed 100644 --- a/windows/keep-secure/understanding-applocker-rule-behavior.md +++ b/windows/keep-secure/understanding-applocker-rule-behavior.md 
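Review bot: In understanding-applocker-default-rules.md, the paragraph now split at `+The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:` explains that any user can write there, but the text stops at "might conflict with your organization's security policy" without saying what to change. Since the lead sentence says you "might need to modify the rules", name the modification the reader should consider for the default Windows-folder path rule and link to the topic that covers it. Also, this file's Related topics hunk appears to keep trailing blank `&nbsp;` lines after the list, where the sibling files in this patch remove them.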
@@ -2,24 +2,29 @@ title: Understanding AppLocker rule behavior (Windows 10) description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule behavior + **Applies to** - Windows 10 + This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. + If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run. + A rule can be configured to use either an allow or deny action: + - **Allow**. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. - **Deny**. You can specify which files are not allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. -**Important**   -You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path. + +>**Important:**  You can use a combination of allow actions and deny actions. 
However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-applocker-rule-collections.md b/windows/keep-secure/understanding-applocker-rule-collections.md index 950a47ebfe..9c569f7f53 100644 --- a/windows/keep-secure/understanding-applocker-rule-collections.md +++ b/windows/keep-secure/understanding-applocker-rule-collections.md 
@@ -2,28 +2,34 @@ title: Understanding AppLocker rule collections (Windows 10) description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule collections + **Applies to** - Windows 10 + This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. + An AppLocker rule collection is a set of rules that apply to one of five types: + - Executable files: .exe and .com - Windows Installer files: .msi, mst, and .msp - Scripts: .ps1, .bat, .cmd, .vbs, and .js - DLLs: .dll and .ocx - Packaged apps and packaged app installers: .appx + If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. -**Important**   -Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default. + +>**Important:**  Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default.   For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) 
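Review bot: The list item `- Windows Installer files: .msi, mst, and .msp` is missing the leading dot on `mst`; every other extension in the list has one, so make it `.mst` while the list spacing is being touched. In the same hunk, `a DLL allow rule has to be created for each DLL that is used by all of the allowed apps` can be read as "DLLs common to all apps"; "used by any of the allowed apps" would match the performance warning that follows.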
diff --git a/windows/keep-secure/understanding-applocker-rule-condition-types.md b/windows/keep-secure/understanding-applocker-rule-condition-types.md index e6b6e8505a..d4e6ceaf84 100644 --- a/windows/keep-secure/understanding-applocker-rule-condition-types.md +++ b/windows/keep-secure/understanding-applocker-rule-condition-types.md 
@@ -2,39 +2,55 @@ title: Understanding AppLocker rule condition types (Windows 10) description: This topic for the IT professional describes the three types of AppLocker rule conditions. ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule condition types + **Applies to** - Windows 10 + This topic for the IT professional describes the three types of AppLocker rule conditions. + Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash. + **Publisher** + To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released. For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). + **Path** + Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted). For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). + **File hash** + Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is unique to that the version of the file. For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). 
+ ### Considerations + Selecting the appropriate condition for each rule depends on the overall application control policy goals of the organization, the AppLocker rule maintenance goals, and the condition of the existing (or planned) application deployment. The following questions can help you decide which rule condition to use. + 1. Is the file digitally signed by a software publisher? + If the file is signed by a software publisher, we recommend that you create rules with publisher conditions. You may still create file hash and path conditions for signed files. However, if the file is not digitally signed by a software publisher, you can: + - Sign the file by using an internal certificate. - Create a rule by using a file hash condition. - Create a rule by using a path condition. - **Note**   - To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example, `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory. + + >**Note:**  To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example, + `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory.   2. What rule condition type does your organization prefer? + If your organization is already using Software Restriction Policies (SRP) to restrict what files users can run, rules using file hash or path conditions are probably already in place. - **Note**   - For a list of supported operating system versions and editions to which SRP and AppLocker rules can be applied, see [Requirements to use AppLocker](requirements-to-use-applocker.md). 
+ + >**Note:**  For a list of supported operating system versions and editions to which SRP and AppLocker rules can be applied, see [Requirements to use AppLocker](requirements-to-use-applocker.md).   ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-applocker-rule-exceptions.md b/windows/keep-secure/understanding-applocker-rule-exceptions.md index 0a89f17cc7..a99cb1f8cb 100644 --- a/windows/keep-secure/understanding-applocker-rule-exceptions.md +++ b/windows/keep-secure/understanding-applocker-rule-exceptions.md 
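Review bot: In understanding-applocker-rule-condition-types.md, the added line `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` uses an en dash before `Directory` but an ASCII hyphen before `FileType` and `recurse`. Use `-Directory` so the command is consistent and survives copy and paste into tools that do not normalize dashes. The hunk also moves the command to its own `+` line without a `>` prefix, so check that it still renders inside the Note callout. The unchanged File hash paragraph has "unique to that the version of the file", which should read "unique to that version of the file".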
@@ -2,19 +2,24 @@ title: Understanding AppLocker rule exceptions (Windows 10) description: This topic describes the result of applying AppLocker rule exceptions to rule collections. ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding AppLocker rule exceptions + **Applies to** - Windows 10 + This topic describes the result of applying AppLocker rule exceptions to rule collections. + You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. + For example, the rule "Allow Everyone to run Windows except Registry Editor" allows everyone in the organization to run Windows but does not allow anyone to run Registry Editor. The effect of this rule would prevent users such as help desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor. + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md index 1be8c8cc55..b778f3c76d 100644 --- a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md 
@@ -2,38 +2,28 @@ title: Understanding the file hash rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding the file hash rule condition in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. + File hash rules use a system-computed cryptographic hash of the identified file. For files that are not digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition. - ---- - - - - - - - - - - - - -
      File hash condition advantagesFile hash condition disadvantages

      Because each file has a unique hash, a file hash condition applies to only one file.

      Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules.

      + +| File hash condition advantages | File hash condition disadvantages | +| - | - | +| Because each file has a unique hash, a file hash condition applies to only one file. | Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules.|   For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md index 2adb70d6c6..d62cf0c8b6 100644 --- a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md 
@@ -2,18 +2,24 @@ title: Understanding the path rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding the path rule condition in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. + The path condition identifies an application by its location in the file system of the computer or on the network. + When creating a rule that uses a deny action, path conditions are less secure than publisher and file hash conditions for preventing access to a file because a user could easily copy the file to a different location than the location specified in the rule. Because path rules specify locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file under that location will be allowed to run, including within users' profiles. The following table describes the advantages and disadvantages of the path condition. + @@ -40,57 +46,22 @@ When creating a rule that uses a deny action, path conditions are less secure th
        AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced. + The asterisk (\*) wildcard character can be used within **Path** field. The asterisk (\*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\\Internet Explorer\\\* indicates that all files and subfolders within the Internet Explorer folder will be affected by the rule. + AppLocker uses path variables for well-known directories in Windows. Path variables are not environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows directory or driveAppLocker path variableWindows environment variable

      Windows

      %WINDIR%

      %SystemRoot%

      System32

      %SYSTEM32%

      %SystemDirectory%

      Windows installation directory

      %OSDRIVE%

      %SystemDrive%

      Program Files

      %PROGRAMFILES%

      %ProgramFiles% and %ProgramFiles(x86)%

      Removable media (for example, CD or DVD)

      %REMOVABLE%

      Removable storage device (for example, USB flash drive)

      %HOT%

      + +| Windows directory or drive | AppLocker path variable | Windows environment variable | +| - | - | - | +| Windows | %WINDIR% | %SystemRoot% | +| System32 | %SYSTEM32%| %SystemDirectory%| +| Windows installation directory | %OSDRIVE%|%SystemDrive%| +| Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%| +| Removable media (for example, CD or DVD) | %REMOVABLE%| | +| Removable storage device (for example, USB flash drive)| %HOT%|||   For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md index 053ee2e59c..34ac6444f3 100644 --- a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md 
@@ -2,18 +2,24 @@ title: Understanding the publisher rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Understanding the publisher rule condition in AppLocker + **Applies to** - Windows 10 + This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. + Publisher conditions can be made only for files that are digitally signed; this condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the app is part of and the version number of the app. The publisher may be a software development company, such as Microsoft, or the Information Technology department of your organization. -Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages of the publisher condition. +Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages +of the publisher condition. + @@ -42,70 +48,42 @@ Publisher conditions are easier to maintain than file hash conditions and are ge
        Wildcard characters can be used as values in the publisher rule fields according to the following specifications: + - **Publisher** + The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name “\*x\*”. A question mark (?) is not a valid wildcard character in this field. + - **Product name** + The asterisk (\*) character used by itself represents any product name. When combined with any string value, the rule is limited to the product of the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. A question mark (?) is not a valid wildcard character in this field. + - **File name** + Either the asterisk (\*) or question mark (?) characters used by themselves represent any and all file names. When combined with any string value, the string is matched with any file name containing that string. + - **File version** + The asterisk (\*) character used by itself represents any file version. If you want to limit the file version to a specific version or as a starting point, you can state the file version and then use the following options to apply limits: + - **Exactly**. The rule applies only to this version of the app - **And above**. The rule applies to this version and all later versions. - **And Below**. The rule applies to this version and all earlier versions. + The following table describes how a publisher condition is applied. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      OptionThe publisher condition allows or denies…

      All signed files

      All files that are signed by a publisher.

      Publisher only

      All files that are signed by the named publisher.

      Publisher and product name

      All files for the specified product that are signed by the named publisher.

      Publisher, product name, and file name

      Any version of the named file for the named product that is signed by the publisher.

      Publisher, product name, file name, and file version

      Exactly

      -

      The specified version of the named file for the named product that is signed by the publisher.

      Publisher, product name, file name, and file version

      And above

      -

      The specified version of the named file and any new releases for the product that are signed by the publisher.

      Publisher, product name, file name, and file version

      And below

      -

      The specified version of the named file and any older versions for the product that are signed by the publisher.

      Custom

      You can edit the Publisher, Product name, File name, and Version fields to create a custom rule.

      + +| Option | The publisher condition allows or denies…| +| - | - | +| **All signed files** | All files that are signed by a publisher.| +| **Publisher only** | All files that are signed by the named publisher.| +| **Publisher and product name** | All files for the specified product that are signed by the named publisher.| +| **Publisher, product name, and file name** | Any version of the named file for the named product that is signed by the publisher.| +| **Publisher, product name, file name, and file version** | **Exactly**
      The specified version of the named file for the named product that is signed by the publisher.| +| **Publisher, product name, file name, and file version** | **And above**
      The specified version of the named file and any new releases for the product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **And below**
      The specified version of the named file and any older versions for the product that are signed by the publisher.| +| **Custom** | You can edit the **Publisher**, **Product name**, **File name**, and **Version** fields to create a custom rule.|   For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + ## Related topics -[How AppLocker works](how-applocker-works-techref.md) -  -  + +- [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index 4b888e3d71..e9c7b0645e 100644 --- a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md 
@@ -2,35 +2,46 @@ title: Use a reference device to create and maintain AppLocker policies (Windows 10) description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use a reference device to create and maintain AppLocker policies + **Applies to** - Windows 10 + This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. + ## Background and prerequisites + An AppLocker reference device is a baseline device you can use to configure policies and can subsequently be used to maintain AppLocker policies. For the procedure to configure a reference device, see [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md). + An AppLocker reference device that is used to create and maintain AppLocker policies should contain the corresponding apps for each organizational unit (OU) to mimic your production environment. -**Important**   -The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + +>**Important:**  The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).   You can perform AppLocker policy testing on the reference device by using the **Audit only** enforcement setting or Windows PowerShell cmdlets. You can also use the reference device as part of a testing configuration that includes policies that are created by using Software Restriction Policies. 
+ ## Step 1: Automatically generate rules on the reference device + With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For the procedure to do this, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). -**Note**   -If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules. + +>**Note:**  If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules.   ## Step 2: Create the default rules on the reference device + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must run the default rules for each rule collection. For info about default rules and considerations for using them, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md). For the procedure to create default rules, see [Create AppLocker default rules](create-applocker-default-rules.md). 
-**Important**   -You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. + +>**Important:**  You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.   ## Step 3: Modify rules and the rule collection on the reference device + If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures: + - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) 
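Review bot: The front matter `description:` and the intro sentence in this hunk still say "reference computer", while the `title:`, the H1, and every step heading say "reference device". Use "reference device" in the description and intro as well so the topic reads with one term. Also confirm that the mixed-case link target `configure-the-appLocker-reference-device.md` in the Background paragraph matches the file name on disk, since every other link target in this hunk is all lowercase.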
@@ -39,25 +50,34 @@ If AppLocker policies are currently running in your production environment, expo - [Delete an AppLocker rule](delete-an-applocker-rule.md) - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) - [Enforce AppLocker rules](enforce-applocker-rules.md) + ## Step 4: Test and update AppLocker policy on the reference device + You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step: + - [Test an AppLocker Policy with Test-AppLockerPolicy](http://technet.microsoft.com/library/ee791772(WS.10).aspx) - [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx) -**Caution**   -If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect. + +>**Caution:**  If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. 
If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect.   ## Step 5: Export and import the policy into production + When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and checked for its intended effectiveness. To do this, perform the following procedures: + - [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) - [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or - [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx) + If the AppLocker policy enforcement setting is **Audit only** and you are satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). + ## Step 6: Monitor the effect of the policy in production + If additional refinements or updates are necessary after a policy is deployed, use the appropriate following procedures to monitor and update the policy: + - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) - [Edit an AppLocker policy](edit-an-applocker-policy.md) - [Refresh an AppLocker policy](refresh-an-applocker-policy.md) + ## See also -[Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) -  -  + +- [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) diff --git a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 01e857dfe3..ef970cd8df 100644 
--- a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md 
@@ -2,18 +2,26 @@ title: Use AppLocker and Software Restriction Policies in the same domain (Windows 10) description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use AppLocker and Software Restriction Policies in the same domain + **Applies to** - Windows 10 + This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. + ## Using AppLocker and Software Restriction Policies in the same domain -AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored. + +AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running +Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. 
When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, +Windows 7 and later, the SRP policies are ignored. + The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker. diff --git a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md index 4ccedff7ca..cf988054c1 100644 --- a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md 
@@ -2,30 +2,51 @@ title: Use the AppLocker Windows PowerShell cmdlets (Windows 10) description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use the AppLocker Windows PowerShell cmdlets + **Applies to** - Windows 10 + This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. + ## AppLocker Windows PowerShell cmdlets -The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console. -To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer. + +The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the +Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console. 
+ +To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the +Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer. + ### Retrieve application information -The [Get-AppLockerFileInformation](http://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + +The [Get-AppLockerFileInformation](http://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. + +File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + ### Set AppLocker policy + The [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. + ### Retrieve an AppLocker policy + The [Get-AppLockerPolicy](http://technet.microsoft.com/library/hh847214.aspx) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string. 
+ ### Generate rules for a given user or group -The [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the list of file information. + +The [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the +list of file information. + ### Test the AppLocker Policy against a file set + The [Test-AppLockerPolicy](http://technet.microsoft.com/library/hh847213.aspx) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user. + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). -  -  diff --git a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md index cc7a0adbb4..060d693df1 100644 --- a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md +++ b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md 
@@ -2,22 +2,33 @@ title: Use Windows Event Forwarding to help with intrusion detection (Windows 10) description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: tedhardyMSFT --- + # Use Windows Event Forwarding to help with intrusion detection + **Applies to** - Windows 10 + Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. + Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server. -To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. + +To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The +Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. 
+ This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis. + An SEM’s strength lies in being able to inspect, correlate events, and generate alerts for known patterns manner and alert security staff at machine speed. + A MapReduce system has a longer retention time (years versus months for an SEM), larger ingress ability (hundreds of terabytes per day), and the ability to perform more complex operations on the data like statistical and trend analysis, pattern clustering analysis, or apply Machine Learning algorithms. + Here's an approximate scaling guide for WEF events: + | Events/second range | Data store | |---------------------|----------------------------| | 0 - 5,000 | SQL or SEM | 
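Review bot: The paragraph beginning "To accomplish this" is removed and re-added by this hunk but keeps the typo "two different of subscriptions" and mixes "the suspect subscription" with "a Suspect subscription". Since the line is already being changed, fix both: "two different subscriptions", with "Suspect" capitalized throughout to match "Baseline". The re-added text also puts a hard line break after "The", in the middle of a sentence ("... added by you. The" / "Suspect subscription collects ..."). Either keep the paragraph on one line as before or break at the sentence boundary, so that later diffs of this paragraph stay readable.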
@@ -25,54 +36,91 @@ Here's an approximate scaling guide for WEF events: | 50,000+ | Hadoop/HDInsight/Data Lake |   Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences. + For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). -**Note**   -These are only minimum values need to meet what the WEF subscription selects. + +>**Note:**  These are only minimum values need to meet what the WEF subscription selects.   From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts’ direction. All devices should have access to the Baseline subscription. 
+ This means you would create two base subscriptions: + - **Baseline WEF subscription**. Events collected from all hosts, this includes some role-specific events, which will only be emitted by those machines. - **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems. + Each using the respective event query below. Note that for the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. + In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query. + ### Common WEF questions + This section addresses common questions from IT pros and customers. + ### Will the user notice if their machine is enabled for WEF or if WEF encounters an error? + The short answer is: No. + The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channel logs the success, warning, and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and navigates to that channel, they will not notice WEF either through resource consumption or Graphical User Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or performance degradation. All success, warning, and failure events are logged to this operational event channel. + ### Is WEF Push or Pull? + A WEF subscription can be configured to be push or pull, but not both. 
The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients also have to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines. + ### Will WEF work over VPN or RAS? + WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and send any accumulated backlog of events when the connection to the WEF Collector is re-established. + ### How is client progress tracked? -The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription. + +The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a +WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription. 
+ ### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment? + Yes. WEF is transport agnostic and will work over IPv4 or IPv6. + ### Are WEF events encrypted? I see an HTTP/HTTPS option! + In a domain setting, the connection used to transmit WEF events is encrypted using Kerberos, by default (with NTLM as a fallback option, which can be disabled by using a GPO). Only the WEF collector can decrypt the connection. Additionally, the connection between WEF client and WEC server is mutually authenticated regardless of authentication type (Kerberos or NTLM.) There are GPO options to force Authentication to use Kerberos Only. + This authentication and encryption is performed regardless if HTTP or HTTPS is selected. + The HTTPS option is available if certificate based authentication is used, in cases where the Kerberos based mutual authentication is not an option. The SSL certificate and provisioned client certificates are used to provide mutual authentication. + ### Do WEF Clients have a separate buffer for events? + The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). + When the event log overwrites existing events (resulting in data loss if the device is not connected to the Event Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream. + ### What format is used for forwarded events? -WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. 
This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate. + +WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is +“Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate. + A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility: + ``` syntax @rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime Wecutil ss “testSubscription” /cf:Events ``` + ### How frequently are WEF events delivered? + Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Ciewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. 
+ This table outlines the built-in delivery options: -| Event delivery optimization options | Description | -|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Normal | This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | -| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | -| Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. | + +| Event delivery optimization options | Description | +| - | - | +| Normal | This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | +| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. 
It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | +| Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. |   For more info about delivery options, see [Configure Advanced Subscription Settings](http://technet.microsoft.com/library/cc749167.aspx). + The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements you can set Custom event delivery options for a given subscription from an elevated command prompt: + ``` syntax @rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime Wecutil ss “SubscriptionNameGoesHere” /cm:Custom 
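Review bot: the `Wecutil ss “testSubscription” /cf:Events` and `Wecutil ss “SubscriptionNameGoesHere” /cm:Custom` examples in this hunk use typographic quotes, which cmd.exe does not treat as quoting characters, so a pasted command passes the quote marks as part of the subscription name. Replace them with plain ASCII `"` in both code blocks. The `@rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime` comment above the `/cf:Events` command looks copied from the Custom delivery block and does not describe that command. While these lines are being touched: "need to meet" in the new Note line should be "needed to meet", "Event Ciewer" should be "Event Viewer", and the two new hard line breaks in the middle of sentences ("If a" / "WEF client has no events" and "The alternative mode is" / "“Events”") should be rejoined.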
@@ -82,122 +130,209 @@ Wecutil ss “SubscriptionNameGoesHere” /dmi:1 Wecutil ss “SubscriptionNameGoesHere” /dmlt:10 ``` ### How do I control which devices have access to a WEF Subscription? + For source initiated subscriptions: Each WEF subscription on a WEC server has its own ACL for machine accounts or security groups containing machine accounts (not user accounts) that are explicitly allowed to participate in that subscription or are explicitly denied access. This ACL applies to only a single WEF subscription (since there can be multiple WEF subscriptions on a given WEC server), other WEF Subscriptions have their own separate ACL. + For collector initiated subscriptions: The subscription contains the list of machines from which the WEC server is to collect events. This list is managed at the WEC server, and the credentials used for the subscription must have access to read event logs from the WEF Clients – the credentials can be either the machine account or a domain account. + ### Can a client communicate to multiple WEF Event Collectors? + Yes. If you desire a High-Availability environment, simply configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. + ### What are the WEC server’s limitations? + There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is “10k x 10k” – meaning, no more than 10,000 concurrently active WEF Clients per WEC server and no more than 10,000 events/second average event volume. + - **Disk I/O**. The WEC server does not process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. 
Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive. - **Network Connections**. While a WEF source does not maintain a permanent, persistent connection to the WEC server, it does not immediately disconnect after sending its events. This means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. - **Registry size**. For each unique device that connects to a WEF subscription, there is a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this is not pruned to remove inactive clients this set of registry keys can grow to an unmanageable size over time. + - When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the **Subscriptions** node in the left-navigation, but will function normally afterwards. - At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions. - At >100,000 lifetime WEF sources, the registry will not be readable and the WEC server will likely have to be rebuilt. + ## Subscription information + Below lists all of the items that each subscription collects, the actual subscription XML is available in an Appendix. These are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll (and remove) hosts on an as needed basis to the Targeted subscription. + ### Baseline subscription + While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. 
(Exceptions should be allowed for unusual devices – a device performing complex developer related tasks can be expected to create an unusually high volume of process create and AppLocker events.) This subscription does not require special configuration on client devices to enable event channels or modify channel permissions. + The subscription is essentially a collection of query statements applied to the Event Log. This means that it is modular in nature and a given query statement can be removed or changed without impacting other query statement in the subscription. Additionally, suppress statements which filter out specific events, only apply within that query statement and are not to the entire subscription. + ### Baseline subscription requirements + To gain the most value out of the baseline subscription we recommend to have the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. + - Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This ensures that the security event log is generating the required events. - Apply at least an Audit-Only AppLocker policy to devices. + - If you are already whitelisting or blacklisting events by using AppLocker, then this requirement is met. - AppLocker events contain extremely useful information, such as file hash and digital signature information for executables and scripts. + - Enable disabled event channels and set the minimum size for modern event files. - Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). + The annotated event query can be found in the following. 
For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf). + - Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log. - Security event log Process Create events. - AppLocker Process Create events (EXE, script, packaged App installation and execution). - Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb). - OS startup and shutdown + - Startup event include operating system version, service pack level, QFE version, and boot mode. + - Service install + - Includes what the name of the service, the image path, and who installed the service. + - Certificate Authority audit events + - This is only applicable on systems with the Certificate Authority role installed. - Logs certificate requests and responses. + - User profile events + - Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind. + - Service start failure + - Failure codes are localized, so you have to check the message DLL for values. + - Network share access events + - Filter out IPC$ and /NetLogon file shares, which are expected and noisy. + - System shutdown initiate requests + - Find out what initiated the restart of a device. + - User initiated interactive logoff event - Remote Desktop Services session connect, reconnect, or disconnect. - EMET events, if EMET is installed. - Event forwarding plugin events + - For monitoring WEF subscription operations, particularly Partial Success events. This is useful for diagnosing deployment issues. + - Network share create and delete + - Enables detection of unauthorized share creation. - **Note**  All shares are re-created when the device starts. + >**Note:**  All shares are re-created when the device starts.   
- Logon sessions + - Logon success for interactive (local and Remote Interactive/Remote Desktop) - Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. - Logon success for batch sessions - Logon session close, which are logoff events for non-network sessions. + - Windows Error Reporting (Application crash events only) + - This can help detect early signs of intruder not familiar with enterprise environment using targeted malware. + - Event log service events + - Errors, start events, and stop events for the Windows Event Log service. + - Event log cleared (including the Security Event Log) + - This could indicate an intruder that are covering their tracks. + - Special privileges assigned to new logon + - This indicates that at the time of logon a user is either an Administrator or has the sufficient access to make themselves Administrator. + - Outbound Remote Desktop Services session attempts + - Visibility into potential beachhead for intruder + - System time changed - SMB Client (mapped drive connections) - Account credential validation + - Local accounts or domain accounts on domain controllers + - A user was added or removed from the local Administrators security group. - Crypto API private key accessed + - Associated with signing objects using the locally stored private key. + - Task Scheduler task creation and delete + - Task Scheduler allows intruders to run code at specified times as LocalSystem. + - Logon with explicit credentials + - Detect credential use changes by intruders to access additional resources. + - Smartcard card holder verification events + - This detects when a smartcard is being used. + ### Suspect subscription + This adds some possible intruder-related activity to help analyst further refine their determinations about the state of the device. + - Logon session creation for network sessions + - Enables time-series analysis of network graphs. 
+ - RADIUS and VPN events + - Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-> IP address assignment with remote IP address connecting to the enterprise. + - Crypto API X509 object and build chain events + - Detects known bad certificate, CA, or sub-CA - Detects unusual process use of CAPI + - Groups assigned to local logon + - Gives visibility to groups which enable account wide access - Allows better planning for remediation efforts - Excludes well known, built-in system accounts. + - Logon session exit + - Specific for network logon sessions. + - Client DNS lookup events + - Returns what process performed a DNS query and the results returned from the DNS server. + - Process exit + - Enables checking for processes terminating unexpectedly. + - Local credential validation or logon with explicit credentials + - Generated when the local SAM is authoritative for the account credentials being authenticated. - Noisy on domain controllers - On client devices this is only generated when local accounts log on. + - Registry modification audit events + - Only when a registry value is being created, modified, or deleted. + - Wireless 802.1x authentication + - Detect wireless connection with a peer MAC address + - Windows PowerShell logging + - Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging improvements for in-memory attacks using Windows PowerShell. - Includes Windows PowerShell remoting logging + - User Mode Driver Framework “Driver Loaded” event + - Can possibly detect a USB device loading multiple device drivers. For example, a USB\_STOR device loading the keyboard or network driver. + ## Appendix A - Minimum recommended minimum audit policy + If your organizational audit policy enables additional auditing to meet its needs, that is fine. The policy below is the minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions. 
+ | Category | Subcategory | Audit settings | |--------------------|---------------------------------|---------------------| | Account Logon | Credential Validation | Success and Failure | 
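Review bot: under "Baseline subscription requirements", the sentence "For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf)" sends readers to the wrong appendix, because the earlier paragraph of this article links Appendix E (`#bkmk-appendixe`) for the baseline query and Appendix F for the suspect query. Change the link text and anchor to Appendix E. In the same list, "Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO." contradicts itself as written; say which GPO mechanism is meant, since it already points to Appendix C. The heading "Suspect subscription" should also match the "Targeted subscription" name used in the section introduction.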
@@ -232,28 +367,46 @@ If your organizational audit policy enables additional auditing to meet its need | System | System Integrity | Success and Failure |   ## Appendix B - Recommended minimum registry system ACL policy + The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run (or run only once then removed, respectively) when a user logs into the system. + This can easily be extended to other Auto-Execution Start Points keys in the registry. + Use the following figures to see how you can configure those registry keys. -![default acl for run key](images/runkey.png)![default acl for runonce key](images/runoncekey.png) + +![default acl for run key](images/runkey.png) + +![default acl for runonce key](images/runoncekey.png) + ## Appendix C - Event channel settings (enable and channel access) methods + Some channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-CAPI2/Operational must have the channel access modified to allow the Event Log Readers built-in security group to read from it. + The recommended and most effective way to do this is to configure the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access.) This will take effect at the next GPO refresh cycle and has minimal impact on the client device. + The following GPO snippet performs the following: + - Enables the **Microsoft-Windows-Capi2/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-Capi2/Operational** to 100MB. - Sets the maximum file size for **Microsoft-Windows-AppLocker/EXE and DLL** to 100MB. - Sets the maximum channel access for **Microsoft-Windows-Capi2/Operational** to include the built-in Event Log Readers security group. - Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB. 
+ ![configure event channels](images/capi-gpo.png) + ## Appendix D - Minimum GPO for WEF Client configuration + Here are the minimum steps for WEF to operate: + 1. Configure the collector URI(s). 2. Start the WinRM service. 3. Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel. + ![configure the wef client](images/wef-client-config.png) + ## Appendix E – Annotated baseline subscription event query + ``` syntax @@ -416,8 +569,11 @@ Here are the minimum steps for WEF to operate: ``` + ## Appendix F – Annotated Suspect Subscription Event Query + ``` syntax + @@ -486,10 +642,10 @@ Here are the minimum steps for WEF to operate: ``` ## Appendix G - Online resources + You can get more info with the following links: -- [Event Selection](http://msdn.microsoft.com/library/aa385231(VS.85).aspx) -- [Event Queries and Event XML](http://msdn.microsoft.com/library/bb399427(VS.90).aspx) -- [Event Query Schema](http://msdn.microsoft.com/library/aa385760(VS.85).aspx) + +- [Event Selection](http://msdn.microsoft.com/library/aa385231.aspx) +- [Event Queries and Event XML](http://msdn.microsoft.com/library/bb399427.aspx) +- [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx) - [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) -  -  diff --git a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 9f31ef56eb..a4fbc0126b 100644 --- a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md 
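Review bot: in the Appendix G hunk above, the three rewritten MSDN links (`aa385231.aspx`, `bb399427.aspx`, `aa385760.aspx`) still use `http://`. Since these lines are being changed anyway, switch them to `https://`, and confirm that the shortened URLs without the `(VS.85)` and `(VS.90)` suffixes still resolve to the same topics before merging.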
@@ -2,87 +2,83 @@ title: User Account Control Admin Approval Mode for the Built-in Administrator account (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Admin Approval Mode for the Built-in Administrator account security policy setting. ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Admin Approval Mode for the Built-in Administrator account **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. + ## Reference + This policy setting determines the behavior of Admin Approval Mode for the built-in administrator account. When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. By default, this setting is set to **Disabled**. -**Note**   -If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled. 
+ +>**Note:**  If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.   ### Possible values + - Enabled + The built-in administrator account logs on in Admin Approval Mode so that any operation that requires elevation of privilege displays a prompt that provides the administrator the option to permit or deny the elevation of privilege. + - Disabled + The built-in administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. + ### Best practices + - Do not enable the built-in administrator account on the client computer, but use the standard user account and User Account Control (UAC). + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. -
      ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + One of the risks of the User Account Control (UAC) feature is that it is intended to mitigate malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the administrator account because that user account was created for all installations of the Windows. To address this risk, the built-in administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the administrator account is enabled, and the password must be changed the first time the Administrator logs on. In a default installation of a computer running at least Windows Vista, accounts with administrative control over the computer are initially set up in one of two ways: + - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. - If the computer is joined to a domain, no local administrator accounts are created. 
The enterprise or domain administrator must log on to the computer and create a local administrator account if one is warranted. + ### Countermeasure + Enable the **User Account Control: Admin Approval Mode for the Built-in Administrator account** setting if you have the built-in Administrator account enabled. + ### Potential impact + Users who log on by using the local administrator account are prompted for consent whenever a program requests an elevation in privilege. ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index 3215dba248..cc8ebe93f3 100644 --- a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md 
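Review bot: in the Vulnerability section, "One of the risks of the User Account Control (UAC) feature is that it is intended to mitigate malicious software running under elevated credentials" reads as if UAC itself were the risk. Suggest "One of the risks that the User Account Control (UAC) feature is intended to mitigate is malicious software running under elevated credentials without the user or administrator being aware of its activity." The next sentence has "all installations of the Windows", where "the" should be dropped. In the new default values table the rows are padded unevenly (`| Default Domain Policy| Not defined|`); it renders correctly, but matching the header row's spacing keeps later diffs cleaner.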
@@ -2,104 +2,118 @@ title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop (Windows 10) description: Describes the best practices, location, values, and security considerations for the User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting. ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. + ## Reference + This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts that are used by a standard user. -**Note**   -This setting does not change the behavior of the UAC elevation prompt for administrators. + +>**Note:**  This setting does not change the behavior of the UAC elevation prompt for administrators.   **Background** + User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. + Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. 
Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model. + However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. -If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. + +If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy +checks before starting an application with UIAccess privilege. + 1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local computer. 2. The application must be installed in a local folder that is writeable only by administrators, such as the Program Files directory. The allowed directories for UI automation applications are: + 1. %ProgramFiles% and its subdirectories. 2. %WinDir% and its subdirectories, except a few subdirectories that are excluded because standard users have write access. 
+ **Resulting behavior** + When this setting is enabled, UIAccess programs (including Windows Remote Assistance) can automatically disable the secure desktop for elevation prompts. Unless you have also disabled elevation prompts, the prompts appear on the interactive user's desktop instead of on the secure desktop. The prompts also appear on the remote administrator's view of the desktop during a Windows Remote Assistance session, and the remote administrator can provide the appropriate credentials for elevation. + If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. + ### Possible values + - Enabled + UIA programs can automatically disable the secure desktop for elevation prompts, and unless you have also disabled elevation prompts, the prompts appear on the interactive user's desktop instead of on the secure desktop. Prompts will also appear on the remote administrator's view of the desktop during a Windows Remote Assistance session, and the remote administrator can provide the appropriate credentials for elevation. + - Disabled + The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting. + ### Best practices + - Best practices are dependent on your security policies and your remote operational requirements. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +Server type or GPO| Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ### Policy interactions + If you plan to enable this setting, you should also review the effect of the [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user. If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + UIA programs are designed to interact with Windows and application programs on behalf of a user. 
This setting allows UIA programs to bypass the secure desktop to increase usability in certain cases, but it allows elevation requests to appear on the regular interactive desktop instead of on the secure desktop. This increases the risk that a malicious program could intercept data that is being transferred between the UI and the application. Because UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. To be considered trusted, a UIA program must be digitally signed. By default, UIA programs can be run only from the following protected paths: + - ..\\Program Files\\ (and subfolders) - ..\\Program Files (x86)\\ (and subfolders, in 64-bit versions of Windows only) - ..\\Windows\\System32\\ + The requirement to be in a protected path can be disabled by the [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) setting. Although this setting applies to any UIA program, it is used primarily in certain Windows Remote Assistance scenarios. + ### Countermeasure + Disable the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** setting. + ### Potential impact + If a user requests remote assistance from an administrator and the remote assistance session is established, elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator’s session during elevation requests, the user can select the "Allow IT Expert to respond to User Account Control prompts" check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. 
If the interactive user is a standard user, the user does not have the required credentials to allow elevation. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 2f01c9ecc5..28718b33ae 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md 
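Review bot: In user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md, the header row of the new default-values table is written `Server type or GPO| Default value |` without a leading pipe, while its data rows and the tables converted in the other files of this patch all start with `|`. Add the leading `|` so the header matches the rest of the table. In the same hunk, the Background paragraph now breaks mid-sentence: one added line ends with "Devices implement the following policy" and the next added line starts with "checks before starting an application with UIAccess privilege." Rejoin them into a single line.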
@@ -2,94 +2,99 @@ title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting. ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. + ## Reference + This policy setting determines the behavior of the elevation prompt for accounts that have administrative credentials. + ### Possible values + - **Elevate without prompting** + Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required. - **Note**   - Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + >**Note:**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.   - **Prompt for credentials on the secure desktop** + When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. 
If the user enters valid credentials, the operation continues with the user's highest available privilege. + - **Prompt for consent on the secure desktop** + When an operation requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + - **Prompt for credential**s + An operation that requires elevation of privilege prompts the administrator to type the user name and password. If the administrator enters valid credentials, the operation continues with the applicable privilege. + - **Prompt for consent** + An operation that requires elevation of privilege prompts the administrator to select **Permit** or **Deny**. If the administrator selects **Permit**, the operation continues with the administrator's highest available privilege. + - **Prompt for consent for non-Windows binaries** + This is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + ### Best practices + - Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Prompt for consent for non-Windows binaries

      DC Effective Default Settings

      Prompt for consent for non-Windows binaries

      Member Server Effective Default Settings

      Prompt for consent for non-Windows binaries

      Client Computer Effective Default Settings

      Prompt for consent for non-Windows binaries

      + + +| Server type or GPO Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries| +| DC Effective Default Settings | Prompt for consent for non-Windows binaries| +| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries| +| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations, and it permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so. + ### Countermeasure + Configure the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** setting to **Prompt for consent**. + ### Potential impact + Administrators should be made aware that they will be prompted for consent when all binaries attempt to run. 
+ ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 727d8b7ba1..e382611db9 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md 
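Review bot: In user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md, the header row of the new table, `| Server type or GPO Default value |`, has no `|` between the two column names, so it declares one cell while the `| - | - |` delimiter row and every data row have two. Change it to `| Server type or GPO | Default value |`. The hunk also deletes the sentence "The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page." under "### Default values", which the other files in this patch keep as an unchanged context line; restore it unless the removal is intended.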
@@ -2,86 +2,88 @@ title: User Account Control Behavior of the elevation prompt for standard users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for standard users security policy setting. ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Behavior of the elevation prompt for standard users + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. + ## Reference + This policy setting determines the behavior of the elevation prompt for standard users. + ### Possible values + - **Automatically deny elevation requests** + This option returns an “Access denied” error message to standard users when they try to perform an operation that requires elevation of privilege. Most organizations that run desktops as standard users configure this policy to reduce Help Desk calls. + - **Prompt for credentials on the secure desktop** + This is the default. When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + - **Prompt for credentials** + An operation that requires elevation of privilege prompts the user to type an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + ### Best practices + 1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. 
This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. 2. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Prompt for credentials on the secure desktop

      DC Effective Default Settings

      Prompt for credentials on the secure desktop

      Member Server Effective Default Settings

      Prompt for credentials on the secure desktop

      Client Computer Effective Default Settings

      Prompt for credentials on the secure desktop

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Prompt for credentials on the secure desktop| +| DC Effective Default Settings | Prompt for credentials on the secure desktop| +| Member Server Effective Default Settings | Prompt for credentials on the secure desktop| +| Client Computer Effective Default Settings | Prompt for credentials on the secure desktop|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + One of the risks that the UAC feature tries to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations, and it requires that the user supply administrative credentials for the program to run. + ### Countermeasure + Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. 
As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. + ### Potential impact + Users must provide administrative passwords to run programs with elevated privileges. This could cause an increased load on IT staff while the programs that are affected are identified and standard operating procedures are modified to support least privilege operations. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 067ec3619c..178aa242b4 100644 --- a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md 
@@ -2,83 +2,81 @@ title: User Account Control Detect application installations and prompt for elevation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Detect application installations and prompt for elevation security policy setting. ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Detect application installations and prompt for elevation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. + ## Reference + This policy setting determines the behavior of application installation detection for the entire system. Some software might attempt to install itself after being given permission to run. The user may give permission for the program to run because the program is trusted. Then the user is prompted to install an unknown component. This security policy provides another way to identify and stop these attempted software installations before they can do damage. + ### Possible values + - **Enabled** + Application installation packages that require an elevation of privilege to install are detected and the user is prompted for administrative credentials. + - **Disabled** + Application installation packages that require an elevation of privilege to install are not detected and the user is not prompted for administrative credentials. + ### Best practices + 1. Installer detection is unnecessary when enterprises run standard user desktops that capitalize on delegated installation technologies like Group Policy Software Install (GPSI) or Configuration Manager. Therefore you can set this security policy to **Disabled**. 2. 
Enable the **User Account Control: Detect application installations and prompt for elevation** setting so standard users must provide administrative credentials before software is installed. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Some malicious software might attempt to install itself after being given permission to run, for example, malicious software with a trusted application shell. The user may give permission for the program to run because the program is trusted. Then the user is prompted to install an unknown component. This policy provides another way to trap the software before it can do damage. + ### Countermeasure + Enable the **User Account Control: Detect application installations and prompt for elevation** setting. + ### Potential impact + Users must provide administrative passwords to install programs. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 7c3f3ccfae..19768449e0 100644 --- a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md 
+++ b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md 
@@ -2,87 +2,89 @@ title: User Account Control Only elevate executables that are signed and validated (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate executables that are signed and validated security policy setting. ms.assetid: 64950a95-6985-4db6-9905-1db18557352d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Only elevate executables that are signed and validated + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. + ## Reference + This policy setting enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. You can control the apps that are allowed to run through the population of certificates in the local computer's Trusted Publishers store. + A trusted publisher is a certificate issuer that the computer’s user has chosen to trust and that has certificate details that have been added to the store of trusted publishers. + Windows maintains certificates in certificate stores. These stores can be represented by containers in the file system or the registry, or they can be implemented as physical stores such as smart cards. Certificate stores are associated with the computer object or they are owned by a distinct user who has a security context and profile on that computer. In addition, services can have certificate stores. A certificate store will often contain numerous certificates, possibly issued from a number of different certification authorities (CAs). 
When certificate path discovery is initiated, Windows attempts to locate the issuing CA for the certificates, and it builds a certificate path to the trusted root certificate. Intermediate certificates are included as part of the application protocol or are picked up from Group Policy or through URLs that are specified in the Authority Information Access (AIA) extension. When the path is built, each certificate in the path is verified for validity with respect to various parameters, such as name, time, signature, revocation status, and other constraints. + ### Possible values + - **Enabled** + Enforces the PKI certificate chain validation of a given executable file before it is permitted to run. + - **Disabled** + Does not enforce PKI certificate chain validation before a given executable file is permitted to run. + ### Best practices + - Best practices are dependent on your security and performance goals. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Disabled

      DC Effective Default Settings

      Disabled

      Member Server Effective Default Settings

      Disabled

      Client Computer Effective Default Settings

      Disabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Intellectual property, personally identifiable information, and other confidential data are normally manipulated by applications on the computer, and elevated credentials are required to access the information. Users and administrators inherently trust applications that are used with these information sources, and they provide their credentials. If one of these applications is replaced by a rogue application that appears identical to the trusted application, the confidential data could be compromised and the user's administrative credentials would also be compromised. + ### Countermeasure + Enable the **User Account Control: Only elevate executables that are signed and validated**. 
+ ### Potential impact + Enabling this setting requires that you have a PKI infrastructure and that your enterprise administrators have populated the Trusted Publishers store with the certificates for the allowed applications. Some older applications are not signed, and they cannot be used in an environment that is hardened with this setting. You should carefully test your applications in a preproduction environment before implementing this setting. Control over the applications that are installed on the desktops and the hardware that joins your domain should provide similar protection from the vulnerability that is addressed by this setting. Additionally, the level of protection that is provided by this setting is not an assurance that all rogue applications will be found. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index b79b29a94b..890ec0f2ff 100644 --- a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md 
@@ -2,103 +2,111 @@ title: User Account Control Only elevate UIAccess applications that are installed in secure locations (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate UIAccess applications that are installed in secure locations security policy setting. ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Only elevate UIAccess applications that are installed in secure locations + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. + ## Reference + This policy setting enforces the requirement that apps that request running with a UIAccess integrity level (by means of a marking of UIAccess=true in their app manifest), must reside in a secure location on the file system. Relatively secure locations are limited to the following directories: + - \\Program Files\\ including subdirectories - \\Windows\\system32\\ - \\Program Files (x86)\\ including subdirectories for 64-bit versions of Windows -**Note**   -Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting. + +>**Note:**  Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting.   **Background** + User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. 
Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. + Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model. + However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. + If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. + 1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local device 2. The application must be installed in a local folder that is writeable only by administrators, such as the Program Files directory. The allowed directories for UI automation applications are: + 1. %ProgramFiles% and its subdirectories. 2. %WinDir% and its subdirectories, except a few subdirectories that are excluded because standard users have write access. 
+ ### Possible values + - **Enabled** + An application can start with UIAccess integrity only if it resides in a secure location in the file system. + - **Disabled** + An application can start with UIAccess integrity even if it does not reside in a secure location in the file system. + ### Best practices + - Set this policy to **Enabled** to permit applications that are located in one of the designated secure directories to run with UIAccess integrity. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they aresaved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as logon prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms, but it is not required by most applications. A process that is started with UIAccess rights has the following abilities: + - Set the foreground window. - Drive any application window by using the SendInput function. 
- Use read input for all integrity levels by using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - Set journal hooks. - Use AttachThreadInput to attach a thread to a higher integrity input queue. + ### Countermeasure + Enable the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** setting. + ### Potential impact + If the application that requests UIAccess meets the UIAccess setting requirements, computers running at least the Windows Vista operating system start the application with the ability to bypass most of the UIPI restrictions. If the application does not meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md index 0c53ba8b97..63ac1e4a65 100644 --- a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md 
@@ -2,86 +2,85 @@ title: User Account Control Run all administrators in Admin Approval Mode (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Run all administrators in Admin Approval Mode security policy setting. ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Run all administrators in Admin Approval Mode + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. + ## Reference + This policy setting determines the behavior of all User Account Control (UAC) policies for the entire system. This is the setting that turns UAC on or off. + ### Possible values + - **Enabled** + Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires restarting the system. + - **Disabled** + Admin Approval Mode and all related UAC policies are disabled. - **Note**   - If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced. + + >**Note:**  If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced.   ### Best practices + - Enable this policy to allow all other UAC features and policies to function. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + This is the setting that turns UAC on or off. If this setting is disabled, UAC is not used, and any security benefits and risk mitigations that are dependent on UAC are not present on the computer. + ### Countermeasure + Enable the **User Account Control: Run all users, including administrators, as standard users** setting. + ### Potential impact + Users and administrators must learn to work with UAC prompts and adjust their work habits to use least privilege operations. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-account-control-security-policy-settings.md b/windows/keep-secure/user-account-control-security-policy-settings.md index d1a286bf5e..569bf9892e 100644 
--- a/windows/keep-secure/user-account-control-security-policy-settings.md +++ b/windows/keep-secure/user-account-control-security-policy-settings.md 
@@ -2,66 +2,95 @@ title: User Account Control security policy settings (Windows 10) description: You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: operate ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control security policy settings + **Applies to** - Windows 10 + You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. + ## User Account Control: Admin Approval Mode for the Built-in Administrator account + This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. + - **Enabled** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - **Disabled** (Default) The built-in Administrator account runs all applications with full administrative privilege. + ## User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop + This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. + - **Enabled** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. 
- **Disabled** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + ## User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + This policy setting controls the behavior of the elevation prompt for administrators. + - **Elevate without prompting** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - **Note**  Use this option only in the most constrained environments. + + >**Note:**  Use this option only in the most constrained environments.   - **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - **Prompt for consent on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - **Prompt for credentials** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - **Prompt for consent** When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - **Prompt for consent for non-Windows binaries** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. 
If the user selects Permit, the operation continues with the user's highest available privilege. + ## User Account Control: Behavior of the elevation prompt for standard users + This policy setting controls the behavior of the elevation prompt for standard users. + - **Prompt for credentials** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - **Automatically deny elevation requests** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + ## User Account Control: Detect application installations and prompt for elevation + This policy setting controls the behavior of application installation detection for the computer. + - **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or System Center Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary. 
+ ## User Account Control: Only elevate executable files that are signed and validated + This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. + - **Enabled** Enforces the certificate certification path validation for a given executable file before it is permitted to run. - **Disabled** (Default) Does not enforce the certificate certification path validation before a given executable file is permitted to run. + ## User Account Control: Only elevate UIAccess applications that are installed in secure locations + This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows -**Note**   -Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting. + +>**Note:**  Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting.   - **Enabled** (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity. - **Disabled** An app runs with UIAccess integrity even if it does not reside in a secure location in the file system. + ## User Account Control: Turn on Admin Approval Mode + This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. 
+ - **Enabled** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + ## User Account Control: Switch to the secure desktop when prompting for elevation + This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. + - **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. ## User Account Control: Virtualize file and registry write failures to per-user locations + This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. + - **Enabled** (Default) App write failures are redirected at run time to defined user locations for both the file system and registry. - **Disabled** Apps that write data to protected locations fail. -  -  diff --git a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index 9475c83eba..ee510bb52e 100644 
--- a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md 
@@ -2,85 +2,88 @@ title: User Account Control Switch to the secure desktop when prompting for elevation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Switch to the secure desktop when prompting for elevation security policy setting. ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Switch to the secure desktop when prompting for elevation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. + ## Reference + This policy setting determines whether the elevation request prompts on the interactive user desktop or on the secure desktop. + The secure desktop presents the logon UI and restricts functionality and access to the system until the logon requirements are satisfied. + The secure desktop’s primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user’s privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain. + ### Possible values + - **Enabled** + All elevation requests by default go to the secure desktop. + - **Disabled** + All elevation requests go to the interactive user desktop. + ### Best practices -- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes. 
+ +- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system +processes. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Elevation prompt dialog boxes can be spoofed, causing users to disclose their passwords to malicious software. Mouse cursors can be spoofed by hiding the real cursor and replacing it with an offset so the cursor is actually pointing to the **Allow** button. + ### Countermeasure + Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
diff --git a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index ffb892226b..afc3766b73 100644 --- a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md 
@@ -2,85 +2,86 @@ title: User Account Control Virtualize file and registry write failures to per-user locations (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Virtualize file and registry write failures to per-user locations security policy setting. ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control: Virtualize file and registry write failures to per-user locations + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. + ## Reference + This policy setting enables or disables the redirection of the write failures of earlier applications to defined locations in the registry and the file system. This feature mitigates applications that historically ran as administrator and wrote runtime application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKEY\_LOCAL\_MACHINE\\Software\\. + This feature can be disabled for applications on devices running at least Windows Vista because it is unnecessary. + ### Possible values + - **Enabled** + Setting this value facilitates the runtime redirection of application write failures to defined user locations for the file system and the registry. + - **Disabled** + Applications that write data to protected locations fail. + ### Best practices + 1. If you run applications that are not Windows Vista-compliant, enable this security policy to prevent the possibility that these older applications could write data to unsecure locations. 2. If you only run at least Windows Vista–compliant applications, this feature is unnecessary so you can disable this policy. 
+ ### Location + \\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Server type or GPODefault value

      Default Domain Policy

      Not defined

      Default Domain Controller Policy

      Not defined

      Stand-Alone Server Default Settings

      Enabled

      DC Effective Default Settings

      Enabled

      Member Server Effective Default Settings

      Enabled

      Client Computer Effective Default Settings

      Enabled

      + +| Server type or GPO | Default value| +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Earlier applications might not write data to secure locations. + ### Countermeasure + Enable the **User Account Control: Virtualize file and registry write failures to per-user locations** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/user-rights-assignment.md b/windows/keep-secure/user-rights-assignment.md index 3e96944b76..401613dde1 100644 --- a/windows/keep-secure/user-rights-assignment.md +++ b/windows/keep-secure/user-rights-assignment.md 
@@ -2,212 +2,75 @@ title: User Rights Assignment (Windows 10) description: Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Rights Assignment + **Applies to** - Windows 10 + Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item. -Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc). + +Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. 
You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under +**Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc). + For information about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md). + The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Group Policy SettingConstant Name

      [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md)

      SeTrustedCredManAccessPrivilege

      [Access this computer from the network](access-this-computer-from-the-network.md)

      SeNetworkLogonRight

      [Act as part of the operating system](act-as-part-of-the-operating-system.md)

      SeTcbPrivilege

      [Add workstations to domain](add-workstations-to-domain.md)

      SeMachineAccountPrivilege

      [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md)

      SeIncreaseQuotaPrivilege

      [Allow log on locally](allow-log-on-locally.md)

      SeInteractiveLogonRight

      [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)

      SeRemoteInteractiveLogonRight

      [Back up files and directories](back-up-files-and-directories.md)

      SeBackupPrivilege

      [Bypass traverse checking](bypass-traverse-checking.md)

      SeChangeNotifyPrivilege

      [Change the system time](change-the-system-time.md)

      SeSystemtimePrivilege

      [Change the time zone](change-the-time-zone.md)

      SeTimeZonePrivilege

      [Create a pagefile](create-a-pagefile.md)

      SeCreatePagefilePrivilege

      [Create a token object](create-a-token-object.md)

      SeCreateTokenPrivilege

      [Create global objects](create-global-objects.md)

      SeCreateGlobalPrivilege

      [Create permanent shared objects](create-permanent-shared-objects.md)

      SeCreatePermanentPrivilege

      [Create symbolic links](create-symbolic-links.md)

      SeCreateSymbolicLinkPrivilege

      [Debug programs](debug-programs.md)

      SeDebugPrivilege

      [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)

      SeDenyNetworkLogonRight

      [Deny log on as a batch job](deny-log-on-as-a-batch-job.md)

      SeDenyBatchLogonRight

      [Deny log on as a service](deny-log-on-as-a-service.md)

      SeDenyServiceLogonRight

      [Deny log on locally](deny-log-on-locally.md)

      SeDenyInteractiveLogonRight

      [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)

      SeDenyRemoteInteractiveLogonRight

      [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)

      SeEnableDelegationPrivilege

      [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md)

      SeRemoteShutdownPrivilege

      [Generate security audits](generate-security-audits.md)

      SeAuditPrivilege

      [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)

      SeImpersonatePrivilege

      [Increase a process working set](increase-a-process-working-set.md)

      SeIncreaseWorkingSetPrivilege

      [Increase scheduling priority](increase-scheduling-priority.md)

      SeIncreaseBasePriorityPrivilege

      [Load and unload device drivers](load-and-unload-device-drivers.md)

      SeLoadDriverPrivilege

      [Lock pages in memory](lock-pages-in-memory.md)

      SeLockMemoryPrivilege

      [Log on as a batch job](log-on-as-a-batch-job.md)

      SeBatchLogonRight

      [Log on as a service](log-on-as-a-service.md)

      SeServiceLogonRight

      [Manage auditing and security log](manage-auditing-and-security-log.md)

      SeSecurityPrivilege

      [Modify an object label](modify-an-object-label.md)

      SeRelabelPrivilege

      [Modify firmware environment values](modify-firmware-environment-values.md)

      SeSystemEnvironmentPrivilege

      [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md)

      SeManageVolumePrivilege

      [Profile single process](profile-single-process.md)

      SeProfileSingleProcessPrivilege

      [Profile system performance](profile-system-performance.md)

      SeSystemProfilePrivilege

      [Remove computer from docking station](remove-computer-from-docking-station.md)

      SeUndockPrivilege

      [Replace a process level token](replace-a-process-level-token.md)

      SeAssignPrimaryTokenPrivilege

      [Restore files and directories](restore-files-and-directories.md)

      SeRestorePrivilege

      [Shut down the system](shut-down-the-system.md)

      SeShutdownPrivilege

      [Synchronize directory service data](synchronize-directory-service-data.md)

      SeSyncAgentPrivilege

      [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md)

      SeTakeOwnershipPrivilege

      + +| Group Policy Setting | Constant Name | +| - | - | +| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege| +| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight| +| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege| +| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege| +| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege| +| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight| +| [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)| SeRemoteInteractiveLogonRight| +| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege| +| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege| +| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege| +| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege| +| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege| +| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege| +| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege| +| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege| +| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege| +| [Debug programs](debug-programs.md) | SeDebugPrivilege| +| [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)| SeDenyNetworkLogonRight | +| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight| +| [Deny log on as a service](deny-log-on-as-a-service.md) | SeDenyServiceLogonRight | +| [Deny log on locally](deny-log-on-locally.md) | 
SeDenyInteractiveLogonRight| +| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight| +| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege| +| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege| +| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege| +| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege| +| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege| +| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege| +| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege| +| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege| +| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight| +| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight| +| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| +| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| +| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| +| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| +| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| +| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| +| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege| +| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege| +| [Restore files and directories](restore-files-and-directories.md) 
| SeRestorePrivilege | +| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege| +| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege| +| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|   ## Related topics -[Security policy settings reference](security-policy-settings-reference.md) -  -  + +- [Security policy settings reference](security-policy-settings-reference.md) diff --git a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index fe7a396637..13d5fc93e5 100644 --- a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md 
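Review bot: In the converted table in user-rights-assignment.md, the constant names (SeDebugPrivilege, SeTcbPrivilege, and so on) are plain text; the paragraph above the table says these names are what appear in log events, so put them in code formatting to make them easy to copy into a log search exactly. Cell padding before the closing pipe is also inconsistent (for example "SeDenyNetworkLogonRight |" and "SeRestorePrivilege |" versus "SeNetworkLogonRight|"). The sentence ending "(GPMC) under" is now split across two source lines right before the bold path; keeping it on one line makes the source easier to read.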
@@ -2,71 +2,41 @@ title: Using advanced security auditing options to monitor dynamic access control objects (Windows 10) description: This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Using advanced security auditing options to monitor dynamic access control objects + **Applies to** - Windows 10 + This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. + These procedures can be deployed with the advanced security auditing capabilities described in [Deploy Security Auditing with Central Audit Policies (Demonstration Steps)](http://technet.microsoft.com/library/hh831542.aspx). + ## In this guide + Domain administrators can create and deploy expression-based security audit policies by using file classification information (resource attributes), user claims, and device claims to target specific users and resources to monitor potentially significant activities on one or more computers. These policies can be deployed centrally by using Group Policy, or directly on a computer, in a folder, or in individual files. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md)

      This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management.

      [Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md)

      This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.

      [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)

      This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.

      [Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md)

      This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.

      [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)

      This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects.

      [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)

      This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects.

      [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)

      This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.

      [Monitor claim types](monitor-claim-types.md)

      This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.

      + +| Topic | Description | +| - | - | +| [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md) | This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. | +| [Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md) | This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. | +| [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)| This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.| +| [Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md) | This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. | +| [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)| This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. 
| +| [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. | +| [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. | +| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.|   -**Important**   -This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment. +>**Important:**  This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment.   ## Related topics -[Security auditing](security-auditing-overview.md) -  -  + +- [Security auditing](security-auditing-overview.md) diff --git a/windows/keep-secure/using-event-viewer-with-applocker.md b/windows/keep-secure/using-event-viewer-with-applocker.md index 304915e207..dcee6821bc 100644 --- a/windows/keep-secure/using-event-viewer-with-applocker.md +++ b/windows/keep-secure/using-event-viewer-with-applocker.md 
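Review bot: The new one-line callout ">**Important:** This procedure can be configured on computers running any of the supported Windows operating systems" in using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md does not say which procedure it means. It sits under a table of eight monitoring topics, so name or link the one topic that works without a dynamic access control deployment. While this file is being touched, the context line linking to "Deploy Security Auditing with Central Audit Policies (Demonstration Steps)" still uses an http:// TechNet URL; consider switching it to https.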
@@ -2,145 +2,61 @@ title: Using Event Viewer with AppLocker (Windows 10) description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Using Event Viewer with AppLocker + **Applies to** - Windows 10 + This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. + The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about: + - Which file is affected and the path of that file - Which packaged app is affected and the package identifier of the app - Whether the file or packaged app is allowed or blocked - The rule type (path, file hash, or publisher) - The rule name - The security identifier (SID) for the user or group identified in the rule + Review the entries in the Event Viewer to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). + For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + **To review the AppLocker log in Event Viewer** + 1. Open Event Viewer. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, click **AppLocker**. + The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Event IDLevelEvent messageDescription

      8000

      Error

      Application Identity Policy conversion failed. Status <%1>

      Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.

      8001

      Information

      The AppLocker policy was applied successfully to this computer.

      Indicates that the AppLocker policy was successfully applied to the computer.

      8002

      Information

      <File name> was allowed to run.

      Specifies that the .exe or .dll file is allowed by an AppLocker rule.

      8003

      Warning

      <File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

      Applied only when the Audit only enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled.

      8004

      Error

      <File name> was not allowed to run.

      Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.

      8005

      Information

      <File name> was allowed to run.

      Specifies that the script or .msi file is allowed by an AppLocker rule.

      8006

      Warning

      <File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

      Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled.

      8007

      Error

      <File name> was not allowed to run.

      Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.

      8007

      Error

      AppLocker disabled on the SKU.

      Added in Windows Server 2012 and Windows 8.

      8020

      Information

      Packaged app allowed.

      Added in Windows Server 2012 and Windows 8.

      8021

      Information

      Packaged app audited.

      Added in Windows Server 2012 and Windows 8.

      8022

      Information

      Packaged app disabled.

      Added in Windows Server 2012 and Windows 8.

      8023

      Information

      Packaged app installation allowed.

      Added in Windows Server 2012 and Windows 8.

      8024

      Information

      Packaged app installation audited.

      Added in Windows Server 2012 and Windows 8.

      8025

      Warning

      Packaged app installation disabled.

      Added in Windows Server 2012 and Windows 8.

      8027

      Warning

      No Packaged app rule configured.

      Added in Windows Server 2012 and Windows 8.

      + +| Event ID | Level | Event message | Description | +| - | - | - | - | +| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.| +| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| +| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules ** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| +| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. | +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. 
The script or .msi file cannot run.| +| 8007| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| +| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| +| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| +| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| +| 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.| +| 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| +| 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| +| 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.|   ## Related topics -[Tools to use with AppLocker](tools-to-use-with-applocker.md) + +- [Tools to use with AppLocker](tools-to-use-with-applocker.md)     diff --git a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md index e07957331b..54b12a4568 100644 --- a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md 
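Review bot: In the new event table of using-event-viewer-with-applocker.md, Event ID 8007 is listed twice, once for "*<File name> * was not allowed to run." and once for "AppLocker disabled on the SKU." The duplicate was carried over from the old HTML table, so please confirm the ID of the second row before merging, because the ID is what a reader would filter the AppLocker log on. The emphasis markers also have a space before the closing delimiter (*<File name> *, **Audit only **, **Enforce rules **, *<%1> *), which CommonMark-style renderers will not treat as emphasis; drop the inner trailing space. Finally, the whitespace-only lines after the Related topics link are still present here, while the other files in this commit remove them.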
@@ -2,76 +2,60 @@ title: Use Software Restriction Policies and AppLocker policies (Windows 10) description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Use Software Restriction Policies and AppLocker policies + **Applies to** - Windows 10 + This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. + ## Understand the difference between SRP and AppLocker + You might want to deploy application control policies in Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported versions and editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). However, you can use SRP on those supported editions of Windows plus Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see [Determine your application control objectives](determine-your-application-control-objectives.md). + ## Use SRP and AppLocker in the same domain + SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they are applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. 
For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). -**Important**   -As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO. + +>**Important:**  As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO.   The following scenario provides an example of how each type of policy would affect a bank teller software app, where the app is deployed on different Windows desktop operating systems and managed by the Tellers GPO. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Operating systemTellers GPO with AppLocker policyTellers GPO with SRPTellers GPO with AppLocker policy and SRP

      Windows 10, Windows 8.1, Windows 8,and Windows 7

      AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.

      Local AppLocker policies supersede policies generated by SRP that are applied through the GPO.

      AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.

      Windows Vista

      AppLocker policies are not applied.

      Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.

      Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.

      Windows XP

      AppLocker policies are not applied.

      Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.

      Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.

      + +| Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP | Tellers GPO with AppLocker policy and SRP | +| - | - | - | - | +| Windows 10, Windows 8.1, Windows 8,and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.| +| Windows Vista| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| +| Windows XP| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.|   -**Note**   -For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md). +>**Note:**  For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md).   ## Test and validate SRPs and AppLocker policies that are deployed in the same environment + Because SRPs and AppLocker policies function differently, they should not be implemented in the same GPO. This makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. 
The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools. + ### Step 1: Test the effect of SRPs + You can use the Group Policy Management Console (GPMC) or the Resultant Set of Policy (RSoP) snap-in to determine the effect of applying SRPs by using GPOs. + ### Step 2: Test the effect of AppLocker policies + You can test AppLocker policies by using Windows PowerShell cmdlets. For info about investigating the result of a policy, see: + - [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) + Another method to use when determining the result of a policy is to set the enforcement mode to **Audit only**. When the policy is deployed, events will be written to the AppLocker logs as if the policy was enforced. For info about using the **Audit only** mode, see: -[Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) -[Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + +- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) +- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + ## See also -[AppLocker deployment guide](applocker-policies-deployment-guide.md) -  -  + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) diff --git a/windows/keep-secure/view-the-security-event-log.md b/windows/keep-secure/view-the-security-event-log.md index 3c67e1191b..745195b4f3 100644 --- a/windows/keep-secure/view-the-security-event-log.md +++ b/windows/keep-secure/view-the-security-event-log.md 
@@ -2,19 +2,22 @@ title: View the security event log (Windows 10) description: The security log records each event as defined by the audit policies you set on each object. ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # View the security event log + **Applies to** - Windows 10 + The security log records each event as defined by the audit policies you set on each object. + **To view the security log** + 1. Open Event Viewer. 2. In the console tree, expand **Windows Logs**, and then click **Security**. The results pane lists individual security events. 3. If you want to see more details about a specific event, in the results pane, click the event. -  -  diff --git a/windows/keep-secure/what-is-applocker.md b/windows/keep-secure/what-is-applocker.md index cfa573d478..b4d758df7b 100644 --- a/windows/keep-secure/what-is-applocker.md +++ b/windows/keep-secure/what-is-applocker.md 
@@ -2,18 +2,24 @@ title: What Is AppLocker (Windows 10) description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # What Is AppLocker? + **Applies to** - Windows 10 + This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. + AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. + Using AppLocker, you can: + - Control the following types of apps: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.mst, .msi and .msp), and DLL files (.dll and .ocx), and packaged apps and packaged app installers (appx). - Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. - Assign a rule to a security group or an individual user. 
@@ -21,11 +27,17 @@ Using AppLocker, you can: - Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten. - Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets. + AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved apps + For information about the application control scenarios that AppLocker addresses, see [AppLocker policy use scenarios](applocker-policy-use-scenarios.md). + ## What features are different between Software Restriction Policies and AppLocker? + **Feature differences** + The following table compares AppLocker to Software Restriction Policies. + @@ -99,6 +111,7 @@ The following table compares AppLocker to Software Restriction Policies.
        **Application control function differences** + The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker. @@ -167,6 +180,7 @@ The following table compares the application control functions of Software Restr
        ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) + +- [AppLocker technical reference](applocker-technical-reference.md)     diff --git a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md index 35a67350b8..c60d303826 100644 --- a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md 
@@ -2,25 +2,30 @@ title: Which editions of Windows support advanced audit policy configuration (Windows 10) description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Which editions of Windows support advanced audit policy configuration + **Applies to** - Windows 10 + This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. + Versions of the Windows operating system that cannot join a domain do not have access to these features. There is no difference in security auditing support between 32-bit and 64-bit versions. + ## Are there any special considerations? + In addition, the following special considerations apply to the various tasks associated with advanced security auditing enhancements: + - **Creating an audit policy.** To create an advanced security auditing policy, you must use a computer running any supported version of Windows. You can use the Group Policy Management Console (GPMC) on a computer running a supported version of the Windows client operating system after installing the Remote Server Administration Tools. - **Applying audit policy settings.** If you are using Group Policy to apply the advanced audit policy settings and global object access settings, client computers must be running any supported version of the Windows server operating system or Windows client operating system. In addition, only computers running any of these supported operating systems can provide "reason for access" reporting data. 
- **Developing an audit policy model.** To plan advanced security audit settings and global object access settings, you must use the GPMC that targets a domain controller running a supported version of the Windows server operating system. -- **Distributing the audit policy.** After a Group Policy Object (GPO) that includes advanced security auditing settings is developed, it can be distributed by using domain controllers running any Windows Server operating system. However, if you cannot put client computers running a supported version of the Windows client operating system into a separate organizational unit (OU), you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced security auditing policy settings are applied only to client computers running a supported version of the Windows client operating system. -**Important**   -Using both the basic auditing policy settings under **Local Policies\\Audit Policy** and the advanced auditing policy settings under **Advanced Audit Policy Configuration** can cause unexpected results in audit reporting. Therefore, the two sets of audit policy settings should not be combined. If you use advanced audit policy configuration settings, you should enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   -  -  -  +- **Distributing the audit policy.** After a Group Policy Object (GPO) that includes advanced security auditing settings is developed, it can be distributed by using domain controllers running any Windows Server operating system. 
+However, if you cannot put client computers running a supported version of the Windows client operating system into a separate organizational unit (OU), you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced security auditing policy settings are applied only to client computers running a supported version of the Windows client operating system. + +>**Important:**  Using both the basic auditing policy settings under **Local Policies\\Audit Policy** and the advanced auditing policy settings under **Advanced Audit Policy Configuration** can cause unexpected results in audit reporting. Therefore, the two sets of audit policy settings should not be combined. If you use advanced audit policy configuration settings, you should enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   diff --git a/windows/keep-secure/windows-installer-rules-in-applocker.md b/windows/keep-secure/windows-installer-rules-in-applocker.md index 05f9214263..b12d94b8ef 100644 --- a/windows/keep-secure/windows-installer-rules-in-applocker.md +++ b/windows/keep-secure/windows-installer-rules-in-applocker.md 
@@ -2,59 +2,36 @@ title: Windows Installer rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the Windows Installer rule collection. ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Windows Installer rules in AppLocker + **Applies to** - Windows 10 + This topic describes the file formats and available default rules for the Windows Installer rule collection. + AppLocker defines Windows Installer rules to include only the following file formats: + - .msi - .msp - .mst + The purpose of this collection is to allow you to control the installation of files on client computers and servers through Group Policy or the Local Security Policy snap-in. The following table lists the default rules that are available for the Windows Installer rule collection. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      PurposeNameUserRule condition type

      Allow members of the local Administrators group to run all Windows Installer files

      (Default Rule) All Windows Installer files

      BUILTIN\Administrators

      Path: *

      Allow all users to run Windows Installer files that are digitally signed

      (Default Rule) All digitally signed Windows Installer files

      Everyone

      Publisher: * (all signed files)

      Allow all users to run Windows Installer files that are located in the Windows Installer folder

      (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer

      Everyone

      Path: %windir%\Installer\*

      + +| Purpose | Name | User | Rule condition type | +| - | - | - | - | +| Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *| +| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)| +| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*|   ## Related topics -[Understanding AppLocker default rules](understanding-applocker-default-rules.md) + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)     diff --git a/windows/keep-secure/working-with-applocker-policies.md b/windows/keep-secure/working-with-applocker-policies.md index af1edcf35e..8963fa665b 100644 --- a/windows/keep-secure/working-with-applocker-policies.md +++ b/windows/keep-secure/working-with-applocker-policies.md @@ -2,83 +2,35 @@ title: Working with AppLocker policies (Windows 10) description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Working with AppLocker policies + **Applies to** - Windows 10 + This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [Configure the Application Identity service](configure-the-application-identity-service.md)

      This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.

      [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)

      This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.

      [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)

      This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.

      [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)

      This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.

      [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md)

      This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.

      [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)

      This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.

      [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)

      This topic for IT professionals describes how to import an AppLocker policy.

      [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)

      This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).

      [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)

      This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).

      [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md)

      This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.

      [Merge AppLocker policies manually](merge-applocker-policies-manually.md)

      This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).

      [Refresh an AppLocker policy](refresh-an-applocker-policy.md)

      This topic for IT professionals describes the steps to force an update for an AppLocker policy.

      [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)

      This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.

      -  -  -  + +| Topic | Description | +| - | - | +| [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.| +| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only ** within your IT environment by using AppLocker.| +| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.| +| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.| +| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.| +| [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) | This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.| +| [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) | This topic for IT professionals describes how to import an AppLocker policy.| +| [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) | This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).| +| [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md) | This 
topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).| +| [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) | This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.| +| [Merge AppLocker policies manually](merge-applocker-policies-manually.md) | This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).| +| [Refresh an AppLocker policy](refresh-an-applocker-policy.md) | This topic for IT professionals describes the steps to force an update for an AppLocker policy.| +| [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) | This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.| + diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md index 9ee115544d..762d21c78a 100644 --- a/windows/keep-secure/working-with-applocker-rules.md +++ b/windows/keep-secure/working-with-applocker-rules.md 
@@ -2,338 +2,207 @@ title: Working with AppLocker rules (Windows 10) description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Working with AppLocker rules + **Applies to** - Windows 10 + This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)

      This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.

      [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)

      This topic for IT professionals shows how to create an AppLocker rule with a path condition.

      [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)

      This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.

      [Create AppLocker default rules](create-applocker-default-rules.md)

      This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.

      [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)

      This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.

      [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md)

      This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.

      [Delete an AppLocker rule](delete-an-applocker-rule.md)

      This topic for IT professionals describes the steps to delete an AppLocker rule.

      [Edit AppLocker rules](edit-applocker-rules.md)

      This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.

      [Enable the DLL rule collection](enable-the-dll-rule-collection.md)

      This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.

      [Enforce AppLocker rules](enforce-applocker-rules.md)

      This topic for IT professionals describes how to enforce application control rules by using AppLocker.

      [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)

      This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.

      + +| Topic | Description | +| - | - | +| [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.| +| [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a path condition.| +| [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.| +| [Create AppLocker default rules](create-applocker-default-rules.md) | This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.| +| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.| +| [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.| +| [Delete an AppLocker rule](delete-an-applocker-rule.md) | This topic for IT professionals describes the steps to delete an AppLocker rule.| +| [Edit AppLocker rules](edit-applocker-rules.md) | This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.| +| [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.| +| [Enforce AppLocker rules](enforce-applocker-rules.md) | This topic for IT professionals describes how to enforce application control rules by using AppLocker.| +| [Run the Automatically Generate Rules 
wizard](run-the-automatically-generate-rules-wizard.md) | This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.|   The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence. - ---- - - - - - - - - - - - - - - - - - - - - -
      Enforcement modeDescription

      Not configured

      This is the default setting which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.

      Enforce rules

      Rules are enforced.

      Audit only

      Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to Audit only, rules for that rule collection are not enforced

      -  + +| Enforcement mode | Description | +| - | - | +| **Not configured** | This is the default setting which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.| +| **Enforce rules** | Rules are enforced.| +| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection are not enforced| + When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged and the enforcement mode setting of the winning GPO is applied. ## Rule collections + The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Rule collectionAssociated file formats

      Executable files

      .exe

      -

      .com

      Scripts

      .ps1

      -

      .bat

      -

      .cmd

      -

      .vbs

      -

      .js

      Windows Installer files

      .msi

      -

      .msp

      -

      .mst

      Packaged apps and packaged app installers

      .appx

      DLL files

      .dll

      -

      .ocx

      + +| Rule collection | Associated file formats | +| - | - | +| Executable files | .exe
      .com| +| Scripts| .ps1
      .bat
      .cmd
      .vbs
      .js| +| Windows Installer files | .msi
      .msp
      .mst| +| Packaged apps and packaged app installers | .appx| +| DLL files | .dll
      .ocx|   -**Important**   -If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps. +>**Important:**  If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps. + When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. + The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections).   ## Rule conditions + Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash. + - [Publisher](#bkmk-publisher): Identifies an app based on its digital signature - [Path](#bkmk-path): Identifies an app by its location in the file system of the computer or on the network - [File hash](#bkmk-filehash): Represents the system computed cryptographic hash of the identified file + ### Publisher + This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In case of executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. 
-**Note**   -Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers. + +>**Note:**  Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers.   -**Note**   -Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files. +>**Note:**  Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files.   When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider up or by using a wildcard character (\*) in the product, file name, or version number fields. -**Note**   -To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider. + +>**Note:**  To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.   The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options: + - **Exactly.** The rule applies only to this version of the app - **And above.** The rule applies to this version and all later versions. - **And below.** The rule applies to this version and all earlier versions. + The following table describes how a publisher condition is applied. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      OptionThe publisher condition allows or denies…

      All signed files

      All files that are signed by any publisher.

      Publisher only

      All files that are signed by the named publisher.

      Publisher and product name

      All files for the specified product that are signed by the named publisher.

      Publisher and product name, and file name

      Any version of the named file or package for the named product that are signed by the publisher.

      Publisher, product name, file name, and file version

      Exactly

      -

      The specified version of the named file or package for the named product that are signed by the publisher.

      Publisher, product name, file name, and file version

      And above

      -

      The specified version of the named file or package and any new releases for the product that are signed by the publisher.

      Publisher, product name, file name, and file version

      And below

      -

      The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.

      Custom

      You can edit the Publisher, Product name, File name, Version Package name, and Package version fields to create a custom rule.

      -  + + +| Option | The publisher condition allows or denies… | +| **All signed files** | All files that are signed by any publisher.| +| **Publisher only**| All files that are signed by the named publisher.| +| **Publisher and product name**| All files for the specified product that are signed by the named publisher.| +| **Publisher and product name, and file name**| Any version of the named file or package for the named product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **Exactly**
      The specified version of the named file or package for the named product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **And above**
      The specified version of the named file or package and any new releases for the product that are signed by the publisher.| +| **Publisher, product name, file name, and file version**| **And below**
      The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.| +| **Custom**| You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule.| + ### Path + This rule condition identifies an application by its location in the file system of the computer or on the network. + AppLocker uses custom path variables for well-known paths, such as Program Files and Windows. + The following table details these path variables. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows directory or diskAppLocker path variableWindows environment variable

      Windows

      %WINDIR%

      %SystemRoot%

      System32

      %SYSTEM32%

      %SystemDirectory%

      Windows installation directory

      %OSDRIVE%

      %SystemDrive%

      Program Files

      %PROGRAMFILES%

      %ProgramFiles% and

      -

      %ProgramFiles(x86)%

      Removable media (for example, a CD or DVD)

      %REMOVABLE%

      Removable storage device (for example, a USB flash drive)

      %HOT%

      + +| Windows directory or disk | AppLocker path variable | Windows environment variable | +| - | - | - | +| Windows| %WINDIR%| %SystemRoot%| +| System32| %SYSTEM32%| %SystemDirectory%| +| Windows installation directory| %OSDRIVE%| %SystemDrive%| +| Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% | +| Removable media (for example, a CD or DVD)| %REMOVABLE%| | +| Removable storage device (for example, a USB flash drive)| %HOT% | |   -**Important**   -Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile. +>**Important:**  Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.   ### File hash + When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules. 
+ ## AppLocker default rules + AppLocker allows you to generate default rules for each rule collection. + Executable default rule types include: + - Allow members of the local **Administrators** group to run all apps. - Allow members of the **Everyone** group to run apps that are located in the Windows folder. - Allow members of the **Everyone** group to run apps that are located in the Program Files folder. + Script default rule types include: + - Allow members of the local **Administrators** group to run all scripts. - Allow members of the **Everyone** group to run scripts that are located in the Program Files folder. - Allow members of the **Everyone** group to run scripts that are located in the Windows folder. + Windows Installer default rule types include: + - Allow members of the local **Administrators** group to run all Windows Installer files. - Allow members of the **Everyone** group to run all digitally signed Windows Installer files. - Allow members of the **Everyone** group to run all Windows Installer files that are located in the Windows\\Installer folder. + DLL default rule types: + - Allow members of the local **Administrators** group to run all DLLs. - Allow members of the **Everyone** group to run DLLs that are located in the Program Files folder. - Allow members of the **Everyone** group to run DLLs that are located in the Windows folder. + Packaged apps default rule types: + - Allow members of the **Everyone** group to install and run all signed packaged apps and packaged app installers. + ## AppLocker rule behavior + If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run. 
+ A rule can be configured to use allow or deny actions: + - **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. - **Deny.** You can specify which files are *not* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. -**Important**   -For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented. + +>**Important:**  For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented.   -**Important**   -If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection. +>**Important:**  If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection.   
## Rule exceptions + You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it does not allow anyone to run Registry Editor. + The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor. + ## DLL rule collection + Because the DLL rule collection is not enabled by default, you must perform the following procedure before you can create and enforce DLL rules. + Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + **To enable the DLL rule collection** + 1. Click **Start**, type **secpol.msc**, and then press ENTER. 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then click **Properties**. 4. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**. - **Important**   - Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. 
+ + >**Important:**  Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.   ## AppLocker wizards + You can create rules by using two AppLocker wizards: + 1. The Create Rules Wizard enables you to create one rule at a time. 2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or in case of packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only. + ## Additional considerations + - By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications. - There are two types of AppLocker conditions that do not persist following an update of an app: + - **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released. + - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule cannot persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific. + - If an app is not digitally signed, you cannot use a publisher rule condition for that app. 
- AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs. - The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8. @@ -341,5 +210,3 @@ You can create rules by using two AppLocker wizards: - When an AppLocker rule collection is set to **Audit only**, the rules are not enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log. - A custom configured URL can be included in the message that is displayed when an app is blocked. - Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they cannot run apps that are not allowed. -  -  From eb21dd338dee456b2dfe8eda6f68c5279a07a688 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 25 May 2016 15:28:24 -0700 Subject: [PATCH 105/169] fixing spacing issues --- ...cies-by-using-the-enforce-rules-setting.md | 28 ++++++++++++++++--- .../user-account-control-overview.md | 13 ++++++++- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index cfd595104f..b7056845e4 100644 --- a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md 
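Review bot: The table added after "The following table describes how a publisher condition is applied." has no `| - | - |` delimiter row between its header `| Option | The publisher condition allows or denies… |` and the first data row `| **All signed files** | ...`. Every other table converted in this patch has one, and without it the rows will not render as a table, so add the delimiter row after the header. In the same table the three "Publisher, product name, file name, and file version" rows now have identical Option cells, with **Exactly**, **And above** and **And below** placed at the start of the description cell. Moving each qualifier into the Option cell would let the rows be told apart.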
@@ -2,34 +2,54 @@ title: Deploy AppLocker policies by using the enforce rules setting (Windows 10) description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + + # Deploy AppLocker policies by using the enforce rules setting + **Applies to** - Windows 10 + This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. + ## Background and prerequisites + These procedures assume that you have already deployed AppLocker policies with the enforcement set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design. + For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md). + For info about how to plan an AppLocker policy deployment, see [AppLocker Design Guide](applocker-policies-design-guide.md). + ## Step 1: Retrieve the AppLocker policy + Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. 
For the procedures to do this, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + ## Step 2: Alter the enforcement setting + Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + ## Step 3: Update the policy -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](http://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the Microsoft Desktop Optimization Pack. -**Caution**   -You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. + +You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. 
An example of this type of software is the [Advanced Group Policy Management](http://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the +Microsoft Desktop Optimization Pack. + +>**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.   For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + For the procedures to distribute policies for local PCs by using the Local Security Policy snap-in (secpol.msc), see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + ## Step 4: Monitor the effect of the policy + When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). + ## Additional resources + - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).     diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md index f2eb1a4824..ccabf37ce1 100644 --- a/windows/keep-secure/user-account-control-overview.md +++ b/windows/keep-secure/user-account-control-overview.md 
@@ -2,24 +2,35 @@ title: User Account Control (Windows 10) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: operate ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # User Account Control + **Applies to** - Windows 10 - Windows Server 2016 Technical Preview + User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. + UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way. + Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account. + When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. 
This enables the user to have explicit control of apps that are making system level changes to their computer or device. + ## Practical applications + Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process. + ## New and changed functionality + To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md). + ## In this section | Topic | Description | | - | - | From 1d1c430813b634fdb60da727ab434a242f596568 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 25 May 2016 15:31:12 -0700 Subject: [PATCH 106/169] fixed broken link --- windows/keep-secure/security-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/security-options.md b/windows/keep-secure/security-options.md index d8d9dbe293..b9ddcb4bf8 100644 --- a/windows/keep-secure/security-options.md +++ b/windows/keep-secure/security-options.md 
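Review bot: In deploy-applocker-policies-by-using-the-enforce-rules-setting.md, under "Step 3: Update the policy", the re-added paragraph is split mid-sentence: one added line ends with `feature from the` and the next added line starts with `Microsoft Desktop Optimization Pack.` The removed line carried that sentence on a single line, so this looks like an accidental hard wrap and the two lines should be joined. The hunk also keeps the whitespace-only lines after the Caution block and at the end of the file, which a spacing cleanup would normally drop.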
@@ -77,7 +77,7 @@ For info about setting security policies, see [Configure security policy setting | [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. | | [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. | | [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. | -| [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonmous-users.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. | +| [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. 
| | [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. | | [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.| | [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. | From 7963ced4f2d5ae5555c612f6fc8e139b710abc9b Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 26 May 2016 07:33:45 -0700 Subject: [PATCH 107/169] minor text corrections --- education/windows/TOC.md | 8 ++++---- education/windows/take-a-test-app-technical.md | 12 ++++++------ education/windows/take-a-test-multiple-pcs.md | 2 +- education/windows/take-a-test-single-pc.md | 2 +- education/windows/take-tests-in-windows-10.md | 6 +++--- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 4bc5d61f86..fe182ab2d6 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md 
@@ -1,8 +1,8 @@ # [Windows 10 for education](index.md) ## [Change history for Windows 10 for Education](change-history-edu.md) -## [Take tests in Windows 10](take-tests-in-windows-10.md) -### [Set up Take a Test on a single PC](take-a-test-single-pc.md) -### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) -### [Take a Test app technical reference](take-a-test-app-technical.md) +## [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) +### [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) +### [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) +### [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Chromebook migration guide](chromebook-migration-guide.md) \ No newline at end of file diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 3245416d58..149c29d066 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# Take a Test app technical reference +# Take a Test app technical reference (Preview) **Applies to:** - Windows 10 Insider Preview 
@@ -46,11 +46,11 @@ When Take a Test is running, the following MDM policies are applied to lock down | Policy | Description | Value | |---|---|---| | AllowToasts | Disables toast notifications from being shown | 0 | -| AllAppStoreAutoUpdate | Disables automatic updates for Windows Store apps that are installed on the PC | 0 | +| AllowAppStoreAutoUpdate | Disables automatic updates for Windows Store apps that are installed on the PC | 0 | | AllowDeviceDiscovery | Disables UI for screen sharing | 0 | | AllowInput Panel | Disables the onscreen keyboard which will disable auto-fill | 0 | | AllowCortana | Disables Cortana functionality | 0 | -| AllAutoupdate | Disables Windows Update from starting OS updates | 5 | +| AllowAutoupdate | Disables Windows Update from starting OS updates | 5 | ## Allowed functionality @@ -62,20 +62,20 @@ When Take a Test is running, the following functionality is available to student - Magnifier is available through Windows key + "+" key -- Full screen mode is compatible + - Full screen mode is compatible - The student can press Alt+Tab when locked down. This results in the student being able to switch between the following: - Take a Test - Assistive technology that may be running - - Lock Screen + - Lock Screen (not available if student is using a dedicated test account) > **Note** The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated. - The student can exit the test by pressing one of the following key combinations: - Ctrl+Alt+Del - - Alt+F4 + - Alt+F4 (**Take a Test** will restart if the student is using a dedicated test account) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 116da7017f..742aed682d 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
@@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# Set up Take a Test on multiple PCs +# Set up Take a Test on multiple PCs (Preview) **Applies to:** - Windows 10 Insider Preview diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 724aa1066b..f62fa9805b 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# Set up Take a Test on a single PC +# Set up Take a Test on a single PC (Preview) **Applies to:** - Windows 10 Insider Preview diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 09ed708476..1360d736f4 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# Take tests in Windows 10 +# Take tests in Windows 10 (Preview) **Applies to:** - Windows 10 Insider Preview @@ -18,7 +18,7 @@ author: jdeckerMS Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: -- A Microsoft Edge browser window opens, showing just the test and nothing else. +- **Take a Test** shows just the test and nothing else. - Students aren’t able to go to other websites. - Students can’t open or access other apps. - Students can't share, print, or record their screens. 
@@ -33,7 +33,7 @@ Many schools use online testing for formative and summative assessments. It's cr ![Use test account or test url in Take a Test](images/take-a-test-flow.png) -- **Use a test URL and a dedicated testing account** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. +- **Use a test URL and a dedicated testing account** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing. - **Put a test URL with an included prefix on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments. [Learn how to set up Take a Test on a single PC](take-a-test-single-pc.md) From 14c33eb6545a2c151c3027151de48a4992772131 Mon Sep 17 00:00:00 2001 
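Review bot: in the policy table of take-a-test-app-technical.md (hunk `@@ -46,11 +46,11 @@`), the unchanged row `AllowInput Panel` still has a space inside the policy name, and the corrected `AllowAutoupdate` is cased differently from `AllowAppStoreAutoUpdate` two rows above it. This commit is already fixing policy names that administrators will search for and compare against their MDM configuration, so correct both in the same pass (presumably `AllowInputPanel` and `AllowAutoUpdate`). The `AllowAutoupdate` row is also the only one with value 5 rather than 0, and the description does not say what 5 selects; add that so the lockdown state can be verified on a device.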
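Review bot: in the exit key list at the end of the `@@ -62,20 +62,20 @@` hunk of take-a-test-app-technical.md, Alt+F4 now states what happens under a dedicated test account, but Ctrl+Alt+Del has no equivalent statement. Since the Lock Screen bullet in the same hunk now says the lock screen is not available for that account type, say explicitly what Ctrl+Alt+Del exposes for a dedicated test account, so a test administrator can tell whether it is still a way out of the locked-down session. Also confirm that the added leading space on "Full screen mode is compatible" is meant to nest it under the Magnifier bullet and is not stray whitespace.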
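Review bot: in take-tests-in-windows-10.md, both hunks (`@@ -18,7 +18,7 @@` and `@@ -33,7 +33,7 @@`) drop the mention of Microsoft Edge, but the unchanged context sentence still says students must "use a secure browser". After this change the page no longer says what renders the assessment URL, so reconcile the wording: either describe **Take a Test** as the secure browser in that sentence or rephrase it. Minor style points in the touched bullet: "high stakes testing" should be hyphenated like "single-app", and the neighbouring bullets mix curly and straight apostrophes ("aren’t", "can’t", "can't").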
From: jdeckerMS Date: Thu, 26 May 2016 08:22:28 -0700 Subject: [PATCH 108/169] add steps to apply task --- education/windows/TOC.md | 2 + education/windows/change-history-edu.md | 4 +- education/windows/images/choose-package.png | Bin 0 -> 23200 bytes education/windows/images/connect-aad.png | Bin 0 -> 71209 bytes education/windows/images/express-settings.png | Bin 0 -> 110041 bytes education/windows/images/sign-in-prov.png | Bin 0 -> 50574 bytes education/windows/images/signinprov.jpg | Bin 22869 -> 0 bytes education/windows/images/trust-package.png | Bin 0 -> 43329 bytes education/windows/images/who-owns-pc.png | Bin 0 -> 38019 bytes education/windows/index.md | 2 + .../windows/set-up-school-pcs-technical.md | 262 ++++++++++++++++++ education/windows/take-a-test-multiple-pcs.md | 2 +- education/windows/take-a-test-single-pc.md | 2 +- education/windows/take-tests-in-windows-10.md | 2 +- .../windows/use-set-up-school-pcs-app.md | 142 ++++++++++ 15 files changed, 414 insertions(+), 4 deletions(-) create mode 100644 education/windows/images/choose-package.png create mode 100644 education/windows/images/connect-aad.png create mode 100644 education/windows/images/express-settings.png create mode 100644 education/windows/images/sign-in-prov.png delete mode 100644 education/windows/images/signinprov.jpg create mode 100644 education/windows/images/trust-package.png create mode 100644 education/windows/images/who-owns-pc.png create mode 100644 education/windows/set-up-school-pcs-technical.md create mode 100644 education/windows/use-set-up-school-pcs-app.md diff --git a/education/windows/TOC.md b/education/windows/TOC.md index fe182ab2d6..56f2f7ffd2 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md 
@@ -1,5 +1,7 @@ # [Windows 10 for education](index.md) ## [Change history for Windows 10 for Education](change-history-edu.md) +## [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) +## [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) ## [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) ### [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) ### [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 7926bc8c25..49e7b6303a 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -15,6 +15,8 @@ This topic lists new and updated topics in the [Windows 10 for Education](index. | New or changed topic | Description | |----------------------|-------------| -| [Take tests in Windows 10](take-tests-in-windows-10.md)
      [Set up Take a Test on a single PC](take-a-test-single-pc.md)
      [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
      [Take a Test app technical reference](take-a-test-app-technical.md) | New | +| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New | +| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New | +| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
      [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
      [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
      [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New | | [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 | \ No newline at end of file 
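Review bot: in the TOC.md hunk (`@@ -1,5 +1,7 @@`), "Set up School PCs app technical reference (Preview)" is added at `##`, as a sibling of "Use the Set up School PCs app (Preview)", while the Take a Test technical reference a few lines below sits at `###` under its parent topic. Nest the new technical reference the same way, or promote both, so the two app sections are structured consistently in the navigation.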
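Review bot: in the change-history-edu.md hunk (`@@ -15,6 +15,8 @@`), the existing Take a Test row is rewritten only to append "(Preview)" to its four link titles; that rename belongs with patch 107, which made the same change in TOC.md and the topic headings but did not touch this file. The commit subject "add steps to apply task" also undersells what the diffstat shows: two new topics, six new images, and images/signinprov.jpg deleted while images/sign-in-prov.png is created. Mention the new topics in the message and confirm that no topic still references the removed .jpg.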
diff --git a/education/windows/images/choose-package.png b/education/windows/images/choose-package.png new file mode 100644 index 0000000000000000000000000000000000000000..868407df56b3ae221af81788c9a1abb32b27f598 GIT binary patch literal 23200
diff --git a/education/windows/images/connect-aad.png b/education/windows/images/connect-aad.png new file mode 100644 index 0000000000000000000000000000000000000000..8583866165fa3065700b9a0a1a946dfa3e043ce7 GIT binary patch literal 71209
zyVN_ya1}?P|HIP6?tN6249sr(B41KMWxJKSG}4E@UO_f5YE~{`@DI_`{l@nX&-2W) zUtO6~?>?93;_0)bubhqWvXwx$>1_O~4WO(;a- zv|YG4F1*gY=@B42GWwztBUp41S%~((^}ZpoM{_*$H0br7B5uBN#!An%ar^@={7aMg zvi*MxTKaz-1@-?!pikBSU76od@e-*>t=GJ_>ev!-$Q!aGbrMe=iM6l#Fa%IE9>IHa zfTql>9q#pJ|2OH}BXe`SbCq;x71aY1n13=%9iwE){qpMhH{m%+N++fr^fm)flOl;6 z_O-l22;3wc9E?Q4=Vt*HqMO$vLxg`Iun_+^$(GBcdLkHdqvTMKt3}BXub#aTpdhi4 zPfQi$jR&G*z^OV;kaUE_w>FeQiRRy{!%Nu6p5i4A?6-}&-$szsyp{a}U`aG{t?>V0 z)4QSPAey=r-y-99dmFa!J&!avd_ku$rp0N%L5XdpGOp@!kVVc6NV6z5+v@!hfa{l8B2Bz}xAq z-Hc}6viPG=Rg=(A7Y#m&`h;V$@5c}rfR=#0HE|8qLi|iDw$qH}@TmM&sBqvOAcnXk z!!z&QX8kU~`%xQ_pdQP~3i#m7!SvvrzOS=qt>tp1?6z(nuH1bjC?I*Y8`CeI(cok2 z8;p{ase6C1Mp9D+nWJy^!nt?61F!BAoT(;eZM+-HoJhf?buHDb{To+iu3g|3x!tj= zvZh;|73k`MhdGxGo^u>fs~4RkHxn-A)OmbHAe_DHF!?p*L9y`ueAz)gf`0uh(v_ST>H8p>9{BE}lvF zHh0bM%5w|&luZC$-+9TfGTLX`RKS%`mgSh{(J6f<>@j+XjD4VLS1F} zw5igc_~#ojCC1A_Nhj#O!=6QlQmqzi{1J6kojsu*)k4i;ylKI4m8@Dpd{V=Z7!BK8 zLmS}FTO-FERyAU=U? zZiyc(j;+BTXi2;mt^Y^JmU@hil=eWJ8eq0)u>wTlZ`n`BlMu;6r+$DX{dFp<{IbTH zP%bZ;*P^G?2DoVC-O%_HjaH~V{X=>_)CgU%iNmtjwh#ey?jVSmUykguQLO<=$)7Sc zQDopIHrhPppZtiVLlZzTG#+`@w(#AmFTJM#j)a zUX}}YUd%w&EY=$umhk7tBel5HL(AVNtC5FScz)={AGy*JBzpqU`o2yov8PQsrW~?$ z2`J6xJufodmv$+sPrA9S1B~C2s}>UHF8rC-r;ABP zh_neFKt-DEUK8_hCb1AUR{He5Nq;eSwYcBp57i}Yv+tKBR7^gG`{$c{9k4gYCc!YI zLiCKw)C-Hvn{C&`i_ZCgRQEL@h0^xmOg4>%90-V@o8`Ji%M&f-Uc`rqaV1o~lJwAs zO)V((ZHidJ)iOe$e`)?0eihhR38M2&&xh^csvBM17OF;(zTfPuvEG*zRwK!OPkwEQ zFFnm_&%p0ZrSLgbN$nZ#V3|Q_4E<}fg9A{OD6;~ci2%{C>^xi4T3UaJhb7<7u}ZkP z9??`BUgarxs#Uxp9rt_S51}oJmqBU9K1N`AIa8O^*C%LFq{Fz&RGl(qIsPJnxvQXM zu+r{_N#YdDYUJ8+_b-WLuHQ~@NH=AF+Ewk3Tk*p^TVS2YX8W?fU&Z238lu(I)fe-q~swA$K*FUc7?i*qFS6N6ie$v*_4>!y0aoo3iOhx8FjUWHSIfQ zFr`zB?+`BAhH}~wEeF43&mp?GXDOiwDT@J~T)xTnrZ8fobnK~h0n;31t=*1(+Mv4V zlf1p;?d$72Q=Ly>_}(e~vKm`_N?XPo3=3+?c8zQQoo-VP2ILQx>oaK-RR_rUX*rm= zVOUSYm}%#isQIdJpYe_CZMFIb@UX;e8fXumkddtL6owsu35>3#uGHH~d!H1QoJyo^ z2;>o~f`5?_((~jTrG*;C`)H`BS%>}$Snz0B0M086MHK8cBfadbR z)w#jFX(2!vK}WVy2!eVvurKzReb3ZstS8)yk2%n@Z7`*i&QG#1YjF0p1Z*39?Uj*y 
zgwjPBwz(H$*a?)Xh%)R8GF!R2@fpkF&`7s?7hV<5?_wp}rri{s(9xO4zZ!^Cg;V-- zlHVCb>otF3=+6t#9^H_sO_q2;gx(edQ-3@HYVBoji3Fwe((1gNUCo=^)uwaAtw{)0 z{oK@#yA97I51m?5X9fb8_!FL3PG!zRR!2sw&M&X9z&Z8-DD7O#cq?foT1glG&;nh? z&FpU}G(ql9tZn9!eKb738mTfWLv%H7e&7b=+fX)B$9=(+I11^!j_Z`aa&xdHXm&2h zh4ai0UKvnZ!FLEMoQK7K1D_@*$Vl7Jr3A{RYR8SNVr^^QPU4oHa76`j*KQ~8-8uA* zZaadpwDeM6Qi5TgE>>Zy0!)(kzzh^6BxhhvYNPSFsde zJ)IJZEgi{fz~~RSNIT*W!o4211j{{4D9+Lu#waGR#?$3+h%qt#93(*uNhe~n#%)E1 z4HyTRwi}F1KC3aUh+B#wx(czyIbrha1kl$uq?eo#jc3du6OCducsRP9T4{|2W}Q$x zEU|elb|^?kQkm&Y1Yir58Y;>$rU(MluW|{$P>emT$$Cr*ynH#cKZli>_dCXWqh^_L z?oPc2QT!IoN59@(BXP}qW|ZGvx*RxXHG54Tn;n>&{)uw6GuMhP|i~eG(dXJr) zx#ITIzS#BDJopo#4Kt;Gi$Ov9ax8?Fqet^V7;^EFN)p$ZhG-i_IuW3phr)%IM_%hS#bMr)Q@xR28z$#&;GTK@Ye*Fd55ZVF#MpRsFryx34~4=kmzY z%xA;FtJ|M$Zns7zTk%O<<6^ny!_dDapi6QP>fsMgk>!M>vj|4{?loAIHtS?qruTh(yVrMMeeptwkyKHP$8Ow4w<K`OcMUh9G25=bid7O?Fe#J!xrdpX_X>eXyS`BXg| z9dnxw8?C8xcdc0C>j5VX#|J3QiLk*xj*QF?Z2nvDH;*9I@A)%`E}D;HH&76s zqsbMmzU?0FXZ>ir|9EG={`0`Or9J@GmgU}sIhGnuu5u`El;qG~Skkc7#v}K%Hnek! 
zk-(i%G(Zj_zySd((r5i7^|FRxilf=v-s|T##jJwOrEo<;UIUhjV|y*MZF^3biK>T$|nOoJLeAXj^o#K3#9dSSPseC5r1f z4nwYeJn%7ec_)MxB9AI;yVdnyMv^4=0N1Zs?)Tg9I&ZfafUD`omqoDGQRZetp9^g- zA$!=t>~}NCiS|PDtP1_{?kD0cl;5J$2EVmsAH1T8)4~FWwvZX}<9hSAP=+1xE;rES z8jRQoMVB4aqLN<&Jul+k&;sl;hUFE#y5XBYBgFw!#AP4K%jk~ex}eoX9^ed1vNhdW=M}xEp~v!T2Hi_m+X_JJ{zT|S_x#~^Jo`|Nz%sE))|ni5;+vv ztpY&HsGQy~B-XCr?kX5QC~|^|wx=9?8cMOXQ%3f#L-zm=YvL`51btA-0D8KTxO5fi z=5NMJSK47V+yQB}!_skFX}1Gz{FPjxMy)Cvrh5bCLKy7cIQ2SjoUwN3Tf2Hn2&wW% z6eFGT(1!b}vrnE!WZh#HlwAb@Iz^dV#SDNtJJ@epGpE%O#81^Yph2kYKtWW!(EV@W z={DGkWSgOj28wQ4XQVxg8OV+&*1P5xuJ1sPs8-{j$`95C%4UiYJCmtbJu!QL=RVl6 zJL`)95rr6kCwg^CB?sZU0j#^ zkyls!{hF?AOFL8oZ?i0=mNmAr*p=99_mXa%mD>GlUTwh!f?%Ymy5z=_3LB#h632v>8ceCC4;#N*STEmD{(^)-gMhWHJ8KG;z+7ccl&w zAZue!5n$xeA=^V(92j6o^21(et}#Cfolkrke2|NcmtvT$*QEa@ZRo9)xzn#8EWwFt zYUW;J;;8p)+yLSJ#CX$n@P{9FGBx0mmOIZ|_5D@K;CBoPr@msPloyTfv3i;Ak;X$T zLL(s@sow6MN^xr9Dun3s4LkJ4M}<$9rW}_)?i32#=n_prrUcg_4g)sj4B z6JG;rzUn-*+AeLei7vICW@tW1&9Pwbx78ogp$PsOnad;o68_h`g-nHyyP&xdM}&Sc zC!g`}DR!Ep?89j6p=v;%wxkl#|BkD>&p&i)2q9r$B5f}O)PZ5SGp3Kj17kB z6cf?FAG`%4Gmc;ERbk=7y4oeWWAXYdl2?5Chq z%>xFt$;$W;q1(;QMeMq^#RiJP;AkGOyOJ7?A%(+1Y|JXX2UY7pNWi(+fKf^`GBU4AO(k z%z}dfSzb-U8%cosO&a1@8W&8Xup$o7h~DhiueezF zYbuAkxSTgEdF%HnyB7l(ZugiJUE-S!-Lh+GlJ3(56p@JN(ybq5y(8q?6O|-HOeH2~y$@ZW3F%QI_ zU2GSiuEck$VsXdVgRF1-DaQ-n>WnszLo50k&k?4^?Y^r8qb`RKw^Y_9uoY5ca1`;F zS4GO=m{dBvC^CNV6Mj`3BgS=-4yI6Lm%+rM0MIa zvCB)-P+JTw)^=%3RLEOKpr~TWlHPw*~p^Zdoyf*k*I`z&(#8M`HZoEz)pqS1E zbvw*&%mgh-i6Sscl&G1pw8zw%E`Xx8e(*t!X?ikE)up9m(SGup>dfOw z6qKBJbovlAFv)@;XowIk(LPL>e?U>pPbFA{E1+)wB~iY;2}jFnn=c~8(4KnuPL0h& zjFJHjx0*%!@;MjSH#geYp!kt+FU;U#>e@GalzB|6L=?e{zG_FkLLFDOHE763`ma)u zl3!VY%;%m|RgDWPvUV!cML)!~qYl26Hmz?m-25MtR^BE1}4TVQntr(DfOhgAYkJ@v`esL z>xy=)Az@Xbz&{846r&QiQb=tKr_^xsgZ?2o^po8x|q@2SuQW?We33BRtgqy90-OTc21AG!{TYMesewqw;@LU8s zE)IHiWc_(c8Cw?0=g=snraDVSrTzDr!{{3q;lx!$@u}GYF@=h?SI2eVhG0Zz+r9K} zGmz%odH*@tA>E%l8z*NBU|7i97JuG1|LBIJx>t7%DA>-P>`XoegEmo7!-ykssc&=h 
zoQz@yF0{5r!o6WKzU}x^iJLi_g$`Bd9jqFvf?&SvisSh(#XmJz8Pwv)lNB;`?C$*gbU zySI5`=2=Ztbae-?kw;wfJec5;m>7#tE-hX)dbYCcDG+s3hP*F*Gr(toxr0QVisE?P z#4+YZ z;iO5I12#+Dhg2tND0ovrSA5IjCNiF3#0%6ekapD?VqII~_~(IfhIm3-ta}foPsSC$ zhu?eu$ordg$?rS3h%pC|@oH7re5Nbe=L{E9xI?)p2waQ(p#-zC)^E-bsV7E{j%)hX z(XRZpzShNY?b#}zWrtsSI$AZop*-X{V9Co$Xtr95x@Ec0njljWK9TIi-Cdp}@~Z3M zvRVU3XFE|vh+bcFdGqviev2JXQ+KA&Nweqiv_OCF!|mxs>Aqjh6*h#exE>i=A@8b7 z10ts|edxDL>aE+k_~{=x{WeWeOZJ!Me9ZMNux7WRfCVDn*th6=KH(!Y#n zw3e-q86|c&lsEiE@2m=Ld0e7!h36()JRF=>%;@Lz&dGaz6F&c!m{%-fFHWZd0FzB& z)t3f>Xv8}vDojExX}9&yQad#lUq>6$A99B+fiS*wa=mX)27L45jOJ%umZd<>Uw05v zBkQ(uKMRwoi&@c94T=5Ll7{EklEEw|G;Wv5xc`T_w~C5$3)(PGLJ|@*xI=Jvf=hw~ z3+~cDaCg@b+?~cPK;!NjoThPicbBH2(IMyjGi%nGi_wd@?bYA@q_(_OyXx7#_VfrH zP=o6Tjq1m0#nmjISTPPUd-c6qL$_BFXwo{SEDIhB@pul(wjis7Tcp~i%f-r+m0fHZ z-=>TOU_a(z>X;8+TlbU$fI4PQ`Bqya%NvTIr=>-;WkAm8wx_Zlj^%h&Yq^Q-dNvZ* zCHanzK(!R|QiaNspse$j%AY8n?83mo4XLv^c{<%I zP9N}93ml`{P9B+UrrVYI;){^r5XPIO#*gV%XPY3_zzzG5=5`2)aRkW`u10MH_=>KK zq;<$7b(?85XlmurKqfUTfK5f(4W-dtp@n>P4~O&XG4neMG)VHQ_zov{`C`MD+azgo z?`XS5dh8rfn}z-8&fKT(x}MsawFgd$e`|-F-k}9fZbxit`ZAQN(sgJ9AAZ_JJTEnt zRU%+*a~JMglQV|SE(CTkld70bvGi&IZNNLDJm?q0R(lt)w@Tiy@q3i#+>DGM9!1_~ z=N1;P5L;G_(5qr2Pl`i2z`#|W*zD-yP@2zXhPRBzQlgi5?1pm>+pDSIO;LI0oX-FX1?qLAELRq8 z-dZs9xO$J~$WKylTDvr>QtBT%WRZgtW{OR{|VpIlYJ@Z)D?iK>AAUYYJGw=vW6gO zWCNkfwVJeWSoH~LWZ#5JpDps2T_yE%`I`pc+Kz9Tj2s`js?!GJWbqw$sF3z_B}eH5 zNEDt!cQzBNajPvAI-m(HF!J=!<|GBC-`{)nS0Q2&-X`alEhoyXA?`=W4&%FoYO0`}VhPoQ6hqd{#d7)ZIa>pp;LwQ&$JAjigBv2C z%H5qsnb)z^=|WmiXX_Jc@Us%r_l%25i+!*%16q?de?>M5rY$rRt)Rx@Sp6We!*TfY z&#=6?^nPd4qD(ae_i(rIR80Uhcr<=-AqMR`$L)~`*4$*hgu!R@r zzgl+?`{;R4Xq(uwTz-}|u7;)I3)NkygrxFg&3&EMxgr-R<+9;(<&qz%%-CWcfJTLR z0yO(#g+(gu)}W<;4&gg)i7?r*8MYSVlhsQ2tn+pUAyMQe;8s_e>Pp^ znCn$0xn(}QOk%3O9UE)koqDDN}lPgz+QrFl^+eI&28FzITRWG{1meLK;- zddaa$XjPKf;?vLRhMBPpa2((#FC~47%EKZvlfJ;Dsi<>yEkna`CC;sgRnC12Xqxh z;sz+y=Bd!nnx+UV23S6+{quJ4!Vz9>GAr18EHybJYa*PcnR%Y(vT|mrA63fYn3W75 zv$+PgwOZ?MPJ0z`rOEIWCLl4lHbij8H%Q8hnLe>a=QVb0OrEJ&-DN>e>oKV_W&>b; 
zKE-Jbxr?bUI&+ZhFRCO#6w%$U@H=5Ir`flft5&yzOZl+lqzOR(apxNhe3JY6y&if% z81B~%>{lM^D}B&=TdZbz2jWw$stv!71Pl;C-Xmy7n;>~y8#A)`n@F zm&X0r>p7(})x3s|l{7v*G5Bv3o-$!RkG)*~^vdLv?l_pYb%$N$FU z*{ICoB>b1abL$uW|2388|0Eyf|32pDf7c)~mKm>A=kpD3sa5CSq@V04i6^k>OO8-O zM%$pG|Bsubv4lCg7ub)za#2%JNuXs22I0G&wUn3q4mF&QQ*y$k+kbxv*ih)T40s4o zOr!su;?0AP;wSr(CSyL{Y)bPNW#mW0z=VYMRV(@B)AX$2zvLDDA6Q1+`ivaVLM6%1 zs!v1eHm5f)SG}~FJ*e-d5R8OU8g(m0CVD*TH-(7{SI9P4NLT;vFV>+mLbClXAQ#t3 z;cv0#Ix8kYe167ip2}-kR@*O9C#zc*Pm<|;X12mJtGh$dT?R#cFYKfZvadp3wis9g zt#9&lnv)uSd}Z;!_ye#qcYfyACSIBS=y3IwV@Gpt|BEO@Vvv{>ZDrVt|3BO6D92E| zK#VfEo8q zuM`866{pzlRld*@ge?kPcVz;ZcYV`Cah%3p9=5|&ZfENloRjA>Xa~6JrW{ztN;ZHZLIOfZsEk+z0?|gg)YTi5!YBecm^D1 zKQ?05S>x0!7+2NL6_&>wnQK8EedN~5p-+E+k`-seqep3uu8inWPmN(HQIg{QK@=Rpt>WKKI`s3Y@2%0)&xSX9 z%KI(>zE&-2F5SfU9O!*Gz$6$T&HjG9e>t`2VwU)>5id#&%pRqnA+)@2w^E5=;eNw+ zS~DkfcvZDR1e>(0gQA&Q>1W?%iD>vrwMgyz5W ztC!LCr9A?r{Y#CF5w{&Pgfdr+%jxtW>?$nTIsCGJiD9&M@LOrGpWo{OCl$ZfkX{0Q z=D-lot9^ivz3`-eI{$68jTr733kLb8BGX&B&?y%B$~@i9Qlm;(j+inVg7({~%4QL6 zK(oEN5|za+cEtOdMRQ`jFTY}VGPMz>c<4iUTeI9EYc<%{Px|s_cLZywfj^9la>R+- zLxTcuKfSYfU`9BYr24u2o;B}Rn+4gH8YLGMS(nl)E@Yf8RomZM86qQ;-upA$Deh5A z44VZWYzWlRFpR9{j+RYKiq++L@}GA4LXkqvAyq|f+fF12U(5TLJq-SF{{ZG^k@^%cHJ$E;-dTE zV#NVU@v8%rzo<_>b#&B|9F0nEFQVnv)$umlI%39T;6mo3H@xiu96<4i@o@;bt$6-C z5uB5&A^bo9c2(R1rBpTd*uAMY%K-@=WACWb=)?frfqUj{vP z>4=PRC|(E;$lGS&+E;4cDCq|fzj_DXsd4D&D)mA^*)>egXE-c~ zW!{e~wk+xr8AV&eO^)7CX(G&Utqxr>EGX-i}1I=`@ZibqVxt zWxFK<+)fL`$c-6<>a}-UlZcm{49J-jM3Y&#vZws6elZb=6ZXC9!Wc3?xUmo!tg zY2-CUo3mDnP|w$LeCG~&H=sFMioEbvbf>E2cdxQy6Tq_+w9IM#Tl!CA=&28O+T?jO zQr)3!_KQCI%c2yHYmd3#+fkG=-=)HH>g6coBOC07jw8BLU8iW^ z2VpU@?wJpB0L3C#)!N4|$%zxe<#O*QqD1G<9rbJ0&LH<pn{<2{fY|s)D5~@a*GOw&^ubt#cUc zkAenf$xxLRwa;8$AaNNKxBN#RdF_Kyws5^wOSo_7Rz;cDn6VblhSpq2H6H*#EK*4}sd~cX%7*Di`~@oNS=Kw30+Cly8!{DpXkcWu*t{dc4g1ezT7A^yN?s$%Q(F` z+Yaq$GLuDeh&kDcWb{lBar#v1$ycRYJK>T_AygY$PeAd$Z01;o-lWz1)f|$H$=gyi z?6^WdSG`)*6DqdZ^uQ9)3hhq^Z^8^N6Xc%CAAX3m682Z;bfP1^e$aZhB)c?&Zu~hZ 
zx2Sg)!U85;j$(-w3690YMTF01vmSWx&(rO!>NCZa)`02r?!~+a_zQ&Ip218uw0xO_ zGJ>W`k|;{@`F}N5W;g<3mUw9Jd@J>GX2M4{b|bQ|PYLH}xHfBB_JR zUchl!GckQk;Ag^rQJB}m+0gzmp*pXte`Y%BW#4ongKbk01LSSSGS;B|3NO(dNgwIt z7#6u{&p8=zw(v%7(bjC+L9Q}$jQ1Q7<#iK?*BBsIJb8`@jA`E`Aq-#rqeOE*-9;v+ ze+g1>+o#MM5bnwaih5I7YZYWL4lrFV(PXQKDXuXWmXhdUc0LFYDy#?|HlNmAyH{_| zh+UNsRQ6>mC@fUYxmqf?(Np4l-Q@_|ct+Tb%6>_N{^f~Bz(>I$Iz)UtRBXS3s5n59 zMI~QS!W{VScKi>SEoR)sd}a6x(DVEm?LRr!xwiLANSahO%3@-5N=D6wjm%w|kkO3^ z+s1Qx37<^hy-ap5fWVWYfh3dy8B-$3xuc_3N_ekGFMp`M2uYD3E%1wc$C$4DixUm@ z{PUmUebi%N|Es89{t)qh)jxRXV58E&5#br@4&FwkY^Y*fkB^+dtl>Xp##bD3N{N~NO zk9au|O!BL~cDQ?faY(NJt1zd%zzao@W|`|MqNlt)9{x7Z=+u0_ay_gE>@I1CJI;rf zI}rCI5ZOO&v!I{^z7=6H`BO_YlI`;1 zL2s+ue_w1uA?$s;e&S!-^b@e8?C$166IY(*WD4TV80DDV&zUOJ} zQyHxBnoNJ5pahBUYN8VEtV3`c(WH2hQ;OZ<;r`_(-e|ym(?j*bLn1m5;K<+O&9KuZ z@_hK>+59!cbC!sbaVT$*Gv*?FWL9;RPamQ13KjT%LEip@I1KLIvnsY+O$X>eWH>>A*<*IhAeK)Wbi9^+WwJP;1v}su!xtwG%?@r#QTGa9{I-M zmCJ#eVhPa4(r*@V2eUJ|YoGn!P8{^m%t)}Q1u2o)o)UFNaDa98eKAY+dWe(G-hCxugPLW)vz}*YfYsF}Gy({G1BrMwju?sn_jF;}-$dyWtBqqc;BQ@O6HvZ}JYyhAas zl>*^FNWwbN7f`eVR4$rkR3!t-8W_xbtjwz25E|!hctCmKu0GVE{~nbOG$>!Yi;6#= zixCzjNY7B3^W9aY9QfJ$V6r2Qk*qylv>H#XsaM?DnwNR=m&KIwq%DT@PYs-ns62vk z^59vej=YdMlyxFfX)->yFZb`b&|ry9ncLFD%@Rr2iK-a%7hF*v@};kWQ7nn%wm!0A z5dCMJ+$XrxT0(B=N6B#Mu*j_pm=cwz+2zwAF}Tkmi*16ySNb#a=sqMOpc|~)o<>iW zzj;1`=QtA#FQ2Y3{!W}FwWwjGwN5r@u@|!mS#?DcL}=PQK7~3ZpMxhwZCh<#SGqxV zHnQ72j;g2J8*ET8TxreZPa&ui1%l0N?YqJledHA6xp?WeD4=|fcrTipe3yw=9n16# zLt@wI`8vmPAW{TPUo#4L5b1Zq`Pi2-i4-0$90-G9lf$JwDcO(QNrK))*?SJCB7e5E z)Lz8^==>=~%G(-uloup2#s6-y^{Y|5A<@MUoLRHQ8Qm*9QP)?%h#^!MX*jd}#v5!je?>%h4NSfB zV`TI7pK`gT&b5*3AXfa|>gBsxh_@T-4gPkQwG>o6fn$u9l%SKxh>I33vu^P8deqw) zZH06>P@~cK4tN+Y$*hh+^p?ontB=Vx?TMa5WC@Z=8UICtAaTgjdW4A0NSl(hV@Ib@ zh$m!1;gq_5^4IUYU#2~a7yCakH!C0fEm((5*5!x@1nVhR3>oRL{p)SvwuOQ)p-0Op0b#%(Z}ud=}X%%2<`mg~GG9}n^#+7$(t44f(A%ft7aH;Z6-TINQVjg@-_sl&Sg z-sDyyI#)s#T>3q)DL1DtI&wXmo6Kiq$tqn+x8)QV>KR0c_iu*#oh(xXZ2M3>K_3Ie4C(o*^2^<5G{m>73f|)L-WHI^L 
zGo_OXN2P9US>!hAscLYzJ(8p0L^wSP2`in&oi}Wr7!AZQ5J!tz&l-fONJJ20(UPqL zq9_#{T_dBbTlI}9$S_sUdYp6R7dazAq$$0{BFw!U>mR!H*S@9J%O}a`zKyn=+_plN zlO6j26qLe`81ye2QWh*J$U(z-Tf-;%p*~qrOOIlJIbM=a@;S`53d~39$ysu&xUpXJ z@ztc&NBxY|&^Q%6%HwG~c;UEC1l-Pj-WbHlBBxQ43yk@92`Vy+-iklOaDnyptP z=E`xxdCe6Zpe!P1cg%1)oUZk{IF%YwiZlniXWTb4KAkDNu$~aeyeabDOkAEknl_(} zp_8`9;zfhTc~>46p)0{~5D7B01qHxL`h9c5*>_brI;Ig3wn%Hil-95fzE2h37LdC=jY+S6v+WgWLn}az(wzF&Z{)eZyfWXXTI$LT5qo8bpy;!%~ z!Kjv`eS)XI^9RJbaRV=ByfhO0JUCnQpD87oHcjTrX-=a}G8~RnFZXl@O1f|~N1q72 z1*H|n3~fq6(PgPyVLMgrQtd6ODkd1EFypx0*t5gmpGl8=M}1vB#BH&F9s!hTcR)nH;6RBBMPfda9Q!@uT2) zY{X8yd5653kkSh$odYbm~pl{$_(ehF-TZ|u* zK=&Ct5-}6~=@x|`NGgx>LG8A|az`6RiTrCn009H7x8U_$5$-rYNe z>-EDX7o0AI&60?$QlK{%Gb>*OP!f7pBgL_Ag5Ex%s`M4((*b=S1zQ>BA4zVX>3Z?e ziH9R3nXn9_MhF}e7(6xbvmV8BSf^W6`j!D4vHROrkO3OL-3UB(6CpQxnE~I430>^H zz~_;*guS6)z6_j5N_yVw}`=c_uh?mxbc+F|2|j}EpM&37a?ku7}pr~b9zMteY# zR6p?F@dXbg#eQ+QmGx+0d!w+8*zB%!WZ0~3+O6D6Np;|LeU;Uf{OS@wTGi2QG!i%N z!paW$^Iv0hodcDhDSDJ7>>WP>jD8%=jtoQ2c`tF+A8Hx%=Dv(u42OMvGA;NO%{gwIgK{X_MMITmRwxQwIOm6;@Jv0=_y5_CSyFnr z!@<`gzoMhLE>sG(!w$*KPKoToc`f;7ZyTIrxu#}q!@r-dXD!*&w?#a!qUIwp=J#52 zA}?;Uc%#M#;EmCA0U?98`3l27j^XohTEBW8^XUKcVf+}M0wp!o%tLv{8Hw(q!xM1v zZK+s%$_s=$Ug)6zJ+aQy8`g5eKk8SPpfzSTY;X-=ljFrJ`m5MGKliKr8@)34e{x#G z|85)Sf5bW4^#7~lAO3&aV0SOU=nK$B!Q*Wrzop-MVPVYL2bRirehP5gVxe<96>YSc zywZo`dI8Jg*ax7ro=@9GikP2ZynOCxan)rxITpPnrE|3^KQWpy)YqmtiSDQ&`=G(# z`U9i2Q7Y3zim%Jl=Q6B( z%P@5ws4_a`aA8*!d46A$^LB_i5Vk@GzjJgHX%3uZW!;;|lHfWX4`z-*ue6{;z0pvl zw%AJ^{KI%4J3uPv%N9{_Mu(7%A4^1n?**ed>$ysqRYL4teDtH*ncVl7^w)h&nG&Pd zmJ$SX{geZBqoR4;Gi&l@Cp){3z$Tv(TkYeT^Ls=yKwpJ`jue3l_Pt;DqKXn9rfW6MO1K_oYmt3?JaGtrG~StTa2BZ%?u=|xU@3qefg{K8 zUP#Beuf?o=#!>eaA6HD;#%KM_erx*ro*|)i3I@Anb%d7VeePDK{-IDPi;Ls1bCOVe zYghukq8FTy*;I0?&{NNmP>W1g^b`bChJu5ZX8?C! 
z+tus0L7J0v@omL_%ol>;tkEX!{?L=P0Hnwox(>e|#8^wxepCLB#<31X*Ka{ed`48D zAaK*Ci6^6vv>D5_%pslai4YRyClN>8vB908*3lmL4ECul9=(kQI?nIczrP}o`rQip zwo!ev&L3^c#p13`!eRZsemHwL)#7;D6VcSVdUB0_i6oW5`+C4l1@5YeHJI3jot?uX zZUE)07g)*`h&pEigBn8WlxnNZs!kV^#XY6q@{`}6rR067#gMn{?eF+{ZjbBUp`6{k z7I6=&v004)zRN$~&ee3)Tfm0U+s)B&l>EbwAIQG0$LH4 z#7A1pid(cd)4qPlDsiT6%lC8sW~MSjYcc(8%aNu-PV;>BV{+CLW+RS<{q9JDd!qx* zD)2#*)5&E(p9VFN)!{AT;P*;ydAXsI0h9Y6Lm&bUX8&h_gvXL5m(pY>24j_l-K+zP zW?2(^BHlN9CQ4kycQld|K7Fyh^z$aTSXAj*dzglv;Tc;6@c6Txc)t~pOFjiy%$2m% z5<;CN2$sy5wUP}NIqN@|YX_sJQ)6LZHZn%`{`PRlWV|rXR0BI?hFJhKEGd2o__`RE z?4De%h>e!UuW73*@KtPlZo&oh9CfsqYxCdIk=CE&qRAbp1gJ}UYp=!=ezZiF6_LeC>x5S8Xntv(x69@4QY-TE1(>$J z9wC%!EckY=PNATefaN5wNxjvwgS4I#r_?f`MLTClMQ8T*^O0m6RCXr?0JBnSJ^qTc zSuC>M+8PzJSQj`$klRq6EN3GjOb7Hy3x?oQWt4Mcl!wR&OtJ8V3Ld3&qSmeT#o>wWXS&gCzn^Mw$+s*8%7W;2JDUfPTO;bHwre(kyV zj>Tq(@Zq)!>=SGo%)B=KorMLO{AT3HKtLyYW+`?}|!&*8i z(0fN$^6j3mGX^D(H~4mr!+4kOfY^>&>?)^LR!##_eqFIJk!q53I{g?=cB8posC=0} zDitulodU{8x7#WqqIL9J*Lbt?$%J$jn5U!TwDD&TPM6~fE9W$kn3_q=Q9YS>JoTKg z1ftK)=buz?>kv!s&h<3kOx(EJcFbo16D5~423ST)XMab(T~xP>S(M}=C1G{`Zl5H# z$(ZC@nntU7C<@8(=K?T?EXH^xiPL^LeL7gJY$$qEafne^1Obc+`}Na9TFeOm*K`9b zM&-LV`}i~__E8|r%3zgrXYzaJ&oWmhhX|hEM<E*MTjn{$9CP^l?&YY4D1ld6l*N z_#}t2@W9uejiZB>>|`a^6VxF61xvkyBV{C}y+6?;K3M zdLsp*7aVMaT!q<@3>1vCdDL=5f+V?3-1E@aDn=8(%l4UiID)C$Qx|#Ss#lEY7n;-C z`;>Dy4!q?A&WHKR`P#j(7DKeO>hu^IwfUuQSlT>2k-xbqd}?wQA%a0Vn%-mycT$4f zWb=&-Xpr5cDGzeWP-#a!kF{3#Iz2w2Qa;dQ@>!zV{mH39+I`Et*|i~OeyZOWKf;%1 zi`C@e&B=gHvd&h$?5JlpdX(_zk2|Bt@n9)^CE>5=Z$a{lE(*I@4&{91I+XDxj+&l1 zZ(@QmbcO5an|)C|Hiy+Ck8$Ph@_dY`xz>ZLPY5t~sZ^x!F#ZU^NkPHG6q;U3wDEQtf;5wM^Q6 zTJ~>;b=CFpNdmQ0qxOYz*3w#f+>(wYZ^VNg7h?OZSAi0`ozan@G20nmnJuu64dA2% z<^XxcLxIkeWQ3OU+j;fK{j@LfCm&@SBf7XP2S0;oFmb0-?j=7PcfooRy{InE3vBpg zC!^y0YgFRVm(aF1NU#S^_FQ+5^}_0q>#JOh_^AW!X9AOZ#S!gc<7gQ(G%1N?){|3= z`y$O`K7uj}__$;Ddv!+kd;KVuc(R?dKd?b(wB^!7dg=4YahX`=M=pWcwQVVE9gGQS zcT=B+6dpVX2pleSmxMAtFL4wla%8xUD%uj_v$`gSQacd|L`%W*Hk&=%jW!V|o7RVo 
z-*H`TtatPn3*;xXykjdqnxretoYS?wXQPL2R{k<y(ZgA*rkdS2rWEW(isVu01>y%*MXQ}ihD|=bN0Ht9 zUHpX7bjiuBCcXGoSk-2=3#ew}zN;#tr_gvlScF^m0aGUeiK@iKsh>7zlZ-&hUFvOf z`I3Fh^jsR00z;=umm@bF+C_sR1vOa8rQF5~c7PNJQDuigLoZCbN+@|>umlnP;v>Tu&+a7blywlHQPHk|M9A1rx# z{E<8sI9Yq$lE2S&B7AVb)8EFFtTJ3){DC*L||bG)g^M~w^ui2pIB zC(Inuyh0%z_mq*WC-XqhG5dyB)2k_#p|x_DG5#P82uU`i|F*`m?4pecYCxwH5DE}u zXLdJNq&k|#8TS&G4CZzm&$V-_IGuVwc8StJoD5}O(7qJGhWW#iu#U^}1%zZz`lCWhVu6PA?5(-}a zxPyd(XIX$Va=B?=788SwUL@&E7H(8tv$v)!!E;+m=i5<{Mr0r?3{)IB0*MJ#um>p$tzLJWv^f!#fjw`%Mza~ zULM{Wf4i2-G5NwyBumj$W5>nZQoq?f+hM)bmfePX;^E`SLD@n*&N$S){MoP)mjFSh zVPhr?oI$e%z*@pcK1-G^*PsGsucXS}QHKM>YfP@mtJ@U|BTokRgI90Ag-9)bFsz)Q zdI!ha)$bn)c$=qT1<5OF0`v7Utf>nMQ>6e+ZF0cdwR~&M{*X0!3{+L=!C1XEwibfl zy?Uah;qz6p-cq{Arvw<%hyKnr635?otVgI<1T|{~fU6+a-)@F)65iF*fCWO-?q@(P zSb}_(%okK25ph?lsT+1$wc=TD4h|oF>0Mnb)vL-`NQns_s`Wn}mEa3?h{T{JzIz!{ zsEwIm1QLk*#yzv3iOp~fdPet0GKVITmIO~XyazYio#HcY&fQJ&HcpPOs!oWrx|xwi zSDsl?HiOfnhD;Mt?g#!qdWV;W5RPOBe4Y-L)AKV`-XWA@DV59e6gqsFJ_|PSN@bKU z`)-Q=Vffu!&xBo)mERC(OA#7&pY*Ed8 zs+^W-t?1F@WX@s*9JS{q~;XXsprz?}YIR`2%yG1BX?4fu%D2GSEd(tE5mYgMwo?*Up>DdX9;#v z10H%c^TirdmlHma>#1H7i65#_gmc?$%>;QhJ@qRs&k21S!vC|f#UGY{K}+L;hl$aB zLUH=~WQGc5f5=P2)%c`B?4e0Vuo!ZiuNPj1Ldq9duF<#+KI6XFv=wmE6G=_ykN6tG zZE%+=f6S=KM%G<@X zeA#06#twRu?YPgYZu`xWN_|&*+8&$5ovnI&C^5-b0K3qr1CJJU?$t-{;6dCD(c(p^$(PGKbvPBTy5$Y`WZl4gIq; z{vJTE0c=a%6|CB!|2;+gghN=v?@G>AqHk7gJAdZD&fnKsk1e~d2!GKN@2al?Gu+WJ zwf^Cg6AziOz6DMxH(Bgs0Sa$B=N$K}R$ju=sX&5&^-dey32BF-4zrJ4nD0^b9is91 zpFN^|!4g)5m?)rQGo&cgs6k4rFWAP&XkRsD=yQaLTP;m*GLACe!}lTIwv1_wZ{yMuObqo?U08KOna%Dm2LV`3)%8hxoomAbNzzPd!m%uIj=rVb zg1)v2h9`Y(9SkS>uf5-KO6q$ z9b9%55f-6VjM`2qliP7yK_7V)dNI4)+QU&8fo>X`*zii})j{!E7y@!I8(A5Fqqk z3V#r|_lC`FhQ{G3ieUWPoqa8pEx}aepf?d^u=8d?>D>gAnGm`=*Y0mCuc;*kaRXHz z*X6~uaJi%AJ!FN|CaaG=gm0Xdt|{>i0jv$GT~)Tq*&M~UoBhJai>cjiUQYYKjGx(F zpOrL3?{19XxBbW10$z)q>~sA?yq`9m;3SU=G_c!oa$24hp|souw9Ry`or~gtRMn~| zGq*oYoUKl>SReFN<2 z4{tVffEH$~9G^sscO2(>HWWyD zvMOL^Uv0#S?3f|w0X-9E$eQgpWyL#Sh#sF7T)z9Zgx*w-R-C7EP$qyf}M=1 
z-EJybZ7Q$FdxhwTgs?Bj9UaBAxvjGo^Q#7`A~I7`SfTi~kKfN$lMBJx67U$Im5=6IgxU~lzQ^!_l$d~Rx4{c9Euu#@S)p-9%)qXg^)EH`f}r; z9mm*cB9M};ON1cff`qyivgVX&So;JNTODdeBKv5JK*vC%s@h!o6bECOs-!~mc zsQMHGggkCX`vqaK!>j6~hCLxp&D%@PH1d|Lwbe3nhlgSs-aWHE7Q;=ZBmys9e1Fbs zW!Lc6NnE=XLXovq@iGpp&2M+Onp!?5^jsczJvz>wjBK|Gn4TLMB6`*#{m!e2Z%ayd zcj@Q%)qCb+HGVtAN7ME#sud$wsjOIAX1!W1+6YUQSZ=ENrNuFI>k6A&<`amTu|i|Je4_j=#Q0jIlHpSPmBuuGBLkc%*}nni zC?atMyqd`)d5KtPC5|%4;^nP(r-U+qc>j8F} z2JwdHqPtSqLU2dDtP#>1K^%85F6DwXk3}I(7|cr->Vnp#hf6A;I8t<*c4-*~YHv?a zz$4wALY&<)Ck^{PO&=F}Ei5K0&n?2dFqT%OuA8nZ)mgnZXx)-nyf?OOl`3>!He?EL zVB2a*PN2O`qz)J?oI&KvP@?e62@mgfB=(7SU!TUW;J-4OJp-F=>2Nl!+Z)liSf|H!SM$4+-Sv(P~F#^Wxx8*245{ zv1jvMK{>zBh1v*DWtvRBAjRl-r3UeU4IdLwrL$$3z%LD=t{Hk9Yysit;M z#DJG`7$;F%o3FF%G{-B@=RPxUg`vlMJT}|u2

      iuj3<8Q*DB1GVIBdhFlFC(Fu+v zMBh9{cIqk1UgrCVQ)O~$Y_8n1f3rg~1E*7lUSF-JU1j%iY!irrSf~tcir9PPIe-$%m(z> zG3_E?ygtHXG20Iz!sj=pIu;o0ha!bLP0qJ{)=BFNma^3IJ;2(vUHJluiD4^Iz#{y7 z1f~RuU!5kDUL^Pm-5;nfM#>sW85SH_{<&Z47#kqslzyoos8AbDbAH^}DsgkYfdA@g zYcQZ!z#5_b(P12s!ic$ddYHL6Jp^H-PYz4YZoKt(q>V1a)Jx$@2oX*KCsv>g^6tcT ztClje%=gMEpS7N5jL19KN>_7NG}Q^s=%`;Uzp{I6!+6_7l^h0$mqu}lZ7)sp2}vH` z-3+3z_b!4}U{5f=z6zMph4w2W#pvx$4k2~x_cvTqyyjVjBZ=XKIKcn-_Ey4E&+>(R zW=RaSJlUq~&dED9uUu06&q#LH6|6jL)!4U8Oy#xS#9T-2M4)$4ly`p%tIfdd{K(Q_ zPgh##H{^4KR=e@ojN)y|(a{2vbL*w*43s`SN#97m%5J;If@lEenpVmiw)5UmlGqc@# zWvd5O%xmj;i%6H6yVmB2VeBdUV;d%+GvX$hOHJCmrS!|Nsi`YzG2>3DWSnR&zMN8T=htz>hu1<*@)92f3D*yde(ag1R_`m9f=Kkwh?R_21M_Xx;AGtIi2%aKiHZU=^LlYLs()kuN#QHshwsc+Cg&s^%e6EwQ&~q3+P6 zg?I`6Zxtx^Z#`|6dazpQF1bDRyQ;5`^9sw<*?C)!_^Vpcwp*E_2JkdE|M2|m2cc0I z?6K^Y*F)aSgZ)XgJ}WG`OABdT6+>ZvXwW(;0DLAtD`tr1t!Id(lYG>aT~F4-iLb63 z#><)#-RitOZ6+m66A3t`F0SLYIAWE%p4yeaNrM7H!^%@J!#aoejsJO{=#!?arA1F! zf#37Mc<%tnHjNCcQr7gk(vT>Ro#el{tll8|7#K1i)XJhu_BGd=y_%VG?LJGw(=Uj( z-HA1Gu*52j&BK66+LuDAu9$j_8z?tDolpp%_OK?8{#-{96Z4u{-}C!rhbpnBlO3Fy zwEbt+p}|c)j-S6)3i9!!J)qiEyao9m`A&BR zZdJ4$C)Q`bLs!QDPB(D`bQevK{Vll(uk0TLPfQ)?$LpzxH0R19)jri1HF@7jeI-pZ zqXM+9`_*N(5Du1A<)I1TG4Fq6jAU@r#_axZcyn-VE`i2_j7gi23K47<(6bqsN>}qh zDws=D>j$1ucKRX3dM|p|w;z(PUf3@S`b84+)3q zXI37y)CNqlfkM%V9)s&Qx_z0OEsY7#+ggLJlSnJ3!Y60+3XUtTRy2D-YJ)7*679>% z7QY2sUlX|K0#3}OEZj3uyylPdNp%09MhL?9b89_ryV2^bKOwZWp1c9mzcukNw2S8v zQFve?b-(4IR;P#vwdz$1NO$U^CmGCajc)d8yu3}17(C+oMWT?|6*U=6ZQ-E{J9U+B zHRigvJr-+J=P+$<519pJxQz^nW_jBS)}EcnMoRR`A)x;<+DcvQe5;YQ7@Fvk?(Un= ziSjnyygKv~bGqLLh04)S6#V}AG(VuWs-x{9o_Q->CUYIQp1~TIL8F4YM!AdeNw~`B zVPPCB=<=H-r%`k|HPK|Xkfyy86Ju&;gPWe;%?H!s2a)xnDi~h%kixB6E8U3;h>~>L z>JsHi7E@G5$0wCTsgo}>@|Ud{KM50(cUbALb zFoz!?sbfIP_|y0+?voKrtT^b(;2RKwVCcR(`YdZ)or&mri~itR&x~!7$=iyh4fA!0 zFLep^A`o`{50pMxCqdYf?pPY_35@zH-`7fMs}8GG@H35Zkddgi{$OB~P0CyDZ8ADK zmfwD!j+A~*Lh-bGPLez7E4*>r50r;^F=^xTW!3n87TDf{oI&PGfQ(osjyoF$S2EQ` zBMH;#bF+qmSjH$x9~LKsnX}~yjFv@gUW(_bhZx$k^D8KCNv4Y@o-vCv>d5d6PA1d- 
zD6+rvQ5F?wUzGyIMACQe=X~}MX5!SBl;UN7i>a3>r9@wDY{2S5nk#DR8-;k?v|5a=Oq`8{=(zA2 z&nqg{;S6@oxSSQK94xho(AD;=!d4MMgqO_FYLnJ`&3;jZ^1Yi)rq%91oQrLA2Ru&Z@FrFCH_Z^ zT2T>+{1n`gS)(IdcH_#V2+aJ|iz#o}lIR${VO9Hx)OA)NgD&oc@2(8i?XM6UuG={O zjz#Lgalk@YtS6xXl2=_#kZp(f7OD$*26ZWq~YA<)*I6t@>^!l ztlh|c+sa64FQREdK1aNK>DW~Aqn8(|Jn@h^tkj#Si)1{|e2OiFixcn^LpYj4`LZkD ziAR_p?eysnSGY2|hRUF>_UEc|sr#e#F1Sv%uvCiQQ~Q-G{}ot+?1WU8vsaFJ$$3?E zZ~7JVUcIA8eAaA>>p?P|onQ0l94>oY+ThLgWM+A|7LU}|*sQ7mFC$5iLP zBLTc|uy(^94!3Q=d*`%Z&9jr#%YARp)$+1Y7GO4UW>0=ox#`UDV<&;WajcZZsk0qVT)&W$e zNIEM^D6q??>+x3^dz%E{C-J+6GdWeOT|WLWjw#ZAf%L?Tb^96id=^_?y@=~uH=t+h zD7s9X#DYs3QlNM2*KzoE5hWpko>YCapIhd8vGu*aw2u#`-Tjv``M4hnF}s5i~!qS z@lp>-&wV$xR#RmOnS~xqzA%o+NPm1p4f@x~lRlW>{yJYB&Zo5zkC+MdqvV& zW?16u|20l&!{wE6`~8QweR^MpcZ;R{#DP3FD1=+4tra8b~{Z3Q|@1b&=_lpSW->f({P;qCS7oNwf}RAl`l;o%J#8rDGTJ#Oq>M!H4Mg z?heLJ9>asfqv_Hqp095T=iGNvD3lKJd4`?m`*vkW`xqX)w2~2IFg%1(0<$)*7mk?^DFapDlc;maV{EGW`^ItzXL~yHoSOYLt3}) z!OFA!s1m_rA&t$&0dyYToaWufv8StDW+9rARnE7HDb=KEmA3MeHq@%{(#fXPfp^Sl zqznk)#jRUt*0C{tJ4ij36q4rKn2QsdGIe?~QySFDl=5OSiftkw8xbAq>k^ip0bY3g zyq#NSO$Jsww=%R_;BOt zW9Xd}&8%me5G*rdC-d5b-gIl%lm~7bNuMR{qxmEmA*79RzP##FewNc;@*_IlWU1y?XU$#bf;ePMp@Q0ap$i!}y}b+?$b2*6hPHIjbX+M>XN>9wWFtT!gv^pw^Qw%elMI%P}@0L_@yt>{P9?Q^Z5q_=2PW6#}b$p7{LyH^FVb`TGGzpKUl_Yc6TENFY z|42&Lv-qe_BFP;Z@y`3_aE{FSD|IHIPpc@pG*i8mE!h-za*wYe<)~2QX_&6CS)~J#8oU;?9fO(6M(i&)$CqT^lrH;Rly;Q9=me z9fPoCOC`ATSc^^VR#%Q(Kjc$vL#)HKYVi1V>uGdaSMEEnIqkc*A5Fs!DdT(;35*Nxf;+x*KaJ`Qq!;iIgNSUDNm2G5&XQ@=up&HoU4hxNS3U z$_#33zj)fp%(!Q8Hn%;onM`T0s_X*h>5{xufZnr`axjynnMYVQ=P-^Y4H=#kNpG?^ zZ~8*EY0uifkH-(&7$LK69Y7a-yM)K*q`Fo%{2Mi4Xv;`^Q};9OWzn|fh0NNKPh8Uk zdWmC;J$!(Rz8A@^#iY ztTGXLg)Cg2!p2fx&gv3FYo96}d|?p_b!Eb3#1f~yn)H1K`6=Ct30)h|Js3WEegSWa z#reiWa%HzDp8hh6Q@b_9J2Q>*o?lI&I575Sv$M)Z`}X1NJ(Rd0=H~WWqW}*o}(R9W@DB-7HrNY zyWA#|#bTE3kO8ku46>%*$*070#74`u&1jvnh-qtesaKctcJWGqKciYTptCr@cRpOm zCu?)$n2k*<({MBmrAO0nR{pSr&$gAYVQ-FW(wM$CmF3x`t~}KsdGV}b-=-9n6nSt- z_gFfIIe7PtADD4Kmpd&YmJ9fKOFHSgG?=xImv-10*s2lT;w$;!XDi781-!d_2XE}O 
z(zj_O{aX}r`-l74k)FwBNvqtalEs^kkWwIOTReMVQ63Ao0RiV ztonH$nNbmpX%$6}paQ1J403*BY{;CC7yMs)X8~B%kv;rh+}(kAf_rdxC|0ycTd2FcZ@YC}>RaEsZc9sP zi`pyFnnM8N z`$jM#u$udyUdhS|N0K+^QXJ;R)Q;f{=vdDSuYb??rFF!2Y0tO>f68|6;KDDZo#><4 zmZ(+#WOSQ)fR|GnxMEl|y<>xkD#>BeAJ(wnCe~J}U7f+o0%>RI<Sc7jKP87; z8GSW0**KM&&Ca44KHru`sMNu@1YfGtPV&`}Ts~PO-HAy|9 z>EM*cRd1(|U8~rrg;^vee0LUCb-xs&lJj{h>V4PaNm@JU7NhO9$RD6m}ovPfMi@dHAqM%ADv} z%}q~;eX1|TuR}OvxU4G&r}60tXU267VNkR;C$=2olO1VfdiqNnXvc`48XkUjB}=7j zmaT3p)TUSCK#URnixvf?< z%J(VxREs0D=ST(N?S1L*S1oB3(QrJMm1(6^o^B7#h>t*RRV~|-bI8<@v8&j`9m%Y8 z7TY6jvVW{NYkyh8vi%}3k4ipBZlZsT55qe;@ywt1v9_#~9VaWLu3b5LB$It&BbuKa z{O|dh-uNjQx8FNfDXFk@dPfVZZlPANP7A3)w!GCw@v@~-t(05B+m)d8`!IBrtTPXd z5>}@t^{_e*r{k34E%)tzaJ)5|uFh^)!+pt*)`opHL#K<>Yu1j~dTv<0>#Ao>U*l14 z_eYg!#i64+D~~O4H8tYhvlGepjN+R4FY}o$Y|{$Tk(%WY$Td2Rs+VY-I{l?{f#P}U z6Ci)Py(HJDEEJWgS~$&<&dX~LucNTm`LW(NA?LIqI!YY+?g{-amz<_dM$R#@q&+u{ z*Kc~8`*hKV{T7g>VJ*0jJgR&&KblGVyDd~!c16>3dK*adZOQV-NZQs^c}sj+PEE&p zzFp4Q7o+K7K7BEn)?H;dTX!tt;M=RX;IA@rb(V0}Oq5(Nms@FBQ{oa<*SY9-)dj1r zB!Jef)}P)|IIVwzRd;e+)7E;@GFbPHRW@?Y(pUMdVf5y?S|@AxBHwjNR#`Ewc#XMcx*>aND4a!{SN?l4M!Kr=_d8TkE1FujZc?r}g5; zWfAn4P7~`XZHrcYOIVHX@5=ro^hqgu`_OXO-xXuo4E?Qn`!N#OYX2$+38V7X`qb#H zvdKrwpy{b@oYudVy3_jBy4Tyhny!^UNmtvEmQnA$w=TP);Z+wktm>S`uX58g^tajt zEvw4f>ZCOSiR<(`VdS@#MQw~6wx&xoKIx>Ir^z%w^4qTKt!<$-x^D@uZOoFBTql1l z+n~Wz?kZ!A%8uF^Esvt@NoOkb+SWQ`Kdy4qplWmM`efIAEvL2x4RhMA%X!NdYCQ5o z^P^!jZo7T7+ZEM~f2Id26OBgW&^)Uhu-BOuPS4xdn%L#2@u^N*c2VN9@-Khw?OJuf zYD2BkvihY~$E|ebuhlQfIc>kzJ9Xr*rf0XOmd$8MU+YH~@5&+TI(z)B!|44vm8q^j z(m1t!sJ^J&G`w9$f9kl#p|(e{*Pq6xX`Z%KKSIl;?ZK-5mi%bksvCB>tDIEN^tiSI zyRB7cPy1#)r)5xG`$-%BpYiiJ8UMc{it3pd%?B6t;hFoEv$|F)++NYYCRH^Izj_Ye zkMQR9hgR^&E`1?Vi}L;&sDsgYB<1&aqESZHx|sFl*FWI;r80U6kdckSU@#c|r!Y>& z&xLx#I?C|U>E+*mgJH-19(-MytsefbjXD~wUwN)K0oCI-7z_r({~V4je+~aFIu)gl zqW+c~3`G~u`Fs2}91KNYtLyLiw~ui!3K47a@UX4W1wXp=wl3Dv@0urFeDrgnn~UjQ8~-#) zNw;3Y=_Ya3a`pcLEsM1f@Ar%dOP_yly)*F7hR9mmi&ZD0gVsAMe#ZJX{NLz8zH*Vf 
z%Kvwd=#wr+)ki4Re*9KZJ7n2fu?=O?w*DO(VYiV#)lPH~=D$^!5>E4?3*B`=@BgR# zzMKp-n8QX;{lPh0)k`Y-U$)DlI5iSpUjSCufPc@9Z29y`-stBbzuUU8sDlx}M=xH? zx=a4a_U__fxX+%<_N$VJ`LUy+E7!GCwyzTZPteBGXk+xv^Z4tSC`;*If8rd@NecQm zJ058)nwK9JLmE^6%VtsY;zT9}{3Az0@*oaIP}pcvzr32l$9n(gj)oY5p4ZLe>oXJa z{aG9hEm!3)pbxDPAytO)_`Mf!k}HkMMp#IP{8~tEIX$&> z946~qtpCrtl=G!dOqw>Hvd=H${Y8oYo}-~pij=5B^Ba`$zsY~^WT>ZJCEi+Pi}$EP z(aKVfS09Jb7YbRAnTpU`hqJ;qM`1lms>k(Xf0>p(24#h7Ij2glkClD@9Uf=C!E?K$ zqV*l@_Uo)Ll7==4`!$-jDnofA<0sF-_F_jXPbE7KGidS>&fg*D^flz_q1y9iJ;JDY zkaJcUTAll;4oGK3evnTols>#|k4yKN@G0i33tnL4b32>&70}04^}H2c!e|3%Xu=^l zkbdpFu&F0)os;AG2$aa=gU_z!`XRyMC`md$M)P3LqxHCy9Mi`Qe^4)StjR`TR4~2$ z-7L9uPw=OmHW+=xNgq|Shu3s1oRy@+FWyi7otE+h?xXuNtXw*y~&dJP}whIuV-^s`X;YyMg{ zcGXuapYpM%p>L_Rhq2OV6^A}XW`A7p2T0kya=7{Sm+5rZR*_+gEcAMNoc2c;TkELm zOQ|Ds&bpZLJ7c9okb2Qzt*_I^@1$ORef;Pf>nrCS2#pS*hrZ6=dZeut+Ggx+@N^wW z7)?{_P>*Svt&5;W&^o92k+N!>KZv6xoF21>)8i@!d$`kjCTKgg%Tnu0%dL-S+jZ9p zqje#_HLce2XdRCoZNqlGvgFuuT-%$yOs%iA9;21xT34;}pjdfpN$daWth60jX*S2< z?CL_lgkan>e(kt5Uc3BTw_CgJ>h+ord*1EkRqVQGEPdlP#?FK}% zd{HRAbDn3xt0`D-7dtI0d)ehW>n)-!X=yyQHH39Zp#1YWgy`E_HLT|Iv<=bUE%kM} z|7nR+%VoEfR(#D@{6H@?+%L#~@iHz!8*ErGH!m2#`NQHE-_eb=M+!tvZVVjRgK=R& zoHM%{iMATH@2TOU%Z6E7TMr9$CA3>4KIK`Y=hxG7+7KQ*Ba!L-V{t7_;ZPQIAJUC; zdidbos|WXtizUXRo-N765FXE+b7RRbs%PSq0bDyKjtPAt8PPkMUV#;CKIzJ=Gn2S} zLITse2eLIapQ^Z?JUcszxFByr1H8$WPJHZ)B!W|NIH3w35zS+Zl9)X>mgyb6Shgcu zD$9q7<9abBsE!d+26MsSX#8uAvoA+9OrHf;q=Nmr#dH0z2qHRlNR;o`xZ+clJEe=nkatN8AaG=BU0GE})@qxj?eBo<11gF|arn_7g; z%a2>m8ES2=;>F8*WdwM-`AfIDVMW2 zbq7zCQtKcM)+>YyX7;3A&Pk3|NuKIzm@#t*Q4aYWJLJG6mksAKNn_@q4pgS3a$LmL zV|Wi1cXDHsZt5k*aqyJ>3~;X@IY*oUyY5)1L2zaC#J)_4tz~<*8)u!_onAE_%s#I# z^OD-b$uy1@i&5wh!($7Rm@9Rh+_yZPzTOj&gKUKhq;yNPb z+KUH;&}DEp&hO;Gk(2op*K1ujkl3dqmx;V02KMLj#45fzSWM)Eq5MheXiBdzinCKm z&x0|OlbF)Uk0HZ)u}JDJBR`w?p;F&d<4AC6A~~fgDo*=E2G zE}p4nvlGZMW>7|@-Y#w8HtQpdK#`67=PZa6E7n6LoOpW2%lz5FhSyN zHsbxca&$byBVq5ULMm&V=sR_=wGI4)E`Fq?9izN^A6`BqhEBn5B((FSHb(N36ik%p 
diff --git a/education/windows/images/express-settings.png b/education/windows/images/express-settings.png new file mode 100644 index 0000000000000000000000000000000000000000..99e9c4825a4f7fb29f0ea2930894c78a63105991 GIT binary patch literal 110041
zfk3B9BClTVhF>LJki<5FP{;6zqQ8M~4t4{i%-lrcO2{@k!t3KO2LJ^0>GMg%(Y;wF zP5B=u()l21a)d1yNggTfg_9r&qwzq)aQQvU2MzH0zz@StPhs(>sw-bLe6g? zt`5GHw&jWviP4Vy0H5_aS<9T<==mZXr_RAVCMt$q3k*fM%aFb^L%{L(-^suGV+LN= zS7Aw}HVJdq1X1PLS+rMn5@tL4(v5CSk_93;bu_es)er8(QSS@XA_@uLI-=h9Plp}k z)NgyMAoXQ<_K!DjtSm@>EYHQ`xIFyZbJwWd9JNeeift-2e!rQ!HeC_1w$fA0p|Bar zJb&I=__%ts&;9TsizBbAuKo6?a8&rx&|QjtN<`>S-Q1#*OE(G3kM5zfC0>RYB=5cv zq;BE`*OC0U3KNZxo*kvSIZBeFkl+jP!??ws2U+QE!m0Cm)BM)`o;JR`Tv|=~EqEcfUWaEJ) zDs6x9%#Nl9R$Mux*qAF-NSd=I29IxxPP&+H6tb!i0a6N9Z0sH$<^nf+C6l74+z82! zC^iBqk;D2_#xuQ?AI@J}kfQqrE=1fj_AJF=^_=tBRK@*09$2cbB8m6A*vJ_MRgv7? z<_-8ikBRObrQKk%rMj1*Ihf@8qHKHZom&ReciT?PZ28(D(3~9A)VD-qk7S zcdL-7YVU5lPIOeV#Qt25OgKsJSa+nmK-+V^Jk5-|e};lb+g|9N;wnUK3?eh`M}Guq zEx%u#FR)$Rx%|tU^X6~3VaEP+Cy3-C=>7YoFZP#WZ(ZC2@#&^3{l5F|Ue~*w4-3nB zwS@R`$Z;ZnHMqTuq@C)RU(Lr0j?1qTb{$f{;F9_hMEkEl=Tc1V7c_dGfWx8o>XqQ@ zk@Zi!V&~X_mQdEI<#m_@L&&S%80SW#t<+5>f=FWAh%%i(=5m$4+phje(9M~{qK>u{ zoY}*YD!$N0dTiO6E~s37^*FjQ*kO@Y!4^7!b#c8{*T)X28v;;j6RtDC=EglR$~7t> zP5rmTXQHMG@a21pOXWI9XX=3SFX}<9s|FiXURUE_Tmw@RCMTy_>Us^~hQ6Lp8wGr% zh1)Y?y2^`qo*zCFeYYK|W{NHH-va2;WsW`74{s&4N5{4dh4=L6;qYqhg zU;%nxt%2QlK`_qzadxQWF+z>WTOeCC97Sj&IM%JCcXb)!;s(>!faa_w313nF=`W{- zyAyHiaz=$iyoBg$-z(qM&4KZQi2yG!xUYYMD7O2JO!tomlo=~sp00^Oken8X7XSJ! 
z0@A#=EBb6JxCjM#&}Ns{&@;!r)7eFD?cqbgyX%=9yQ?eE^AT9x;GyxcFUWtl@2ion zK{h;zWz)505Bd5idvZtu-wi%oq6ze}Jh1=|UUqq;;ansj!p%v~59}R@W+Kb4@4J7` z#cAeH#a~DQGIf+g)diPDG-H1}d&9R6K$qi~cQ-w7cjwCEB+mWNk`7v`WDkT=+E~8( zHY;>LFSwMh{V#h!b!-lRQP9-5ZxzzqOV)tFJ#_AHH|CM3%CQ5xvWRk%uMEgUX{M-n zjL%9Ab*>hSfVQ(MVLYFT$H>ae_vCLjW^2wI@$XbWvuWP%k2X`1&gzoN;(yZo0pxE#o+)Lz!vLO?Xh6tFg zp$|hTyUQDq(VNWXJAP1F=1FXnk;Qs&aj}Iay+ufM@<3MaF;J8pbM0Yyzx5liU$(*` zUBqMxaF$WfT!Sgx#UbjW%sokK-)rlFsybC4nYlr?x z4@POl4o*fH_$m`a)2$DDK?Hx_-q}N7Z3yQFV6xJ3XlRT+O*0_a>uCrqPun9t)@adlSSV&MDp}v3LbFfbwpTS(bx)pVf%rIJG-Cdm9C3o?Yc|_&rpG z{@joK3<3mgv^w+sfayj|Kvv8LR*gbtqsxAy#D+jxH63Ai0HQ{N5&qp?~-)$$Kk@liL)+b-gKA*U8b!CFfy@zn`oG}po*D6HJ$*RnQT=iB|3c!oDkVy+Y>*W z*)tC{T25MW;tcIAA-X_pO-3BPS|KAWB=olDB=ZH`Q;*zokji zQ=S6yJK4DLbGLBOSIXIwRDEIU^1&+C3>hmuJsws(NZh%%^4v;4*5NL=>z&C_D198{ z2F-eD3V$_Jthp`PiM(v-x3we!*+}X#$bjC6%j)t~%#?tPS5}evG`I z@=3mnOGeG7**5jK$S)#Qe*+=09T zadG@20(Qt*E!Lb#VO+&aC?q<O{RVZj*hw6TiELJDov(lAn2K(*hK$Z&h{w)}CYW8Ap8e#$YH{D{5f2<% zLC3?Bkd_NYO1lwJC|81piu$3hlIZfqgBT7($HHON+p-KJ^D);2JJ*gLpf2 z2(S0+HN*73tPk-?nk|c;F;Qc2V$jlA_Au@1O72 zHBKJtWjJj6Sl6eM`OvuT9b3kZH5@wp=zwEdV}nB|rX-n?CHiAd0HBxJ2;H|XVKwT{ zllwEjCth~0$;j`w!rEo3`qfI}043>jD%~Cml^uR)d^OnkD1$o4SdmAJ^-$#eK!RFmV zo@NGnru(JCn+LVw)EJ0vaNF6TnnD^xJJdFY zo|*52uvN+5Qi{H+uumefA?wtg$Tlfi$&(7>$LptA<>CG;=%P&%hrAdnBDP`Xa$_yn zOtt?nTwydx+;F>GYz2Omb1%GLM9)5i1mQm2bb5lE-D`5oh>f%*f{YAzq~g zAF_t~!aG@iJ7K2}xmM|WJXiL|KT zI{EdYEJd^GlkEsHo$y94!vy6Fd||va`$jVFa4p2q z=YUM_%h=R2%`Ottl6(Jcu2R;x3)ohk44;mMPmM3ikQh zySfVhsl`~Zk(YG!;Lz1_`kj=b@J=+sNUCQIM#Rmc3a6112tMpXB>r9~!;0!3;dv5d zfz~|xGzLsHSO>@sJyxJvQ z`CHKBd3r~?0JgH{rRqJzxyM1J-*k3vv8TD5fh|+nYQ-mnW~b=0wK?_G%PC*2K%VLQ z3K#R(lhuMjHmeE0Bs|F=`nm|0dXOw{?=3)HTYm)myb0n&`fAf2+V`cgdE<^u>du1c zQ1SrArzHcwHI$1XtyiNq&|2M=)%Kj;vU3SjegT7TVrU+MJ&AFFs}?JDoq=*{w-5V? 
zyYw~|lgED^RA5$G0Z{WC1|zY+U(#8|N*7skVrW1kPh?>DQi~j>v3%&wCTB63;JPce zY9?l9=L0Tixn-H)^(H`O`WMN_Q<;;5M)xivtGVnAK+g}oR)yXR1$Za}(5jem3DA?~WUvVuc6S0{}M>Sv6lUIEnN=tO$(<#S7zBDIF`sza?ucHX$n2zcI#W zK>n-YFEOypBognfcPBY%DU0p_SdEW-?TZO{**bNz)id1>at>d$xaN ztVOysdVx@~;q_mQrd085#MNlT;DQQSV6g5lzLR2pH|7xCOLo3dKLK<)>fXp^DR(a@ z@Bnl3brDD`isag=i&8kHHGh<>@dDb}(+X|l#b&;V>srW;D$F}m92WftsOp2j7D0pvBk_Yj*%V`H(bsN8%c{vtLMn@GB80SS6h7=-doym*s`-#O@bn?$|{Vf-#=3jIi^~-!x zoC~~5rK<$C$ZDBoTopMCT(YQ%B(FVC@CW?-nbsqtW5e*@<1=*MZgG-7N=P0CKTQa;4{&ZK0$sIBq8<`f^b%HF!ryStO>ty*5xf zZ($CTh@@*;`qbwn8i7AI6p^FV&%1;Sz3W9(0{^9yGWe4@+N2B9|E8sz{ue$UDWnZn zZB18-q3te)5W~f`41d9%>Nmy~s_Gz4T}E+Y$5W}}(Do-fxEL64b;3bSrOJN-sn-9| z2=V_=N&Ej(O7VZU-VW?1WQIugUwi#p{KEeIc0?Pn-|>bu?BSu^nEA?JBJ1hVyXS`y zE&u6*_Yoc^sQ$i~|M>|wpu1-h=T}HS^6CYO^Zl%Hr9DpfHG5_t_4uUMk-=+96vGeg z!MPu!a;*^oC2&QLKGPB2p9P-q_LK4^`X=>!BG1?uGBLa=3PuXB>lDhCiN)vz9_gLT z8$UC+mWqt7)}w$MDJa3b6e~NhwhsZGYgw2FBxGTo?T=6Nu($4Ic_%dqYc_2+{DoXx z>?cY-IDiS22A-eW+S$j^1IPLh!6fCKQ$#zQ4n5+aPE!K|WH)tfG0jgTB^X&*wpL!1 zkj-7=j|=_J{K6BVQz*^mq$HlqOzRI}fxB#IEJRF~D}7?H=E|CBi^uLumkJykfYK>= zM^w;^(Sx*^2y8Z^Vd{S4c-E|LD&he~G=0<8S$*jh*VUjY+;0gm8AiQv-qnb2*Mb3U zej6b(if?B%dAI5Bky_^@A<>OoVw*oo~$d)gwTHim&r_ATja*C4bO|*d zW+Q)4FCDthY5p$dLtlBR9VfDPs+W*!4fX%~fi6CGKp9wr-X>v}&zp^Kvln^4o~zzo;K%B0_t|mZALEr{E0M6AdP~X$}e$N z3dMkaaA1_|&x)(-ruFNKwQiVDvN#CZz{-fwG4vy)*P&qjjU}+lwT)EXfpB zbn+BkJj1~kjAA<>_-c%`9lb12w-aLk=iDTfT0%C;GLc?5MvG24jy8N2Y7!H34_wA6 zh6L+g!aAw*rJ6<89m0F@PG4zc2>`SyCgsZxk^WQ``<;JqV8MXv*J|S}w|J2ma6g9l zAxWi&KAedmPkKKpPt)CxP{8t&&dH*w-HrM@&`Hb3vDBGg3!SR0rD$x1=sqhnSz+El zjx2|RCsBpNH`$TgXS5!ykha}?cVE#q_(){5M?IYa*_J6*(Z{PM8PUt0BseQ43s>|M zovm>A_817`dwVJtvt7pxE(vEnsYuk zJk&8-#4LO&yNB2oam}(Wr*OL?5l-UGv*`{UM8+7VXtDHg>sTi$;7f$T3v2f1=Et#ac_Tx_Lxq|_lK1fv)2s10 z1s8RO8wPRyhPHF?*Y}rT$eWe`!ztk5cif-)bD(Z2oZq#T=o~jCJ>H#)UQSdSzp`U^jMTjS0R4^0=MMY9p(MuR^RnffhTOkx`)i;V?4y`wIKOYsdGQrbaT0*rmYC z1kR}vt@JeTBNB37iFXd8r>&YBWXFk}j|7J27R91JGakin?$^vwO}#YdW7p`;L%Jc` 
znNh2NDI}=>yFLb)_irzum=Xx$=6%BW-@?zTm8cj5QSVkNYi^ZcP|ZN!@;Y;sHr<;u zH{tV6qPy>59y>p)0EAtY5InIW)tX=@!?y^lTH9L-`t(hFC*9SkhyZlQ?4Pan$;8Ab z;kIbmaF33Xj=Fg18YSFG7tS-jf-zTa4g)h-UT6wbe63wVE3obP&CO`d&LQi4K5?1J zu?m?@yiUS6#>x7IkIaeJp6Vc;xQ4o)G5ucwoC>>1kViv~A+-c{W_+0=41r{~(U!!2 zsr|rvGi?EYYM;n@P^L>S5m+nYDkIQqH76<+GAS*T{w7@b03Z4TMO)*3 zBUZ4-~VRj7g+ zCvAWE)>3NH=D!)nvQ)N+(diBCNmg#SC_s1qUJ=JhUiG&*r>*#sNSfk9?HC=4BuReH zR7jZtC37RAZ% z->WnKjix~T;e*M#F^%-_|@;gM=7W=f-&~Ro3;ziUl;l4r%sc>D_NR?^9A^liT%8gT|TlN#3a@G){sJlAp_EpQ$i!&op!-r z8gBF$9y}DOD`Zjc#}IC?R)zM6t-Q+yU}iT|gCd4T$*_*5Zm{c|d|aqNeVJQoo$blL zOej~!8s<*+283?GxER!x@}3I9`lamVURyZl29@IyiXal&e-hCNM2&ULh#%M67odgF zay;iE2J})oOXfN&Two!rw|R=0W=ugAQphZFaMa!Q6L+eXeyQGB(6iJ-#6Zew!u4H3 zMctz{vjm*`Stz;J3HrGf7H90vU0cr>4m*hqa=}ysI(cZZ;d5u zKf`3@5Ep^aezB>$z9d&?#|a66=Am;lT?j9abM==%UZ~vco1_^*FY)KTWe~wgS@1AT z)$ezq4!58i*?U$sa}12K9`}`^O74TH7}XxD-Jp+=Bzhm^6y^a|MGqT{2-)%@+4n@I z6KS0l4b2~P4XDY<$*D6GPzK!!M*}SO>;-YV>^Qkhvw6Fl0b-bUY$`iPOh;5Fc(3!c zPZG7ckb(fs2%C|+K=Lb`3j(}eg9q4LtRZ3k%osb&EWB@{EJC3u>(xzEW;}OacJ505<-u>8A3VMe0rQ9<+qmB* ziEzI%Ez||=4+VL}6Sx~~XX?V;I+E92NhZ)knzIq{`nw|H#@oi&=XDa-UzqB89X3Ox zvUEa<;+E=lwK4S_4G^bc$1WZ`gplzaUsrhPiyxw{@#jO@en+he$Q&*KC25l({b@;PyWNo@gB8*eAX(jmV#x0kZaPwpCsRty?#c|FL_2}9z; zV8b>Kp@V;DdOUn(C4#W0)9u;L4@>VI4AW*4e9SiWVW4uOjePas2$+$aJUBTH&)?V^ z!S>d8@ut4$$v#vog&Js=P9z6EE}Fm~VU71_ZzFm}pbgV4xp{yZY;Ur!hWBiRRwSfB zw1avE-D=8zKZDCe%0||JhiCRwL3=z&*5lXqWPe+sZ?qqp8d(>E%lhXhz?phoa!Wr< z=of|73<}F`8Kh?V%V-yIinzMtv-=056Um*LX$z>UW?8YJtt_CejEfJ2i;E4uynh&+ z-5ogILUHHhc!ZEVbmO=P_jgma;cjh-m*@5;d9_7NO(X2A&EQW0zx4JYXh%Ix>K~1J zY3ok57FcjiFO2Km2AydSUp_hl(adw#lsL>E7Q?Z_;3}a0t<6o*CfXYwZua>8@!_!b zaKybN9tk8_cT9-o*b7Dn*6r`_0xR}SU41?4wZOGwI$`dJj&Qdz$HTL_(0)P?5$K68 z9vFs5l8WbMcg4-aJE|3v+sAiCub5zEds@9>iyqWxB_}D?^neeHja9PCiqcgBqj9UO z8q>Buxo-&KTY18lj`7<^hocAO8b|#s;Fu-rHH<0t{j{NNap#0MxLKLuz8MLa(4!Rs zeckaD$4Ofs7u-1}26v5R`7#MII=coEjKQ4(F!h@5=uG+h#0KKiy9dLUeY=k1Gpv<2 zNnk5HJSBmX9&>zs?@$DjC=QSICkb;zqY!B$EX~d6o+?m4;x(~DAm|wJ;e%uF_QrE) 
zV7upYoZdu#0FwAy#&*KMxKM+yGQy62(S#ELupc%Z$zmUx!kle+;hNsC;F#~##vk|6 zCaxbHgLx#LWHngz&AX@u4V-By)9~pzz9D5F~woKmzy+~MWS^mN~ecQ9fv=DJedPdHBnergDN^?nOUqod>(Hs-h$XttV|<@hcwxgCe6c(c;LKP>TsoT%ww}gy!`gDz#hId(Pb!{yXD8lVcY-r9KgD64A1jW4f5GM(<^cz;|wHU<;BhvMo1t?|;eeelqid+_q|eOU0}ZlscAh)0ni ztZp~Z=@pdLC`a?)h;|s?GYoS`Ou9w5qf2WaOor8JO3l>rY?_XmEnyw$51CL zNw!v4yX!3SO6uWD#~#7zereQJrY8;8jr~#3PWFKtboTRohytC;vPNWsGebsOv3GjEd#*MU@g)HkZXR_nF zMuWx8(olPo`oyso4i>nUfp7(cgf?bC`31OT~ zSYzsQ>+mq;*t78jtW6AUC@8CD9HgFDcWy}q@)$_F#|7h=Pj=(^&-dZ=HAi40t9&Gb zg_SIy#3h-8=*88CaQ}NdQCLxpK3#&<{;v5iugCqL?Z%Gee8o*QnD9U8J1+*K0j&ct zYsqFTdUYdqoXo?6V>)9>&qyr#VjrITazCD0z86OiXP}-szHVeRTKhZTNLCTYVhKLp zb`~4=r>gN)LECtW1oQ(Q^i)gUgy3++PPa3A%&d)+a7&3-#ZAF$_WHXa(?8Dm~p zhnGLzgD=)6VH*3gie&m2`|c&$d$-3|VRH9i*!a04*wqE!Z%?9cF}f%coLbuAQucKg z>)N;V4Dw4V$!`oR4aMd4$SZ6$2BN84wt=f13HDQKaK{&kNaqC5TxJkPm{M+#lrPmEg$S}>(Eo_TvKd^yH^yM)7;6UraH*@sff-C$)wqSy)DpIC`|Kiq}g9Pf{e zj>d?%09-x19R{@VKy-i`$4Lv4!*O!ra3;2;D48<7*NGd47`LmCmw$C_Yw25HFRbYuxeyR#6Z^AWJ(1H80X-P$xdXB99EpC~&Oq?|rKGp`S4mBp1TyNQh!8Q7;e%jaO$ zn_DsC!IiKf86`Wu&iAa|GTrT@0XzM~sWh|LfpT#6Bu(e=O z&6M9Lmjdf&+neMb9s_tC^O{qRCJGfy;yLxEPcY`0HK_ezK6(ymtHd$mbs_6Yuar&n zCo8&Amu!Nr7sICB($40gsooUx$8;dcOT($u0+^Eos0IsIj@+hIc1d|<;$$kfo+@jV z{!N5*QfX?uTAHej?M>nqI0VcsEMPAEWh_f%7I{?LY3o8f%~_Ti^DBA8COJ+U<-V%O zV1xzh-hDC`E5ALAqX*MqCClT4v_pua^rx&|iE`~oBFe=E2y@D-Z>w^g?Nf%Gb>Q#Lk;#5>j4^$+7+@X$<_Pl!)+PCsS%-~lP@s!Qj^|F^o)Z}D?GTN~<^-y0= z8D-3|?b6rcH+AUvt3k`Y4A97l{#_L$N=(0B>$R zfwq1QSjpL>0|%<7y(P}HUGB~_JJcIP0B9oZiD-8K;I+Xdj!>0PjR^&y<(jGrz~wRv(}2-_y|QwDa> zdtdFvkdA%~XpJa3n~RrM@5hD*Mq*$)AG|ZG3$`WYAtfmbR?d!?KRq7LaHcG)6SARK zZnsGrT0)lF-5srwl3#(oZM-pea5Qe46c2k6*e5>Uq4q${7~2`MX;Tx2wr9{bMJL+L z4cGVLtdM0<*K#*U_OS%H+bbKX;t5X1@z}I@j2RPy9+BSoV%tghy4k7yPZF?XZ%;kR z%Y9e%LMuNP!-@{|EWurLEVmI{8FWN$69ztCR~ww9-Fetr<5reCr+X^|#)ZL}ICkV-z zC2(e+-7&K(=Jk(60>@2VoiVTwqC0c$57#lKtG1v+X-R+<~KM1=L+E zrgsU!4HG&ev#1_noMBHK(+(YjTwu!frQ}v%Sd72ggJMIuty$)CD-Yr0xqUILe``E8 zxeFfsVlM*S9AGc2n}h^vCn2U6&`g`QHe6?!p0o>Frm^F9S(&`|j)7=Jva^C?QdS=; 
zsv3|G;;vRj-`sc%pWoIWqk2YQaL+Kjx#ox(Q_^lBq(X$AU40M_v(MM=N>eK+U)(>~ z!0u&?QipkLf0(BO;%NV$C#GN=^*e%NXk3qQMfQXkO5e$5XwjLC9YyA6As!x1B*i2j zWHKn@#OBqXj^N8%`(s4+aEu=iNqG*lEoN{Od1&(De>@yybGC7Cv%ONb><>_@zbsQo ziUY}@^r@$djVfR24REu^j^pPMML#flN*6pls5PRzofY{}g%d)u+{Cw(RAG10d6F{f zkaCHAI?H*Ig*SgVi5EDwzTA{#uv6hwltb!^^moLhgkan_t}`a|ZH-5l@5Ne@k_zi) z+~U$CUqjd)DHFZw?7oTaYJV!$ zksyzm7>nC(HQYx1^e(yOEWgBKKhR#&3#wsNUWFU(7z8VlDj_hkU&vbQnYs$`w86nM zx%7iYxPMMh+}Jw;*Y%5FHyHJ(L&sl;%iDO&!C5ARgtH(I4|@)BYb^fhBuuJn)Xytr z#bWole4HT3akaNVt+_c)(K#s-XWm*4)~w88ytVNZ>ggzCHYgiaS00ijcFs;YgFi^8 zon2gow473$%qv&7(o=Fvv3BoSMY7t`aj!j)hMgy}vFCI)PGprLI@lG~bWksTcL-b?0nk2c5xB z$1;(_S#VKd1&(Bws(^Z)<*weB22%#0Hmq;w(JcIQFde5!jwFc5Y(+NWg)rzAv;J>) zCgXTsB?fg2L=9&_mTd0_8&Bde^UWF29&3(dAjHKE-!Uj`-kXY0&f*fnJa8tb9IvlE zhB|TnJfz%`f^zI&ur24z^-yv?A_JV^O7d_ttq@z8zl?ed3v`7AXOxbPw)pN)Dn8hD z2ED`GkyKcTJtRk4NJO@>&Io541bW)z0KaGClprC>2fmzGjDK2au6f%y`j&!|4Uc zl}*hR)kvZ(-8nWE@6ZM-<@Or;PF8!0spFkz^HEV!jiW59lD1mInesuF{T=(K7wyJ@ zf$liVJeQV_L$s%p=L%rUHnj^_UkV%d0WSPd%5r)){N*i4&`_H{&S zl8J{t--~Sa%g&TMc#xEb1-KxCZCkZ36>Z#XV9T;T+;oQaRDyjBJRQ6pki)^W?^G6& zsQdNQqbCDc8_K!nU@BH@KCS9cA=yo#?KhHKq*2bpIb~{$2x@3&iR|NS&f=>m|IXxG z)sHd(aVJUWLi^p$K3#Vx3%R8Xh>i6m%cgki+k+1GFYc&72*&H zn2;Jf5{3Sp6y5X2M)c_$g_{Sr$4l>T1DS`io94QDG*>sM6{&CcoI?|32xXZEX)9~! 
z4^nAoB}L`fOIc)fshD=ZlYJySJxBD%fZxnIC0Os-p9Vi?YlPBPeq>(R7;Z`(N_!8| z7c|O*g??!t`&w3Lr2ZPV_Ym8DPB!FnEH^YX;%sIS4rZ0mPjFH}zs1pl5?=rDa5{FL zI**}kypYH~+CV?CpJPGBh-wS}lvCcFJXc&^ho9*Gk~0gHpE;Xdgwtp8VM1SZ3nyGN zU*0IoK8CTwqpF6UvZhY?UpxATXQ|thvPqiPR#C5mIPnZ10sVsGrlh(al@&GEaq>Lv zCkM@xyP~X0-6s5W*I9J-bx|ux>GY4U(&vQJHw1I+pUt4Jp?)8qoPei3+Nma_pf6uf zViZq5pCaw0AKS(LFJ(Ipq!yx-`lu$c-NkmVV|%)A64Ahk&gYxYBJpgV+E}hujdbYv zcM!rrzx_uy9-Cn5GAZi!L;ZY{!&xe2C8Y6yEX~RQ78@qRSH>*A2B49v>zaTPFlC8U zW<%m|WJyz&U1i27WvOL;<3NxRFN0g%j$+xew}C-kc?dcoRVD|hDo<`x3AFk|7D>yQ ziz-LT<%~o9+*@u{2t-bqWs7Dcy)4r!Ir&)}n8zoh(hlZPc{TkA zG@aS8tKXQ zCB#blL-Zlv86o5sO;fst;MS2H;C0=HhIWc(W#`Dx}He#bk!k4e@Y#ijzvzdG`%9J)ry&{X!AM2OTa!%^fbSmfN zoRoK|^5ti?{5-2yBz&E$)E=d3mUHL3I~n&`pV*)#o7lQ$%Tlh$A+m`r%B^GhD}5m2 zNOT~wN*z+Clp*=VUii@w0+9f*Gbgqp-fus{TB(Kyh{V(kh-AkLb^zvEy zN8}-SQFV%*)!1b@+I8u3sgIb@Jq(Y{h{v*@&fw*bc3||Nwy-7f{_KZ?29l#eY+BkV zb|SK?0trnfkx#oVs_9JYJF$P!i9oW+?N&)Ak2GM=RjkyY|YdbuU8%3xZt8)>7QsISKW z63tew4p__y3`l+yL_SF)ZPLb^lrQCJK0)f$>XAC6d>PXsi+t9hMogGHcAUyVy#(cd`X)jxn29s~ zqx$(Xz_FrivSBH+j3OdR82SH|VGTW0Gxi*WF*`ur`wLJG{ zL4u>2O|xv7b^aO9NP)~2<g~=1#M#+wBU6mLfZ9feg9h__8_Yl za=SxTm;N2Wk^00$+9E(cPE5N+uz4XQmXuVr(zbc#Ilnq2=+Kx|fQObEK@w541c zLdMxAZP{?3&G8N4?OU$bI{oI`uQqwqYJHk^9z~V`O=Sy-API@II$kK2nu9f^NY zKWD$V9MPZbArgK58YG=ObnxG$V_(_WTA&s6BR_-x85z}~L&v}1@=1=&rewx-;j?ij zBOBhtIcbhl``*$isTmXpv;398EuSU5q>;2*dbuW_<*z_nzLi;woR?Xc2CW=*o`2=L z98!N-6_(EFg@@$ns4d?!q{%JcC7+~~Hc1`wU7f4L$UdzR?Bk+-ayz$Q6zpULMyrc? 
zeC@3jF*xa%g=ZdehET)uEHWD@xy+r5wCGIzL=q-YA^^8S+`K$$9zS5>k$qU&@l}@>kVo{H$G zdE{uR&!S4iGQb~yagyO0Pm4`W?cEC5OQ$2;*V#}GkC;~8sQTb4^&rmJFn0`elq|6*!v0qJ&NS}x9;xl?h@T>+?}`(LV#cag1hVCE`xsUw0J1&RjHxDK|($igCU0wCMXTItF7%FS6svA*7M|5Rcu=-@Ud|^|*qajnT>NEVouE^uarMaaAy+b|JPf=}nenh;F%CDU1 ztLSux$NAt)SuNTaAO}RcBfGK@G48hL?C*jE2GXP1rR|SW*zpEMdLlW%3C>pL>H}yZ z=P2eEQ zz2T&qx^^-*!D~16LEj)}tUQo|YU)VzBkK#($CS z7t3`zukpzN)SUwgs~S;L(}3_LxvbUYjQ|%L*0V}|uV_rXAL1x`S#1-l zNLo?@T#)SJgm^zEc-vXxY-Xuid#F#O2jac#)v_J380E|%ad_taP3psP*=*~y2rnec z>;v^9A95>U@ESsWr3T8V)P#JFZAREznj$^OU9GLuOvfvFleN3VMkXfvA>6}W{VcY+ zxEjL~eNjYPlb`ku2&a9J2>Lr%qfdxCf<5eTDzB3EL7mW9hq>9If3zn8oosNvv=055 zzKF85(TVpC^FSH(*)xbb^R%ZvoEY<)Q9+q(IdUEm=Zz%R`4nwhzKxP5I$+wY;wog) zu1*!#LcS?8F3A@WyuYNXLH$&CF!K#&8>IL-;ym@=M7bT; zg)(_W#z5=q<%mJ-tM7cX8-c8E|0oZ&97rw8FIT^m0wyHUUMYus_eef9G>UyBnr)Iz znSP9?eH7?MZAjjJg#c6iJ)=@b><&XllZ?KorgP)1l*c15NC=_zC%? zksLb9FYg|JS~Cmm+jAaIUY8DgI=bn-!x6{e}&5`wACR~w(1BY`kHa!9lOiHEmYrx>n zLHKs-S=@R>Czfx44eL%~Tuf23#PrUTQ z0n8c}j~PSbRIvK;-a)8nHp04HvSfoP`rM=%M3o1-;W9?erfb^ms62Ik$| z8!s+7q)42vi!CPiiG&RYaEte5;r1~p7)cT-->SKdMC=F&SXN$zY9jfF;^8+Y!QR0Z zwshz>jZ4ATn@-^RVM*xA;4WXSy>&t-e6i#Jw!Jk8adgyMvnnumc3))E@uejCVdtqr ze0*Df_49Ej>gM*bDfsxugIMs$NDS>3jO>yse0KLhJp27YjOY@G7`D5Aup6%6D09iq zbC^9k3D17A1xsI>O43^ocRJMwXKTE1M}O?kEJtjJCx&(nKpUO&GzRTMBulcGrX|V3 z{QHM0(sS%|5q^AP6pH9@Zyy#1N8X=Ghdd-L9N+zP5GOvp2Fv$mA|tl~N9J6Gk2jve z4FjWa=lEo`0OYn4`AQ$6*LQCnh{BV3=-)E}wv;7>#P>#~-FLPG&t8*`W&5+S_my#| zY-mG_uRU%Xn~e8KBIKifp?2o*CkYwPdylfLZ7+;LBS*C-*}1-bY8002&A}5>yTFLS zFE!8wT@nHr6zj3^xlza@p__Xq90L;CkAGT*#;{J)LIFVh3RtBc|_YFl!Wi81}BuMcvccpx3yq)C4Flfp`i!e6D z`h6LwqoY}H_Xyrwj>X$fV|dSS+%hs5i}z=!e2nRYTsT;0H8sbo$A_YjM5K}Z?b^YK zh$oqHakjxNqf@c*bOAoNsSoO_>k!C5eE57RUbw0|b>aeF>h`8F$yi3aAC($_NCtNK zKx8Kp7;BOb`Mytv5Ixo@kOXf42Nxf0K8>HA8;fQJ?JnV7m^3H>pZ~B2Pq7`R_lr_r zZ?N7MX=Yg-H*N_{rMnXys|6ONmxvI-#ydQuzbf^ zJT$&D9-rO=N9mJhk4Z%a?>*JASgEWA|1tZ#4{b4w#A!rY7)js}gp(xpWdG_B>IpAd zAC5LKyhku9Ngj5dD#C>RF|eXvnLH#>4GK?Xm8gM7G<7(Mwv}62jokby+&if=Qkb_{ 
zYYU#az7Kw)Z5GQnlbE&(?Qrgc!}0z89PE2(EQ;z|F{xVst{fDjCR(l@9)nhyVKO(y zs;95OZuYf_odS@a8i<8U*=Ihx8h#{IyI7au?5o#MU$T77UGyP~_hn+?gF~_XNS-2f zr{BL4pKLjgd&j4uv9t=~2E@R@)*8DHWc>YqVX5PP)fv z(&#=0=_lXcjEVnP4wJT41T$dDXkPv7nu1r;DKxM%%4))|%-@9vKiJs*^HLIp76#^r zKHq}rBjVJk*@cAQ;W3Hm_slXp`R+!nK9~c4S6kfi`DXM>@PiwPR4X0Gs@2Ev_~=-q zb3{3i=O%U!gdLsMhNDH8_4azax^OSHo-D%qYfd63vy5doLDnJaK}Tj~Z;J}m;X~gs2?ZIO&{DhXKHpEAGU~K0Q-1+_{y!P$}yhY+BA1S-IA$|tA&QVz7 zxdK?K4{))WIBGo2fW2&gE`A_^IJN5>X7mcjn3q@Kp|{pz{+i<$pB~*lolJ;9)YP_N z;+rdR$1AIG_IxpkRuUc_6_2OyA1N}Ahn^Ml{R z!O9HLK5n@3AIosZv&%qDBb}rC^99v-|HlJ(p68C|R8wam_>?mEd)lH0M}eUXQnpTZ zY6LHJkx_pY+iuRBbvRs9j}-^<@$r}2arfW|^o(#rf0DeBiQY&Gp?%P@Wwqo@2Q$$< z#usgLtR}3#4CG~n^E;ngfh*rx4_i|+gvR@m=(cba-#*QrSK6Q!7L^&NcUK*!jqGlJ zakHrv-8p(59OsT7Rok4@@?`##x-0+v-;(~Mc~uEF#-Hz1Ou ze+l4^jE+Z_7$5YE^TD+AVAPVZE!vxnX|yZ(sGfW<(t{)2iCz8BJJ}a$3BH&$Fp@;m z0`*kFL(eY3L*MK}f0?yP3PhZ%1ExK>3=^JRuGUq1Zb~XT#dxDnq7NoAST&oOsdd1f z`(!g-d~aR*x1BVQ_{c2h><`xC+byR^w#K1vdK5a5Pz;D+{YZj`(Uz|n7OOsbxB6fn zUVZupe7F7-k|VruJIUmdt!MD~ORMlO37oZjzs3L-yl4Hfd{j3yA}q)a(}yHr-?>5@ z%qUhfk`kD+OR90hpjfOTF~6OCWZTOp97^S1Xl;*pQG;`xR9*;f)!!nXN(%V|9K z+%l{r(d-rHOFI(*8gWHRAcDP}antk5am#1hvH5r&oH(#pzvLjQDQJ4UH-^UhV(E@k z*q2d(mzM0uITGwo*Pp;}`oexOZt&y4LOlv%UzblaoXV@lQ{V4HIc?dId0qMLdOY&+ zR(!hUB&K$eM`5&cI(b>jBe%2`^^{K*$$aSL<#_7reQ>q5#v`=d$3EYIZuD`DMkdHC zuE*Q&tih01Rw3EX70x8q*=4kG)^+KIlX!&Wtsm?62-|7r;XK^XKb8Z9lNiB1G9t+j zOAqA2$-)TN^$0?L5~cp}K6r?IM?D_Xq2q6WOP+63>(R(s4fQfD->Q}|7&7fWJhosT z>i0a1>qaE07vy@4e;+;X`3^??Ud5)pS?#|ZVMl#q`9a({ED5Q>p7?ynIkn>T8JUGp zAD?SMO2kw?;Z}^&Fg|$EWTXjwQR!w7*9r<+E)01ipMmU5HP{~NCSY_G3fFq;yIufqz;tJG|1SH)!5B=|20HfY7!MsMM;Ehmk z%>13L)LK@KPL?>g^me$r*rS95MP4433@d9J;c9C^^3u|=c9A72SgxzHHP$Y;9zSMO zW9Y0eVQgj!TPq8a$aYx-G7|<8+E4H9i=j_16&3~u8*6lVWEuL+rr!I%f_WmFz>|)_?U#sk>s{mUb+^rZuMk6>P2$uSC$WGCwF2f5;tVMCGN<3G6JUe zb+f^33`PU*S%{#?A0l?fCqPjpP8L@o(A@?nv&z^`#>|U1%KHZlJQej6h3&ZMcnQ*I z!->~?3ZwKF5lZr{9wE^_EGVzEpCi+4K2?Q5w|bieyMBwsgA^^-l@Pa|;pr#SS`5wOlR 
z)ce8}N8s51C4Bk7U<^tN#;AX+z<_%fB5=Y7xZ>t7V8ObSi!I47me__Crlzo?ym{p! zyD4p=k+K`uBBA;m>;J{-<9KXhXFNSN0mJV33Vtr^PgIRc&41+4oa$TB29!(ASBNdr zCLJ8DRRC6Gp0d`mA6Sw!MRtFR!~r;a=usp``KX0>)q6FjtdG=>iW2!`c2m|ElQLv! z4Q2Zs(7K9{|FcE(7h*3wQ(RFCPcJ9R#`Fc{s($jm%9+Kp)Z?Gw5Bz|t+GZGAo2ti+ zCaOP6!^j_FwsoT-4>Ds`K>e7Rn{!ZTtQO#ejTtSAZAH6QeSz)fNb+1J^%Z-eytTB) z!jc-)t-BkC&ljQZqd%gusRxYxCjz!NqzQH>yPpZe(N^#7>h%yP` z6#rt$yk*U+W+{vNGSIUySlCmbxe(Ss&8*8kGSC!#G%&q6kL88x8d*<^{k4q+mDJYL zwX{-v+1g-Eza?t{Hp;tlEW5P40b!mFnD^;+ghhF)RqgNkYzqS19r4@`M=|97?_oLc zHTX{dxc$R~I&}OEp!&#v4R)TRd6nvYo8g@Tam%0>j@E1N_#-1xb|xQh{&bi=#spuk zKaCe&7>m9!UbySZ?rMD#1rnL99GzK^JPc0u!=kMx)gy;TCL|-BY44lR1+MPSIKL+Y zThA2Z&54~bd0Z#h@;+HW&yjy+%^-0O?Pycyx1K4$h&WF?JifCU_^sHVkNLBDV_4^4 zjN>TIlFp`8-oa=!!sN6-yz|o`)Y7?_8aLtDtGi=RuW(Ges=IQ!u69<6$VtGo zoR|7at`Hs@jtsB8V<28zunm><#&BW~k~lN)}vnvXOO+Oq5fS_gs3#df}QeDQZ+dDk7&j^reqQ!iwC)6g z=-_1SGAYE3IW`a7C81B}5L`*3 z>uh6+hrir|*RJcy0B;I6doxTP5QQhMh{u_tYW4Wf+{y?~UD*XA2FGG7ZBZ6;6kC>c zii}x5F9!8B)fGbrMPustRK%qOqFuY#Oon=eoP{4to}(L zq(2D(@OHDq#vNx6;%SR5v=?a)S!+w|(}ubgdtG%f3s?7yz}Rj<7(E~c&Llyy=8^=< zJty)>PRwxUpm>ZM7=tJ;M{Le6!=$^1VDa*O*ppjH+p1P$q-!U2!j$eIi1KqpPGJSf zu?d`noKkNUb*<y_OQ<73m#E&1PoXkVDnChgd#gdjQ5Uhcah5rY%F@#N$# zSiJ5K+<48=mOhK+$}cFbrEiHzbAQR<9QFgY4ez-%Jsgv}1dy+_qLhQaHV!E6X8Xta zxzc~MBA=vbLe~&Psr&#eVhZ&;$&Q z^Tr*ti|=HBNZm@GGba(1HMGQMsFlpczIe^OW6&ogQPvZyqn$?i+Mw^K6udAp5t*g6 zsL3gZuQUB8`%fcD>c-Rj?}KRg=kS;f?)6%-7gv^IqF)z`82BQo3Z^wA%=DfgcV04FMhudxg23E zCei5=>CO>g3-;4_u4kI2`g-;LMy~w4R9=2#XWw$V073Q^@D6ar4_nUSXl@zitT>4D zPdrueRWOk{Vmfyt@nfTUP zruTET!V$`xn_rH7EPFtx8@k8%;AP6W<#-;9=%n^!l&VkhY^I!r)%6Vg&D<}*Y7)2z zIxSa@_NyuH76$C&@+_Wm3tBjeJ-|F=Wb8@j6F`00SXtn`rM0vo2qq$Gk9Hq{3l)n2%Gte;bJ@U!%dWtNL)kcxQH(MY-;F2P=FC5bj=s300<9eB$Ax>LiYH%LatP6G z)`(;ftEy_mZnh!g13??fuRwT+D{QPS@yVjSsOI_2Ckrqp$q%NqkJpzTL_UM!*3*UR z1zuU~a>ubetUj8j9s!*v>Btb>$!MKh8ArPZ&y*l7#a}H7x|gH-7*BgV_RSugr>*!q z*&vfLj_n+#UPQHHka*(TT_|B5JI@p$CD;woBzdwfP!WToypSw5rY1rd$bQ3~XKH#cCf%_>!dE{l!k4J5`7Z_J_nMFF5eN 
zT_h(3m9;oWJ3qj7Z)2a8#bpT}^vfvk_U@<2A$?a#)TP66tr z`_=ohv03D-uB8oFA+xf9HdLwBPLp@HlKh>3pBjpK#Y?2{STpIL@n)+Z&<4c{{?U zp_2Y-&-oIy2Gu6oR~t!eVQDpXu#H-nB$xG))*PG|fHP+cVC!guC%@Z+Y7!PBV^eH6 zp3ebVBNoy(^$K%WKiU6e&2hCBUn@z}v8-bC)$POdOY%OH^q+Xzs3!^L63U`h%$L5U zL&xt0G2q|eot#Vm;xRk+&z{T5%!;u4c0Z{eIjA{R`9_3{HYkWX$B~Hq5~wdns^8x~ z2wpdTfqZdbbSUa4#;k~fj9O$Wnn6*mt-@fco?lBxmlrgIAgG~G2PB=`FOc%(y4)jE z$|8qMZHSDLr##vaS!I+aX=SQhI;|W?xpJ?hQFY*HnX(qSv^uIhcuqu>GGv4&$C6%t z;UVcH50RU}SDw$OlDG(oxOYrvB;7wB)gqV3uRUs!a)k}Zz8ak|Z@JE3`%mz?JW7#! zrA*POtXCvyM7qGk$stIl6H|iRa(|Z?z5wgZN_`G@>m)9 zg5}k{!tmI*&PaH0AqwPY^ir1AZX%x?i*7_dIWNUZdq{nRX$s`Jq!mc}OIcEXfs`+8 zs_cXt364jA8}i?u3Zr3fwzq}IqqVK9(HE)xs)&U7yXNj zQa`D)=w0rY>yn=wi`~loQjTgn9!ohQo3yXWNA^Weye{QR9wMVGGa%=sPGVP@zmWXp ze(_7nrkJOamuW?2{;&Qax%pXt7QHK*;We#Iq&`~y0=X`EitJK`$SaWRBCE(Hr$k1v z3w4esB%M|#eLv z)Uo*8PQmWjak`-WoEF6X>Y$F~r^RU;^=H#jpFBhPt?9UbZ;(hBlXN9<@|$__ORo)0sAs)}iC?44JKxHS_*2_*fm6A0%Y{scTnhQ{k5anN?7a0y;XM z~kXDEoITT)sgfk0oULqo#R9$1+v^cOy80i|yl&f~GT_;OMv%+`AINlA4{Iw6__*1U{4uco zob|D-v~rK+CodDK7wbCC8A7iA?3$!EC`-HFpzI4W)-)h7 z*cCSoh=Q#=M$%-IO=fsxGd#YyEG-`$I&|pJp+m=C4wpu97~5s-q1s07)Hfl_*#;wG zy)Yu$lLUYSh3DLD%rTtDL!vxkXKI3IS6lVd&h!8m^``#tL_fSeqbuS=Tyfxh3BFmn z9}V@5aI`SRXr>zx?FCmW3q>dryqwUT_l=72Mv(lHK*~^Zu>6)bb!~LKH=^Y`E7c8% z_q11Q;&kz6Sv*egbija6ck~JKKw5xPJ3(n|LT~1`<3JX^`0)^`NY-S1q$^mDp)A{l z`}U^BYHgZ9ksfNjEs?udu$wv;IY=i`Vt%3RahhP%cj!>FbnL%N2++shG+Bz7-e z+e3XN+0oM(`%e|9Z&K**aOlvXLx&C>zaeD);LlsTiZ`;bf{GeEF+Ck?_hjMD7gwVD zBR}GS;Yk>t5{Tv|VDbw;VfNeWux|HRe7gDs0%V0}4_meR^E{H5f{Ipr@ZNgVRgAr5 zS6tz?t(yc3!6Ct2LvRT0TDS)<+}+*Xp$c~h7Tn#vaCZytZoyBjb@#sQd^~?(N}Kbw zF?xUc{Eo9OTqQ0p5)GS^&dt;V?!&2LaNFu1G{o#NhCaH@^In*DjgP!mNU*GE>;$tj zk@}px&T+ThNP1_3R+9`pY;2yn3W;r6ZbPf{UlN{&{(imjeTpJ-Kg(*+aBcn|n$Pd> z>p-!AQAX1hk5#6Wx!sA`nxVpBoI+6lX|ya}Nj0Rzf-D@-1rS`tPYkZ=5A`DFhQL+% z`JvnSRA(22MNT2c{?7nP>8DB{3@ESr`qw&27W32NvW<%g%v>#!D>fwA#b(azP&*!b zJD}nnH|BZYy8mW079^Y6y-;ctga4LvSCTHJ5y*EM&mi*>rD|jIy{aOt0`8{5PFYVW z2@Uv7jq^>#TpP*z{#Br0?UpLmhna}Y_B;f8-)Ys0z`l?7#Ng+PT>Hzi8W*odSqMMI 
z-^k|!n}J__m{VoiAF@5&h{_2orbfKH2`h%-M^`j+BUr4*qURS?iaY8thus+cPYSr* zo!(GkW4zD~I@{sjo6QuT!%$HK!~gvEUxsRhM*l*mhm04Fb=aP3&6mejhdyW^tkms* z_G0nYD8o?At2wdfpu2(LB(w9y*YJNDdZ&|>61jCKruV3Ug(0-8GRFo+aIm3Xy_p_x zt*bi?AzoALgG4a!gZhKr8uj(~TdMzs^+57uRi`U!C&1nxRTUS*17Hld4s3%4tmH{q z`U#Mla{9`rhb`x~ylC74BI<|;rMivfh#zaumfIc0p1FEg#xQB5MvUi8+`zde2zAVz zQGzpGfD)HVdg}@n$`J&Mby1c=8PaXTj_EEpN<-yOSC?Vh2DZkL#Z_kmtu)}%_^JO8 z{{B0Bm7D9`9APE8mw)41FF9hO3`*dNu~O_B-4j?Ts;>L5UGv<=-h@^quw!402w54y zcse8Y&H&T6z`)4Y=ej9l!{E#BcBfqG(buIsr=-(M&aJpAUZK6?!(ZHdYKW-B=c~!3 zmfb2p7dFUM*Z&;Y-+BB4(o<}xCm&nIph&aRlp!E~cg1nd84GIb_|^(C=GN5QdXAyd zH!&z$&>E?z1URYCMbaH#o;A)w=*v~>IL6>d8?$?eM_95-AL|8n+6?pV6VJlIy`>R@lo;83K;8z6fIbQ zm>#Y(`5M7!I>Vl#pIWGosPwp*9xbeDzI*U2D$snS*5aZ7V@m*kvH_M0N8hT$S`ZMHpH+`2P108W#rV=m(12F-I^o$^Z#U^gdOx;Z)pOsahF;{iswUCmFJS6_h?4(#gdL_Z z85(ZCFOp*a`#?OtaBrrR|GRqT?JNq@{5S9o`n0j5m^{P(vkExtBu`2G&kT{bQyVPr z_`erOp>hU8*qZ_UFfbNK(?!$DKz|K%3_g$bFB9Jz%JuT`N@ zaqJLUmx|ZR+OWBXmc7XeJ1c;8IDIWJT1^)V@7-LdIwN*x6z;d(^wB$7)pRN}ny?l{#HJBpto@2Cp+$?W_{7w?2a&lJ(IRLq9{p-DAn7q|%f)Bf2`QHIytIOCOR>XyL|<<7fB#99Jlmt#pw`^Ax0ninGB zqoI}FJ2rPX<4o}&srRbz8qQ%tcTYe37A^3gEqsTupm`dRkri{8GUQjt1B?e{?7u@@ zuu=cn+Bnfg%S9{kx$(4TTCWo6`ocMGWWy?O4&CRH5#>f4v|O0mL=Z8_iPh)-dS;iZ zvcVDMWqPpusKJxys>_p@+(hWKnJ(O}a6lTbR`13m#k6QLOZp)BG)TRqk^0-t5?!{? 
zPTDiz#iZkFJ?m~&=IjXA=qz)^OzW)O{~NZ(FmsPY`@ARpGw9XW+) zR}R;>0!LMH&*x_x+B8UT4uGrSXl8eVhv#|CJ{q4Y&#`(=WGNPRiFGgVwiMO?2^o+dy5Qq>7R4a}L#a zbg5E{U8|Z`Pf*C67cXObrUs^>POi=_M+-@Ou`+_Ad5ie_ZxI#ND9t zh*B(VkA0qRiFJ>qVYp{*sIztJ6cpMcC`L1RaVG3CKGEi z>zudTwwt#{k)akANtYYj3!BcryAoxA*~%tQoX zpq~lMEnfZ-b`y)sH8D0m zfhlJQadtF7Rg*-s56ozxwM+|j%gyUV+-SrO|E(f>R}TP}0lnhqg#dU5#zB$*D`&In z>ju+<{lm2gRQio&_^b{hRdmE^b^xay!1-?1L7ZXc6R_qmy9bx#JdY;<22sPUh4HBD zIFT=)G5N>j=aKoaBOGvWG@?T>n$1P9Eul^5a#I4c3~0QOk%y4J`i zI(3rM4Y`{i#&8LnUN4i^B=^2V&+FD0IN&?5|H+~$4>ftDs9l4@eDwE$eEp93ao@%m zCWA6c3Cvkf;B{~$zmnhB$AGy!jI*(bTIo&}+c~T|6Ip^|@n=lUn1bh3&dRF z0nMW1jV%*zZ{4O67%+_(@e32dI{j>yM+-)ItX)Vfpe z;e8i%{n}5;}|>r(D@2;lwuV(HiI6b{FLg7l+}}gL-);Rd*2`oe}WT|T8`D%mnJGr z2QT%#3U7#~6A}+5JtY(wOUe!dl2j)9H%t*zt=^h$ErY#Q> z+_NZHt56R8TC%e6rE%ur55f`C_U5Trj7W6ZQ3GZ;CGr2}8?{tlA-;yl=qz)Rr||8^NI@XvNgQ)ik1Hpiz48n(sx zv57USP>F7%!{!6_Id|Ca-LzK$#*A`E(!X{P)dLQ>RIivg|o)oiCJx$lR3!=0vpo!sbdpG^821_6+ zg=;k!%D^%>f$*Tj2pd9!0uMR-PduswH|c!17=F5?rD33*g!Jk<~MOr^^qbmNBd92 z4A(4STMPDNJ{Ej9Dwk$kNkY%ymfv=Zq+e@&&1z-1133m#(2#|79T>C@H)A{a;S{_( z2uL=$(Zvbx6ppZBKi25tq94TdYY3L-GPE=2BN3iTIxoX7qJ;MqTg8?NQ3-FRxM=*F zVuocEiaCbneLS;XEuVfoBtDO@l@)B&#>K9l&|Blg?ZAAA&)y9Kt@k=Gb`j2cO2jW| zl0wz3{Fs5v?EGIND1Fs$k)at3KTh2(K4qr9-)?M$BRc~S5ijRo^Yx|8ynj}G!lPoB z4i)pm;d2*f{RFIVcu%zbXMcuB@8kIM$pw|1rMl-VfoG?Ky?S6~Q-D{Z)7S!$QKB;IekQk(3dl4rzl1R80(@_74Q+X6IVPKmo z{i>Znc*+Bw-N3p2QFD+bb@-J8+I|MCNosF+)uLA-i%mw$4fw;7z*eK4ED-ml#KrYO z#Ppma5PP*b>t5A~`>Ojt=tx~BLvp#opESLgkz$An43%>v%RL=ottFd_kR!qv-ZBgkwgB1Jv55XW@!)78T!d!W$!|<>O>k)4or-bcH|cZCYH4X3JU7mM z*Rh8gTXrMKUFYRmGFac=`7m5a6ET@3YBV1`9T08k4wCKUsKXIivtjlz|HK+)Y0p?J zyBv$?Gk%0t)w4EEy*DMBQwes~ zwVwZExyfJlKi*O=BSx}P~wq7-T(B-a~Z8Yekahnln;0&2p{f>`_p zBQg7yd1`IXRs8klFuyg}BUh!IDIy(DV8t{2&4gMP=m9&apwLHA&(7rK^t51`+Vltu zPYL(OE4aFgr%g~AU%Mvg4EbIP4(}3F&fsg#<^4h!FSL1$b;jbi74zB9ODv>y%eJvE za{z(aN1w3hE>=H-+sHgck$%++HE!nMF7{eza#zS5WNhjv^!O?&x}{*qNxGb~RspAH z$0zlQ)M7ahdO$;3*A73Vuxrq>L!tCbBji#Mt=tQGw3;1k_A@kVEW>N8dyD^Aj!FdO 
zyr-leRq?b;SFOfZHT6ouW8w5fzdh@_!f|9(lIN3IbbUvxxWN?un0_>dK=t_BuUP0- z4yiC7^eOsst^OyhV|~2(ynlhd*R9MK5eB?=j4Y*JK(_q~{zz>u5xlz*$FVH_Y9q>S zKb`^)?>G51=XY|bwWvFuIPXt|RZp?A*y2t0a?tOq>6L`$tE0WonXlhEn;SUyD|sV) z@b*%ldL6}{+6+7=^}nhv=EoDAhlK(DX0uR2jRN{JSTf8YO4H>9CocESPn;bMsC%c) z`u1sE=eR3e=?>vHAtb|tizf=(Tf-%(uSc#r@4Kwg9xiZMX7u=nlG2iQ+K;g#EaPX^LtI$tM9OUif-R(x<*g*JREF50F1QBT~I1%Q7f%2}8t_MGMGhm1%kv z!ypd=I{fnFDz(%G;h%}Gs~f$ied6P$j)3XrP-XkR!N!Hz=$uTIG~VoWjxF11BanF} zE5%H~V~T|DfFdOO&y67P0^bv)kpGFo8iwNW1Ayy^xRd@}pYYcgszU7{A7zbzg2vUI78;qyMuBR_&8p6_ zSq&_caM}t6+Z~%d%L|yBc7jnLg{p2LOdG`ac}hHSJiFA7^?T5U~ zD1;+UpO{jpbJLVL;Jk7Wl#hjRXd6=}o`jpc8-(|2c(sT2>_FNSommIx!~Hpx+^4t| z5sO$S7|^*Mo3BBt9Nt#lC7dYg@Xf<34^gx$s`*t0sjU3 z>6%cpZ)obbg#Y@F>$m5-hlWO4@5(&t0%3qAgn~wplYS#Ppje%-XAX^n>@Il{V;D44 zA{+bfu;5s_)L;@+3rk6t=9t_~tqp|PcU1Kr`eRJ#__HBBzxJ~o0==dm@@IRckE@Vy z`QW>FeOh6Oa}cV`57OQ;9~v(tY6IV~wixLV`iek)z^3xWj%H$jumDZfCwb@OYg;dNm)|xzF{E|fD-pqqid@V)I(SE|CZ*xCE&QJ-$@K6T@=H>SB z4p)Mn=<7`^YEqwN(Y+qPqlzwdn zwqc+5oFU!!-nC9nNo4(+N=uR1DBqnfR|cCj@{Gp6w2D7XgTO+XY~gAPEL>br@?4g? zcab1aaTwP;`U|F>5!t*LEnwn}7`3`czMMh!uc2K?f(N_%+fbi-=JAL(`T7r}Sh0n!bfRCRvm4W-?U< zhD9;_ko;b1LLE@MuM!rTAI-56`Gwp02_>?*zNfwuiiF)5iemHpTgOSA4@g8?Ao8F&V-Nw5YoJ}K^3+{gZ~%WgFpraJd4DO zZ8Dx}i&KJ`!07Elwdb-OOiRL;G;yq}brOyB+;O8P1d=NRs-)wzWyQ+n=%+iOB(BEW zzV~^6W!uh0ZxKw>z&>lbBhkHqdGmOIQSabWUgr30#_s@Emb)F}AX8LELP;?jh7vnn zE0c6=Og>ICgqP~5e0T6={#brdo-lteeKFBuMp|AZWw-pwI`~zYSO#p*qezV8flNW+ z*SMMOB<>%?K7pgwJKod&+QIYj-O@qj$*7^7V1Rm@v7~3ZmsMlhmLRP-RSBhP@0(H; zVItv3NhtRjBv^LOSm5NqI!5TeXOR~I1eaL{_0#$4D zq~_I_C0oxGc2iX$CbfBo5OXg52%$3T-Udh?GvDE&z|_jU60z}3YOu3OUmg~$n?R6)4;8TsWZK^ z?`iG{_opl`QM+d4@Wq@Ae=6s}m`6<5m?{3Ltf3(coa4x^ZeCo|Ebh;|JI^*lEVlN@ zy|}4^C{X}JsSr>a24=_UDu2E;qib_o{t5svlm`mfrUbZJN&4-#A10s2uIW&2GDuyX z^;59>%J&KLVIkXzzxv|EN3t}HUh32vt!B6)?t}z;F+!M}obYoM0LQ=Qh7n37!ki^wB{LYe{10lie)kV z=lf{j9OoR6#wEz3%@Pw4Az*JX(CZDH8q6g*wF!Z$tHMvQW4CC@G#ax$raBIfO|{1$ zIBb3^`F!croBNSPqxPB0W|)K)@uOtyjc{TyOe7sXuFSaPzB$8O-QiN84Y0dA4f|N! 
z2b`(AElU6O6p5c>?jNd|X%bk3xgq^Rn~+{Cl9E*f`M)e#lRZv{d7e9&;+}&-^Kp?n#a00zgxr_RH!UEO={uGOo%RM5Nao=|GhSlZKYME5fBXfx_t4Xb5UoR1QwJHIgU z(st(M%kmc+TcmGlor9GgH6iMRNUY&RX7es0y zy;t6Rl{EzIRYJI8AGB5`C`d(IR1lSIgDi~<8R844LI!rFUN{tjcb0mWriu;JzmVy_ zd7I1l$xiFr^b+afS31E`SgF6GW{JEdmAD{1se@R{N$OQTPFRj%VcdO*>0Sq&v5T>F zxUG9?-(#w41( zZu~>yrAut^G7dTE(aNA4FlJT8%GC8q)>(frA3I`t(G>0BVzr?nOHIxcpOfzy6>lTK z!-F-U%D(7c#oT?-YHLf7{5$l)F->1jULrlRxJX*C%%$AQFw^6p041@LG(WHfJm~X= z;UamuDy_YfQhu4aqN=R@T%CI3g@jE^jf9N8yo~aQjq|bxKkCodw|;oQ!MX(+b>l^X z#g>bQ7PJx5lQm?+9vP0TQe61FF{$>_b{@Qbqw zi9f5d%Drh`@YtXU)t;|+z_ZgXmOl!SFr);Zp7ZV1Y3LUDD%Iaur zB%jg3^0uBU$`OT~O}3k_{7N6vn>;~R(WuX$Q} zHpjc3JeEmOUq5sUVnm#$eu#zvj0gFCkbb|=2!h{pW7n+27oxQy00TxEu=)~n;z{YM z#cK06@Pt^}2Num^=bZ-PBNe$1TR18_-I=wA5M4K23?3}`uYRt>Ag2}8RsH`kiIPxh zl<@$AKW|&1U(JM9mL2NZ%Q5w8w6`jgC=E59z~|>XwIH?)1jbCqG8DJ#Nh9~w+j8^i z46G|fT>Qn%OBg!XBq*`)2ie*cTef}LdczU=+n#1pj$xcWwEQ*hLkNlRwhNp&{|70A z4W}05kAA9lEr&qUI3p8!IO=Zva6_8cpegmwPFk;R=oC+DOUqJLE*p*CyG7Vk3olYS zG3VE(Pl1jSf;t+;s#d)diF6$7ce%uuIP?mc+o@Q(=k0xXLrmfpqOT z@*6rT*=q{_0rRy(tvGhm%@p1?scbZHg*iQtJfx`7J{$iGRZY{#C^lH^)&jgw5vHm5 z#yhUp{XHov&B)g64P8?NIPYY~U+&~cs+98P^HLH#eN6RqrR;6U(iB`#uNn57$1lLt$XNt(G!%XNHlQ!@(1kCz zA#~9+DddhWz*vO9@$J5>=LzK!$l|!PfNboKwW33HE8ND&< zAXE69#}RkBfp#-F0=?sRr54MHCi_l36v3EjH!ncb+OEIdD)@XreuNfzxs0GTvSFpf zo@XdZav2CJIoPr9YPdk(qp6Ycd$<|R7s3&W(GZ_eUGg};nPK$%vg}U%tC8_Rj`Vrl z`6t}f<*&SgK+923NtL$6p9?~!7M0XgzOk=*s`ALdH`^fg>(Uykm#BceNX-@zSwTsRcSmW@|TR>G#n1C zu7um`AWTsI*4$fbG%g&OqSc8_LvNl5!dExNe{L`a(~9dR%8il(lQ_7%W4}yOUOfc? 
zlpTLNLRdC`2g-avmh`vfR{$<0?(7TF$L85)D<%CwtpD;`SNMFL_tWzZtG^tRB&D(< z?U-w~8)1wV*Lzbh5-lGmMKB+gMWa?w%80+bBI8P4YQ~O<*%Ebe$HHgGVi!q@_&UZ2 z=`Wcx_0+HZ(hw)5^HMWs1fX9%;PlgFtkFkW29^oM?|A<4JJa@0B@H|6ZP28y#29G+>$7 zYjk-EY{2hPKdp7q61bizl6217N_-GCE$&z4QXA|9F5CH^Ssn}hv%pRsNg%tY+ufqS z3UQ?I+1FS`J;YMXCCCVCSH~XA^j0MB+%(Ml$u=N|#A8W(yx49&BWnh|9N>Js0M}Li z>i?!#JD@@<64(B~LL4YsYmp;(Fuu_N}4Q{4;&o@)5D3P-yxn8id&SZ zmLz=z6hhkp*Meh-v*+S&Si{|XsN2iH(+@D|3RhD_#y-y(k&u1xwv}waB5=u1pISjR zC;2RMU*MO>P0$%~P4Svz9@Kz<2Hk_`A~f6(T`N z$oby7BUxD{b{4zbq@|a&(ai_TveW6fp>4OwHND@Y%yM?dW5-zU7~NUmcL-SsYr!Tg za1wybJ|1q`cdZ{lrY+-EmiXveY`orX3aLHKpzaceIk~0z1O5uW`wr{kGqlw-+Y-S5 zk(Gm81%~w0*n%ZAIfW9}#sbS!{$@=y8je%L(&Xm4W*8#0_5)h;+lwV-$T}l!_QHl1sSDLDd*ItSxl-R4ZX$_IkU~xIOeBaD(TQpEt)% zGz)Z_R%f#pS|n9l-iue<6+WN4P!xkq5fms}iR8RIgaZxPh#h5h#`$-i?E)GrL2Z+2 zO79B6yzyxs$d~-hzVUp`Cf-wLNHC|+UEKG;xgq#BAOMN?w^9UIDtngd<#u0)_)`YO zKSrW=#f)E6afa3Y#Wv55xUU*)550&U;F$(2k%Hfm*X3zhLOD$NA%rP{afybISj9z-U z=n0JRE|}A=ofr0!)fl~BNVy87B#q&<)|zp_XxKrRjVKcj+7bQ>d^x)zlxI3)f6t7* zI8FI-({yA$J1uipeS7rT*q)w?wXZlIrMb>!%7PTR`wbWFZ6BWNsk{PhOR7ZIuyeBp zghhXwC=pi(?N0gy&@%lde(NUqsNqdNoFQ}YH*_@a$YRFQyiJLzsv0&LXlvI{?xw=O z=d-YVlzMArBzYp#WA?YckP@f)V<=R<AM&6=3aSq|lwCcdu|E906fP3Wah*cWeW|;| zb+BL`&RLuOO4%RQ#?d9r`r&{GopQ*!Pv0MvTk}wY)OXIdBi|lk5Bbl~Z_@QQ%jEf6 zN^yZb|3E?@TC06)aB&gh8F2EXXTLY=NB=BX!u&(GjsCcP&*A z=aJn_T8=e}IE6+Zh4b}A;Cos^1ZjQQ`?&?hYE-{qE;1|MZLNOKDoB=wN(mVm0ZHaRZpoUhwx$e6 z3VA=w`?0Nho4B7j$J5y>MkTW7*kJL~FplE0ehA_C%=1{a+3u}#QPu<{9tRNac;dah zXuxogj%$AM?Bz|+=qF?5II$(2U<3bz?os0-L(;d`T8;_9YDX!#TKzjq=2wm+@sb>& z-PfwgGMjt-qhdL!A}o#-0xyt8Td$$CQb&TjD^wjJmEmIB5sL?+?&%Cb1XRD`*)3eV zztFp6QZ!Gm%B?7%q9P$VRdaYw!Blp80BQQR%QyXwV;$RoHbPP`%f&2Uda4m(5sz;IPfW}GKsq> z>hFI!lCQ?03cI-D`=YiD*=TY^u<`tPVO{3# z+-$GV_GC%5+T5=TvJa}mxjC3xpKxkXrS8=RqoRsJk2X{63%+ZTPtzlG;uZ8?91}L) z&P_#WQq) zn*#enMp>cb@~NG@{m#{ilwI{N$fg=NY}O}BiJVrOQAfWdDsY@r=Fimn504l=62BPi zIO9%c4&6T*vm&vVHf*J(>J^RDkl8Uhub(}W&W8Mr{_Jg0bZ1qO&-6_ME5*W}ncLp$ zC`M&iPpl*P1aY!NtR58BWl2h4`rrt9`F!oSFLPb))=3#KG+#aBQ!XqbdAv_zs#a1| 
zRl!;Dr#HMV3{>fEH==gcdx3LsW|De8Mf@woiuXoM^-Wa;4cX}5PY`iYhid@wp5I%@ zq~5;>4PC#Do=4dJf%_lVktT~0|G-IKKPUUvi=eoKf~0c6bPOf?No^$Nxa}z);J|C_ zXx{?^s|)q53M%GS#K&h&9K3W9K*+ni<%It!Po4!&19H%c&0vZ=@v+FolDRF z;jz}3CNJ<6_xDVy)I&LvYy^pS7x8rD3-E^^nepP4@Xy7(RHa1F8I#sq8s~h~(3#8H zO2jlDn+ih>-_=bf^WPsfcxNm!Y=I;F7~T79f2Kh|y+RE8Ij$sQ{%c@36_+tXCbuPy z0k*YG78ZKh*+t%I(I?TZ)K~rcQliZ*M0tG@?Ia`O+XZEc*5_88(ghtQ zex0bGCPn<_0Jaw)sM5n4Cx9lv>pIGLR#I6uVz{^kh(oIm_n%pUJ-}=s{5#O$`(ppE zIUU#P3k45_FmehdIvj662zzUM{Xn;03=xaCUZ_naxX8-H}^{20X_7%?P}ecA6$*CHlqcQ)--nU{K* zvG*t!+(NN}5Q?pgr5F`HlV`HY@z^PJ&Xl_EWIS;xe$>lw8bBs@mu7yhUVfq8?2%)L zi8mL1_Dla;=2Ij03o0gyX7kD4VJh}N)7vo(*`)H``zo7{+waG;VN7fe>Yo6cc(ZrE z*)pvB_r&efULeVl+{`~MFfb}F935MdS4Qu?+Ag+fW9M9^=CL|&br{?Ug>AVMHp1UI zb0)T3w!n<}cTm1N4HL;5u5GrGd{@UF8W!lRKOhEpwq{7q>vdfX($2Li59H84Hs6YP zZx?*f?Sz(5=vx$XqP+v`ziUJI#!l1{$TL|5-d?vPC@O+acs-s9Kb~(b+1N>&JeMN_ zhrTA&ZYB}*n(kFa0+w}_%l}kzPIL%Gpe%-9>WAirhs_CQ2NO{^8oTa`Lkn7JG)vZ7 zBw+3xTAA&O?sitg@jTK`4BmIUk%AkMMB zGY_{QF`!ZNtB>k~mu)xwR_-=ky%)$A`BGr3N*N0$OxlA(q(FCps_r13!c4reOBD?p z$@1j=NUxT9FqV*6ZUnIqm5oF%u~^NVLU|v%vsO{nF9i0gF4&;AJvpt?L`kfe@wzcS z>2b1J4V3$7<&9sluE1$_3!;=w2K#u{P3D!if!R)EpkisE{#W3=IvSUQww4ytX;}~X zQ3xequd^tlH66Poqhi+=&V_8oY`2UVORE%1=KZ4}i+yd)c4z>X zG91I7*9S4sdl0)0vFmQuo_Jof$2x5J_7%32QJm6#i_mdhS+uvfx{|{jZ;LPKglzZs zWD9VSZ?w!2fhc9J6e8*7q*t zYnr%+%HF#?%#LU;*y4O ztU-UDT!e7h_05kp>>u6F4(yIMzl8(T#Wud$B@H2Zd-2kKY=R`}D!L^B)V#2(>Cj)O zpJU7#69?CB(I8_Qic@zLA}O4=90SARgw$#!-qLloG_Ze3Ht4Q#kTB8?{e`XdNdM7y zwyrbuPVZNq8{qfT&*UmOdEeU;hvxNJlhzHKO z3hc3&3~FHO!8HV{_=kN-ZBhoQwrvH&{|FsQE^jwPl2y1jas?2z8K^85fMXvf(e%yP zUkoPC^s)}evL0n+xX*q-$hF&%svKMMy3wB4;oc(Es00|(ekT)>R(Z<5&dC_5<#RIUGhd33TdWryz~QVl(1J%pO&uHOYET=ZZ=>BCM??(#XUOu2?}`~ zZK4*ee~qY6=r9Pn=P&C9QD3&unEQ*+@)g|UzijL(I~VzXTSH_4oFz1#ZAc%fD;*e5 z66jovuHK%7InSr611HyAqKqR4^RRONlj9 z0ll+|PQY&YsDC}of&}*oClb@+Tn?w&JC)U1#4rfhrZ^bkid|MiF**O}H&!>1vJrf5 zH9xMI?RTOGPY?C~3OM9%4ZF*z&3@S9O)~OsgouO>&&|thzBtUOH<|wp_JobQH)`0~ zp-97R-P2Hj36|2jA$>yxUXuLHTj!I1E}%n4SsuOVgsiPkPm(hA(2$|0wv>d!oB 
z0s3oR``lftMT9FbDe#z-?orfHACPTRS;Ot8?uyd&*1gzJKBUng=x(M>i zzT>&a=Ese;3!>)z@R1}O#M98-bWz)hf~X6kKAo})V36$8 z=R9Z8hXLsn^fl7w28y1RzDbhvf#}}V-Zj0I5CMf0_!^7yUGt>BTkp9uLQl@DAMQJU z4a3^R3-QSGjyFKD$6Vy#7;uOpx6RrM{f49h;^d^xQJWAV)-YVS5DO|e0H9A zuS+~s@_F{TT|-oDTl}W{J`4J+MiP=avdsJLSpV~j8m;bIuWUh7qkt+NuM6tOQK`gF zE4S76W);9*vVEBoec`r{zh`qWD+FPE_+<8s*D zX@5HicJPAbu>nsxQJ2PI2t4cJ1abv;qr{+dVcQphC+2_PY%I0s<<`P{BqzvHpI>B` zmMZw5r!e4B_W|<6w+x|MMLtN^7m?P@*P;9!gO1gwSx@d-hx2fJkNJ+f*>4N;M<|{3 z9D3=|XSI+t-QSW)>1o*tKa{w4VZj33DFF}TdvTZS6Umois{oI1_&%0cR+BsRLj>L9 z_G?DA=N%YY8_||37UX@EUohh%`DR@G`LZVz0oYl`WvKJT>Y$2}5Z+sKbf@LPF<&|p z^A#q`t!EOU*h=dPhvjV=9l!jm2X(g7M-)tH1HmlP`ol4jcNo4cWG+2LVzsFVz`#J& zfnBH9q;{xq=m7J589Ihi3;SuWE4j-p$Drqtr<-^$rmaJbo9C^ZaXs2FwrgVe#uv~n zgxT-e4JG8Vb1zhY>9qf213C3C*={4@jb1_8++O3P9#6G_y{>{)ok~UmfFS0LyMp-3 z2|e}us{UuNA$hVw)O~x2*{xu9Iy3?hYLHL_05XKTLQzxc(6dk&&R>WsusC-5AMUox z;!Vzt7tN%SC!LJikc2|K@dG~^aKdAao|UT{rnkeX8p^Z>B7?=gKPJ@zXg<*N5{34& zG~}W`7Uor>4d0xE*}fg7pCCA965A#}eR1NFlrokJ?$6qnUwgG3`;3S$Qjzk&sHlQ$ zpJ!+eV)SJO^!?#+i&();&(gW9c2MVsyB48ZJpal^z5ZPWoA(#uf{$LJlYX{M?PhRQ zgxyLX0^e7H0Pd^E+6I4V%qB-RgO_jDSUR}c{!Hz+z8LQ`zA^<=<9Z<<>&mb(kP`=^ zTYGa=Y9z^WJy%0d-@cLxqVWIUM=JRLPHkuhA)47D9&&_@H@G$+wh-HRpyKZj-!UHh zD7%(b=!Hglr|q3#PFZg7xpd1VrQ^R>zjLE|#D;PuLccIF_Ekw|N#>u= z3Ap3HYEt<3F(uB#QenfJB1uBbT(5wOaKZz~uUyZV%$L{Ea9MHV=c0q4qbF#}dh8Tz zza1d5eOXR85j&C5n=k2zcz!NGDoK zpev;pVCrzFO$UJ5SCaj27Om&Lm(Mf7SuVw%D;8kWm8Y(=Hrn|CR2T8L50^J3+_3 zlD7PbSNw#HbLU23h{PZp%v#F@l@%}4jmk**;l%CNP9F}=)y{DPjG4ifYAUP)%V9NG z@@th36*%J+oWG}g;%fO}^OFGrkB>ChNf$9~361pbKCmkt zs6Yv?tVBhLLA?NFRLmU%IGJI(XKYC6=?ICd1;tRGY%sl`83q+?BkAKR+*+^FQs@RB%5>CN?n`{XM@?8GLRF+`e+$EWA|X>j|-qxi><0+1AKEM_6e0^cQ0ivI|-$!6TtYTb*dLX{Ro4K9V+j zmy&y)Q3sVc#&~nxC@khU9E)eB)=6$glkq86*eYEm_4{2n(1SRzN4f3OG&%rPzp17z zy||9^fCx0V)FiN_>jKM>?nQHp4+JUp!T4vTMM%-)e(P-pHohZCxiOG&PT-h4CRrnZ zG^8DSz!nhcn@gJgqJeh>t1pUSJ2W&);z{M`6EXrfcz>4qRs*Ma+LS=9pYG2(WnY7h 
z9qB`SdJU}|*73IumP>t(X++KEC6H-k7K5zIe8JbuAy%>eVOW8lSStu1`K;B`Mb+T0Eop*ZJHFVr)1-!_r`xb}zVX2=6ds|R+U#H&ohyx%-`w%4g&(7_dMe- zf6DkywA0*cnuzk?=%Wxea6Lvh58DQgcAc^!AQ0EGJS1hSQp)^eH(-Ni6E)zXXS|oE zvjV}2#x!u73Z(ucc`3fytq&T0)TxNTk-<|i7(6~Ugx>DYS^OF(-Sm%wR2yX!ZFJ#E zYxl}L25&+eEU`@6^9LmYr9?MxL=XY@7+7=k@E~QvYcmNuI}PJSjrt*L1)5;3wqhWF zj_Jk)n7Vb81sy>&zhC;k^fK-t-kycrEsiH7{!Ak|S;xE`Atv*>IPlJPKg7DS=-#EI zn(9AAF3Z?yNI3%g* zFWnT8si{K6$H}IftSvj-__W;bc}7@H{m$nh`iwyTZN;vp8pf19J1- zhmnRC9Ta6eAovjJ%Q<>{ID25%w;@RP>c>1|R^GtPs1!+|S7t^EhVO=t1e@tW6qN6a z5>ARN+g%UehDb^T*u&bIxbSP9Bhn_}=u+f7#odx`7djPtr9+XSTyqKwBa|B`mK~cA z!4TBQjP;g{yFCky(CS*aE94z-lY@r;Au>?H7^l~qj0v9MyAD4TAIN&BglN`?(Oq8V zYCeBd|EckV#D-&qkGf^KXnbZYk%PSVOGtMo_>W^97kSLqGgg1!q7=qm-DChy4 ze}>D5c3Ibfu_RQEMXAY7=Z{nt%mbtLRu$juEr-^)FfD$IB}Fd_oC_Xqeb$WD>Pa>i z+WtiU`C}f+ZTl;M@x0BGK*Eo7HNblBONky;OkHQY#o`1nab^x|Z z2qFF#$@N>THHmcu&jEHfmv9AT*YNx^AtDD}@@6$x&C-~TEB@~b4%|K3o_=>4O_Uf+ zQV+UH1q3_E?6*@N%}q?Ml!F~AOxG|daWDd`oVBKVIItMYLgJs#P6tV|46L6!g)GPZ zWU4&A3qM{F6(p2pt~A7{`97m*I(A~mwxp$n2MVMMGx10{vIzrPt}35A&L9K@M^Xai z>K5r@xQ23%xigL)sq&dpS2}Ic9{Jy4=I({y6&MMbqYd$Ch{!AFVxz|u-oTC`=6p%M zJMc2i*%8Rm^zX9W9cGnJrnA^vS$_BbJ+{2vvxH#w2z{Czkjd+T1NdBN|nW^Qw53xdOIRGk_T z)TUg5(;Y-kqmL1%dQtnnWPKcOG1#ByY4lB($*L77(|Vf_6dP5!)4BhBT+64dnEqOC zpU4CIr+V(NNt){t$E?ZNZ{cmpQQc~}A&QlwdJr#E>yk*JExLWmuYdfxJy%x+*3Rnd9t9I|8R-#!!68dzI zBorf{{}!!Hv2;$h#5l@=e@;!{x;Nz}^;|YeGCW(n2T3$=y3c^>GxDqJ2;Ll)C-#ew z=#v;S=%^;X^S@ha-_+GGXyyc>JpMfi9Yfz zy#D3QU46yMRw1wOS>pYUbYr&Ox6G1kacH_pAopWF5&G#mm8-AiSpf==VaWkD5x5Dh zo%hb>ZbSkeP{rwbhR7YY+g7OgSQj*GSu@YqH57VG5*y*qx01Aqi;-tUuybz%0S)C> zOsJBrm{>lE(R|yMcyB1b|oB2wMl@6SLTxSvQcxdZBDM=?L z3@8EbkrFD`Ce5C4+n$W0*kj5dEz$%Aop4*PfPcvTk3QDlPM2;S=0bcMBm(fV0`~rOX;kPH_andRrg(TxpQ9; z+V1fFfcBd{$6~?ZwzBuupG{?;4qC{4%8`!ZuA5{KdtWkiHdd?7L3uwY)OcU1t{6n} zP3kP8zF=tCm)dM323a?3wI7e-q9%#5$3Yslbnd>tctw5v)7tjvHvtHc_l2?oyQCy3 zAmL9IyuBvqA+p=u_mC{HDQLSygM!Yxdd$0>upaWR~Q-8`If&S3JhV zz=a-4@)-M4b#y|0VJfKMAJrQ4${Pp$1%VI&^JuqMH~pTGh&17^{;}@43C}f6Y}iW4 
zE5qH5!ehFixNRw96KK#H^kX~s72M&pkhUwoMbF~PT66R`3x)Um*ZUvpdzY2h*9ig% z_h9^|k@EtN-x&X6)uX>iFr0_JK@lS}Us&gJf04a~nECcbwJ17LD{|6b2tsPqZ~LH2 zB>yqEo&gWgPv-@P{tfY})6b;ptQtnbEo#%pAxA}J=& zONlYPDxd%VPL;eE!n2yYtkP(m2gBri6}MdP-226^RMm$gn5DM;d}tAiEw{inO3tL; zpX#XtaRDD{MGzaLQJF(Rh6Aki5LjBd22P2X;}R2P78d3W+Wn6uj~DL&HCou1~fO`RoCXbNug~YmG;kI8cytz-FvTi!37L35|hmo9|I4H|FP7 zjDDuFx=Vj?W^S50lsJNrXv=b9sIef0QJj<9P}CIUDB|;(0sr5Z;gnL92Kz}<>MCA_ zcYk9)(ebIBiXvt-(B_hH^iLp?q+24UHFcM^>dJrj-!aO2Ee>V0PAH`Q}80THjJ z(kQxJ+GqehSSR}~f;q{j_zdk`CvNH*oG$69e;0P;ptvQOS&2pZUuHo^A(5G`5%>k91Z!m>{$w=&1cw%wcsJ&P!7jlxW?tRD)%qi3z9c%1VeA8b5TGL}=G(cE4ZY1{Ves3XZadY%M`7wJe;na#JIN$qZZ%k03eSZ!sNL?kMIgRD`v(Z1C z;UkAj9X=-iM~N{0vBq!z=)GLCk^)E)a4EHh>ww_k+Z&_)4XO^^MJXr1{}3a)$7yZ< zG%YTIsaw5geofFQqqK!r`$(PI-HBvT$y2coLT{oCK|gYUPL1_qo^{=mP_TTW_&ymz zbQa`6F8MJ&&VzlBrS7l%JAj8VtA%Gtz&;h6dw`51Jso1!fm~O|?jU?H2#j4U$i`7o z@*ErjLH@e;>}tdholW+C%q4>oS(*!9Fwz=%X~YA2gHeF(p0r*y>03E%1TP_1v|YiY zNHvxw_0K2!?myMyUjtZlkI}{+h-R+5eJ(e$9=YFNGc1T&PvMbgy|{JsLdBs0j?K!> z@zu3J^rMSi^GfYNWctdp7Q2EO?8p(bL|hjKFTe~1O#rsEVIp1L-x}HVhHGJupUg9} zIgE{;8MGvvg?l)NhE}u8Q!Axvk8@M>oJB4Fg6Nk5*<{_D zY&$z^}Hzw!p*r$jAMRT?(sO(4y+{6=pIqwMqnKJfTts1J9rtl$ z)O4JHJU!{uS!d}-=44G-kPNqnml?n7!kdg*`*1#>1W%7`Ape;^M_G*1@CIRm0_;kG zZNc#&DAg|D+Y;i1#1<%iIrTm6N|iXlGR1K7NYGXwk((Q?yg#`H9qOr&~*S zX5hLPrlhkK!kQJ_VO=D!W_=(@qvMmC?n|wbs&lNxqPpBc@yV8@t`CW*I&~Z=MkRT` zHXSipb6+!rX6n~E{+bX7Rf;B^3hC9vh6=nI+y_urMpiJotHib7_ZkrydY_$wE4gac zwixs%!!uOb52Q;X`tN+xsE|uGenn>)F;Q}k<$grg)o|pm*W0&HoX~rp{lMG<58`ai zTBM`fz}qctKX)N09n^EXj4}EV{b&k4#gf8vWhT$dcngppBAr|KzBL8G$(Fih4}vZ0 zFV!f2_)0Yowuy~-$&MY5s#5l~TNV(^AACl##eZdIrE*Fa`HG5brt(n;9vk10^yKiN znFTkYlRO7+Rc{MMF^c=J&~8vAgp5-aqmUJCP`Yv=6{NRDCVwfA!v*&#~MHONV=$p2=1k^UtdhN2@2RK(0hf5s!EYJ>OH{|!DUyuSP_R{x09X9Y_*ei|6%MTfH*>k?Fl+# z(6u~kosAWQENM=?wF+@JK@Q1#wCW<7E4azsd|SHSkZSQ8JM({*V(33hQJl~>yuDlD zaT_k3mAZmSlkP&D=zP`_ak4zb%E>v@cqSEPKT0kiH@+9JYr!z=(ge0_6doMJtsX+m z_>H{ylNNpcec$7?qNdKb#O_?*Ejb^Q2vHn`sUKYR*1n|5m`x3Pxiw0Os+!nniObl3 zmJ9BiwR_%{4dN20m?e5nClmT`Ao 
z-UMCbuM^nT$?Jv)vSFn_@?Cw4>Jws<4rQ;KL_=?~R!m&)gyS>6Wu&dwWXmdR$t z=hy#>6cN_YivV{?7&JAY7tx3!p#(PA?eh?4?O5IV7L){h@Y78t54ZqXU=yz z=8e%7zY@#&+mF(JIa?>`Z;;+$X+mGwqQZ|t@D*YjlHVE~E?uhMrgJcUnrby+xN^X2 zcBD<}t|l{IpTGt&-Sou)VPmDPxkK1wFB%tp?X^DHMuQcED- zSjlRUSmub|aQT4uYHD`p3I4@}8vXVt!SQ;->*+?Tgze}D&eME&OE2FELO;mO-tDK0b#Fm@|j`m@U~%8$8L&{aU<{~A7QX)HtddN?gcG{@ux|k+ylHw zcSPg(&R#^&c|E!DoEFp&nlPilj?u*{Qhy(;{EdIThYZ}SgbvQtE6%i zr{D97h5OFOtJ0&BA?bJLIYzjNc)Ax9s~@B)agi7zQ|*}8 zNyD);P4$0jJIzmv7QzevH${3f%`MdrPD1z1{J+FsZ9+@^*pc@K3semg)>n{}Me&*o zq9FB`#^>aGf6Q6MilD`qkIw%bs7L<}JX?K!1y<)|mgO&SYO2{zjvg^fX&Vfbv3IYIDhZkH z*4e?Y{+Mo-dgq5XAId%d;|GW02A+v>*qHL6U*at!_F;j)jLMV2RUh~ozKj&bNJY@2 zgUuqxQE@1yeN~US{?o&|i=4dwa1#Ijr^eXhA4bf9XSd`iv2CyNxTEGE(_t0!ht z#s3z{V|#|skI=WKntfQ6Hg&`$H|(>o8dyUA?SQJRjBB@WD(2&hxqIp$DE?`BLHo6e z_I2uBpl0L^mskbc56U3gOES(u#3f}r%UM9TpEb*1mtpVBtHVr^kBtHK;YMWwp z=Im!45$F%rQrD<5#H|PzW`=5X-DQd<5FpvBWr#YHSiYjWE4K7`CMzaUdf?wrK)I{z_N_{ z)J1pg_NsTn4DWxVvO=qDFbV!bt;2WUQv+7Sk9El5t+ zXYH17RtT&_+o#P{3k|oy`lg+TM4Law3>V6uNv{*oC>7Ug6^+!>gDN}m{2@Ma^1k3G zpDP*;p3C7{bpAQ|>R-6-kui`~{?Jm+d^Ega*^->1u0})@W*4Os33Q?B^C8%=;~SbG^UmC8EL-`U7PNnBVJ zZv~?E8($6mW-r+}HRE(I&@oL`5x4VKHsv(vh3pG_I3DFM#>^ z8D#TSXv5E2;07QXAp)@7(#fYWyvuj}Z!;1?XFBCv+xly7WeO%}c-rye&vO8<^BJeU z3h9fja6jwg4{K9gI49!2`&ncQ9nL1>&8+>n&Is_wAi^vm&T;;;`@x((%bjjD= z;#brR{NP}Le22zQO}rc3bVqi?l;EbDBEuNAJgyy8^yI?f{d0kkZ+b@noLLE&bL=jf zt|;O$a?d+kKH^9BnD6fv1fbpNiN6@&Q84Lj$Bg|~n-69NznU_(7SzKInV{zZ!mj6j znZKLr(9^1zSYNVF_Lcpk(G-eV?vt zNKjXoAX&a5jtp82$`9|)Q^>=G&cATWed~tPssg<1rjxo}cy;o5=vT`kdKXB>Wc^9m z*D7tV4i96DPy-FkZ*^Z#UeSWx$Ub zTKXxJ)uhim(Yb1R&Q`J<2fNG-C>ixvI_=D9NbYG-FJ+fYQ6_0*$CM+f6L^=MysC%oRxc=bnGeB^6cY?dSTOhc*ySuwP z1PBCocOBdULvVMW;5xYT^83HFTeVg1uvB#2zYHIA|bPRNYH3fXc=*iu?_B)Hux<_t_ z1zULT2YAF5m$MFM76hQQ&$~cHfc@^M5kP(yv9$vk8#?{OJ~p%{<@@rtuZlgtPKsS> zl5^Vf7;z%=>p=CsV=_3(yQ*UEEAeFd_xip+ODrKQ8||qskVK~H4#)3DBIO^5qM)_p z^X2dy7&kVkaP+LYo3#*#cIAk+N|mlBf^=?IjIGmfxwzB026od9!m9*l2e8Zgk;-7<$zQlrC>IjQYKdni6&PDgOKa 
ziC(TcEp5G+iw^d}p|B(k+-J{nx?IFT3WRpD$q@X1uHe~!3JOzaH|dmCS#Urz|9OP+ zyO?@Vgn|6XIrPQE9pwL`i=VoV@t>})ol`m>{(!x3{+! zlW4GR=A7}>`!$`yiH5Scm!u)N0v>tK5mh|9#oF6i^53UWWFdUUC+D6=`a-O(#x&tR z)@g5%&KUZw=(*BJ{bWW$vGlek`y$-Ht=`4PMz;Q0zJ#VrxWfR&AZ`+;DgWae9-oskyU*pd z*naAyLoO zZ@s`D9-nw@uv`9b7Xp__2bmgCJId z>sqXB@$9KDMz&FXsO=e%!={D40G`{Bc0`NH&}@c`@qoh6U(dirSunte)7Sf&jU%R2 zdN~<&aeF9YZQ@OI$i4(bpNlT0&dh~gp*57d_xR#7Bs*xRArBJQ`R{#FfI`+q37P=E z)klOYnYl~(R^t(E1$`Z^*|Wtlz|6Wkiebp|qvRchg?llgk8Wd<^CPxdVEvTlfva*-mG9;bpcSVOn&}D9(_fq= zY->Ql%f*V_HRGq`XFyz!FZ4c~GFfT%MID>)5Y^}D77;?W!@ZPD$V*GT27i|wWZ*%S zQC6qrABHip{y>4NtsJZ~>ky6G^7gmqpo*l~S%V->4)Eo1wexp5FG)GdC5q0o`3_f6 zH)7bubCJ!Cv?(DtQ=~)#NY5Eqf!8W;*7=4V_^gChcXu zTj@Qgm18m|`7i^qj2eEtD1kr4d5>?$xuj&t{yG_w@TViM`&MK7HJB#P zDAwcG!4aqlBB_TLcfLgY?}(?f>$@#plmwHdl}J8BsB3hud({MGHa(cb%V@6ZEm zbAi(`w2MyH)y%xn?&|VqGAzdKAIo)=Dh~Z<2Y3s{Zv_^Et>h#O7Lk6mA3$S01EW_>EW<|2MKS$Qzr;Vx3;q$ zpK&YopKX>aq?m58Vu}=UjazPt+4;~?nYb@rTGy|34Pa|w3<}IN`HeL>j<$UAR(6?E^P|Xd##Y&hQiVo4e8IM^4W9ZsO@SIiWyCRJvLZyRBS}As zKNb6zFHp#?3xVLe!NI>iyKy~TZ~rjj&+qz`n{%k%umVlHG**kK>$wxIQA01t7X!#y zA?~jya}q0hP98*F;-=s4xYau3#F%vfRW-Er@PmH@9L1w*CINxZdk(2=y?%^3xYbwvlli-ELnMHpgS#Wl5~-zGj3YC(876i(9~x9+gEHbU z-*!>BYnM@T@!Zu&-D(}1rt73%YvOOCLcmtFREQy?2^_*PCM?_XfI!cF2~@4vz(Qv9 z&+^&3kG_5gO`-aHndyKaERF+moVkzC{UKoI1R{pYHT|DUq?vv@T8)v9Hu!cCOXhoh z<;chcMoIZYXi{C8Bs&5K##_vZ`cmJGXk4+wSikR=XaL_~A_TE`!=-WSwE?IstUNb7 zS@70KY}NHGr=mi!?}&Rjw^LqW%YRtRp8lb~M2sofkBroF*!l4rF(KhyuOVKxJtV>z z+{N$ct5DF2(IsRMs_{);z`r+Ofzv53U=YDfouPzErr37TRj_X;^jC^B)%}H3o)5`= zKqEq&+oJV09UgB=*c&%0lA}&i&KP9QYX=(nd3GvK5QYaf_1UUX_gopOlyLTF91w(`A8H>T!6p@1U1&yDi=y>yg+;MO#l@Vy*Hg=H!FKHx z;HlJ)LExpk%+wx6+RqmU=SH(_E2AAk4*~!C4Tnr2JHZpL`afQJ(_e5n?rVhOSE^+| z`=?#X0|}B_V}{&5Z8?2wiM~~8OnuG37fnp!YMSy4LEiwOHv4+AX+cyw6jI7r!NUPg z_OE9?!xeU3$ijhc^oFPAzzNj0)JCzq=cYG2VF!NUyj9eZH3SS>%!y9l_zp)#;lNYR zjbF}0PE(r^#Z|0=H&?`uJH^LGzuIx8nI_9!6;1AXF)|tCT&}6GwSUJGuRU^c;TRzLjAH*w&!!Dbz@5wQfDcHl9Y~c=r_DI7mXHyH{-9`|=pwSPr+e8KJuIib% 
zl|Sl@XWnm=H!P|K+G7EfiF%247_(3R_>PT0^bKms>~82I5AWaWR$Nd= zefv{1QUBrc%FixppZI#VfXkIOwNpX4jZ$&w%Pj|-#=koC$>~ekbLn#vyy)V;APQYK zFPupC${|j~LUM)PaGl(OoMM!i=f#b0?5&G+iAZi z`FK&zaF3=DBR=Y#+md)JNOIIz{>$*a{_jo%*)+d<`9A^N@WI0sYyFDvOYG{&0N}7(UOyc zU6|r|bF`olm&K&s#whBz$yz-GpJgEYlr(s5%PG4ps=bj)u7swpKCl;r!!kr7m0vo! z5G6zVP$Eh-D$3}J7UchH>Xcy4dtO|mv=GPjcaia2bB`6og1 zlAbuPw+m7Df-uCBSPlHQ)?jwJxpzRXeQsn>l{mJe-5vM>wYOtRF`Wnhh8Y#W<`XS7Cic!k%b~@TS_;8uaEil;%nhabpE?onpGNC#dpD zrzzW7ft^N{56*iL|9%?W$McE0^0bFM_;HzNGkH3CWRsS`(aTZCk@IP4uv{n!TecNR zU2Z*IEiJ)0e}mX(O$5r-y8stKemnDjXE~*7UK9OWNHS%2^EdEbvQ z{`+cH86qof2O-sZ{8&=Qi|Cj7i%7l)qydIaib6a8JDL9u#^BR`K3#YWRQa~E7e&V7 zg#iaugh`Pmkta55ZAU}S!zmH8mfynyyFO;a#`M`Kqu5 zW-RX}G~$n1X-IZ9#Fly;Y{s}r+Qtlk2!|prmq@1v<3P$pSEg6lZs*t}IIGu{zt#{{ ziDxP*yEdvz1u9(y)hQM<<^gi`C2k7 z0i8T8lj+sP^Se8!4CsE7G|_}$`mG8z(Aa$-oLezKJ^a6q4)DK`2s@P?8=C8#*cZs} zWIaen%LB-W+**S>mvMEqvhKcL=TtcEE%T&_jeM6oL3uVH<##ZZ`cyAUeVHGW)Yi)T z{a5?UWJnDa;=`{6L{uf!i5aX zPIb|Kz4lI1%{gg@p&(x&O%mQfVXC-2LZRcmSLN|eZKF4}EcJ!`V?1!GK9vn}{&{jc z@8LoPz{xy%Y%noPe)vl@_CfI3CyP2RbSRiLmCek0mSCOlO=h|9c6cC@WQuz#Uqv%k?KH8AT5UUk6N{E+ zynr2Ye5(frznv;&06TbfT0g1jppbf|c^gfBpN6DZl|9SBB?Z2wQE8C~r@|S_R`M@}kFL`Sd+ExQe+DCoww^Jg8 zmRYa}yldB2)N8nE7iTSEcU{AY)|EhS#GF8G@KBT& z)zJB&fpx$*QH!q^54|4M?q;DOZH@WzQY^v!&+oTYw$}M4cGM4TO<75+S3{ULXwN6; z>RnMLny6ePL9T@NDqZYt#G-4IddefS+7pl5lG~g}H_X6rphyI;h4iX_+F}eF{i5i4 zPQPS2GfF0Du~-I3)slobBGBFzVYwYhwf&BrCDa75cEEJyn`Ikk`gF=iS;24I+6&D&%46@4^;)bQj0ch+88jiAl;M_|k5+&gybZ zm-#do@t@)k=I?zPZbmrFjm9^f^wxTR2I~FX0Kf9YJeMpPYn07IW%V|QcjLM-X&Rd3 z5VZoW$8{4e7?KJeovF9RAzynqo!!Xc$%WW|*UFxd#E|(xZ{;_mzp%$O`hC!0;n*23 z*eScPBRXA-4j(_Qj+X5uz$nQbp?OPrSMRKMQhN6IK`Fj7{Jx*8P>V4A5oes)jIy(Y zt;3tA5uG3qi-x^Ov`Z`YaGA7wbZm+skO1ky4x^ft9W>RSmm0Cs1?I$2Bi3t03>~(S zrG0iR-^+oNdoC&S+~42HeS6|GGSg0FKb5rm;B+;5L24d0-TO0K|W<`C+lWzh7Fe%-X zkn4QatK96fVP?g>0;5-mq9Rw=`>hvD>+ko4T6OiRys>K8M7{kUuvHHe({3+r!ewz? 
z4NL!DyM7|e*{tjoKiD21)EJ~kCl_mX^;*W?azYw8P#eF}X4dY?x2?m* zgh&D3=4RuBMpFks7=Cre_j!`W6-x6v^A}l07aQJJ;U8`w3!K${R<)9eI*r_0Hxbk3 z@}ny<;)^C2Q>txB=G7~lC7>m#%%@b!PAA>wCXH5aIYjOtFf#%j(K(5TDky z`s2y@{QHV6U9JvtZr!dhkCs>^?vRHaqjnnV<(e$oDW8Z{Kx^9lt>&ZQ4RKjee$1~h zzn!B1hhW>dqG#s89OcisoS!)YEkVMMZ~pz zy(AqAg*T?jd|OAtz6JVeyXX>79&Deq_gPwar7GhIYfNdlw*@F$gstsB4Y z_Xerj==;-|GW^7WDV9nVevcZfuesIhi!Q00ETqzR4Sm?EcwK{FRD@u$Vm*_C2KCp| zHOEX0sae_6X(^kL)iz$X!VUHBp+t!?G%Y|To^~-OrzV;onqNKThvm(nu2wgOwBHn#VKHgGvTvTH0x>{@k zQ1*}Ac;kaCHC-!u`aW#KuX?$R+>vVR67MsiET)F#N1X-0QNlF8{78Ta@{BnD4GRDGq$2$3itghxY2#EievS+zYWug{3@97&tN?10p-w zhYuH&xqB|?5xAlMWF$i*$IQA-lT{gD z9O&mqcP?6uHkbRV^sP+(b5J9`GY{{1oM2~cdIUXX`$O3-De8b%ZXGkLc+C9Z6X1a!ZbO+VJ;@J-BKn||uxgU+#OJqlwtwUE z)~mHlfxhNn3@=F&2-6`)_0$OHG&EJWXpsU%&DP!lBm^VAZi@D6}GN2uz1c zxo=Uzj-RLnbSQSd@T(FQq(wFw;!)Y!u*%{2s6sOOWhD{5UR>s^R8@{im_G1kUfwXW zyV3so-hEB@wWT_qB?9b#z!cz0Iu|vELc*Y^EAR58b&F^9;{D?UFip1+wEFPR0?|)ZpNEX2U1wOO? zoLds6bKM%}0N{=rt1O37S&hWI&~{z9^~a4i<#!@OiCu1fgZPaUtm^rQMNX}WRkCVu+^mPCXk^*L@0{e$pK-KtKY zp5x>6MBor%y1Gvp<;VXR=B!0nNbl#^iE+43iQe@*i+ zF-8kz;Ms4UKr#=y{im?bMo%$#Z}W|nI(RU!ewCWv(S4}rA!*Q8m&NYnRJrvZf3bFDNz2 zaS~?Qq72psszl$A=LGKhqf#LWma;#}^!b7Ox2M6V)UJf@5-EqB&`~?bGC)v|SXR)l z(Pn^JhGM`K{VT690m;e7E^iY$4pyQTX%A%erGkvrbf4ls4ZM$m;bV_Dc!=HelqY|L zI=?_Z9Fof6gs^#I!6s4`V&;hUID&n5_LWtH!pJI@ISbctsW%H z3~T@E%R<>#OYXV8V(0-`7mqYWkTsOiCa>PI^e#f;bI3^*$a#%twl@-_VsLsaKqIuy za+?cccyhsmb~fUR2!D}RFd3sccN1aN9h+VaOkC$xDn&_nR);Squ7fS!?F5U3;^LL> z&hx%9y2sDcsnC-46i=Jlz7~u>MZ`{pfPcqvGEpez`xo_&nPsLGoTehq+QMh zN>mEW0)nOwjo&IW>{C4PuVf3N|$4e@DCwSns>;?DFbUFN?`%kIhQgb!8=jwddRjM!}$k~dQC7e1cl+Jca#j&c~)1qG}BU)Hg^_w~s~oGnSBBC*!->ZDI4h5}GuhfjYPs9C?`C z@3aA<9;KIppX2w{wDG6aRK>hw8x5kT$6@&-moZ)WM!~f*?wOoEkiy3Rf|Fx>yXzU#{h0qfq`I(&5-5sbtgtuDf@=Vx;wFH z*wQs^;C$(H$8m?`$qr1OGpk)sYWPYZZV0~GHdARh|e|OVf>+> zRSxYT&3-A-;j^nri(BtgZ4Gw#oF~HJ`+?gK{&rpD>^PjzFG3(&5cI&ZRk7Jx^5 zXCv62)}a8ztIJ;_M)V#!tNy&NC0l;g=l$J8y$>bxUn_GE-^xT>3nnOY9xj5 zi^V1}oIQN;R4E0ICBdQ%i{bXRm%;bw6*u=I;Vp3P(aysuuLPNCQe(5U1j$z`&MjV* 
zQqmE`xpPH@?7llyi77{DhY7Kvwph(TAlOFL_O2IiYYI_nc)z028hw=?rAO!ouf8^_ zNR!~pFa*A|$nD)1IsIJo~*ltBWh z=5UTA^GK9gPlcUJk*}QuEq3cfhOn;6$pm4-@PRWKIAmRsd#PG`c^FZZ#|v#=gO218 zoU?|~+f+gIpa-%s9>WyrX$~A~6zziZIAzQ!cUuf_0%KQW9(_UY+j&wpZdG z%wW7sg7AA2=9R$CQ0ioe^EIjd>7xXOF3AFiXoz)=A9(Dn&~I7LWZDMt#Sv-0XzYz? z9ghj)?!jVk%UGZ*d<2oM;JF6^T=ySIz@xSSYl%AsK?7+w@q`tCb;*-1n#3DtgAdtY z>o;C~QSjlTCtGWt@!NR`b1br0TO z3L{ud1&0Z)xZ#wkROh`GvOO zBIR~l`aW4v0d(m?*YZLZyJ!;xc*u$35=>v`2&U=UkgJ!$rAtg^-M?D5Y<3{j8f{0Z zV$j(cLg3if{<%Gt*y*_=OB|sA?TSHE@TtW57qjqt{^*x=B1B2oFyol47lW^(B?lG7 z3MxBDLQ;Dn%2;KoZP{Wb=F>+}vk|nr7e7fKW-Dp1CC;Pe7|2_z2=zR0_D+}gpQxt2 zbnF;GrCvQo`OVmx^7!XC!=&&ymVg_JVv!`Fw@eulH<;c6) zu)3BJ(g`|>gaW$tQ{>1_0{MA>invErCGy~-iObQfAY7xPC(&qgfyX#&xH75b=>}Vc z0xP|Bjbnk&BK;gOkV8%dh$0uk@O*ChTcR|P7{)RvddNZ!C5Oe&F z+rHigxzOnYa#wf8;aPv zwO3l2Mqy0_j=^)=2wasC;aqU4-?fTeD_OS`5w%CGsBRI1I9huhqaI z$qqeul~c?{;6(k}{0tx&TEJXG(=-s(B>2%*MLpJytUGtVp&AY^uyldQcpi&iUcFmM zkzts)yQAqeGfBdL_rtGZ?_==3hv#p}Pue^L-o(%DCkd@yR4Rfe)`{cU1Hm+o$6-_G z|Dn4j1xdqHsp=AngjJ;hn zrd21(SwG{Y9z0~4F)+BG#|oy1mlIDCR)?&2&E?ydkdqWn6OQ4zOKy)sFP)-`Qx&4{ z-&A)Gt0IiN`G0K?Kp8RRRy0;>yZYIkU^1-5pGMs!-HV53ptSNU{m5G(waX`rhTv=z zxRo6~@$>6f)`fatW&%rVp{A*KneH_}JlX?7M*5-Vt!{z6F9JpV7m0MsC?hB3(!1cc z)+=f;!z*>87Ai{E!W8d!Fgc!rp=hHKr!XK0E%Is3`z924mHCYt6xJwATe~y^zluLz zp2DS3Hk?c%)Nr<{0uX3HF|5S^pQl2l$VK8~P+U#kNU()G*M1sW9C|MWTgM5s%H_-W zE+CDb#rEVg9cY>ob|EFBkc9P@8rq%2-i?H zJW|JOEqDW2&~sUIgXjXjwqAfq5_~1EFg*CTwy-ErtQjXW$WBCm^XH$6QSACpAZoFV z*olBA*?|I*6jRK1kEr_BznD^{&BOA+v9G&%ipdq}>44Aa6K#PlD*rCq%prt5kBdvz~MC zxB!P|&3E*B14igCnwYu(V_z*XKVVU;)-GZAp;d~*s0tOk_En8gam(E){-&&v4&l!@ zhaYID5Nr;wRrpll_~`W^d3(AD9Y-yr*5xoJZuSj(Vcw^p=y~O6qtDfurlqECD1qmG zz={$>RyG$i{F)~U6#Iqim%}QmcLz6IDZ}JjD)4F{(H4m`AC4hGghxrqFcs0q*4MT! 
zcCRDFSleuUcfCuX2(g|nkg4$0)C=ul^#3EZ98$aP2YDU55!6*ffif7_?Be|(_r-Uylgo)xDrlZ3_?WF^Qg zxCWKS%s7>BK)a8pM@AE6cid#o7 z(|6sudsPI*(Grs)RKRSLl6dE$TxHFvxK&odqIpW^I~k<)xo_KV;*0OInIDg$xBv9Q zRR$jS3dLk;SQ1fLCEP|jL3UbL%3Qn5YW;{1YB@NNb^M%s!4w-{q`njA+SX7;;a>J z$%@(e_^`Bwp$pzBE*|~ODK;vFd+HT|vRRkNR|LnANjEr(dFrkf$j_g9 zA6qbo>nmlB9tX4q$Wa0b*xUBj3Y>}%h%4$y6JjKEzSZV~e0RnR8?U01hC}^)$=jMp zRC-cf%1IM0b>y=AYZWzT zxJs`YDKS^01?EnY2d|bC}nkw4ye zD^R;f^w^B8-@NNrkU8FZY|!H*ojkvWsalJ%ku`M*^y=%!AY4bESVJ)Lx?!)IX=GnC(kLE*>W_P7Ll}^BWa^SXQ&Ur#qZDs z%!#`{uOtDUvNtmyugTNC@c3>&{#1`Vn?u7=|X8%4^;M0;Uh^}pwV?zbA9+p~0I-=Z3`8~S@RNix!-p9XcYa@@?k$yeDPwIz^300s z3~&!k5qk%2S=MZ-mE20Hj9_eV2Jtw0-+f7xmNsLAmsp%8OupXZ_HXqi%-izCFyo(x z{DC?1BcS`N)Z+0uZV}+Ii+&qlE%6f74myTyGqG@>8Y#DCE6}6)!SoK_lR-MPF&+5l z)XG|=hdpbpr~+yd`Xsw1*ZS_t(!bY|JB}a^kEi|fSJ~7O^J0ww-D(0*w z9(e1DVfZ4rJHPQARQ%0Jsrz~nodSB1AN+NqPs?HE2OXvGSCtgQfYOLM(CMe$;uWGG zO{F*!`~YT%#V>cM zbtF+XE)ON$h+6rBD!LrpuPulojO$6OGS$lRhVS#+B(~n8wNvpw2?*=*m(V-U)VM6LxhHb<-z0}$Mf`1G2H*@eB^5mI z07Jgu0wQ5|p6S5e`-RX)O{}P(%lzO|8{#p&K14?z|5!E_r(vF9HrfwkID96~_l1Yp z8Nwbm$34*&y*?zhgUex>Z6>k)4GKYy&#jzycVo@Ie(at*2P|G@I&8?agh*6J*0Zoq zUT#CMPJv;EK`TkHhs=L6*02O|?1q4GC=}&oIQfj*5y&zc&V_E`8bJh`TbnVsmJUNS zt6~7Z8V29iix}bG*)H=WO<2U+D~U=xpYulIW~Z5n^sNN< zd+ZawCszJV#<0HAm4ApqAoLT1Bnozn-1Y+pPu(c%UX5kK*{(1K?mGP>mOg`o(U;|9 zm9j#Q*v_8`+5}p**qXwvSVnIR1Yy5&B$H6wNm`Nqtb>q_UiQQ$44R?NGyWMrC%YqE zd5A^Z(OK57gz4q!CjM^WmQJBD^nHcPGXfA|mQ4(IU9`Y4D8K)kyth3FIZMFLY&Pc7 z6>7i2?`n&N(^imXm9U$ur^I!iw4hNOICZ&8m@aqj9d~mm?#@m#rfOc*{`G zs$lmuEolCmQ#Tg=ww*6-j*HrYw}}8;A{xSd$^+00!oKy$UwN32Fj6hZEw&Qy`>40H z&F)F=yA_1|@p6HlG+bL=pQH*z#<|m>Wy*IZAW+xp)sj3!*=85%$*+~{QFTIu&!V4z zet(B)AyaxSFPAn2shz8&x*&Abnh)nqrql>m!FowS{ew;!c398=HGAlRo8`6A{Mpdk z+reeBnl1NQW@o`D+Bg4X?F+s~O)zFw^z!FoM?EYLIF`j8RXX0LwB{=c00Zos6{4sx zY;Z5p82tkj!Q^hIpkN_8rE>OT&$_21Z6?m)Ks`y>b^1&;C}4_3~}^w zX$lKL66TX6lC*Yc|B`nZy>|GtW+1kDyev zTp;10I%d0hPrXX;lzJh_s}TMb!)4AJp^-D7+9qm{PSco%$vfI*^7^B+bp^QWeAjq% zWHJ1%Mnibeo_E-;fWO>4li1pZqjX+11Vt_lpuU&RpBs9#sV6abJ73B8{kKfyu8+7p 
zR;eEcZPQt*QibGfmdh27pa4XFPejz^-bshs>`s8#Mxqm;bh=h>QEkUs1=XrW9Ly=g z#P4wuoS%mmf{c0>N{A0gZ&BpR5#~%m?(lZ@qcauHGLc(1KGS|h=GOK{TM}EO)yyud@4ZDA3GY)lHRckfzO1^9H(N!?WLqPKut3`k z5#tDxrkUy@cZg*~KA(zSvJv-9;=6(cV0Odax+21U?f@^_x__xwhWJf-z>(mqG=RLx zfIyS(P>;Xc)va+@e5+)Sl{GEOkGpL06)r0!e-GJ#V#=Q*jk*tB7Ztm$uMv&#X*Iz@ z0Q_vYa{&uVi-NP0EoB&+-r2X%YcwJa4FU(KMM`Zc#2GiG1in_rUYB{!zy5hgP=5iC zrzfsI=?l8V?}0n^w96m!JlvEj5ab%~KX<#nwr3^(wvrK`+#fhayvvX;zSqht5?olI zNrPR7^&~|WG!sHgTfkr-DR;ZBys*~H4)fr8=OkKCDYY`z;HrU5z`^5RUaX*{8?+%L zzTqseG(bnNL0;g>lL^l~Rm2?HbcUJl6AIncGK#82eGu!DmGkmEgOjsr&~3r6nv-9w8jlPpm750UTLWJ3uO`n7M!(xC zjLgIRP(Tb$$Zu6G=sZQd8fZcub#jAt6~;>xo1~o}iNGPz{ei!UDKf7eB(rt@4)qjW z#3d`QX2;d%B6eu+;t4Ix;sLA{^9|>empPvT(H1r?UFo+f3kkGK`b)9h&(3}IGW@7C zA#Yhy5!v>iMym-hP@ufa7!gQPIaS zZb?Nq95FE!JgVd(-9;JMz2!q_z45f++(>!oOg!kl!H1fKItDGGRi#-=Oc={xZFssX z=TY)2hiN3n499@#u~NJ38B#E~qnh>lgKnT3iF zwWm|!=$tE7P6Z8wx}55cp#A5%pxg(w3Sk(lfFl7T-&bV!6-9>1bR~7*ZnMudY&lC~ zzqELp+Y`@`kOK<;HXG^NHfQ9vZP(T8+o z`;PB(EV&5P=VY+ zmfrPZyfjf*@r|MT)T5d0{#2rZ3^e>*LN`_(?1QenHt@OLZq%&=bJ^XW=2`Lm=h`)w z@1`*BLxB9?zwXY$oBjp-FgBAL#c-8(1L2MDBgZUpagnts-#D1VI%@}Gv-Al!LMv4^ zk``c9TJYY+Bpkx$mScg&;sFIH9_~fbNGFNy&)PHgC-%2JzI2|dK6U!}7TL4lHWoG) zGod^mb6VeJ4U@MVsUtoM5@?j5(66NTu~;qDRLMOKz0K;q?P1wyh_kt?#fEUjDg$fi7EfEm}pljz~! 
zrF_(Zg(+MurQ4wcp$^)528oyi92KF`{iv`BdO-E7aScmBjXkf#mJhN>umnu8KrSu` z)pPe%Uc~cInp%{tu5s;IMAs~&3}SjB@KP4#BJ+t)x2FvkRE|0fRZ0JES+~*pFU)P; z^|#Iq#hXJTk)7P0h_TQT(a@$K6S`1cF5mQ`vBjb<32L)XWG-!Og6}@~kF4YI5V@+OS;eVgz_e}Cm{?%gxqhQFGkn`kNEzaw zo!qz4fr#>Ukvl@BG5siU%$j|Aa|fMpVKu_3cH#EPfq90%p(;~6kz=4k8>9t<0H(mK zcI0fd2>eB^(eb*nj?cl=K}N@gsD0>;1t3=bX=VSZ*wEoBYASK7g>Cq-G7(8oAR2=# zERUGPZsqn|`vzixGGMFY;{%V-(TC5ATx%?~U+*f)I*Q}b z9lFb|aO?O95s-JMp6>0^o{g|hPLl=CNU%_D8L7!=V#M$>;cfj( zP~28a@`G)cj$*~880rMIYBSXyA}4S(0gp3@&MN7YXt*7*1D1~${x!_w+OpzvThU+w zy~y)ZYd4!`C^EfT5D2*%y*XnAf7e=M_H@BjhGm2P3^1NmE+t1zY{`U0nHNW}asKRn z`^qjiO2(ETe_^f9Ha={3W1$F7)7#I3A5uH|{0SKSgA zQ(PaND2+O6dGV_aJt^<23r?!`+X((fK0{vsDWty*hRUk6ZIUX~38H79e$HJX=B6w* z=ggj__zl}gDaO$Z28VQeczp^aZ*LyA4C!@%2yURbmYBj@ZA4NpLjEOh@T(=%)tIPl zTsZ@b5E}_gOG!lf6mqFCM$(=j@~bIgu;rx7WrO?CUzdNviz-k4r6mw2X1Ye3DzV70 z59B6);7Zg2W_zIWj*n%=2`1y*cI0o5kBQkTq0jL;&D2;Bx3+sRfsf=uwTNqJw#n?( zg#4XrD!Q17N%}=; z$zqz3mxzNi0{y{#(h28MN4;5}ly1uT1dy%{@o~<=iA9y3ubJ#85 zcf&$FWjm*QR>qZ0W`>nG&3>@`-xdfZsBc3u2$_VZE>uRwLtp2u&}MrmL*Ke*dfeDA zqA5|Q%OsXhWp4c91sPBbkc!8Ab=ARfCde+R-c z1?3Dee2m75mQftBUDN++@2i3;3AQbphQ_67+}+(B8h3YhcXxM(hQ{69orAl(J2dWc zaCzs>{7uZyo0!j6e-%*~QIT1dd*@zjujSw!1SMCsS)G-6(cH;>6dnmd$;kKz@GAr0 z;)iW<^~LP^tV1q;WWzCwfkdn_+=p$8X_I#ZpluJ6yQCae%SuiWG;wjzEe^l?C z+ZlWRZpY4_Z|L>9-o}!8I3wj4~5a9{c1xg^D`@jm$%3k-tv zo%KwEi${N~=p+VgbW-fE#~D7KMlX4o2-CyounO``)EoIz$yIHKFXfMUIJ;1Di=-Ma zQK@4(voKxD&=q{&toNI-{HK;-=-@7zyc|{AYD$AL;;1&TFamz|ZbQqh8ov9DAuBI% zTU85=%~JyzpSo(>3D#4}mlEtrRukb&(xkeS<@PR6iMw9+Czi#~QziSpLOa;{H+zx4 zXoh=p%qk`Xp=9-FR~IOuzUT7&|BeGMz2y&7%3-)UNc!QaeOmb@ZkL6Gv!$djILm?k z(gP?8$_@||vN@DoZojPWEC&(jBW@cF&$nqWbi6S)bo(8yo2wm^uTjeoZH7?1D?K2c z%pS`7BN5OTM_%^=Z*7s2+`sFaE$xlwAFSFU^;RBi?50cyu6{1VZhBUshK8EtSrFgs zmzl_%V~0$Vz1@DyIkknp_Wd?$VQqzF&qn-oX-GBC>5szIYLBIlxKlTt>B#nYl0fSK zk@dvq0d)tz5fQU#`}c+aLKB0Ny3bJARIm>WZDhNY{@S@FpHo(T8*t_H*+qT4nCKrd z<>qw|rI5K=zzwcwWb(rIP<-$OfrQ8i`n z7Wlo59V;zSM$sUTJ5pep{@lGCjD9TF#x)p}xq=~>s~<5WK66>~+ydhBa*>DAGvExLs!;&H82kBn*T=gtP_pe(2-0%gm 
diff --git a/education/windows/images/signinprov.jpg b/education/windows/images/signinprov.jpg deleted file mode 100644 index dccd7e98e2f123b8a1e4c17b2944cb9624e22799..0000000000000000000000000000000000000000 GIT binary patch
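Review bot: images/signinprov.jpg is deleted here, but this part of the patch does not show the topics that embedded it being updated. Before merging, search the markdown under education/windows for any remaining link to images/signinprov.jpg and either remove it or point it at the replacement image, otherwise the published topic will render a broken image.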
diff --git a/education/windows/images/trust-package.png b/education/windows/images/trust-package.png new file mode 100644 index 0000000000000000000000000000000000000000..8a293ea4da1bbf90bb90e33e5761c201e435da42 GIT binary patch
zU$S-E-3(P$>VkWM?#1BsQ|mENnc)begXEbeb7SMgAG>NlG)iwRfRetEQ4=NYFUh?A zWvIlu0tpEfFO!s#3}%OBN(kJK55tY2Pt=n^%n<40d>8H<2Bv5g%Ix}^A*YL;qXV3o zoKRfEFEi)fqq5iu`i3qlt!E%t+iBK9U%fM+dMLLITFsD@Me&Hrq<(IKjJzpc0Z%1UGt~_>?#^O_PSK$g@-vYG^Uui%^d^udB(J z7qTk{M$Y}S>?st!r?fSp?A_#=b8&TB&Kl}S^;GWG)oswHV9+Ta{p-^o39p2)0xe{` zj2$)|3&ZLd>oBsJgaXfiGF5y(0x#)wQm(Q4j;vF7I|RWi<$ik$Yg0jo{{MO2&&5WE zoQ16EqYSk`d>+aAb_hHrXJEYw`NBp>I`JRRg0N5bV}ssf&ckayZP>(q^85z)*BMmz zG`MHl`&vk!wd8P?USHiIOitHZMrP%e5aqB+s_lR~q%_Low#}#5d~Zf3$JhrBy8|jb`_65%l6Ap@m~R} z`T0aoaf>fwt25m2ie|_m(UA6;VQr-13T zE}QIc?Q`GY8*==!u+|QtaBL6VQ$A(zgkmL}JI}CY>IiF0=qf!QIf|KikT^CQsAfS9U-t zu0m6E5?qI>FaubKTosb0sq|)1t7EiY{@Izp7Bhn{nx9;|nFw;LU29Y8a#N zVo2UGd`Ng9Dn9ew$Mp3m^hf0N7`ucG#WA1BvL*YayU{~3rE2V<%d*6p&zGt=@L$YB z&Guf%LeDRB{Kzezr{^%uR%@UqT7hn}rsLAq-ToSS{3^^)x5;yu`hdo;)3t^#(DwEC zjjv%UoUlm$9j2{Dje?|<)gq=1;|$E2DApq;{fJ zEwmZ^pn?BqeQYeNnLt}Tf(~%T2HwXJXKd8aEP#ikW%-0jWA9|@^0VQYxnA#i*zu?8 zs>CX@^BB{EMK#upOLI|2<8?g2)W*x%>NCBU)6(M@igFh^*2dHu#@0if1>AB`o9{hE z=|KzR*4yH2@7-#e`UKZ#^Ku&BW}K4vM~KmBIS%XKFeaC@{lS`Lwno>yG3l7W6BGtm z@lBQK_&Di#N^KA+4*g;PY)nOwTI^Tb^j2@=Gr1%y$DAI=wh~YX*{DGIy;{;WW*dT8P(;u(Q~1u5LFmgt*p0cz8%6xJX2M zS0)Qdrx;ZzWhu!E-$a;|iHD!?ASzW;uO?lO|9E{YZzJE>+6ZI?vIj!4EU|B5iKI!> zs;(mPsa!DfQOwNDqF61yl+@EQ0X8@yRXSr<`xy+g7%+Ef?kBwx&XXZpG<`MN#R8T3 zD~>~?Y}XqzZvZwa23d0h=Yw{KM09Y*F3jPNJaJsOWgR8 zgba+1DsbC0CWcXzGXP%IRA#8-{3L#`9*_oNH*V9UY;JEGhwZ{78*{)^p(ZQaUUl{K zk1~roYCQ^}SAkbmU^A2hv*bNKGQHYv7XgWSvs6H1esbxKwg6X6ED+hajia;8a@VHM zJHps#+xULrTZg*ilebV2;8f4MpGz&RioB_T+Mhc8n6t%rnR%JKi;E>msTi^Om3p;1 zD5L>zmINc_vakM&-?Cy}qj2=SIf>yAc2aIKayD#JI2|#dCXyCywF3<)VCO=U0$J>V1T^JNFetPx zFNhp;Ts~d8!repTFyQ}j*-1@m`KC`u6}DAPHd)o^xLOTz9JQ0%0(J?>u7ffXv`tCQ zIP7ZcdfznVY)uS%1fC`jDxPYW?(iv>aa;RoT3{w*Fv`94&9=Vv%D-wH#TpT4Nx#!^a@2Gi-=b^~mT`=SL5g*FpWN&2J?lT$VW8|W z|J%mW7xQk|%aP_ZZ+-S3EE|;7NZv;7(LEsE)7eGQXxX`qBX%YuKhGV#PqAHoRlrUC z#gM4K*EmaYCW5wK#sF9~c+24_HP=y#Xe&yIT zCiVS-3lP}X8fD*yOX?sX=*#T^p-UE?h5$;$6B@T{fryDh43M9QIwVe&r})D<)h_Tg 
zZN%O2Kxro++=a3WqAD)STs4`8j$m8aHXTt(2Bhe()@87}b@42pPpTcu?F4_uP5H~9 zHp83C3NUbK5g%kUS^v+&U5_gHc&x|cD$Yd4nY(@W-(CUbgJC}d^aT3vl~AVb+Q{A! zrjig`0JF<2M@0~--riOqs}1Q_*zf$26L6LYT{5kPs-A)<-hKh&q(-u5WHDfn;b^=- zFT6C$65EO2l|v*gUMOLu;Tms$RirdiRiltmc9(KO7W2}moxvEyfxXLJmRSEI|@-nsPUKkIB-ugi;4rsu(Yrh~ykkN`=_6&kz_TTd?~py_`R_m9za zzF+t++BQ~W8*P#XD=W6mCTVQjUQuJ)jcqozZQHhuz54zA_jz^38Rx|wW4}$FWF^n7 zdChsv&kc}z{$^7jFv~KWX&`&O`%VgO09Ec{PA*JEpGm|=+{1~`^0rZN(o$+&GEvUk z4kgV#oLoX?K{OB%TAcrb-gXPOGP^c5G;4)%zyR8h*bY&j-9hfMd)l5hz?tE|A?JM3 zEnl_hCP4IZjHd3 zp6=g?f?d#6gKG5q&jdNOxt35E8V4mR`A`@Zzjzwk030%-CCCn{f{^Ho3!d172k3X8 z4_Cj-y`UGzn$rk+Qdh?ow=GM+)Ob78ikUd5gK~@arIv)?q{yJ9#l9oY4{Xy7vk=?3@~X7{xUa-W~l> z)?J>K>ufw@e?eQc3v*CzW~`9h}7|oG$wb4_x}kS71nP>y6AAIBy`6_6#A^5-}%)dKFuZ3@$yJSkM*CD9U&= zO=}X3;!9F;aNVaR8M6Gio{_%xyv1>nt}a03-^j*B0k`n6EH2p*8A7^%|o zMTfmioc>1T&K{Va&KMc$3V0%7BZJ(p{u8Hd1LC~W^4QwbFC8`}f%c2n0(-E-uhP+g=fA(`0fdmbDx@5awjk;>*^Kb)Tu)fN%X zp`H7UMCu(ycmn^#%|(y5OTG$!!kR|tcuhYub$gS3^lv6@Dw17GTWnGxvBq8aEYCYW zxTfMi;j+7v`qUPKvKJC{jw@&|AW$yZ-p&ejF?Q-J94L3ZALR##P>h?lTYM+BnHZS- zdMj&|HpWE`A2oIw`fkU2IK=Kr=6T7DR3-P%d5gfwlunW$dp#l@I_zwY;m544!t{0=mO^a95|R z&h0V&sB^9S7v^-Qb-NdSX*{$*JvgsR1Y7yII@rHHOnmOsQXoAeJY!_UF4{=0rWE^w z5reDgYm8aLUz^3mU$ZZJBo4c-Z*`l3oUeOmFie{ew`qy~=JmASMWmYxf^he zj9D=LzTI#0wWf96wyL3fUMz?#v45`MU_f`T>q~r9yVvd4hka!|NT_YFX)L<8_Tu%J zfw!Fu6`~ntlm324#1o=e{`6P+pW!Z|M$6S*U9oxo z&J=N^o^H@5L+ly$oX0a+nqCf1GBZc4>Wckg@xZbm&3^om8_%nE1?D|vT^nP}FFXX* zE*7ZWfsaA9Cf z(+)6{^sjoz=N4P5&9H;v$R->tRv=Gnk8U1Osp!L;=3Gw{ zjf&IT?$)%+tHKIfxPh##HRm8w3^k{=mBs0fvl!b#^JpQ5S>Y(I-1+_W#<>@ln-qCp zNq_2G@N}3;48G44so@ACcJULNlflaQsQqb{l9xx0p<3kh$^DIk^4|IwV?O4bE>jyD z9C_(GqmLBm4zcB&fs!Z#VTQ`X4kH_%kL&lBK$RoA4$PHpkI>f!j7?bq>)U55;Le#= zQ5Izbpc1}~jGG~ta)%KVxp6+cL!lH>o_0xNIvQT6>j-Zze?}o?3*$gj9iyKnD<`+z z+V}&Lur-|_F|NyG#lGrC6V8h16yRV(l@B}I=#4Koi8FfJbL9XgdcraBab)}(k5D!CHe$QbdpU(Nu-bCQt_J~ZFoiHrsM52F@!XzQ#-3WwG6 z{30vk)QmMA6q`x@!Gg_npx1^GqEMm z3H$fA_HimdzL@a?YQ@6Y?q^1{YGMv>L|Buoni=z@Bg~#~Pa_Dp?8{qH0{bK*U7G%G 
zgh5YQ5b&M2X`dRo6Y_ZnuNt-hS~Si3qwB=TWU~FTpHUeGhwonpy>-dbK{QEU}(4a^jyt1u3d#`#tk#KhsIPh z`E&fW!PdjjZdIg;IIerGD#oc2%TH=KZqLm~Ch*vVgRO_-!=sTEJ;;6LZVEp~(q1iG z$IxV2kmn-FVIiap>xB3f#QAY39UvQ zc>pQ_<78#@AVK;c@Y_6+u04~{%zG`nvx^ZnU|e_TbpBC0m<6N~L~1L1jyR3p-1*ah&cOx4&%9P_jyhUAxp-MC)qufh`` zp4Kf(F75|Jw<<2;uHHhK75~^vKZ`BT!ve%p@!cBE*_P<;5*x48B1e*A94XQ~uqoQ( z$C63DdG;vAcqKW`SC?p6iFTY^<9} zDlUg!J@>iqjL6rhILFvadgiC0skBS+M7-{{NN>}6yRz}+@vx%NFVJ@7Dsp9~ z^>1h~Gb*WtgW%Crjw#(jsU%i#&ZxyTY;{KPO-k^|l{9x6ds&uW{Jjo%kKEzDZy7Ni z(~56MX^wcs6acsJy^T7+*r4~=YxQ}dVJf|FTT#Bc{zLo_nj=Y$e65J8*hsstQn>j% zzj$BiGb4EG%1V6*;y9($(Nw~JgivnKttfWm9u%A=)ly{W=}P=0w_2j4@vqU@7I&8* z7-@w}38LWffj+o$21av^(1+M875Eytg?lMj_1OCM0i2af zj?iED5Ma)pAcU@_%7_|w&j?*FC_{Z$AFplvC?iSBRcty0%$%9^xMZ%B@n6PZ+X4reT8Uk1yrZy&n`yGOO>P!YXyt91 z=h+=XVyAe}2!0gb81^J9l+0z3zA0NLRdsZdlLlFFwQC6p{puA4x3_7$yXgah6MoD$ zswM`CyxRzu8UBU2Yk*CS$=q@ZQ|3~v{V1CJARHX-*_b2xurMSDBcTCI=OFiHp+zZF zguJ81Bszwl)S+qmKULO)sZ==dlsAbiV9wfhCiVZIYNpHKtlEWh|2#{gH*!M%FX7bw zzaZYs+^Z|iAcv1-SAU%NfRSpU-g2S=Pmdb{PCXk*N&k`IK0bl-_|&&@If3yq^pNV1cd*Nd`ZiNL$sf4(5!m{lW9uns zvR?nfFbscv1L44-y;mmlObqN5SRH?Xf3tqUUCMU?pUTW`^EGpr3%6moY zB=Z6LvvPr9xmB61bq7l06nmqmpqTU#diZE4=Pt(lWfrD2&c^2?@Ijm9N_;w4#$Olg zpafCyHL^2e$AF>T1ZCd-db&-kB%}wd%$xgTmy-e?tgaEsw(09I4f`0*F`gUj>+89Zr|R^&rN)DLW)PL6l5YU) zQx(<}@aqiB1mL5EAT`_$xZ^Wclh$F-SRWTcdMZqOnq_6)PRUf*+|>O5qq#bMcRm219rqz%i#cMG&%7>W@+zNErJ8f|3RM*9&a{I~DbyXTd z_q^&ScM~lX94Wo4r!ku&ob%^XtE%()_Y$Hg;P}H$>?byuGR|MU<-LYf|64N1TQ=zK z8t}TfZD-&nix8opFuNu97a%Y2CtaAzJZo-K6RzHRB)fuUnAL47TgYOVv3iQXqVoJ2 zVL9*-tiBghHz;=e>Tq36ywKX!{)Dp48+QAw-%h>4hlkw!R{4#P!3p?!(B6t!>awS| z$6KJH6eWs>`H(h;s)C3lHgMu4Z01Hd4`xBk*_>ugt{8NcAch~JK}Jy_YqG@ZS!??E zndK*6Z9)?a77KHnRBd+CtJ-HpkGCW+65SgoY+V%-+HH!%Ip-&uRsQE?{GfVgRjMg4 z#a3pSiL?2Xb`~A00tJIl#Gpgu;#}3|1YRClVTALmQ^W=@L0>S8cb=O}z2Mqh-SI_p zOpwGhFc#)|hSu?T<+W8EH25?{<-DYQGn>n-O$;L5mYl?sjJyJs9v~(`wmB$K;SW6t z#OF*Qj5BhQm;ELS_kFj#U5(KiJm{B(L{0fhRrZVnPIW>`GHs0fcuSVqL|>D6*bx^H zqk7v<%{`iUkZW0MC;t&4_lXBKN~Fz|wBJmwZ^t+*qc8eWFdJ{1%3Zeym|IzMPwa&F 
zQO3Z3zfk__Pm^{D!1M?v47|nF=`Cby6DRsj#;Si17P0Xn7BgD|$@<1;Z45J~xQwUo z&BuYp9<9_6I^#!HjNeW9x!I{dBe)!F;q`YMypT&yjwFly4nk1hE#MB(kdM+OW>fmA zQEF_-t>ABwvF^`-P`_1>)Sx%hg@$?Yh~)9l`#JS0#BQZ;BX{Louwcb6hEKo!^e4vR zGSZ%j*v_d|)JO{*?2_h!zJvDA!LtUT?n2hz zq>9GbC{f=ylfRb|YJ2V|M0$iMKPdESt6$Ty)dXdm9BjXZ5JEZCD^#W;QUxKp$OaF% z#cfaKh7q&!Fnu9fk37UU4(t_2rhEMN-#m#;-Mj3hn&qUX%4>$D>FF7~}bIf^tn7DX}hw2OivSs+s#tY;3lT7jkIn$mAG2qDy+3xAoR0#5V)oraxYGN}e_Vgu>++Aw32 z>w|q)TS}%8$Li(zUWzeUi;u%e>SM@sK?RqJ=G91Ax`sDQ*|M{8|^W4|$3cTwe zH)_9^KT~H*7ItYWhmacqy$mX?MJNAlH~X1g;J~KdU*F2aB*J7|uJh%DvHECm=}PKei+e&dpqnuD2Yv zl)hczBmQSfermX6D>lX_Av=+-e7hWEFQ0RzA3{b=eQiuENO{ z&ZVsre0TEilXp=`ae^PmrxYGtt{+TYNi~TxRpw#!`I9!TrWEHH%U2!fuh0&-cz;l~ zcY?_$A_W^@|F=kP_#F~A(7wZLj}R%*PS&_ZNS4J znZb#YO)vb;jMRt(2}CNC=;=Y1B|v6`=eCtb>cfc6llFu`zgL&fK-r_(J^nV?i)C_$ z(X;cb^}t)AIHwavT>;i&GuP%Igdb3^%lTA-&V+y{?lCrE7ohjeO+o|3&Zu=KXYdjJ ziC*tphF`fE@rqbJr4i${hQ1o0I4oZ2+L?JEsnK3@I?m%8kB=UYM|#yw2I-;O#gBN5 zxlhdM;hfZYr_G^{L$5!tbIx8H;&ghb!Feoh{8{8gRf1fj_@yuK zyQ9V$KU#XIeiR9sM$=dmpd+#MYc$djBQzL)kP(rAXgA`poqg~FzH>CdgBx`_`!3G= z-h29R)@fjwUIMbp3Q!w7JW+Z$UH?kgKbp#5_07O%zmFf{Z$*SIgMKki+`S;oUf*dk zp`mVBRWhH0sfG$n<+dldQ(zZoSFGpLqoq-^1T2#9YFWA6TQU_m&=Ap9BV0G)3O_*$ zK4_OxCNmX6P2-_Ltfb|E#|DVCx_bFee?+Nff(srD-oKc!&PMxO+~KdT9)j$a^4M>q z?(^!^xA?+hVIx{5G$*qg$In=+uYI3quUq(D zl%Hv%`)3X`94^=HHUB#}ZYUX=46LB~hIx9S)V|#<_QDa#8r#fDLx`|YPow8HKktBj zU?|v|p<&R0KMJkY6-b;7mxqrHoP%a`?CW5+hU&d3!0En5*RU^0yqt9sE6@x=MKrPby3 zFtaAh4`^_Yy>vz;N$A*Fs#_b%@ln~f=U=9%FDt$;x3oSR* zn>qB4hu1{l#?G%R)3`QT^9WR>eMrm%&4En@?&`R_t7!q)OY?e`*c$g?>6J_c_Xzze zT=v!H;=mo3fUph(tg~Se(h-ukWC?>kP-q=kym)w|RUg%VUhJ`#+>krm4$`0;CniPS2rUnon-=ihdl-m7G@>l*wryRw8fp}asQAejCqX7CaPj*qGJrQ6 z6Qg#8m+LqF;TX&d2l?sbp3xSeaqtT+2;#oMJ%v?WB~M2d&YH`d?a?3|xq$6R+O&+;5L*qNBcj}B+u_aE zYA{F7fus_C4{09u-m&{fVpF(htED%oLYVo_g-&M^uEi{Xwf>U9nF3pH-Q>lN zD}oKEPq4%XbgAe^O>}t2ewkv5J(DCK2uz4?*QjHKC{FbJr&#}dgx06?PzPIZEWI=- zbkaf&^V825PZ?NZ0Or@B>oC~GV6c2Lwv`mO<6%5Gc;4FOGbAa5xfP|3rThJI>Fx@l 
zGU}y+wjPX?bBY_)%ZY+r6CD2LGCVR~*nxe$7C)1(al9Af{A#8-HJ|T!(>4GY2>ahi zfr0wQnij@tzFL-c?3wHBw8czFY$h7N=H|jOa{BtA+j`dQ`l4;6FVOwv8WdDVj<2Tr znMa9me2#j^ZAnV~Gn@%ayU-Y8TXK2Y*Oe@=rXd7mGaPn<6}Ifr2xmBRc7OLGxQXJb}JOE!AX(Tpi% z=g81+d)T~D{G~<~jW-}LzT6GBwYi=s%ZL0;*T%vRO)Xy+r|O(;{`G{eKam4aEGC4W z(MIwa{BihqN)eZrjz3GW7osBjMcxEe*~FmDjMWPm*{e>ciF_&0Pq%`H|EMbxjWT5# z72D`H;p7D$ag5x#&o}+@g3{}IOSo&iyLme#I1PomdC78zxrmFT{!ef4rYWtU$X;^X zj+3>W0mZqUZ?u*M*vJHR=Rf7!k)do)Y4fo{vw1q9EOb;sjeNx@`sN`}E8F@DBIXbp zzApH8#Oj{lEhHn!>y#f7)WK%3Mwn49u#g&6S@H`bq zYKsAosYvpdnw9W%Rfey@U>TD|=JLT-J}4C*FP=*0?bLYG(+vOI-30lETBVAL5$W^- z+`$7}A13jsJek?#wqPSTs8tm5 zu)+RP{rQms(?>!Wc%_z$k&51(1Lwe89Ljy>|3c{jGmUC&Zh}qFnw+Y`$R|y{Z$uE=o(y?^ ziN_1sXzT$*X|7qmJSNUfdKEeKK7v|N2ywm)dX9({_^2XuSQ8oJg>7ecdT0>*-3N*D zlP8wlgkV$VZ((olPLI_y+@cCpFz~rAkqcUPanttp=sZeJHIjswlADbSRf4cBp+Q}g zl)Hld_IrmmC>~@QkW_gQAsdsy{Sexb4MDx(kd>?NtR`qN@b~&W~ZZOt^M2 zRHh{Ax{Fi+PCF!+zv#r=*_ZT(<}KrAS+{OdU$W)O*r1*7ML13l4Oe_kDoz73)?V#4 zMy(rdh4UnWp%N(@iUNI2Ba-$Xgg)4b`|sqBA9^yrygu&Q_KJcw3-O_I5(9rHB#~>k zwF8=KWRYa(;-zV3F&9WWT0h5uAdA6R&_}A04EzXspf#CbRruDzg@azAbz4M84BBy+HVKdqar}sL<+zKJuI;YBB zXnhxlGpG8MsxVSCGG@Acnl1)#gXpug0zrL$K>Vfu#0~YrFZ(U@aBTSQxEygq+(s!J zs;Qvk#*`ZCf~L2M9dMf+)O4gu{i=0#)gMTkH^a4_tmJbO`vpkSkKf=O7hbk)-V4*D z$1U=sbM143cd9f@9GQhGDl^IYBL`GmobMFhG6J#naDQwY)Nw&o`AcYY&$IL))^Afj zlh!J3q!hQgAItPa8}Z74ZMc{PAf_fyS{G407T&c#e%f0^IE!8Q)!_~PdvCgm-@%MI zef9wE${eB#%TY$RjvW1(tD7JV96&dc5a%<=@4%Vy)gP@Nitx~skAK^F8z0XIsR|D| zJXLs`h28%~cqTmX9=x>;lgiQ+_boBopHi(8d${1JMbIVB)1ah((PVfomMO@$C5m%i z9d*VGEAa{JzQ1KOobtoIsm$10bgdPBTT55^3ZQh)!(7m(5NWn3;$o9)eV73n{v|M( zvW;;kUDwPEfUu0>4jd^q?PO16^Xm^=jc%a)`$fbu&gLGo=+bZTyUxXEpTLJRUzWlK#HG@F(66EmKFovRS0pAtH2!dp3Y zJ0)oxGq!%0PB6!RZgD}9c{llr%WX)iTcZ71<(TvdzDBOX2SL;Z(toGrBjb+E+{JM~vqiXvm$prL_+tu!J9(d01~Lp?vNK z)yZ`w-PhH0C$Zf^!IxC+#Y{CCz`yKwpn5b}w0GZT}hUt3!$kr)jvLBJ3mwhnyA;P(`(!5l~#j9RLkFEED-Y zGoe(Y`Uytj^NGbV8##3jN==(ah;Zyu>S_tCZc_1GFoHY%C2$P`1n-A*$UUFbQey&l 
zZPZu|j0C%-aCVa8=fpQqBt}?cGTZ7zuNk++*#)NKCeYT|zaPQY$g$?i%kGdzg8VlIwl_B(*P5#=rfz{g71ZoZ*sRb4THkVB!wr`d?AjE3Nm{`d<^|n z_&5yzC}hlA8OF;G+r(cOdj8Yke^_(Rh)c+Snie3#_LTTN9TM(E(s5u8j#esXb4#9Qite-M!bp4zC-PZLQ1ThR20glQY|g_G+HG|*IEL5`5W#B^ zBK?*M^v@B?gQ>v54cO9pt)gr}OR!h-{lc1Hw(g-U)*H~AqY;lCN|lozFc*yI+y`;s zs9=SDS zg8}W9bAei4*FK~G9!^Sq*|-Vi?@8McPPoalJd3+)SBvBaPJ$ESa;=XJ zKb}RONW!~G)(rvhZ^s(Yn`2<4R+37{k`VbUxdVhg_tg<5&(;1iqDLc8k;hIB7wHSs zLe~(M#syBWerQ=MCkq$>IH8@Kb=_=f3;7?QcP%zI!_sAyzo=;7?7$`aGGJ>@$;>rr z`@3AtjcvhU25N*{z2QutY1aw1Q}!aOfp{5P$qD||^zbjl{evyL^nNhowkR3$o=&I&$)%kI{TC)A^%wauOy zpM!u3`_jsG-Q1C?i@zX%?;CR#>g{luwQHbgRI8T?5fhhx&gqG96n65t6WGn<1z>~m zU?`>h`7^?;r~B%>OndN0d6$OeM}UL7u5M1p&`~Q zp#Gqfd{8Fj{$Rzv8ki4BJfZ*Ok!FgLqOJ3?G*7TQ3EQkE9S&+v@902a-C*VC36Oi% zmDK-at^1bWM4X8ggk9*;oy$icLNMd$2E7uW^ZtHHaXMC_P+7SK5KW$9`oaoacmk+qL{hi;ZsMN?iidU!gF02bt6)};v9|V+UC0Z|lx1$Q?-BYIP1p=} zGCW#kCT@oE#Yid>Ff9*Lu$0(JRH_o?i=q&OgyOCPJ64r`!>q4F5DxVr77c6D7dc8Pof2kro2B}gBxnYT+D(g0-8I+avsO?wQQ&G zxvHH_c!}J+k=yedM;vwroZ+%`u}BMZzPdBfL}#c(!c3g`+`Z5{VH$`{*%#>ivL zrU<%u@kSGf$SQ4cmcsuk-E(da!GZ=a09@QzCd{0_!c5kWMm?Ab!Rq=x3k7z2rMX_Hf`bEJ7E0Aa_=(d#fJH{F;0ES?Y zo+Uwm$jQP)=qkqLY+m*;h!+mW~9Ngl)V*wgMrk4z) zLrPt!kmyd%+tjH@MR@g?%VYOo=Dxrp^Qp5;@v|+I_?vg z<__v>jA7jZ(pXqPx^a~@*W;MW?ZyUll%i{Er$aT4oOr5fCvJpUz20K-{L6RJpJV$n z$hmo1g&iaB+|~7mS>%y^!EGPjzN>R%Ha=d$Qs~dQ#!DQUt;DRU(H&sm_8KvPiN-k& z1WOJ9{o16X_AmbejWn!L_{G3qb32ht`d3&y^)`nHwC@J3~DCTx^~p96rj%71rE<;~yZyvPa^e4H}EoNsi7r46%$ISyU`I<^VR4=#RZI zy9$gd6%)sP1R4c~i;xJ{!xsY#E_f`6;AGrN$NapK4jI~{%v29~BR(!}X_La6c&)r=-u`)VHKEM0WfA^9#k0NKBr`#&D|3#r4K#6akhax+Wu3LOaljA5UL&2v6-x=4Ra%cUA#o}% zwdq{adL2EgIy=Fiq8vuh>fr{y}|A7b%1xNp7fhsP9vXM#ItUCeC&Bfky&- zQH?4K0}t7m!EW)gWX{y(a(l-o6`mH{Ap25N46p{SUAX#B1J5MZmM$=~%4o9Ex`kWU5D95H!x@T6HZ`IR|?Kb?Tt5q-N(N&D-4^{ki ziSo+)NKg1*dkcErMfKoZK)B#Uq&Chv9Y0)3Yv`OT^`FBS%z$<12wGu!9&mdt5e_H! 
zmywE#E`#qv-2v+*uDhbHE_l#J7>g63+}#MY@8QJ-nu)tty#3Ftb(y1jFE zYD!!`BkUa4Kbl{Ko0`I=H$pQ ztfhm~KReyyYBDY3*r}ICzb!^hJq#9^D~*E$LnSh_>$kW|eosIGk}cSqIZN~z_QB2{ zVr6=29S=Y&)zyP;V2gY5y|S{+?iVvrehg(LdE#q0eKc!qzB?H5vdVauw6HMTa`7)~ z;qYv_(sD&z1;OcR0Bl=m6JZ%H#k8ZNE)qp;>(70C*-NxU%q0mAf9M45v%k z6CWw+yl=(RTx3foGYm5EmX@y+)AA~U1UI)0n8GW7>{zgV3gaQNrD>q^49V3W=uiPYe?(Td`bBL{pks%e(O>VO6Vn2{U-DaZoQJ&TsXx&&K^)y<9BRIV2Ci zu_-c?nx|ILH^G*EP11KXA-+@W1m~4>&tlLBhKqB=Sqx^X8NXeQNq6}BwsYho;zuQP zPs|ClZ9k~Wv$U?IU3NzeL}#i**gWiQy{>m1D>ZDK)Bju;(g4?Ho;n$N6(27&9ASgh zpy!;w%&ZOHr_3|KqOOm-nqKMM9cw)~bp^Zfwbpz`ntAcpeXE9Fz1w%LbM(H7wpGg1 zm7@e55hdSrS)b~14J&{kl-wO8sqsuz!591pNl4IXuSJL4B!im?ThwblES;e3%~aDx zgtBA%2e|NSW@Q|&pO-b^+h2XjBJN^Oo?6uE1@BK9UJ!slAb;ERgTwtm%PF5mXj@s1 zr7WGvza7WwhgFNY2``!If`dC0HN+8Ey;2!2KbJfI8$*!k3-%Vyf;Lh$WAui`$}q1n zrPM(UB7i>g71Ks>RV{?(yfus4*xH^){XWcs+L!J~9ln9Y&Ja%Boa`#R)yPewz2W{G zY1d^PO)TrM=<@nm6Aths@h3J>la=B4o7>3uZi<1uO8+E=?d<8npGh#iox17hMgGIZmW5;in#LI6(nyZ+8wK(F(SHR8_6*Boq7D^5{Wxt zFfF8we5a0vt12$*4;~4XW%cP;&l0}y8YU||8TjJV+o0Q+(*>gs_3>vBl@%n4hOy6zk0rd`lCzx-FaqcFmd12*hsS;XWKled828M z1?T1zD{t@D+w!O9zduh~rVYFgPhF)wED1LStJ$)$ulg~0stmn9w=X8IIlKMy2JGvE zVZGFgLh4wDGjTiFsrKzyTTCc%dtQyx1+4QcV^Q$Y-GVR`BS~UKySNUh=(}J4mebSD8z|zptYQOcHwwU8xsX z&Tq%%Tj%+7M=aC5z;*{6YJRzSTY)pjvw4B(F(gIQeq-XVvP}i#lW@zAgko8ITBJgh zx#X>W!#y~73G7)Ky3YhW>W9B!?(!nKJ@j16#aY!{9NFQ-Zr+SkQvG`i7~m@Ufq#XL zodx}0@SyhtsY_$pJ+Nq3^6qxE)`I2RzR1g4AiYcx>t74u&*s{3J-2jdjl*bU;Fw9uEh~28pOIOS+I^FGvP`KsHNdX` z*+Mo8gGvf%Gd>{&XA%>Ky08}L&)s{>yupgDuY$zfI@P_JO=_F$q>s&Y)v$&XhiSbd z>Z32vRH{zdmUffnwMXug-V*g7hZMV2>l=2{RRR*_C?T%Xyy0kG!W${^-4h4C@f4t= zZTiN#d}nMGQKK6%n+*t*n}(pdx{Qac$6OJao(9Wh#Vj4W7dfv!IuU*096lm2c!B|$ zOStbjO9O_uY$GL10&LY|X!!CHmDoKuf*O^!f_w0QEPxqsr)r(>I^I3I{$*uwX-qqS zBT28>zr|p!T7i9eWm7M4Z}mM}Jp8`**}%xOpiz^73S*7BiYX}2Kwp6&5@Rl_C=32# z;w->ahtd(wsfTEv6nVGlV^y}%)Rw)Ko3JX*Ebx(YhU;O#KMzHdl^JpCeSER|y%FR{ zQBWmg@U*tF0;Ta4^Uv|%HD@E&Hqedd+|%N-9A#D!o{i1|3_1uZyMG+spc!&IA9LWR zj%FBwnDAz^9WZ&83n%{$NnFY#Q&q> 
zozKRRp#qgSE~9%Jz_qt(-Z~5yxp1XQ=z2YMn8gA#%0K-Zf0>$f?K5>xH*x4`iu#ub z6oCTt1Z-0!bSLV6Vw9Al@C$qOe^Kf{R(T_1*R%~=T+M?cz!1As)%soOuxiTwPY-P# zW@H8TNTN(P(&OcZd;>W)@swnygF{SFaSvF!>q~@lI0-74BRhqA0g`BH(oqhvukzhD z`&CBE|8@biWv{@jo(OA*wM^JOnp z8F_biPb{KzEM&Hx9c)!uK0K6E8{%-nBO_NEA*{qx8eygtkA*detu4bSD4H1@qQ}SK z^Kjh&d{MEjwh{E|ZCzAG$>YnZQ=;Etgy71m7;8kP9P0r|OBq(B;%KZ|0c9d#Pp|bm zjtuZYAD_Ot8QWvk^6FdP(dSUt@rgF#7JLIy52^a)g|4OJh_eTRA<&-1J&^{Jb z#|spAw>VHaIPXN!i6v9C`@m%8-wOPTKOl>jp^@R6z=qWMvp-?s*}AEXkE}KAGO#sH zPmG?-BkeMiX-Roo=`RwR;2JPfH0Abf4qQGR+@%M*Fv)Smg=o*VwqQ;0d9L43!MEjN zHxIZK!+g-TRj?6h*ds>SYj`U1v7CROc~l?dj6WvvOP9vE{@syGj0)HT;{CauBHksxvQC>9vsSq?N;embn-H~AE^g6Lj3|7 zp9I5z&Af_jr2<`fc^`?VbUrQQFUyyY;P_*ojh#-vQpavZw6f92E$rxR#2`@dh^~VD zm%ly8o^c7`dNN}w{q?7Uk{>N-sqfaffqJ>}0%a1_|A1F7`4=5X}0brsV%8Aa%v-ayC zG{JuIYP`a4e-srD)>1Cs<;2|nEM^yDI~L=pFa^; zG?67K!tR=j@}-MY?`?ZmGMlD0k)enj!^|zLy3buGl4JinB50fpZ5rzpU#wbo0>JjB zocVHG%qwCE(6F!wHH7$sC*vthD4Y+{qVofK7iYpcA$)K$BD)!Xq-Afx-Z^*gNXY;? zIDV;?T02BPj*ZD&IvL_Kwe}{sTodawRq;naZ0j2MB?PI_tEESCHZG=|yBlDbb%^5e z_LKiUGn?e#TGj(ykl^WIsHwQE0d}f96r`n|6!(DSdxOy~Y*pT^9M-dRkk^U)^+I}X zB-csmk3>-KG_d5#3{zGQngB@|rsKPy$0bEl~h%}cDQkUZTimbo-+ z@$DE~?nQWR(N-d}_S23`jn--wTA9{XWHg5hFHd<8nn3y3i8p=FYVaPP9;{YLnQO~Fwg z!&!md+_bdaL{DoWo59x;mz7ekXuH~YPgBNrMCm&w?-)VJB~wdU^%Nf_c5TDG+CcIYucZTXX4P;gSymMIX7lMOfmGxthU`Pw^N7{~;7RS+#H zC4w`aYu=u~y`Kd1oaE3#oG+x=er(E?V?sqONZM`LnV|BsJ-_ZMoceaam!qlc#$bPX;qb3cN*a1^OOX`z&@zzQMX{ zgC--Kl_i+;oK|VJVz{y!Hh1_bKZe$9`qlVkspf?m>UKWyc-#Y};vby?@+mv!e~ z+-?JU!?f&9&JqJFF=_I$i7IAnEjOWKL zdz|>pB}%3GvsAQs$#qIhjr$Bvo7om=D>pf+;&`Zl+`P>WQ_p9B*c|;dF*KU?F%@$+ zG`4LS{6@76*9ZW)tZdFat|l3B{^4W|>JV)|B$fU+^jzz$`ZT-iaB2)$jA>-)gAQkb z3wDL+$K`l|?~Z|^uu7!-eODEvj_Xhf%*`qGnNO>IXj|SI=syE1)H7zo$F0gL+Ats3 zs7K1tA&HBW8kvw4lVe9x_(e@E;nC3~qnT7;*=ubIjh3&I`CAT}J5Bu5%bUFmeSssg z@P#xBEn)X#mnNwo^_rPZl{!p=qz{gaEfF7*T7@7rKA z<12j!=(DS9+KS-SiuWEJZFuQ(`5(gWd(rs_d*0K`|6LN=wTqUgJiEnRzwsLfFbcB4 zW<8_%!cBNZ7QyS*R&ko7V^?O};hCu!K4rHajBG#PjYZfGtlyB0tb>NX-=9@b0=S)7 
ze~TEDp)PR$#;!0+Vut*aIhCvDf~mQvs{-Kd|ahEMa*yJtw!kCu{+l)-BQUjccB{Ot-CaOedr0-ID1uP9j8po zGiY!Ivt5HK$5b!0J8;u{Xrj}s%L2pskyn3D!EV$5RGsU%$LY-2B+hZq>m^v5c!BBq z%K{_J?wB*3n`w4LS4TqDpQcI#T~vO(NsPnnv8))hE0W!VKn{wnJU+S;+M}ZC{x>w) zZAtbJ$~&fE@~!;U{>C_F$Pj?h&w-~kQ)IlI0b>YHNVqpksT21buEeV7@zwo5%}(`F%MXn)}ExeVTIiBPZNEY5GA zy^T&yy&`H8aB%cz|CN9*vijP~QM;13Mv&yR98Vlux0U}Zq45PPXVr@)>hC?5fwf-! zznAkb<7oO$q8{*1e*VvNoOBX$O@Xnr8{*PGru+e!N85i<{Q)QLwrk95u=KGJuGt-( zI%{ZwkS8;XZu9TQZd6R&s|%yw9T!M;+kixv7qXrEVu2~bosFeW-f#hP;F_!&AhPe0 zzR;DYOb=x+eZm{+|7z~7qS}hqaP5{BXmOWfEo@u@r4)xkAwY2`QY5$(mtw(+yK9l) zF2M;9ym%pKad-Cs#ZKD2Z~vSB=A2w5Vs@uJBg)ID)jn^H2UO%p^zIu8LxN&;|Z( z?ykJQlozSnU_puskVK!!s$M?luZ6JyVkKGJj3TZFECjj4b%}Fg*K5MG2gPn)#s}I) zotCPGv9F?s0d7sz#U0n&1V<|JVPtP=+xrkL&Wh91Q6|7wL~SML?6efYVXXlQx#fda zgup@TFfabIgtHexQ~kc)Xc(^Nyp(vrS(ZxrlU-lZ{QM<=HS;aVqdj*tW0^kN)S=S*M>xr&-4^f#?2wu*kcrYpUH#jHtMYZ_ngYg zGyy8t)I;#c+K~CrB&U~W)1gIkNxK7XH#Yg~HzzGE2{d47*ttLqYA{4?DNi7wu+0tc zLzpFpxOQZB4_`mjsw2qT|75p8B=YzO-=5zye_N}wcLakMBd7$kYGy{;ggPebU@u0H zfx+n5GUEPhPAR-+=IANx{6HILe=Wq@V~T}*HF22{`>ZSJ$0Con;fr`7_qFY3J)g9T zaHG3$*YkK#=BozY%z;+4QNb?a^FEgk($2iVs|y)(k7sD!)I9kKbQmaSXByAg3;b_A zTiuMQyli@+=c0psFa3PDwA&k>XhlZ#PUYo|F^)fLK{Xng=^1;s+hh=4PO-8^&xC)Jp?et(D(cgAA6`ifGH}M<=`; zKFO4e=tZKs=iPiH&;b*MlV{zes#T1L`jCi3iPw(#(b#UAImM-fboL_>nsT^9Yk~3@ zfh+qof`f5B2XL;^s6TGF9Tz^G?mp6`e}*5!RR z2V*G!BJQr332u6t5!*#>s>f)kXqhAJ1}FiY%`fw79gQ|M@FI$h(3fmd;BE-k`gY-_ z4lO&RJ&Kmc2x0Hu&5@(oEooV4+AMMRH0LjGEfCkFVUyHxq(Nm4kY{ZAaiO#c+>gi5 z-KTDtx*|0j6n2!vVLA8R+(MniwHO%bBH&kGg#IWx;{|dVW=4Qzy?@$|FXJ$LLJ?UI zr^adYZ^}#&)I@O=X!luTQu)xWRb$v~^WB&ctSK_F zgSX4=e^^Pc07BtEx!q>QB1rHxmQLHEb9EWzyMndky;#Uxi-ATFibm_9Q!dl6N`9S0qw7nOgdNcf`uz`R`4^YgFPM!Yd^bx8>Xs!H?;< zpXz{0r+gCuDH5SavY?Bj(whaP>p5h28r}|rd&TX(3CyfiULjYDyl?h?>>G?~|Hz>5 zcM4AG+p#m8jpn97U$3hYJA+)m4PPA>y(um(wMZ)Gj`&)hd+po6M=WQgbaLU^5mMW{ z;u&6DH^v2C`k1#!_yM5*vUP_&;x(ci0f2S~(|Gg`S9UB$;G1k^%YOG4J6;&ku4Bdw zIWHZvnJS0awu3)14N`(Y*1FON15mndhC$Sqd&$$D296ot)+9_UM{HcO?GNM|n(tR> 
z8xW9tbl7fL04&A(ToBhE>T23OT!Jok_FIHC27RxGpXBB!?!n#FBOLrPh5}nFCj2M5 z{XtidcOFGCWxyYFBVQ$4ky*R$b-h!vsP`Un<531j-3;nNwO;@HMTMMyZ+zc1fAbm6 z5L2ys-oO3!^76YcyzwoXjnwPmuGhXeAt*mcEpr|YXHDI{X#^R&^-uIB`qnC-N2fgW zI3m5sMGdm$$nu)sr-=@7*K#!SKp~CL9$!w-54fN&WEg7OlF9w8X2{FxbLK#`j?Ur_ zr+uFnSXmc})gy-!w}rtzGpAElH@WX}+t3DUL zSsQ$_D!|Z*e_W1GLo923m2p!KXzd?AEK*}m)G&70J>9KZha3$2^nRKpmF zt$W%ZPXhNc(jqNM$RdVkuoBfg=itwE%(BcY=%?xrhgFbv%g&&r*#dJpg>p;s%Fry# zOhD#&ak-R>-vePnG;>=2uO zbJ&sA62MLV=2`-jU`3)VhCLoU^?3qwM`MUx1?uya{m9#%f3KjNNW1IwxFOSn;;bKx z0&Vn7Y`du69+_oiRUTs+XjxMij7A6mmQ#Zy@GDghIRRAhXY!y@ul(#9JU6d|$R-;^ znZZIh`ZBF%3Q?k}F;}`F7i1UENNjB;x%50WPBS>;OlYCs^+$`L@D}&5{j@n-z}5&9 z-^4iPbs$*K3O>m&jOy0eWXXvGY&>*4-9CncpE7bdtG*^8E?W3Jz@|4m7J zQMq|p+8yt|DiNcfT;seu)>g|(HDrGn)46!ZlV1y1u_*&#mchT#)3a?Rh%hR8JX?%H zF|7OZUwiQsVRHG})1|TRRRd~?P>i%UIeFwcS=NeCCcKc-TogzrW8TqNTmm zvca}cHkJtlOL<3uw?6^Rkr9?P*&P@wJtdEiE2r;h)e5?22M^c!sc~c!D^IKZkQ!~j zb=m0v?$uHb?;e`I46bl*8Mj=pLB*twMYWD)LSRxU{5b>XSM9o4LD#RfysA0r3Ys)_ zsP?0T5y~GBEXtq9wTqL<7h{9}fb|xb2_S7sGjTeBZsx8ZV^HOnEf}rx$E0dlYgxdd z<1?v0(wDe#N%&e@1)A0zvFqbYb!nrcqoG%{6onu{&&v&gU+EnUIn(We1r%;d>b6id?w@U&^M3dQtXQU2}9S_Wf$c z`bguM?_^d)#Fx_Iu< zperZ$hNuO)nQ0VHciYLaeqxx7XH`3Ub=f4U8Iq9Z(p8zTpj25X>d&GA7oFa{AhOE*j_YKWT?k&HH?(al7 zy?TPrDG~`YB#)Fo(dt_QWtHFrfE&((^B4=wJhwc`v(q*!RG}9YhBWVMGn{@%Q3|N> zJEzu-zk*luV7D?XPO*RMsRDz)gzqh5y`pM*rvSO(A+0xlQf=oX-ctXQlQWU zzw-tk`ks=|X#usQjk_rLRbwEAoos~jAJOjhly(0=9;E#2X3Hu%l`Z|@>szxQ25WMZ zQD|_^G)7h4CJT2w0o}On6V^<@apJbCGmWTL0S886O_oE~6#+=*Q^t*6tnqLRu8p&g_HHtYrMWeKqNUJvSX!cTm6AS_uyS z9QTiWkL?DID58&h?xSlCKS9hFP04(vBfPE5ziZu_$7m1S%SYCl$pug#D3;Nwi8|-M z`<-NWkN>j>KhQaVdqA{5tZ$yAi3e~f4(TEy)8{rih0bn{CGFlP7C1J2QSg~FU-TO+SVG|MT?gkEl zW^9DGJcbaH`59;WD&jxZ-M;j24>D~gzKhCQe5uB@&I|^&{uN*32@Yo@hwO#EP@*FU z*1$X;6CR||bz+PCpU~9kCZG*BVfb)Mm9}+Z$`i!_N)ScN|!G@r!~e z7%~RYt`{YLuhft#%z=ftcX%#p?9H8>E{>OoC*liFYzdZw9YRE^uIKT{>|R+=&$9y(Mm zOBY>A%!&cfzSlmk+o#g|ypHoh`qi4W#obkHVoL6t<5C&3yaa6!SC$g{&Ka@JnUv0& zF$!3iS%S!2D|NMKL1M22Hp)lR!L#r)O@n3^wLUz6-nZ!s2A2TC` 
zBrs{9z}-Y2gUJP76VxOEylgn7IqimvxtnPSsbQB@??ZC-bledy+{&9u==AgtPkzO) z!m{01jzq-qTzWsc?8xDVA`7btO5y9bg)X_yHc@>kv>&N^9>Q~0_q_M|=%` zs`Wnd`&f(!FbI3Bug|uQ@^nxtqogy#CS5#N2LhLDOVa1Jh7RQb5a>sAz09Yot*wW> zN>>kIh(E@!fOqt$v@)7Jk*f0}33p@>$yQQS7Cvd7aw0PqB}Jis8+TqAxcZl~h?r0( z{(1}M=o6GjncTILS=afLXPqRRFxU4P6g4fSwfjxbBXcgyD^kyvF5YtdPYX)7m9xag z3{_F|vZQgP<@gzJeAJ1YB+?V(q(wQdW>VCnbwP{K_ZNZd$GTzGz~1!a?%_%GlTE^k zHlLAqOlZ}pD(Vd9q4kFu%thh(LWa$l0zPTEflU zb{qdV=`Tg5VjL+U_dJl!A;Ed-u~eWtLE;-y7k67lp|;GFKpBACbJLfoJ+Xg(9?IWd z3SMvoaxCej`=PjRt4*XOsBwy6M?+o!H^mJ1(%@uNU4m=QewX!i;}F!AGO7nsNYl9# zX6^SNUwlv{6+KVjaEUNd(bS087h8%c11*GmEI{txe&MVazghK(^swSJN8_$SzBM=xJsHS1~h9y`D)S#s19<^ z)cNlRcvpr)X%h4`Bj&}HW12Wp;9SW1cP|8YOYGR*&y zm&)@(f>pE99gk7M-cuFA2G#y7Z7{|56<%JSwR|58UHEZ=ZgCBMy5`bKxOo_gOI4dx z9KE{{!p_{AD~|~%hc)oi>Uqg}+;DA?uk?GaZ6*~371Yn97zD&r?)c@?`ney3Oa01R zAVf*#PdW~0Ly>%~M2+=oLuP@h`gf=O8ML7h7auMoOiqz$IHq(gT}u~4j;`N0C=C_mHwZ)qm-OnaE zr9~>qB%kxLD+zl@x(G>H@!xM6%9h9cA)TAlYRH2uop!j39{|ezvl3{6dv8`2aeug5 zd?{_FGLQmKR1>`$8$z&@boxbNd9^Upp%}6h2`drdb4>7NHX51p(kXUFOqYwU#uluT zrSU`qP#8P^j?1~p3`Rc5 zYb%n#xb{vU(!H-X{ZPztr_w5}R-9VQkUSLeyi~i9W|x$uxV*3J!pW;yl)SY|l)JPR z@TrvQ+@BX8B!!fk!)CpRXD=};L z(rO>rc63aRYPmA2SU#I7{`I&@nHl#1aChMOBjiPeo;5!xoqe~zrukIZa~ANmAC=+D zxGO&gOp9-HJcryJfx2FqB`iAW74+P{;;Ee1Njy7By54ME)- zg9UWxAypztN`WfR&%dek!F%?}o}%_tP(9_xm$t{VSyJfOyz^B z-}>HQPgYgve$!>QnStQhOpE*dD=u&Bvquq>#8Ie*|2wNran_^g2H5HOGp4u)_P;fu zi52zb@Sn$4TQh6hpt@Yt!a-zH`DNSxKFU(oJx1O~KZlrwe{_CpQ+fAvSaJA?^q#W1 zT0}CUD7D=ZX{M1q6eT{E=EQw`v;HsfGwl&0{61$Jm{&7^*J?L|37bvDw^W&qtOZ^h zjuos{HLrP26hyx#xV?IBYP2O<_C(9`-0#uC;TO&Ii46)~me)5tR6m2NM2EljaUi39 zBV}RR1U(N3{g1XODhC#LCqIR^gX&6Vd{Jebde%&T!^0yRvR>BXEA=PqSC4fw`z@#c zD#icr08&Byer3d~G(V;XzN6^){h6qRE4TY(g|p;4okvamwycBHYJ;R%M;PaS4{i5*LQ6m<-yatTiSI?Natlo!Li5>fiM%5EHcIU)>I?qx zgE5AMFZY`Fu$AI=&CpY~57R2lKK#cC!-H6kPw{p-Osv`|p4F288IIZsSv^g#Gcs*P zIme0RXy8pAoy!wrpZg{>__4fUS-j2C9vve!_m7zWJ-ri8`QCO6<55*c|NP@Y^F16R zyM|C%@x{+A>)e&C57pv}&c5Enc2ty+hv#_&fHh7?MTa=O7~ODaNA%4Y^MPAKZC7xa 
zan(hQEMu&rgc8itEA-}im+R!KKcqejO02m&PSt> z2Mq=lAj60Erx0lzOM;B5W0b3L)yWyAW;eCfH#lhJm;dG#M#_ypyZHL6I$VSL$ezVo zO2UjdytFCikz}%UZ_Zpw#Px+7fL3*LpLFf}ZC^E7yfV%CUE`Ze*Q#CwKT>AFQq>0SE+h6zN~;bY7aB}XJUW2T%y={~)Wav&O%x{xNhu0i4<3lS zc4!_bv-jX6)T)VO240h^Oow_h_cEZ|31e>ekxBDTvFe{Ay1$SLBv6mVZfZcBLDbUc2bJG*YJjT10#vkDMf#}mwPa}=?}RdqBt%*#c=o4Sb;UaP<#ZLx|nAuek}H~C*HcBSwZSpH_g$K zQY!x>d4TZ&&(%KKh0hzBHZG=W)}p=#WRpZyJvvicdJwkQpmcWn6jXC-%3s1Z!U>f1 zz)FQ*$)b5HED{&o*pOT*bU*J<-v}hd%~>%0-P5!58M8i2!aNH9y*d3_H0jQHzs^OJ zQ{Q!^A4_p|ijr$#a!%i~{VM(zlz$*Bai7}V!kk}f!lC)1RaD@%paK;K_p~x=hLFL; zo4^-g^$li13heVRaZ=;9+5~p^KKb7mU$cn_Au}tDsmXspCcg~?&*cU{ahaF|jF&Hs zVEHL!LLiIZLEFqXd0NH1WOjKlh{8dW{rU*KyRh#1`tB;ME~X5uqMt?J`JW)6RYM5| z(3kj#3eQg`r$;&{y@M&G$A>`PCF6&P-{h+ihm6`ONZ-RnY#VhAYK#;6a{YPRL)y`| zTdB_$+!ex{iQ@uUh*OzfJm*^{G>~{2Mu4smdFn?L)hiV#fu_3t>TX~G70rOWwmws<)R4QW$l!iM7FH13Q$3x-6f$#pP}`T!5tIgyu4~dHiu+E-j7pmiXI(^h4#iK8 zm7Gja@)kefOBU!PS{FX%&`Ig+eU*C#Cc9f^Z@jIGdEG}z(N8+1Oo(?gf%-aCLd8(a zfhuPoToKCH-?W*xv`rz7W5MW@8YbWUq_dH?U}MUT}AsUp|w#I;<*4H zJ#K2!BCC_hxy8azF(a=05TE2%aT>?~gLvUO%)R|||N0ki7%FO(-B9VCaY-$w8)?Q1 zH%M16SOs-;#Z+M>cd#g-szriI)hA2KP^lr`#k64aiS~Vn0%mk(iF8FBmp&OCQ`E`p z_IBb4EjsD?M#_)s)D#(Uq0+=)69+48d+@+MN27+$$#zxs29A^3Ge3HdfcS6>9Hcfk z<8nZppq#r1U?ih zQ&(4}#Bcn^qK{i>BG?Zv4I29ICJX}(Z}yRCQA?&~%yD>^T6b{b*4X@(^-^q6wbv!al= zIGfJGzVRwc1uQ(xn^*`74?(gVSqVSvKy`b+Q2Qpn~+4G#}9x-#^pdm$j(vePz|w-m}6zf#rp75_ke;%&

      h1(nVaF~#ewf&_~#u~DPB<>H1_ll^C~ z#<7kN$r&=KXu)HfJv|hv!gZZ~dI^7e0<(d+ zs8;7!@d-%my!3%4PJ3Lcw170XV^@A3J%D#JA&=8r84X;QKdYC1%1mo86JLnJON!>R zx9gG`7V6eE*_p#><%ioPJH@Qafj<)#E+A1(^z*m%;?;#d~p&o z!fa&U(5SRE-M6yjl^soQPe`6Pt{k$*7rTrO zElwZJPEKxoDUPd&JN%qdDKVwZn(>2fLeA<6Y^r^FWmB<_QDp@C3nyKgmd@c;ZS=(E zesjG4#Jm1W{Q%%IIq`kCkn#>G7Px>kWTko7os(DxQQ+TJHgTvN8>`@22VXNyFRxLQ z>oh{0B)8{}WPfJs4$QM&P~#Q2u>{#hP*E}2rCdAPT$MeHjfB_%}|O>+?%I!8YvaeN@i?zDaQ zG-L5v#8t-n#6-_W+3V609O629YpN?q>+{umE^@Bdb(^2a9cDRG z+Y2eSj4w_g54M|^t4+5UY1Z@5OZ^IdQ=!kBJ-5rWIC^hqfd9T>T({!w4nPrL(2|jj z|58*l87)P+fnkRfb!mmNbXD_<5fZ8fn#>Rr5=sl8rk4MIFQlG5JY~tz!huos?ma<0 N0e>`)WP);FmSN$8LzTxJ( zTibRwktsm!HsSa0H!9aASPC0n0vjHpl6Q8G_n#zjuMr;pKV9zU{|^co8C1PiNGp~O ztwLJJe(VPR%ZN)Eq+JLS*uifyAW?wC2P%$cq*n(I%u{J|?%-^)$7?_F)0Bq#lAaEFmxmw?EQ((&09SX!ny1b^AG!5lg&J7z z?CWVa{{3+u!%JCZId_v6uCJWGJ-;1>kj{1L7q7cw9;482YrnrSY-~q31#Ci=2*z2q zeK)Z{?wkO*jC{2}xWITGYjJ0tY>ty$S-xJ4-up}!{Kidig_K~K0|wEbq6v{uQGh6R zohxo#P438>P4cYy)Yi$Zj{PKWEVWFJxJxap`Hm;i_(LTF5v2JY{n}yAjO;YG-|i&4 z{90l4&w&xs4xzX0BntA)RviN<71`v2N`wKKn_sI=+$@C`P5W%&;!l*rk`kRNWR1c6 zWWLWwQhn;ptbEsUKiNZSK0keghwT1aib8I{51Bu%@qd0c!+nn3{*LU(vGL-aAa2wa zC!YtFa|G5`jT1C|R~7zZc5h;fmZRZfg9{?jWY-c2jXQ}c3q>UDhLJTldtWaIuFu$>vwd^E6^cC%t_@Os2#@VEjTdvavwe(^LptkZB%z+&Co;~1LA z>phZQsSeP&ynfJeR7U0XX+v<@)XVSh8MS%zoeUIC%lj4&kdsUeadKx7^>anELuDBH zdS2P{5%27iUgc9cOs*-C@%eL)yt-~u-n)zO>#CXjBOY?)-_66+B=%3Y7bQ^HPZH-j z^rA=;)cRskB(Bg{3SOzN(Q(%ObaaI__0*cJN+z4%GXX_NdcOwud+xxJA zNkgL|_ZL@!(DPWboYjif#NqPmii4w+%NkC^Vpeu!gmM?f#Vb{JHc7RGz7zwmj~m^X zSoy&HVpGr2=bJY#sAV?1rMo|Y^|8`iXfX)OitB5^dKM4bWbjiF58>@LUAOjPP0UJe z)J*t!0Qot2OvD+LbJso6E`pkn=Fh^@aaLr}7bR|k%F;xgJ6kj{K7Y!tfZmJu(1`^Fi#&n{>t%{8^ir38s-Zv*1pjnAk%7mWbOx1I+H{LP z@|b%v7>ktW)12e(5=Wxp2JmgNNY+hYbtE2!1<8WR+=0tx-NWI8@O{xk3u^QyMB=WY z7NSb{K+d06R(S=>V_6kGZ`6{<4s zNPt|Qgq2h0?+Okza9Q#Uw7=(&6s0lh?vUh6ej-r?u70MmPg%86A?GG@G-Zb$|3l~i zs=)nV2Wt*KOg4q%i2?7L>@yW~=D`X)|IcJat_A$`&^YNys;~tW#GlHtrP0}v$l7p`su;AUZaI1W8yuu@IUZlQUz|sy8hsD)r9Nd@|3dJL!%UefGH>%2yoOQRIaqQ 
znA=ci6Z^0gws&&iOo|Td#l6pUa@Yu-S~Nt_!(vDx=KVkaQ<6GMPtCo4(Pi-Tq1*UH zhBY_a*hfkwL`~g-D#c*e3_(BfHO0rA5-m742)&6@?)O-4|0^+lE9TNe7t$~#icbpq z#fz_RlpTT-o0yWxo*98O^pllE_5R2&l*Fw|pIv4n( z(*|Z;{(Nx2Vs_jq-!6r&@~V%|#Q|69R_dWik`b4B80NtCKD*2^k|w6TQTX0nw4}5C zvB@HfYKH5|;&#Yrr4aGzhFwzwv?2<69P@(Ri+OGNU;ztQ#A+cojM%O!+$ud2Ux-Ix zxc|mGBAOB7GYRUi21)iRJLn#>LeGS-%ZxgZ2hP=&+r1bU#>r#9ixl*^ox4{H#IMkk z{t#`(POXu=TjG|%$8U%9#DaJCb(8EKCAU%K1q zzLpZ8_r(lQvnOm)=h+RM{!b`I_D@dNLd<%4>Mxe&Y6sBe{`gzJGTJBWQF~%^mE`d*bKk=C?Afy zbZ4URs(2jJO&&{=trc(bZo&BCQpA1tsY6Hobnt;dMfOxfcdB~!ik})Eo7aLIlt9f~q8@bXd*gC_ss6hRhfRRta)y8}qo7R%j z=SrF^?Iiob>T4sJF!fN|Fxd5KzaComx-QIBzLP%cC|6SxHD+~L%>K_Wj7uiJ&nZq! zjuoLSd*``TcP36jXdee;+@a}T-EF4Xgj@c=cnN0YIhF>IoIej)-&Sq|x;bO>wYU=?1O1oQHG_efd_M&0;|H_^+ zRbnlyr$x|4;csUt*S~hfXuqe0@Q&Wn@cDPWjb=P^3W!uK+V@?V2traWpX`ufJ6VdQ zxX}OL+^QC3hSwOrMslfv1+hu8B3SCTmvMj{4nt>$_9aqu5djEy7`<3k-f{6|UELVu zw%yD|cHJjJVlpSDPks8?!;8sk4Z<(&j;IJMw!S_i`@VFe z%5D$01lGmZU<6i^VJ|TJ3_2b?N_l8r#ga7UZ6(e5?X#m`JO2$o4+~=FH4m>KY#-ck zx*J~D_H*4#JSLjfDU%g>kGg=4JYh&|R&-IjD}~c765-v!xAxaly0yDr?E{BCtR+;x zu`UX<0Hz5n+Hbc5wtVPvI1vGV1jx64YA%5_SQd^Fm6rLxA6YrB?Kwpsx) z*b`s;vp`rfERuCn=G=I)p*DQ9rZ#-4A;chEtXN`bF)1=Li8W#kHF)KnaQ9}+(r+fk z5@~{2US#X%`{L>C=0si`^QOgOhhrxk=b&o;b2f%h6xHodE1c-PQaqC zB<9}D&+I7U>9(m)Hjq8{DkxTZ$0hDmwc_>>w_3oC(Fv0N76%3-e5vrWLoI`-$Cxr(P@B2SOp z83X@2s~cOmk~?#(UQlqm>ir))pl&L~qI}=kMALHumvcf<6stklC_Y}#p0Z?rD*MlT zTAi>JS}{{1g!G?jFn*xaN&B$Doe*83;-wmr#EoU7w$O|avC|=f_J@mC!K5nvpd_r) zsUIWQ25B-fPE+ZmD2^<$eq$ZR$lK|q4hv!n-h|Q*6 zTaRirk;OIj4O_Dv-CGwll}SWc6I`sXhVtY@alKW{Q#gQV$_@n(Ly?4K`h1LuX}*7` zEX$@eX3370cGfU5a)Zggm$I6+1TFZ4ogK9M`zvu#HiK_6TAP;6aWf4_t_ajz-Tv!d zuK9l=j)t>GV@@#s)UN>JH>Dk(7fzE|XzsVAanQ<5xq*>=P63b}G@}w<%k-*3lqT<1 z)Z^b)KE`soNRKc#X3c)KjL+(=kTGN&fLyv#&gJ4Q%7@!jC{)m&A#F~g5z5Xe1vIX~X?xg+X10X8? 
diff --git a/education/windows/index.md b/education/windows/index.md index cc96968ca3..ee04b99e62 100644 --- a/education/windows/index.md +++ b/education/windows/index.md
@@ -16,6 +16,8 @@ author: jdeckerMS |Topic |Description | |------|------------| +| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | Learn how the Set up School PCs app works and how to use it. | +| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | See the changes that the Set up School PCs app makes to a PC. | | [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md new file mode 100644 index 0000000000..f4966f227c --- /dev/null +++ b/education/windows/set-up-school-pcs-technical.md 
@@ -0,0 +1,262 @@ +--- +title: Set up School PCs app technical reference +description: Describes the changes that the Set up School PCs app makes to a PC. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Technical reference for the Set up School PCs app +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. + +The following table tells you what you get using the **Set up School PCs** app in your school. + +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +| --- | :---: | :---: | :---: | :---: | +| **Fast sign-in**
      Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | +| **Custom Start experience**\*
      The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | +| **Temporary access, no sign-in required**
      This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | +| **School policies**\*
      Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | +| **Azure AD Join**
      The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | +| **Single sign-on to Office 365**
      By signing on with student IDs, students have fast access to Office 365 web apps. | | | X | X | +| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
      Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | +| | | | | | +\* Feature applies to Windows 10 Pro, Windows 10 Pro for Education, Windows 10 Enterprise, and Windows 10 Enterprise for EDU + +> **Note**: If your school uses Active Directory, [use Windows Imaging and Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the **Set up School PCs** app to set up PCs that are not connected to your traditional domain. + +## Prerequisites for IT + +* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give the teacher appropriate privileges for joining devices or make a special account. +* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) +* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) +* After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System (SIS). + + +## Information about Windows Update + +Shared PC mode helps ensure that computers are always up-to-date. 
If a PC is configured using the **Set up School PCs** app, shared PC mode sets the power states and Windows Update to: +* Wake nightly +* Check and install updates +* Forcibly reboot if necessary to finish applying updates + +The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. + +## Guidance for accounts on shared PCs + +* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. +* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out. +* On a Windows PC joined to Azure Active Directory: + * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. + * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. +* If admin accounts are necessary on the PC + * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or + * Create admin accounts before setting up shared PC mode, or + * Create exempt accounts before signing out. +* The account management service supports accounts that are exempt from deletion. 
+ * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. + * To add the account SID to the registry key using PowerShell: + ``` + $adminName = "LocalAdmin" + $adminPass = 'Pa$$word123' + iex "net user /add $adminName $adminPass" + $user = New-Object System.Security.Principal.NTAccount($adminName) + $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + $sid = $sid.Value; + New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force + ``` + + +## Custom images +Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the **Set up School PCs** provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). + +## Provisioning package details + +The **Set up School PCs** app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). + +### Education customizations + +- Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud. +- A custom Start layout and sign in background image are set. +- Prohibits Microsoft Accounts (MSAs) from being created. +- Prohibits unlocking the PC to developer mode. +- Prohibits untrusted Windows Store apps from being installed. +- Prohibits students from removing MDM. +- Prohibits students from adding new provisioning packages. +- Prohibits student from removing existing provisioning packages (including the one set by **Set up School PCs**). +- Sets active hours from 6 AM to 6 PM. +- Sets Windows Update to update nightly. 
+ + +### Uninstalled apps + +- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) +- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) +- Get Started (Microsoft.Getstarted_8wekyb3d8bbwe) +- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) +- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) +- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) +- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) +- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) +- Groove Music (Microsoft.ZuneMusic_8wekyb3d8bbwe) +- Movies & TV (Microsoft.ZuneVideo_8wekyb3d8bbwe) +- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) + +### Local Group Policies + +> **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
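Review bot: the registry path in the "Guidance for accounts on shared PCs" section of set-up-school-pcs-technical.md is misspelled as `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`; it should read `SOFTWARE`, so that it matches the `HKLM:\Software\...` path the PowerShell sample directly below it writes to. In that same sample, `$adminPass = 'Pa$$word123'` publishes a fixed password that will be pasted as-is onto school PCs, and `iex "net user /add $adminName $adminPass"` routes the account creation through Invoke-Expression for no benefit; please prompt for the password (for example with `Read-Host -AsSecureString` and `New-LocalUser`) or use an obvious placeholder, and call the command directly. The account is named `LocalAdmin` but the sample never adds it to the Administrators group, which is worth reconciling with the bullet recommending no local admin accounts. Smaller points in the same hunk: "managment" should be "management", "Prohibits student from removing" should be "students", and the policy name "Turn off the display (on battery" in the Video and Display Settings rows is missing its closing parenthesis.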

      Policy path

      Policy name

      Value

      Admin Templates > Control Panel > Personalization

      Prevent enabling lock screen slide show

      Enabled

      Prevent changing lock screen and logon image

      Enabled

      Admin Templates > System > Power Management > Button Settings

      Select the Power button action (plugged in)

      Sleep

      Select the Power button action (on battery)

      Sleep

      Select the Sleep button action (plugged in)

      Sleep

      Select the lid switch action (plugged in)

      Sleep

      Select the lid switch action (on battery)

      Sleep

      Admin Templates > System > Power Management > Sleep Settings

      Require a password when a computer wakes (plugged in)

      Enabled

      Require a password when a computer wakes (on battery)

      Enabled

      Specify the system sleep timeout (plugged in)

      1 hour

      Specify the system sleep timeout (on battery)

      1 hour

      Turn off hybrid sleep (plugged in)

      Enabled

      Turn off hybrid sleep (on battery)

      Enabled

      Specify the unattended sleep timeout (plugged in)

      1 hour

      Specify the unattended sleep timeout (on battery)

      1 hour

      Allow standby states (S1-S3) when sleeping (plugged in)

      Enabled

      Allow standby states (S1-S3) when sleeping (on battery)

      Enabled

      Specify the system hibernate timeout (plugged in)

      Enabled, 0

      Specify the system hibernate timeout (on battery)

      Enabled, 0

      Admin Templates > System > Power Management > Video and Display Settings

      Turn off the display (plugged in)

      1 hour

      Turn off the display (on battery

      1 hour

      Admin Templates > System > Logon

      Show first sign-in animation

      Disabled

      Hide entry points for Fast User Switching

      Enabled

      Turn on convenience PIN sign-in

      Disabled

      Turn off picture password sign-in

      Enabled

      Turn off app notification on the lock screen

      Enabled

      Allow users to select when a password is required when resuming from connected standby

      Disabled

      Block user from showing account details on sign-in

      Enabled

      Admin Templates > System > User Profiles

      Turn off the advertising ID

      Enabled

      Admin Templates > Windows Components

      Do not show Windows Tips

      Enabled

      Turn off Microsoft consumer experiences

      Enabled

      Microsoft Passport for Work

      Disabled

      Prevent the usage of OneDrive for file storage

      Enabled

      Admin Templates > Windows Components > Biometrics

      Allow the use of biometrics

      Disabled

      Allow users to log on using biometrics

      Disabled

      Allow domain users to log on using biometrics

      Disabled

      Admin Templates > Windows Components > Data Collection and Preview Builds

      Toggle user control over Insider builds

      Disabled

      Disable pre-release features or settings

      Disabled

      Do not show feedback notifications

      Enabled

      Admin Templates > Windows Components > File Explorer

      Show lock in the user tile menu

      Disabled

      Admin Templates > Windows Components > Maintenance Scheduler

      Automatic Maintenance Activation Boundary

      12am

      Automatic Maintenance Random Delay

      Enabled, 2 hours

      Automatic Maintenance WakeUp Policy

      Enabled

      Admin Templates > Windows Components > Microsoft Edge

      Open a new tab with an empty tab

      Disabled

      Configure corporate home pages

      Enabled, about:blank

      Admin Templates > Windows Components > Search

      Allow Cortana

      Disabled

      Windows Settings > Security Settings > Local Policies > Security Options

      Interactive logon: Do not display last user name

      Enabled

      Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

      Disabled

      Shutdown: Allow system to be shut down without having to log on

      Disabled

      User Account Control: Behavior of the elevation prompt for standard users

      Auto deny



      + +## Related topics + +[Use Set up School PCs app](use-set-up-school-pcs-app.md) + + + + diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 742aed682d..64dde75a76 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -11,7 +11,7 @@ author: jdeckerMS # Set up Take a Test on multiple PCs (Preview) **Applies to:** -- Windows 10 Insider Preview +- Windows 10 Insider Preview > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index f62fa9805b..e1c6bb189c 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -11,7 +11,7 @@ author: jdeckerMS # Set up Take a Test on a single PC (Preview) **Applies to:** -- Windows 10 Insider Preview +- Windows 10 Insider Preview > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 1360d736f4..7d15a79d72 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -11,7 +11,7 @@ author: jdeckerMS # Take tests in Windows 10 (Preview) **Applies to:** -- Windows 10 Insider Preview +- Windows 10 Insider Preview > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] 
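Review bot: In the new set-up-school-pcs-technical.md, the PowerShell sample for exempting an account runs `iex "net user /add $adminName $adminPass"`, so the already-expanded value `Pa$$word123` is parsed a second time, where `$$` is a PowerShell automatic variable rather than two literal characters, and the account may be created with a different password than the one shown. Call `net user` directly instead of building a string for `iex`, and replace the literal `'Pa$$word123'` with a prompt or an obvious placeholder so the documented value is not deployed as a shared local password. The bullet just above the sample spells the hive path `HKEY_LOCAL_MACHINE\SOFTARE\...`, which should read `SOFTWARE` to match the `HKLM:\Software\...` path the script writes. The policy table row "Turn off the display (on battery" is also missing its closing parenthesis.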
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md new file mode 100644 index 0000000000..2e0fd6199b --- /dev/null +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -0,0 +1,142 @@ +--- +title: Use Set up School PCs app +description: Learn how the Set up School PCs app works and how to use it. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Use the Set up School PCs app +**Applies to:** + +- Windows 10 Insider Preview + + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + +![Run app, turn on PC, insert USB key](images/app1.jpg) + +## What does this app do? + +The Set up School PCs app helps you set up new computers running Windows 10, version 1607. Some benefits of using this app to set up your students' PCs: +* A computer set up this way is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + * Places tiles for OneNote, Office 365 web apps, Sway, and Microsoft Classroom on the Start menu + * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar + * Sets Microsoft Edge as the default browser + * Uninstalls apps not specific to education, such as Solitaire and Sports + * Turns off Offers and tips + * Prevents students from adding personal Microsoft accounts to the computer +* Significantly improves how fast students sign-in. +* The app connects the PCs to your school’s cloud so IT can manage them (optional). +* Windows 10 automatically manages accounts no matter how many students use the PC. 
+* Keeps computers up-to-date without interfering with class time using Windows Update and maintenance hours (by default, 12 AM). +* Customizes the sign-in screen to support students with IDs and temporary users. +* Locks down the computer to prevent mischievous activity: + * Prevents students from installing apps + * Prevents students from removing the computer from the school's device management system + * Prevents students from removing the Set up School PCs settings + + +## Tips for success + +* **Run the app at work**: For the best results, run the **Set up School PCs** app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. + > **Note**: Don't use **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open wi-fi networks that require the user to accept Terms of Use. +* **Apply to new computers**: The setup file that the **Set up School PCs** app creates should be used on new computers that haven't been set up for accounts yet. If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. +> **Warning**: Only use the setup file on computers that you want to configure and lock down for students. After you apply the setup file to a computer, the computer must be reset to remove the settings. +* **Turn on student PCs and stay on first screen**: The computer must be on this screen when you insert the USB key. + +![The first screen to set up a new PC](images/oobe.jpg) + +If you have gone past this screen, you may have to reset your PC to start over. To reset your PC after you have completed the first run experience, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +* **Use more than one USB key**: If you are setting up multiple PCs, you can set them up at the same time. 
Just run the **Set up School PCs** app again and save the same settings to another key. That way you can run set up on more than one PC at once. Create three keys and you can run it on three PCs at once, etc. +* **Start fresh**: If the PC has already been set up and you want to return to the first-run-experience to apply a new package, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +* **Keep it clean**: We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md). + +## Set up School PCs app step-by-step + +What you need: + +- The **Set up School PCs** app, installed on your work computer, connected to your school's network +- A USB drive, 1 GB or larger + +### Create the setup file in the app + +The **Set up School PCs** app guides you through the configuration choices for the student PCs. + +1. Open the **Set up School PCs** app and select **Start**. + + ![select start](images/app1.jpg) + +2. Choose **No** to require students to sign in with an account, or choose **Yes** to allow students to use the PC without an account, and then select **Next**. + + ![account required?](images/setup-app-1-access.png) + +3. Choose a Wi-Fi network from the list and then select **Next**, or choose **Manually connect to a wireless network** to enter the network information yourself. + + ![choose network](images/setup-app-1-wifi.png) + + - For a manual network connection, enter the network name, security type, and password (if required), and then select **Next**. + + ![enter network information](images/setup-app-1-wifi-manual.png) + +4. Insert a USB drive, select it in the app, and then select **Save**. 
+ + ![select usb drive](images/setup-app-1-usb.png) + + + +### Apply the setup file to PCs + +The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to *package*, it means your setup file, and when it refers to *provisioning*, it means applying the setup file to the computer. + +1. Start with a computer on the first-run setup screen. + + ![The first screen to set up a new PC](images/oobe.jpg) + +2. Insert the USB drive. Windows Setup will recognize the drive and ask you if you want to set up the device. Select **Set up**. + + ![Set up device?](images/setupmsg.jpg) + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + + ![Provision this device](images/prov.jpg) + +4. Select `SetupSchoolPCs.ppkg` and tap **Next**. + + ![Choose a package](images/choose-package.png) + +5. Select **Yes, add it**. + + ![Do you trust this package?](images/trust-package.png) + +6. Read and accept the Microsoft Software License Terms. Your last step is to sign in. Use your Azure AD or Office 365 account and password. + + ![Sign in](images/signinprov.jpg) + +7. Select **Use Express settings**. + + ![Get going fast](images/express-settings.png) + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + + ![Who owns this PC?](images/who-owns-pc.png) + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** and tap **Next**. + + ![Connect to Azure AD](images/connect-aad.png) + +10. Your last step is to sign in. Use your Azure AD or Office 365 account and password. When you see the progress ring, you can remove the USB drive. + + ![Sign in](images/sign-in-prov.png) + + +That's it! The computer is now ready for students. 
+ +## Learn more + +See [The Set up School PCs app technical reference](set-up-school-pcs-technical.md) for prerequisites and provisioning details. + From 6bebf4c3a5aa88dca328bbac824c9fe28dcb9933 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 26 May 2016 08:46:34 -0700 Subject: [PATCH 109/169] fix link, art --- education/windows/images/license-terms.png | Bin 0 -> 184465 bytes .../windows/set-up-school-pcs-technical.md | 2 +- education/windows/use-set-up-school-pcs-app.md | 4 ++-- 3 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 education/windows/images/license-terms.png 
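Review bot: In use-set-up-school-pcs-app.md, step 6 of "Apply the setup file to PCs" carries step 10's text: it reads "Read and accept the Microsoft Software License Terms. Your last step is to sign in. Use your Azure AD or Office 365 account and password." and shows a sign-in image, although four more steps follow and step 10 repeats the same sign-in sentences. Keep only the license-terms sentence in step 6, with a matching screenshot. The Note under "Run the app at work" names the app "Set up Schools PCs" where every other mention says "Set up School PCs". Since step 3 of "Create the setup file in the app" has the user enter the Wi-Fi password before the file is saved to the USB drive, the guide should also say how to store or wipe the drive after step 10 says it can be removed.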
diff --git a/education/windows/images/license-terms.png b/education/windows/images/license-terms.png new file mode 100644 index 0000000000000000000000000000000000000000..8dd34b0a18da1dcba98834674bed57d26c3f3b79 GIT binary patch literal 184465
z8(v145<^Of{d{``18@THffwst7+8T=%Wi+84jd_9dV4#wJwe*poiIFq zn3-Eh@-CVcd?^?RB&fJ;VAnIsu8ru~C9AiLJh<@FHgwgmnFT}CMwA?1sF8bJuBC0e znZj}Ja{$$q@+V)N`T1||HNQG%u;!5_zFI4S(Q!1SgM#aRN7`phW5o1!u zhx7S6XjkQ_5^C7C`fvPzxX-p3M5;MF1MaK=gC^HxL+ zM8?H!`F(nm_9+H?Z}Ksqa-ZJg=i7`EhC%AjkltEb35l(4O&&gi5-e)bNxsII<)RIh zu>Nxn6p`@KstaX|VuCtwLcUK$Urz#o%3+c=GVHG0wW#DuenU?a_QUG6ATN9s)aCN; zL#|c5n<9KDqE_(rUdZpj^*;%&_ng<~oy3pDD=eVy1DGV8Xs}3ndDT=9}(L(41*9DHZbp&{RE0=mVVKp%SU=|L?9+62cj58u# z!7y$>$Vv-MKjY&T5EkD8DD8K8!4GNXO`WP;HT};ZXDb%Ao^ctg&&(~ ze((1X4dNT_A_L;sLPZf}NR?YUuho||*cKAfe=+J*5Mj=8dDMdjrkE=?(ASunt4F(|TihgABpBqJ#>GZ&mIR z?)k|eY3OSHp1jeCd&7YS_E(?W47m7WPoa;7Msa2~JZdRW8e>x^j{kgr-=_6JtFCtj zLA>S=R6c4akv+>7Oq8}~OHI?OF12de9$0RickySL$N7882`bvK)Sma@iv3sYOqQ}Olmr@>;}|zXI(h`-u182h zJ26tU9O*j1B+irWnv$FXS}1IDTQDn*rbrmsVA0#1f6y+2AB^B77-mcsC|PySL7$qL zD=OsHDjM`AKa>a><6qaeA5A4!x15c)nKq z%=QH4KEKq;1$kvQx+CB;z_@wZ+2LwH|ExFv!OGNY(@PV)V8}Seu*pTfTsddzcMU`k zS);ql0b-&%T!p6b1Fi*N@m|TuJF0`SRg!Uveh;3_Hu%vAusi(F!)=t!_#FDp_iS^W zvi>*vr#&p9mp4(ng4Qo^Kn79LZ43%gsGyEJ%{i!SPeP`jMqms{fB|kfL2la>byu6K z@0&h%xPrxwEu;^918yBzr&@3rD&Y7J4przXu^G*vuGK6LFX=k z{{-t!LV-N$IM>UWg12N6s&|IWxIm;1lwVZjbanr#3>SpElKvB1zkwO^z_0RpgqW8b zgv`g&So$4^THzhZCGNb=g@NsfjPmI}C0FGaAMHrTDR=u4BQxrA)ahdZS=Qg%2ddWcbMW)62n4c{V73emnH42VJRjPY&nCumr&thI9ZG( zv&O_|^Vk1JY1TcC-%mCzDbkBdk%o5C%>)?$UD(D4B4D!%W_aJcr_qbA&Tm*sP3P-_ zMGU)0;s8^mD@D)EPE@SeBjf8W3QR^4ROuk9GR_>L|c@ zV#ATshy~4Cp3YfCbg}KGOD0zDWO>I@7Gm;%96j58~@^_x{!5V@RKq79w=8Ske6zIY!IXD&qJwLX+cm5%k zo~D65?HWl@pnTXsVIeUPdL15xo}_!3^MVM7c||>YJWSe)QZ@bjt^A{R$McS_ncM;w ztF(Ss!pjdvrEtU3{zk)+)vSZf>BM7_^D?iys>4U9FhM;Q+zM1o+~@Dfl>! 
z$95(Lplew_;v-Rp)&`m#>Ni0N}|e5>YdW~9(x0~a9oin^Dl8FI8N zV?eT84h8j6_b=rO+sqYXC97M)E$Xx^ApqF%N|)Q24{{cEZD(nUZ1An zzE>pTkIdjx3FYxxHDo3P@3D#RGk*@vIHS2o{%|q>>XsI7`O)9LvzksP3_o5PiBr-} zA08NPk6N)w9u%`JrQaqJqVeXfbfsubVbcTbI#o2)z+N)Kdx^ENE!ZenCTt^$Z!F_o zT!>^m1Is|R2g2!rhrL0^5rM`n8X~qqloqx>aEU)x3(SizR^s9nctB5L!FBiJuqzL0 z^lI6>kq++W+XLJ_$~Ex)Z`{Kss}@C0K7xpw7?RBJ*S?sT6!4Z4PEU8Ms4Gu{lj&}X zCO8ZNl72BNMGE-p_S2$|P-+vIVOrtGJG^Y_>axq$fhm>510Pp_ofj?-<*(%!qyr~5?i z$8l#kV1Oc(!nh!zaD|FDN%)3}Bn)gy4Brmj(EEIR0bss#-9$1^#Uhd&1yqu6Mu<;cf-4oHd{lJ%G^$slodqvtO z=~)98GiDensbm|S3w{a z-Y6~#@)v0Cf)jISg_9KShQ$}c4_EAvEGmx5QM@o;5qu>&Pj^GlJyobSL(1KEy?m^6 z8bOWKs*N37%lH!C{$*j%ZH2Z`RLfUrjr1Rjdk?P%p6T*FYL<1|3^LdluAuqr@Zjp? zoxo}lefVWU`=k;KWL#%z-Ym&i4X@9nh_M)3X zewZSKbK>?6_WB1wy9}o!9JtI1t9JpBfrySRzx&sQuFgWz_Vd8s_Su}_QpSiLRRy=S z|K(uV@ki1x1A`va{{v4zu)oWHz8yoT*7vJU!RgST2KAH?JPLDh>*w1M5-$CL2|+Al zm^}F*D{y@C_I`b&TNC|E((e&JeQ-CnEV&PF+|q)&viyb!{Pg;GZ2Dvj?rCDg3vaK* z;R+T)%E96OeUFaEp`UKW>lo5Juw|Hg>ZxpDKub1?P& z)wtukQ#_x5>Ak6w)lL5=0y%P*JgJ{a7FQBqy>}5#> z;P`BJF`oZ;JYE?=;#1}&Em~fKkzpEWtQKrLn1SPkY}b)SRy$8J!s1uQVB1&Y@zU7V zh@!&}Z_*T-XWfTAzl=k-Td&1aF~ItjTX`+5#J$ff#~zm+eY>~BJ>z;{<4^Zv!&B|h znN_tjHHXcCIvdTH_X%yb?0$SUfUQ>u7-2FRmG)b7_6+X-cnfSPjdA?Rjxbco`4D_M zZ4@>xz7Ib<)df9zwnbDyCT@Fs6`p%%1zua4joPhRqDSLk$fS3V?ya%mlUs1|?Q0S2 zEWndr?1xnrgGrHmFv}ung>riBr_AK(%&5<{1-7x;a_dPsFHKX6jvR<>`}IDo|6(+5 zNMHhm@v^^?fpLvGSoZBC{Pu2FwwH1&J5qt@P$>=jUG|ZoivMJPO20Pi`{nrdtfVy| zL}p&3gEz+F{b?hxg8j!!t#tTc-d=1uUV)@2BSNI_X1pl5p2De5RXLvgdIRGaacZmEEYY~19!9y@!quvDDU4DIUO|Vx~;H!CC@Ww`t#AV^B4=!F%ZigLb%WNnm+dgZ|rVb%5woGPQ|7Q)2*cTuh9hPFo8*~8d+qy#@~O+&dMm}PZf$?E;M z>-!_L2OVmN5jhz-*ebIg+cObVF9!PRYV15o=^T-}dC?k;dTc$AjktgDTkAdHuL0Z{K5+&IEszZZNZD5tiWeGIRc8-;Na3!Sn7qr z3cU7lf=K+j%S-du3i$ z87cBlMpS9}Sa-4j2Tm2B*kD3(B1h_bOHj@FT7IYi4tAWmS$SA}x&)QBDr}|GHECEk zv~5Oi7Cv8<17}<)s!0})Q>U-D>>^WpUiG46KpIiWO4I zy4LBHkxY821qF5&3JNVKEHA^?D-Pr51C*avj{PN+PlvIcWnH@HAoh@S8I4+w>nid7 zoC7#Rn&e>Fa;()PFHY<_l7S=g3^EV*o}PZsgDWA-o0nBtI!S;3DT-P=WwFhjnwoCl=4D6b?_YP 
zoo&bHK}K;EN_ahFaMV0!XFAN$!R&V(*tq2oo}76Ahd7vSmK=hDN(&Y)-Hu0==D-ok z&X)ShEm9AO=;l4CSbeq%5pf}KXk6HN;1ni(ybbw!dVd+gvKw zJ9nSK?!qc~QcI9Zf{?~*c;329^m}?VZZxD~?AOO(kq$Y)J}yHDVyesV%f2k?sDq2w zPKd{fMZ8u@*?wJYvx%Bw%-fj*7yFgcQmG$1ida9J4)WTP1tz@CY{dmw$M$Nf5d;UX z<1c?+gXybtl-qY6l9Qu{(y%Vy3dfl;oF+-hJC%jSM+#7(2||2Hq0&a=dT^1s$2v-> zPqy+{wcK`c+HFXybfC;;$HB9C*q&X1a90&hRk~1KQi_*n$hFClvp5>Lv{^6G%wwZ< zD6Oi%FLO5Hxh<6>RtC6fvlwRu=IqUY)f9rJHA0bl`Y2xg^$bo{Sa2Y_95xONY?T%4 z|E$W|g;-Yw=FvWtvX+VVk@BTg*imYC;OOBD{CKJYP2)`@lNNma-D-TW$Ae{$cSG*h zefagHTq8PG7Y9#Fd;D}ZcI4V3Eu#@GhmdA}P4&>!l z^15>%H?I)W7ahiilO;HlRf6MoBQzZNEId*ObEt{7s>brQ`!H?J2~^T?hoc&&N~%%L z!P4FnS=cS>LD=uP<<^G5gSCe;aW<_4I|`jhY#4>3TQZPF;+az*uVQc`E4>tUy&Wso z9mQu`GjKY;61#FL5ghEnk#x4N3Jw7C%aKb$k$XA~S3kD`M=EK2aY}y3^`~R|vJ_)3 z`ze_zmA+0_QG&$>a#2NMDh~w&TMDsYUjaO34T?&v$f>fk@2H}W$V84TAz~aieW1o> z#TnYYnsxKc2P?7kxE0#4aKu?k6!{+Z6At!SOOKbp#<+)Be_>`TmTXVMIkpGA&dvc= zH7vBrx8E$o3(GS((x47O;ix*Dfu$$dzjIJsekKQt&z5uCDvx$MU~m@W*WKC3%Fe^5 zyq+Q=LSQ4|J#{u0Z!X=3{p=Hz5%1raxcs#j$5patlt&Swc;T_)l$T6#boo27;)k6^ zDrX}MBSZB$4P~KY1#4LD1qjm>LLwtyF{G99%6VQ!XL8>$TslZ^G6hzqlLbb~!d&SM zC11v85F(g|baFQ4SHX=Jv65cahDd%gt0C~~D~?zoGG&Au$@J`WlvTFj+!w-NqjQmW zfk-FAMxsF0UF4Rb=ba<)c_$b8KD&mU0ON>WGP)NAElgO%m$E#vm`u{kggqT3hljpn zLhjX<(Vk)K;I)(?q)3*wD?_&nAT}v3XFQ*LB?@&B{n=3}29#++S!*HCP_}q6sWWys z9Ljp_Eb--;e6hR8DCMz-JIXPC<@SRt&)5hr_Rr9~QBb)FB}<&5Wn$Lmj2Q z{8RrjT_G>rk@oOe3SFT4Xi#!f0Z7H1brJYNBv7?N<#U6C%z7^RFV|t0B zEHag2o)>v`9+xwnH7qhn%%GQj#$}d@F3}A0$CGkPJgI9bcOGpJ!m=qd zJ#6nqVp|7-J9Wg)N$v6ctKVZ@mXx3I1L40$#r{Hss+ga&`6#&s%{-Lz{EcB<{O($p z_R2JY|Qbs_7mBn`7v49%QY(3pIoC-pVEGm_&lb= zh1^P)h4ga!(yx!yg>Nm25~ooL&P-~J$*(TJQj4@1#uYor^~u4OqKhOKNcrW~QDFIG zfvK#Y6NsHfrrZXUzE!y%xG(*m=pbwML?^1CJZ&X5RqF5(_K|)<>=_YCy?89;mp&_s z2hy(ndPutzTZl|~dQXCt>yKeFGcR`Z-tz6U8~gw1Kp7Stl1wTT8u)eH8r|U;00>fxn+s`V+ zZ^Bn6{{{&c{E=pVCeDTUD`^Cm(zAr*!Oq4I$4*2ViQrOk|F`i+W&6L<>5uT=)aj4P zekojTnhWFqne>-i#y^sIsdJZ`M<6aH^Fn!lq|=4?tGbA@va!RJCx)WJ*}-4Lp^dm%`Owak{`w>_s370e?Q}Xi9 
zwkVKz+@x&&e3URzlKV;-eaC*g1nMU7C0xRMLFe<}pBFqK@+FO&6I}&DUkF2GGB;5n~MGX^`yx0?ke!-_d8jV55xWGm3yeZFcBl^CGLf`6Px3|CC z0?9)X1w>OId7amR`w}g%t;qTZ!Jo0SKP)hh3(M?>VmJOu+6&Vtw&$kk?1NwSdHV!} z`O{v^=1Q3)UO?F8*vH=n{C%RLn=ecv2ey@q*~D+l^JU_`^mn4Gq`A<8u|Q-7 z_Q!J0-yRej`qGMA$=e^*uaCc7_;r*BN`3)0kTjCF?E9iCkTjCyLVHS+_+4HMka*|8 z_>#u2n^OM)VFC$K^yZEt%NH&P>@NcANZ^-uv2aP_Zx4#@zAZ4Wv>iF;udBf8UXJ~C z^4m_5@$ldB3bd`jua}Ddh`&ZyghaTss2^#9i7oF$kp*s9MCjI{VU!65sXSJK)>ehX z@;1*16Y7K*Ay3ZAlQ>m2J5uF79pj`#hrw29L8;DwdLeo^94`6;?{|sv%d2297?Et0 z_jPz*I&~txwL(n@ayf9ig!<|Hx&f88YGhDeGSAEV%H-QMB~{hPly?|N=O!JhJnCoAE8kWr zw^Z>Q%R)QLO8drU9Wu&TKDpJ*&Y@vsFe)rog%vGi|QCKSSaxouvV-q75jvP(OK+Mmk5U1L3rbdx-#i6*nJ8^gS`LA`7@VNbM?``|;egFG?Zx&4E%sKn)z4r38&pvy* zcsSu*U&AqDj+W|(6P-QnjLFuXP7b(8r}UNcqKYbGq0k89&8tSaPb(4~(RpJ!*F z@W^V|iDJ>IG+l5^>DUY+XHF{DA{&PbDv0*=z*%^z>kR1{O1iMvMd5$B29+u#hGQ_% zLgdL^WcGNT$hgo$WhFx7-&y*nucB6qo}I0<(#FdytdVn~lNHjRq*@1Bc{ms=5$NmE zsUp9|qKS46wDEHhiMLWwBl0Ko^wNp9hU2osMQC-gxRjz&(X&ujg7QzS39v~b)43@Zw^kh4|1lYw8D@t#5Q&m z8=N7sm0Mkhx2Ff;VpEQ28%i@FU5wZ>v%xd5g{FEATr4)`RhXU3v=iHKw6L67F`Qna zqhZcM7omMxX(jbicZgYa){X{|vC{=rG*~Re`8bhYSZ1t|;vjaoz1Y;#VjF|qorDh! z#)Nizp{IlJ2xVrMN`W%%>Z_%mXrXb8L@_RnNgi>9;Sjw11?pld{s|YxV zjAi7NkS~7AS!A+>vxA{mx-L&nc{$l74Fvg#t(P_$8tR3<)s&VA9i3ch=cD_GSvjAk zw#X5aw9{Jbr0Qw5=!(6_MWp;TiG4VyenZN73T+~Vcc(<&TKI@hY@$JSQHl6ExhAw$ ztd&g}LQj1fs&87_;2* z7US+)%JPOl);=?ip@DYd=NqUkDdv&aHuCzxLe4Fj!_IHlu+%Y@?#wflMDPB5*xl8b|D>-6zw-HN9$t|m`Ygia+aBw}fl!da$S2pa`cO909-qh81KdUK z8;za{#TQ?#VToHTKaCfI*yk%jGnBh;7{VjH{ER^V#NH!Z`}#HxmxqwQWIX1yBt|{H zj;$wix&M;~xsy}$cybFD#mS2%NSzK09o&@_H?)&u6ZP4d^nYU~k3VoFL2Fjf@uL*M zO$@RIb`qC8bpN$H-PM_`pD(4~H>u#_&XW&K;1Tyzm~Pn)EkarR*myc->?P*@bG-Y? 
zDCQ>m8}mJnZQIN2btQcN#9&&=Z-wuETF=aH&rqWiO4TY=+cRtCKt8=9ibK2h(f`Gr z61X_fbLud5%!+2o((TMzxQ}9=FmgVd$g+=r;r_Fp9DSw_K@N>8!WQM`@!2<9xO-i; z@KF^<#G<%{9{oD;%Jn_y<=1EwZhqiH9LG)Le%Fh{KfRqoon)yXPGZ3H@%%a^j03w5 zG2xYM;`B|#w@YB*{H}Blkf1~0!>8ZnZEH`K-PM5zaXMlixch+*c;%$jqmENwt#yVY<=Kg~Y8Ie!qhbqg@~R=#~R@3iR8{ox{0*2cxMOkxzLzqyg& zSB;=|>Mmj)JwQ~KwtTdpFN4Be~K!r7R%Z-ySeuLJ>)w1arWD( z99z1P3Gbbh;Gltaefx6c?gSovelbsfm&#k~=5woa4p%&~jAaG>RDXU2KYZ{r*M4^n z68d9(tsAxJ$&7qr9UF4$aQE}z$j8%o^@SyvhK=Nn$U-{a@DoRJ>ly#>RDSMhWy-s! zxqDt865R|E@%@jRc|X^kpXYVPO&o~51TBXSpWv!DcXLiRGSuFS^ZNRYnG8F#1^-vG zS^d^{h6mR$Z1!iY%XeVLyfJ(}$^%pP_tk4jbXQMsKset$H-dip?zm9?)8{|n^QbG> zbajx#h`NW7iCJ@=$$xIhKKRm{bQLLsjdJPeYc4jA0MRa;J&PVAd#x$NAaEg3v_J5YOx1?hjxd~6*-3y>!N|K-)4qRao){Ntyl_oX76Eg|oygjY2ZK!5q!I_4}ZFg&?SI~UorNv}-=)t?gLya909P6rhyVS9){9f_M1n zP!+9bP382}W+uLRnEP%ULN|9&UkQ$Mvqe+VIfCBJB<;n%5*X;(+IDRIb`cY{2eIby zUUcs7tM*bH_kz2o@=6~!j{LBSjvt;kCZ66ie-tkc3^LvxHd||1 z@yiazzI23JpP#{7y*!Qehtv{Hobx@m1l67z7irsc>S&`xFg^KE#Hw~@3}70`$qYB{ke}= z7de7oriN23cv%FmRC2l2_R9kG+>+#=ED&p)oE{gvO6=i$xtUXkKEM3A&fiE5Ys zyoGMFK4wFMiIc}pGW`A@cy3)f5&o_eq$hFJ&7br5!D{ZBIfPNVQCN{3!^g$y-PAk# z(J#tZA{r;wEn3BZM^~~uL(E3Q ziQM%i3KtETHKbR~udl`1HJEE9SgDlcv+q?MCCimeN$S#(9pfz;@xz*3YF1*dt-+~F zC*~#k@yy#l)A^2{cxZQtkqxPfzWLejX+8N99$1z_P4hYel98C)y|}Vt2q{U`By?&` z58cLD*S(hPNMZaH35_Ta8Nu4J&YSPZoa z;usuSMziC-UU(-RVbJ_982r)!QgsUiaVEMpg^}qi68dHVUOX@)h?1NdI>(38B}7^( zsb>7_-gGB}nYVsK;`4hsXz$IO*_{YDw~u}^K4$ED2T86GsyB~FN!uNwThJ@gLZy&u z;*<_jPnj4IGcVmgT7ngK?s(=~y5F~vw@;Sw`V-%A3D3 z!@}j_e7ys>I#zk-$((L}B%exRcSpQE z9piX1wrTwy1;NkBqOW5LUZO|3@hB!&-jX0kN5zaix738|aI`uCkf|)nH zA-oU+ncaYoiv*Hcsa!knBjT_5f)(X~+&gc$1S{^`{_0}-+_Q{_)?VP{4_DFo{*~m5 zF6>ylgMPOy<>2`eYdEM>%U;^H|Lo=WdP3)4yIH`#sqxg+jCnF zkZXjjbVrzLpSm0K?d)fFA?5IJ;dsO9>* zeq`1MyQz?>9{YGbeIH%R9vz<2tXu0Ao76i#5?^B!!$b-@BJ` z_lgU=DFH>-`9G5;+}^oqFMa1NVs%LnFG{eo{Ks{~-TWQb{g{MB-w;%&6P}5^u#>F3 zGBpoUN~o%rL`@kh_UGeAN6;z%DD7|fng=%&a{WzXnGssS!ebEa=Zvoqeqx6pqpDVs z5|FwCGECyjO}o;BHqv)xztBp>b>p&aB;NcZPwubco%=^}qu7^PL-y^dk+OrX>O&X1 
zR0hxagpsdoWplRfYAv*=&YV9#3zhszEoawDSIQ-w`!wAyXD*G3U1abgfTg`Yj*QRqV;>Dv`ft7K^=f z7kfFamz$yc9VUtHmo~lys0&$AmrdInzT$yj^B6O>KYh%0)LSf+rlc@_&PTML{uRGg zi5@!$4I4!7#7@agJoNZCjQ{i`?K-z-L7b&z-R6?%5KoWFH}T z>ZeS5e;=DNU4#eYnA^6J>+b%BzV95N->?pRHa$*)p(+$@L&fAzeO3Y6&lKSt)l&Rb zJr3^P^l9VD#wEuo^>W2rU&#IUd`0W2pYg&GE1{lpb7=Rmhs&fk2cR1D9GQFgAEt`==5+GGLo%w|>^wG~%ppr3NtBmx37N;<_|-(TcFau%O$I?ma=y2g>-=3qtth_bnNk0UZ8hXp^M5~C8yxK^Uk zl~$2UDW}4zW#y|u6inZ~vol^3H1X&)iDaF+z_RZTNyh1DWJvc+AH-Kr4rfS92|k*a z)UK;1G~Ac268{Z-VTU*l53Y(616I@cNK6gPf#h;Nm?@5|rqyLfU)w;(zFh^ADxUjr8^4|@W#f)LtT7JL z`q?q_wH=&u^A&{^9E28i!YTqgKIL#&d6rng+eOizSPVD z_MXfpr%HFB7WRwdw)AdGPp4WQSh$~+Cvy1i$6c&1fzdsJ#kgt@>e+iCpZ8{WH3AGV zkHU+lo{7_|61hAgKA?Lm2|zme;~@xMOsb=chX?L4;xOv6Sa?CA(NI6`=bvbyEIX6DK%Cr1nAM-EaXR1a?@PBYY3f(LOX>yJ@b?_j9atV#X&=GoDVZSO<5 zt`Q`6uh?{oL+7fDKzh5r)nQo4Mo=E;rhO`x4q}{-?mCKp_a3}5AV_pZgM_Aj7+|77 zSCqAPWyaV9POjO+C)+CV(hdKDf_U)GD_HY(f2xZ-7}3**9gBDH&bm~#pG#xu)>CXc zoyU>0xyGBl8M%dQJtjd~bz?AADF!^OYYanz;i*SAuqh><74PlgNHI(r5QUxa)}cC| z&(79JfH@IQw>t7G8!+|?Q!oPSS~j0aXXoi^TJ&hc=1m7#DRTSwGEQR=ECC}sJ)X+u z^Pf8fj&BGrjx0G-o0Az;i5f!S5V6|U9#Q2UUCy-M=eesI>&)kC)szR zK)9uN)Ua>g8FsBY#)*^)%=+lg+h2nDF|2!UFs5Qx`t=Ork3@%#;lR#3V*LDY5BE3T zZhq;o6l|WSBA}E?%_-vK>5Dve=Q=~jdv^$LT46%Be2}15UpMxN;iZ|aSpC*oem&H* zd1Xl<=hvR)Shm;$cZ(s%TBBjRRGxHxhxDUHg02%M)7hGCSQn07$YS?7vHMNsCQKX3 z%J;_7-NVgz%b36jrVNc{-=a0VA`aZx#$KVU0`J6DbjizQ!H*{-P6=gNoFFQ;+-SSB zkPGY2bGlGDSIh;izgB{r@F1SPZ#;{i?@fKOK2mSwz0rI_H5-3DC-zxA4ID4m@h?60 z2J8Hlbd0ajoXT1BH#dO-qtC_om^jes2U}Wevs}hMK`{ z6}z)$2lVd3Sqrh&Mhv2kS2r2+KM}^bI>P2Rj+Yp-Shj>>W-chP++>p<>sL`;K*@)hC zKN_>Hs40S1Sy@Nhgw9ygAK{r8Ck9Ucf@A4*bQ+k*IDb1{_+&M|o=C;NZ!fNiP=-sF zyiQve=rh% zF*9Y)Dfg|*AYu4GtOp*ZzfUpOKkz*->@H)@b>p#~x{U;HsYmx&sjb1) zza{sL4Pn!sgZ%W<0qLF#H;!$ObFhQ466oe*5^XpL&6}V1ip)5RQ`3PhW3^GW#Les$ zI@#%Z58}>>bdH6tMNm^gssxweK5mlOOWEow9(;W}-#N!}_@Oow7D{oWgW6F?>gx*m z=|BoTt>bugXeaVgj&a-K3ykX@EJ0uZ=^IZ{QEkuA5uJ&bre6DcHLDM2&|z42#)LYF zVQZwey$WPTF0UW1rC&lUH;sys{xq=Q>kD{#SqvXmru;3eF!rI*;JQM1o4)laPQ2EW 
zPd-}7J6kgT&*$7t%+Q7Hvi2OO(+8<6xO)h*TWdM#vtCy{FiUp*ZH7Bjcb`h>0CE!cTacUnm{Y3%o?px-(wAW>WEL7kc3 zvYdC8CsC*SV>R*ecR_UBN%^mbIvQi}zlkVSr9`wG#EqfloI16KnF~|!?b?+EZQLmn zdCRS`if-H`GWalCZfr+`F%o3qlh5zNdhB67?dwjmuI(c3vaqyL=u=KWfSGtt2{ezD ziN2^D%10YF?3ZH`eFSN-ClqbN^w=SeYT#Hk={^b?CvOSlZW>27g|1AuTcQ=CId|la3*T)fUJe*O5#nTN>CyT+t z#{Nlr?xLsbPjggE(}Sa9=-8<(rN_>(KfO%ssY*lx#UejxLW5fIX@+c~tEw2jrlYIxp50P_ z)!vVgHcr%(%XzV3UoBeC%t@c}%uyKH$rtsFDir#3HJw5R9 zw&%rr7Sd||R&u1yb=P&IE+>oo=YBx! zU~H6wWW-t0oU|#%)uk+(rxzWkL$BWSaIe2qr6COUCbG{KQx@#Y^uAu4Sape-;owBqR*lcOzj|i@Z;aQuSQZ9!_NPI2NH(qrO)WJn-Eo1)_+V}rs+*b| zq{!@PjP$t3<)_|W!i0&R@a?K(EUp&8x}NKwUCH-Jwe)H2he_x7Xs~)YH2qX{2?#Nh zvU~?iiha4dd$^p{U_`z&6Lxf^L!1i>Zdyp2n}6lFB%-Uvwe4E~NHkEta%xqIMYmWrgB#^#zD70@F`aT*uWON{LO%5h;5&1XZKD6a4` zbMbhZ$h8vGk!~HUnf3H>f@5Ro9p*^Q-(-_=TxHMrL2b!Ckip($kt=nw#o`6>B+^&s z_&3JX5!9&UHjtou^We(skIrJ(3_UiHkQgF-sgqd1#G0>`)8XEqnY}&* ztFfGY1Fyfml&%l`%v~od2@@QwscBqy=cn`?^chF%?2IkUW{+!43$u9CloA}>-0@bQ zCSL3k3OX@Assmk*tfb?R&v`2bRqfEN%8?L!;4U5k=;3dIM za(0Da;l$MbBD3f62o4RUU!(&|cBDW~jW}|llkNj_?mQP7N;z5J&%m}pTs)gjk*K5* zy*GijR9U3^W=UVBv^O3JpGnF!9*ZdGL|Rwp2Htw`1AL}zk~4Np>Jve=(z+sp*xSFS z!~CCkerK+jDZR%`n6I1kyV{swuEB1l;l2Nh{>Ha{42NFJ8!vs!u)!bl)yZ-qLoGbN z;A7e>*haow{pD)i4@qpHKEjUhqnnVYL$5^ky*81Kf~;?7AYuMaBKC?;8r>e*LUN@u zgIbIImxfIC4rH88V$6*nGHAjgN+c0!Y+Pdkr9(A$zws+O#g=w#D>QS}N!@b3Hisb# zzGU1r-?FK|Ov{FB?wVEKR`VU&j;ZiFeI{Yiad|t9x zG;d#~juyF0%_Cda^~w=m8Tw*_zX$&%*?$CT>u?PV=0 zPB^)W@aS9`9idT!*Q7k|#!}1@G34d(>Nm#;?3BRnx2Cb}tt*)mRLkApNfcFUZ#>3w z)71&jpQ7Iz$8hl!hbD&1NFG!H8|wL1cLgw_8Y=fH*IsS<EC!u=m?;r0*qaIwK%GBbDjTswtRUrp!h>)H|^+vCGNko|o70@`t~0+xIzi?%A4At~p%&!C9huByjwVsjPZy3VW`R z`-^If3{pqU+>Ff9ikR=2e0)Y0QCSh$af{@pk*TLN>i^iM%1 z_b%LtP*gyq*|6R6r`pPxsbkpl{q?N6A&z({`rV-v>AN$Q=onT?u)AgT?L6q4!^0n+ z6#a;2=j&7X_07qAHLC;u`Z!gz+gJXYwJ(NVS&hegUViS>2%fhu&tmXZW7zh=wH$bD zFfP@F-1NmUe01YZp|h8#4@uj%^VC)iJ;A5B9@TX<5Z>P0ljta!Yz|2hyii&~?<*#8 z@PR(`^O8bZM#?wt{Ux?W6A<}rcC<4_-<*x?S}PRLl|I8-@na7s&K^9%O)qcY(U(^6 
zZ90tW9!1v>dkK|=ELqtc-J8bwoGM&2tCBwEq-3#gPZ|Z{k32d9~~;=x?9Gx>^-qj4|K;l{Q~!G(G6pA zSaqg~08e}N9TG=cQpNGSGNb=TkEZG{lhCt?24b%?1eW^JuQI?fQ@4S*_ zpUvc#k-n^1d4yeAqBo8v%=$JTI>$}dqI}M&Y2rkz=6P z|Cwz4ZaTM5>%`qRO=SPq*YfmLnt<1kv41a<7oMZjz&;#*_gc2RK7s^GJ@a1OB5}2= zkuTnH%|O*!M+u&+Aj&7;NYzDqFjSn_{t2??RhMm7)Y+} z5f>c8y4R+#>(win8dl4#pX}yhT^mllKau+rMIM@05VpbJz@OVosIDG=QLuP%;;$?| z#EN6toX#xabV)5?64)+1oQr#anQcc>IeapQHJSCqg?VxzO$@v^mhAFs<8j8?&4;=D zhf`FT#L)WraO}`U_DWWvQHsSUl$7Ha*ql@%qHDrIjBr*`Cc9Gd*t<6amoQ%?=1P3xpt0|GpF<-t5YQ&fvI>tjw&vG)qoRo9S;v zp{}fgY*BpO`zEWbl2aE`c<9ID#vUifB?Zl>b;QF|$%i}gh>LcSHY!=Rd>eNy&cMUR z1z#V*v964l-&xIvM}>Jh#9(z}WTH1q)*RxMP05_jEoEOyDIo#Q98bv=hjD~;6}mB_ zMeJK8U#&X9uKYTz!e0+@0$Y!zaw@+Dt3Fbcfb6hjoSRb%`E}oU$x2Q5N^p>T{yei@ z-O8bYdK{!4Z)+J#4`z^6UBk}PC4_{)#$8DqR3ohckkF#uFdmXEWuwk2a?h9vMsJ121zM}94xgXu7fWtR-U6;A47^w zHaWPGbuyVXN#$51Biwf~jqN!icX_2;thC3WESvB5Wax7~G2(TkO6Jx<t{)1_=zEeLXmG=z{30 zI4RXv|1gq{USONh`M{%*&pVymZFiznYU(63Dwb<78LGszd3LK-O?7wS)#2 ztFeF9PM!Clbk>Qxk_5C2v9Nr@362(vQ8(4$5gI}ppDI=#&LU4A!AkO?`|SACRjHoxbX&}ZX$R%KS>?qM6Q781V`1*3}@Ok#?at>+5m=l6=&}9$OQn^_I*>gHuQ=fYa|LnxJT|AS@ z`U^r2soT!MQG$hZHl598#kPy2Iye#PX2<>`XPEoeZX`}I`ma;?d_*@N-FVJ;1-Y=H z0c&k3@BMO;)F!-*1|%pl2fK1Mv&@)Vb9&EVhCI823TF#;;>?3hWqiLgg$hX&0z+M> zH`TCk(I#HqkSTW914juQ7oRE=C)^km;~_2pzt6x2URks5WJ<)x1 zTG&mg}Byq=avAcDZ#zRDUP+LIZaJCe;=i!)I{&Z3LCWZKnJqOUGX5PW$5MGlnJ6X4@aenlZK zeZHNaju((Fa=yOQ9)CY4YKn50`}`W#XVl{8ZpN{}p4^fON<{uL@`~7UMsO-Dpw>fl z{oonC+9$H9k9hP^s(lS9qTA~4j-E(nW474dh8psv?ShF|i|U!a+u?tZEJ9q9YW`pmFO zEQn@E3e9_!=!7;+V{}~=HNxsB^CZB~xh0wb*h$@bT{2Lke1kACUsTU{)+g5#2UR9L z)@QEzyjf@U>u=p#L6uDR&rux3sTwl|{RB6?F2ZW;MWTXj;45v^OZ~cTMe}|(YqxMbby66ny=HI%$hy*hRt@OQll>yyBQrt9qx8ZgezMWyR2M`EBfTBWQyh49{S3V+DmQolD(928qn%(ioe<<)fe6GNM+8DQ@N&p zyqaks4Qe0NC#Zhw<1FQkuKD6Dj zbY(%iZ6oN|wmY`f=@=a+J2pDDt&Xu{+qP}n&fc+Y+?;#)$dAB6;se0Y&JDXa36W@+reA4txy-<22d!Tvk zc=?dheLwE#I_ujC5LDdXg8U#zeN}ku;CSDB>I$3s$YOhS>G25`_#kk9rTzOPe)*c` zW%f@nV9Dm>z0T^5^^x}Ot;55+O77#Zy_d-Bp~?7Tyn~||A}I*`@jZL|3BYuyJFx2m 
z&EV4*-354mn0!lV{rK@Z!{eh__|z%resQt!0obnEd=Wo?D&u;i-LASnnd-i1xO$lU z&{^?;^4ZJ$aD2R&KIjsT{+R5Txcuw^nK47KpyvJcwNGQkXGB3~m&??}!d3L-$7aJ; zug%zdiiedg%)9A#OuXf8D2{4B1WUbut}l(g1OK`Cj`ungK(ANxUk|?jSIozi9-P{L zt~siEeE62X{ol5iL`eTHO<$jUMUz^Vw5^>^&iA7k&?<@e-)X~l4q2vJ*{*F|a^GBh z8}nSv1>aeQJ6gY=>z-X~eJ|+ofvz&~gilXB{wq+_K2uQj!F%_iz~s6jgU4U59$c|Ag89Q z2ZpnvL?IXfMr;gkDt*4sFK(Y6N|`cJjW-~mmwfN=%!&~FrlIwXmNPts>&PbPwn+or z`GGi!E0c^bd1>FXq%3aTFui^475S+GOE8iF;V4GsD?142c+>l; zI7}PhUpSF_Jm7a!V;zyqco0t8!yZ$$)tuPpV7R*p8oZuZvpAvDd)kY{Q!=y7!|P0t zCcw2sAE`;CFEeW|Oq)L1H%sjS47=obrg|AfHXe*K+Q^tbyu>B1kzl{r^HV*tFI5>k z847L$jxXPq!UUU4Parr*6IX=2=RrBhKl64oAUK+CnV+TmT92z_JHhHqq}iMO%6*`z zOyX#nbC~^?IhJtEkkfv(?0SB2O6fYry>TkbxvaSEI44jc&WSbW?qtYQkYgQTvaKbq z)pU;k;mR|FDQhZKoj0#8db{m+`eMsNm5C$ksmI00$Ce1q>%nHdS>QDl=j`ObRRMS@ z$JSV~3R|>Y`*gcu37Jm!p z17hT0UXFiX5nRaWyx#$3<97F^GAVBp_#N2u+R7j49^P+^h&d>S)BCo;FUgZN2#ptI z%d-|GZbQ&}x8XlLLQl+I5^)~D!`h)lOaS^G>R5ab2&IdNim@Ayyivw#^T%2|q>T(R zN>*!bC946tHkqr0_AW)8{KPts9dX_HP2Tzl?_UX1niAG-y6Z!~4uR|6-yY8p%QZXI z5Kf?jwfl&J0cwInqP@|bc~nvZt(Dq4zJwX8l(k8WqQx0LHm=y$Q^%eP{Fmgvn{AEX zy%{Paj<6(!of)Y2P`T$9z$obb5dxcR@oRCZ-kI!F7R@%!HqWk0zzpr)Hate;*})92 zwkZdumh|Sz8a`(ys@BKVxKQ4uhiFnJ(wNYSvz68+-x|QZUe6&{E00RGnNJ}EHfCje zEvrjpRDnk`+7OaX_BwrX)4`pA{qHZPlZA1bJKYX&gUl@rWWo0tM(QolTa$7|25Y~< z=IWMB??64B?{r$V(RrvzxV%rR|4EgX(A!gxbUcAJ4T?Y|nO~mhtUQnQA4R-BsV#|V zNWw}8zGKhTVT7LbCKH}aN()jlfAr+s-rAe!Evb%2G=hV4ahGo`1q&U+vz0uV0F;3> z7IKt!{Dvi)4l#kjL#zWeu}hdlWO+U06AP>l|MbW0XbvK+o=!cj& z)tVXS{?$_nQpeRM61dqYLI`?xq&?0AxY>FBWbA4QHfLnzYH>K&odjhQTwT{2zT}t_ zwtlKt-oX|aJ0jl<#rL^_)*>47-{5vN4q;lddA z6{|I;g|ZN>JUe@81Fc4^v{`s#t}r5bn!yeS{fV9*7OmC`V#{1s5CeV^mcdBTZ;vR;(1G3({ z!zoeVO#M+!>SpK`6in4YR^8KsHz!kdugdgnj?QF$M_FP18^TxQCQT&61F#evQSr~J z!ntzlahDR%bJJo?mBc7Fk32x3hgUG2xYp(iuup6okT?=vM3chxGs5`7Cs_A|)73y1 zLoO1&XQXq}l}$li#niK&z|gxWj||0ZLWn-Vb$QY5Sj~EYQjmLp+xaq;m zm8wepD4ap8mB$4jM`3y7u3Y&FMD>lp#{J{Lh^8MJjr=lfO%rsl>IJ_DfuLqr<6`)- z^4+x&ZhI%K71Vg~4WV6Vh!AA3SEbSZZG*fl4`?z zSP&3?REr$3|9>5RtPT&A?@pJty1I`b0^cwM7L%|Bn8 
z7fFfnx9dtJ%-X!$pQpUwUZ8ic-f3drj5CzRHwoMVQ- zeT&8r$Aact7)eT0z+Ve~Ya$1UU|_-aZ!F9!P$ACK_yvZS;iThTlvLCi)Uqlh#tRpA zpb=;uWB;2kM_ifd?*x}vmcbkKMe3if*awn{A~X-5Rc2ZvgUQsp_=9+W%D`$)6nv0h zRh#ofX=M${DaGF_X54Xf9O43<+v7-)fI*X-?O7Ta)6KLOz{0 z1UibR_2_%C7zN>E7Y7N~)bVZYzWTeVlX#0Tf7e5;YM z#&L7mcJzF6sdZlv3u^O5vv@rquU7t{^PT3~b(HV2g~7a0RF`qEZ?DV-f6;}j6x&w% z(*lth*ev~v}A4S#UyQ_ZpQ}nIE z_?ycOF!$?~tNU7l{RYy3ddoe;jy4)sr!5pw#I^p;F&dlWSuZbI?hi*+B~|5LQj!P) zsM~?f+#oZ|=O-?GAo1kf*e5l!+C~?4D8Iu{SN0$P28jDz-#S8+&ANL<{W~NKNUHAf zPAvt0;rgw{k?)nS8tvJgD`ketP#=>vJdubp-vJu2i$7B3;h}e`c>%)*VfH%Q^&yE( zOb)-hv#N+y5I6IEkB*G$VP_{Z=aF{}n58-VQ1);w85@d_HKF%`_GU*j3@(}Ac6GBL z&a+}CZMu-*Cunur4Yx47!dP|wyCeL7*{hk6Zu!4A9iJNwA_z1kLF?;7pKqlWmk3A( z5`l1n=dy)5Ak?nQFVAAF)z&X&>%U2lPz;Pm8sXg$tRqeJx!qKGzh#uF*%kZGczxq? z=1SRx(yf%T)qmNs^wj(Z0>lqitq{tbUkt2}spAhbByCIJYg)6r2nq%yxwGpn9XOPy zR`4bt5fX{zw}s9}d~;48TRI?cyub+sXtN&`sA@nZtJP3LmbGyic&!c3gi~vGtay+H z+@vTr1@n@%27)CC#2HQOK%O`|XQXBasuTBU>hXta0f+`{65GlfzwlZTk+&tJG`^bV zzw1bdX&+@x`+o`MVW2dw0UY;__${lF^g~KyD=YRg2D92B zAR7FQz`9>_pVW~6OEiY&@c$kWNRVk=$?D8Opxa6ka!tctRg+S0;*EroL;6NRoNOm5 zsDpn#(afDy*RF=lwg3i!`?41|Ew`LddApcegV*Z30W9|wn#|*Qu_{GlM{&p^Gc86r z7W5Ts|KurEi#!+PcEJ#tWvbt%c$huZv4I+7w*VhEF!|UCPSRw1Z3$ zo@;)hqsL$bDuSGt3!0W85b@rC!s-ZjMsRLb`>_+WM?3xf>ANRK#qPW2g?F&aq|{rb zVl;y+rC*$C&K~YboWrN&kZ%;h!WfYY_tv^Ff=0bnc>0_vU+Nw}(#@;h02AL4RWfM4 zq${Id_s;|Mp~bw0>Y7u0t$T&oC&>xHOGUGk<+y=kp#-u%ecNVTv%+|HO~>29$0-9H zykKRe`9c$%pg2f(W^SwzRF}R42!=GxdW2x$+rpBgH?`W%LrS#oJC@1mnilTK{;;{6 zc_|BeNAQaz_R3f?d3xS~@74Paq z(kdfE$$-527`Zue-Ty%k-gSdNUhUingrtxjySH&VXYN4474AD zU!7WCJ?CO?KT4+CryvrrYK9 z>SWBa>KU{*b(_go_r~ z1^n<5c~OlBy+QQ@cD|)J9UdQtgdye#hm`%WMbpmLhK_@&s~kQ#l&QM!aZN7R@SzM= z1lYzfZfHR3&30r!EFr?shu+m;Pi~E@$V@qtK!`yxmjKkjI&xjXW!u|-?ef#6d;4^7 z-(5z)HbTaIpwU46GaUSj$PR4XI?&^VrOpfG$HrL!$xO#|G3G5I+B=*Z{Il}XHU`1K zLg>4__TjT;D)l6y$skfVnN~&jRvgd=f>dy`!Vnvq7=yQ!rB)Z61kqmSVdr@Z{RW9U9H-$72`3;q4L(sut^q4}*Tv&`|Mgqz;W2oFOr+fh>_G1XH8( 
z!^q6JxZH=$9uloNUbR?XjaJ9#TNLWSJC~C9CBu#G8l0^CMq0Ko8=4{~YV9%q72b|h_ZT@D^#n51D^1)UN@{6IT{Z| zyP7zwbx{)EsBBW7^}H5ibJlgQFa=YIp{U~|b|*O&62S7jN(T@)SQk znI)gVZ{g2@imHla144q+LXQ1Y#iX{e`ioLweNrpBPeI43+*#haW0jX`YB7JiCxomm z%c-wlmZwDqE;8F%?*6^-C+)u%gl_~4xB_d)oVu01 zG*fH*;e;NBSq!uq{dbWz*d0fah2pYMXfY4Ps?qXU)w9s!+?~1I^wH(5Wuzx;&sKPs z3URl*CFKM3A#>>S^yN_Ey^hBqjT$1FYbd+4v$R$Cf-drvB-c#ZEXrD(=1@e4peDU{ z-=B1Ys*Hcmw4%B|<&R|q%~}^UWmlo$hBKGQ5|}>a&KoiMXL4wN?$S4NTbC@e7B;cp z6|aC>rJNdtD;J@11cKT8XnFhvozlba49j!g>)<~_KJfXInKeE5TVDQhoSCLmBj~WN znzq^&oQY>#av~QZo$V!@bEsZiwp@|8p`-iJfAqArIQZBb_)~%z?KzrIrDfQ*#!vdn zbAa<&5_=KST+t6OCcF8Y>tqjvf?0n|OsD}9ghS$>>TjA5vjsW6SR5wI<)-M|MYDgI z+Xa#88)vstZ2>yeA%+$7SE`| z&Kf?w9&3V{q2!I$6ZW37if5`?eZmg5O`_4Od}(YpRl5aVr^EnsZB;MA(`}CN|?396JTU|x?9*- z;}ePpDq(0on9dpNeG{TK9eD`f&t$G>c2|S0JR$7w>@XG4B}lQKAl}Sc%)B@7d?1j; z(6$2w6j9m=Z!sCXu5&vuL{?x8$V+FVtX9%zZB1ubfV~D75){DOzYk=Ad_0X6KTH^c zW5bx5tj6}+o>@CBzL<@)_e4sbB9!a{OwKcyc>-R@nZ?4v2rv9;0b^HMMkVP+r=4PnE`QB@DRai+LTC?*nHW#^bF(X+PO%@rMwB>L>r8Id@ zO+*6~9JW9!md(`R=yap?X`Hik{l&3X#l04%@lQtCli_uSbI;a$($=xZd0LOlYxJ2d zXYYDPH1|D?7AG03{Rj)u<_78$Xo&bI53v<6>`UxJHSTF>2hzkM!EK_ z@5$2>KVXQ0MQ}1Rqk-hr(S?Yog}e5|6;}n-cEf#%Tqk8d@qV9X@pKZL+R~RYw-|?4 zbtF1g4~PFFY9}pipmM;i7GT6jtqWhz)lr=+0cs~WWF-aix<;#Hc%XxL3vNd@?D&XM_Mr%25_m+0~=M)Yi1eSbSAc_F`HABGChigC&aE7`A zanfVIs@76Z+L>vX+m0U$s(ihHd_JpmR3S29N_S+(_$gPiG^lt}Yfo$PT*fYn<~wTo zM6)ycg%;javYOl?kxWmIU}{m7*;M{ltL8EvWI-zd>B!-g3Z>`Eeied4Y|w8}SrX~! zec!x}%Q+E8U(PE6@(^wpe|oG^n77( z>@As}%OA~jR`LNB)W_Ws+LTz+HrqQ_=V4nmZJ?_`VoITwyGY*Hf!9GWmwYuN5ET-= zLYXBqquaJvvBJ_tqy#MrmIqAcfJGxZY6Tzet%M$I;TAFN#xFpWjU`Af_m?JpJu;yM z7DtOsXf_k5FU;laW|GwDjCD-HmhTg!a~bQ$#f}IE8EGCYK902a*1W+5N}2-gmC$i( zt~GaBn9RVO`1}H3g65DRlH6_$N(Bzl$)KG0tgRi)Udl-;Qw{+BAtK6XBXKUilz~>l zfWx}?m%Yoyb`sgsbRz=ZIevFTK(1|_YKD4XhwUCP!CBf#i)K%|IkwIsvJUCc#g&gs~d~n{SNi#vY+TPjl`! 
z{kI}KCEi3MJrtzrE;iWR@n3i9Z|wJ{YmDxV;W`LDuCPZ1JD)v>qvlR6p&BQ<{4=;tJbEGwpY}zQVd=OGp_oF$3e}h+iX0}I4 zPg%P1WPdUp>0!oN#*}oxWz&1gl@IaUWc`GyStp)*QmM5V*p~6rJS+h~L?HECwU+XD zZM_E-9Qu+a zb?&220e8bcAn!~(1)9M3Y6ltYyThn~UN@?dtc2Q|aOn`J@s@#mBc~)^dp+Uuc!KO7 zC19cjc+&kpfwe~vVy{TbVCc>R41Bg#^)w*&sPPjg+bit(RQOF%)%y$Y0)M|3fV9Nw zY{wwT&(j|=nL(<-w8|Yl!g$)<;sA|FE@4~qieGRrdGmUG#s&7FdU zYgxqAlh^&xzX|ZgA-H}!E*em~0T7q{7D_N5w4-8r#QI=5$U<~7yhOJyqrjPrZ1i0t^@T3Mw%n?7U{`6 zEKxTe_pBcw>gZkcIyEd}P4{RsdHiI38^ds6 zdNRfQUu)=7cp3wy=lxXmb-03usy$OV11{7?v5LlQ*}}^u3%Aiw&F0^ZEl%9_Gs)*>=8L@`DBBcFv&1K}nf?Q=nZRbr1iCCLN=-cO%S7zW!jmux5RO^68+gfO*K7R_q7iuKGZi?<2Kv)64E3X2 zee8@EAj^zfX@r=J$*<4)&ZhIzUYkh^7$^ zke}2)@@%?{lB{&_eH#=S{osjIm(;nNH(8c$agOkBynj%t_TWEoZgu$-NRifN*fNmf z3gH1%at?QQx|bOae2jNDg&ka179cvl$92WT6w(w&?Yj{#13ydJEq@lO zVX}lyCC4N83&U|%(`nmgOiNWlUfw1M@wsj_t+&B#rlfYug*RQ_ZKCVEUqP%0(KnYA zKsM2j0=sn8mKe$a1VsIeEpN*dh>LV{G!5=_dKxk zvj@BmJmYGyBN`jyPi71y+)E{Avt?UKfeGjxaQ@K&&Mk?f^LWiLH1jzB0uX3Q8Snm^ z3G6PK>`5ZD61kwU_+f@2>*AyDt3S01K9#s`se|t_WL`7>){(Qc5KD_w3I+k_hl0jtTZcxTqT5J{}>}ja_j;UDHiY6bD90 ztgg+mlf)*HR%McjU8(+N00^`s*hFC&UhEGcfXN=u^Ulbj2Wt1ti3Yct{HZuFuB)eK zd*~B&P2BA_I%pqN(`zKZg~(N1gRhbRtX{^6=*$lI4$(a#TI)m-a|INo{DZXA=wK&-;8!l9y*x?kJx^1Xg@y zu6Hlrxdt17jVOIcxWkDv4Bf*>p!VnwSN-%^v2 zf+}EKDf<0a)rHjZP zcDWO2Umuy;$BnADUBnL1J4YfYl7{v^&my09D6Y1LEF$ats27W<(s=N|v}OPJJWzsb zy3oOb=XvRBR8AZ@4CmEsH*TGwM>SAutIOa!r%kE;23dy)W0~ZL)IsA~m(i^^%SR_#|?iqX1@rv5E11qVl(KGK!=`ez|k53fW+ZuB0_ zcG61=q>K#~xli|0!f*Xz4d%4k6H!E1V~9sZ-5pnnMeurimxUdZcC*=_zGml*(NR%d zP$WC!;Z9L+J_MA?CdDXh{#sl9A=Xg5542&B&-BVvFN3{AH`OPm!Ql<{Y8jzU5%-oQ z>0(NQw6JffXhI5Ff%I&@gEx(ZTZz^A6D@%^IHCim9+uAQ$ zy|aXdk6~h^Wfx0he5pDGBEzj_Lsc zN=%zHsfyy;$r|tyBnRrI4rNH!rL4^b+oKHHBP8da)rJjr;>xQE@s8M+IujThyTiEQ zMP1e{giE5B&?qXkIJu#62er^`rHc+F8W`mh@|NVa=4Q@xK`dtgBIByQ`gtH#F7j~N{pG+B)0)1|(mGo!7;7NpR4}#w8SMyP z!$-ltl1a?z-t?f#bR`im)kweg^zMn_tj$x?-Qe4nq(d%9m9%t^X{Y3YrTXEHc(GW4 zjU_)YY0&$NZ0*mX@%|qk_OvI()K!J5f3>v$azO%w-0l(4*8?PxFuTj8H~6;*`4%78 
z{%|ZSO|+2{`UEA~4g?SP4+BCX{XIQ?XJwo~EfO4$t)KrSrtQ7o==nG(B@E!omL)$) z#{S0{`17GcF35el^edSIE1?6@P4XEkwDww3Yl+ru67otafH5E#2R@lA1czSw=_ucX zSqxG!=upv$-&p<0h#TTE@0MS8ciSM+72vh5Z!_rriqF~ZgH?19M#UtL8owpbwP$6PW-ahea~Bof(Kz zrAV0{bOG1sN8xiP3qSNvuCuq3od6iNmw*h(^v=nrcurl7`BA@+bU9w_d83_O(4dcg zrw#wQw-gxp3QVaeHHD-CnAJG{qcD z-p)K7|G;PPl~y7;D>hm{dM}9c4ZLp6L8>7yT}p+cX#tCp<_IjZ$ z)!-)4R9Q)^FL7OaIuS?FOoIgzaCXS}Kq`4-H5?H|hxFh+LfUew z&PAuEhOu)0J_MJqZGg2*1)HdYIc;O=_JAhzkJdW=iUWuZ4#~Lo)CeadZ@v;nF-mqm zi?4g}ACr6iLv}-S0s>^FCwq6OBqJedS5ErDQo*#~qLNW@s-j_3T7vzNQV^vq?D6oZ zXs505P1B9*ahQB=#%W1xxBWsTYq>z&RMJa0_UuU7v>v1PhW9@uNQ~ENYeDYRM$WMq z~&MS!@(_K9ebgpDde>#v5@KP@^cDu4V2;vTFcb~4vE;wd)n%A!yIec24;0SR&~j$n`X0H^~NX6kJ~OQH?|QW&bTM!%#4ljr9eaT zP?h0!#Cgr>2%1r`x+bw|3!}Xk&M{fqy>qmTsK+M~w=tW|q1tM6uj6YTu{I9$GG@jk zFIuQm=aL1=j@%vfelMHNnKv#j{l_GHaoM$6j&xn+ik6j!zRP2tSwB>@NJ8H_cz@cK z?ypcBkSE^_R_3I#drZ|Gdm?68O%=-V$_c5R{ev|mw(1DuO4AT}jDc7s?CL%!f*s)j z_8v$&txpg7jr-esZ@B-6Y`|kHF*~mHPSZ}8)aeS>#**T?Tp*bgg`O)Z6e)Gye!IBP zyIAFvE(kLVgw3#trQgxXfLpplFnlY)w^KF7*KO0TjXHqAzl9Qr&LAQ0{w?B5 zYyDi#v7AL1wSZ4oN^x>&*9+AlqxP|M_}XtBmB1AWL~$gqb3zwVP_IC~hs9cXI`_vIX z&9jx7X%8GqDfHPTYl*GKh9o=7|M_xk7TO;dpGg(&(h*q*^RwsP0=+9Er%qq_uU!7> zT>!~vwJ6ANcZZt7T?~ovdv>>_1bEenA0^j7^(8dm19aZajOEZ9EX90XxB1pb)IACW zjQLpPok7u_A@$LAPcIIazZ>ZHaWrkLH1;2Klg%zEW|p9VsKn3 zP*H6*w}2{$2mNe2ByX~Jyzw9ot7z_G+gz*7b2zEwt~q>emb@q>5fQ{pFd)<>xwuO# zRywXR5`g3*t=wDZ8l^srrO9g7_&_P3hKw>a%`^SIZg#|X(8dY%j)%IjaPmh;dtheN zH8Y%`MTJWKnV`tYqy|F6o@ zmx?>5mR$RTsxtQB+vbSmb>#Kss zad{aCd4qkDAf9<8tDoQ8Ork>i8d#Fz|0$ZtdIY`1k*<7-UIM@utt&n(VG<=1|?ZsswAvh$+-)1VmCuHBr>7@Bl8B6D8@_&!~S zkt$&fz{d{oonE-y!eva5`~%<1SR?gBb988H(QxXjzyqe8R6IL4ui~9k{zR--@OJ~y zz;J09G@ip<5XiiyOm##tA2FxtS}~<;P82^Ke}vcB_c2r#mBS7Sx)K)sojr2C_)Cb+ z=aKPsuY+KCZG#-OZ^h0$55+p8=uo!1Hz}{SZ>%Eg?JLOw`Vh%~^b%eo)ieZq#oJ01 zXOHRok6t6cQB%1ms;G@_zzO83fWloPJ(4&l-O;v5pDVaDPJ@D+=dp^I@4^7;dyCO? 
zj1PIWq)Av?x_?frr*^ns$tpjXRnp_4+!N<2&xku)dLt*bGmTEev^=#$OttCyA0?R* zbR&fInCRC4U|3nWt+gJBz-d1@0#rPl>>iZ0Ok?ge) z2Ws|cUfM6ZE+~BC?3of0mnsNq5 zDs|M6xbfuY)}~q*{1=*wm4vc=Kr(Pj-c7%E8r9K%hw8z-&AxsvNK?B>I-fp%aw8@D@b;SxfUDu&cfW#?RMCQRV8A~E#ykz@X8{qpQ3Hv zsvSt?&_mH$C--nd^;-J+{kyVkP}jxj$X-iXFzQ^)M9v&eZuI%Bwb{RNDGjJ*1>&9@ z$;aLD9)p~OM4)vto7uE`X~Ffd&}l1Ke80dH)9>0_nuM<{`@}4##AmI;MLIkeyOaXm z+Q;IQJR!HuWR++Tp7(omlo3NBMcn&xgNG z<1;d*NB&l4-umOVN`m~S#Yl<2Q7AaU)|(zzAGncl#%d!W=Fm086stwD3|M8cuQR)CvIj?p>!|$d0P)q8Z>@Kc{W+?hYKiL>j4- zm)2JG&voK_6~d%O?G}AZp`K*yq3s1+#_*h+h1fM6IM%3aR3-C2DcSVOd7kgx7j`xx zPGK4dN(Dj9D9R}iLhAFY+u7j91@nu}hZpVDvkn;8tjaz5UrMqr^H8XLdsnt@exNmI z4K0^_kD_{5m}Z#$u3KZLyoQE*xY@twgGhtogL~S~EnqkItJA~eTNxqIzpEQW#Z+x{BZ}J_gleZJE+?M|b-UL@V5lI# z1j03(wPI=yD4OEgU`r{;&mF-XQlJZwhO}4j5}GA;(8jPVkI+G?sj|Av+Gidve6bx+_ZOSDM-&WPWeQnIZ3_v z=iA+7c7Qm26&+8n)0B+<1Xi8eJqUyRai97A&Y}GM+`ZG?6`K_`;7XAPM^^5|bkD#X z2WefvU!C9I7L5u-DmFV~P^eN&1-XV)-Cu?goVYn&C|Be#_DPrZr3|n}S17OCwuLJ_vMKx;yYMR}iG>!vaO{&`1~|6CuMkJE#dQvD;S1#|d@{5!Ptz zye|Lmw9&A|*KmhpH!a790$vX=I{EWTx<1^Nb_b*`r=6k+>kcT;tCXeXY)#4YYD8wS zog)PcjOTjQMy7Q$e)syifFCP>69Bd9Ctw{JjmA9Jdn)GW>9P6tC?y8LU47UslgV!XCrImNc(Azl7IBe+lr>d8(98mge&)OKeW~2r;;{>%wCLy7bM4s1e>Q= zYs@>+sR`A(L)seWcnEKC_I>%iWI2to61fU_H!$!vB>6XJ%FiCpz--IR1>2Oa$Q}t7wMGEK7WR{(1 zIai2q>mzDJfwYRrcbSM%@bGcnP3xmDQDcmHr)po;Y`gHz~~g<|;k%9XO*anB{t(KoW}rGxKC0_bo_=Gc2{9ByZ7_Fn^e}pS^8&-<$*sg z8yMO#FT{t$h@{cRUTt!M^ZW;QG?kO`>d+VS(VVUL6c9r^v^1x(I~4j{VOnB#Ht?h! 
zdpm&t@HcvY=gvL?SyNvSA!_&8X;w3~p1+mhG-vBtd>z})Yc{Ych~ zGC(Kg%`p$2kBW|Pb5jI$QtVlP%s`uGs;g%*^?g{tzL&U_{Mq1_OVFjTa-?;bbY`*7-vYFQ;wP0SysYpZv0fng4CB{ru?1|Ms{8vZSiT0L-sUf`hJGvj zb(5S1x~HcVy)gC$xkC(4=MM}w*VH-hYlq3Tr){=+zKgn^Hexx9UUh1L$wmXU>T7%} z@k|CQvG87A^GxquPk(Ph9(Gv&o*P zo-p{{c?lqk-S|VEC~^H5FWp<+YBIj0Q4|8NhR7lJ!TwN@e2iYSJAP3Cn!i>x>)Zaw z>Rr7<3+g{CcL2I^q@u!c4jm#W{9k>5Q(7p%0J!%YPRKueN$00-BL9!(rsivH^MyX{ z4{-HZiWwvvW=W-Na*Bs$wf^H}kQd6772qKUoKB*1Z-3rMX$aMdp3S zn!zlQ(=IMH2VD>BE@64fb8FjaP9#7CMV`xc1leum(NN+V0|ofM<3)ZeebX2-!dwfb z9_FCda(-$ULVxuqNnvZflbz^ah=A==sve<5T=qTvc@6`1r|nh8cM_~KCIJy)k?+nT zLwqL?M~s9@^o%SvMCpv>dmk`(3xrl81`NM0cL5}wa^s!`n;>N~Ye`SrwnY-7?tnu+)(#(QD~2-zLh!jftU)_|{0 zrq~?oYe4|{xfa_E_7@8s{wJap$Knp$3-sP+d<$@q15%q_nEY>36fIWdH-tOS&yubZps?P zhtxG)G4_)%DZhgOo>EK_-v|}EX$$UbIGu!{UgV}&H!d8Jn4T~N9?fwx*u$ezVyyR2 zi=bdYJK3bx>lL$-)gHm@@WI09VGadl){UH>1CLKZSt=k7t#m>;w6zm^ww}sJQfwy4 zl%1F0VO9ts@t+ZY@5(=Z2OTWI1k!#k0BPX-W_WIsKdcgA6mhWbMUT+x#l{&gb58o_ zxnn0_`Q^yWFqbSXr1yn9e;EB*Rw&=vBbiWgV&p%u+70dB3M!oLnVpG6UHzuAI3Mot z?v40*7=)-=adEn0XK6ic@{nSdV#gnz^N&=ky8;K5k;@i$u(oJ2bg2)VeIpOHRxuv) zD*FC>>h9ZGKvb&7Puxvh(F^rpI(=g+>~pSN_H;&K)~YjQKbPNFizr4?CL2@9M8R~y zqqzlf5ORDcbgJe12ac2M%y3fT#dAy9Y8CPO#l6%?-CO~R!_`GEe6*zExc?$zyr@S zqc@#00T1!JBWuA46#HrBOEZ?z`PxN0Xe#t++01B0r^G(&@4bXW2W+5qrX$B^LXeXu zh@z)5OoeKca<+TsuMy`jjU0HHGmkc(Emr~z^X+*h)V)%K=?W)fWo^Da1w`19)lXu` z(5O0|+;*N0rb5-3*`bgtKhNVxm;eKe=$ZvQ5E*eKH`n1W50n3Vl%WGNEz1 z!xeYqxr-!BP%PFd9g<}#nC(1b=Ib|U2}@SqxB5JKad{@F=Qc{{d0Fmq2~HI_aPeUB zGJNvG$LAslf`lynMGGxzfZ9bk!XPvmcy1@g-Iuze8G5Ek;*%UsQZyV~pGEL66%k$1 zitEQ$7-VWzkSvr=1D_AHJ5&P;PQaeq@!Aht9j+uxt{AdyC}m8nLGmSE{It2;=Wb0> zns93XD&Xt}I>?>vanGW(Bs=W?jtk{5!(92utvPF><_wH;2Ps)ak*0Z1qt8v0`HOKg ztaulmMzuN|w7u}kKM{D-{uLT(+^X3mo=riF+~~NKuvO$>az(Xa)L|4ti_SLOVfq zZV#Xd7iexZEc4D^3idbH+E&t(?J)9AvST6y7gzsc_O9UDf?b^e2ir#Up9LjbHis|G z8cd)0G3`0?>-)n*JE4A4t6g=#KIs}ec@#)tZK8I13jNnJcC)4bvc39UW1EyL?uTbK~lY$xTU*PSi^44z7cL_x`7qg|>rOn1A`7)Ov#sRm=akU>YI5{bq0Ee*dqp 
zX%)0}8c9JA{GSnENZ_pXU-7p|7EY4(pSu(f%@Gt4=KuABr^Z9Zg#R_&=l^p$7~rAx zRuN{f`!t#Q*m}L;(zWk5`Iw8(|M>6@_f8n!4d-8-%hr`#;|1QadH>;Mc){}g&iLNE z^`yJC*vs`luTu=Y>q)rS;p3{C;4Qx7@j1`}-)OFZ_nx>dkbN+qMYMBWyi<4B6GeHy zrz>z4X$f`B*yU7sbId!5nPUn~>z{ZtLYWPWx7n}{Dn`%Mib4J#{c_Gv%z(b8v5t-Y zC$~P*VN)pWqwXfS+T|46@sXs*@v1%`uYPfJ(a$Nl3$d7}8$yJUoBBAxCa{qYEd*EC zj+t#3cXz3u_vou8n~r}*`!*SNI~SF7dRkX@nW2=Y7Km4lsIc*x;?SIGX@OO?6M zNYYy$%}ebe{81hXX{86JKXEhJ43+DLOsFG`S7I2HtcLf3d5Ss3?o-FsWWHnDH-B<+YYV30mgSd1d%{gYfKg7L}ZWmEdqvVyjYY8Q6^-F1mh z))1PBb1K6~$DYknC@ zP12nPvFGE{>Wi+_rtv)Ylg%&$gVrC{%|X7k-#t*@*;cfa%C8(G-n)qe`Tg}tG{xeN z-}%aQ`HlWHdRWXbUnj+GZo+V~jixx1+P-7Ay^W3~BHGs=@#zcV?*DO2LP;2WyH6({ zo$tHu*jPj@5`=aT^=GtLX*ZtCi+uaX2kd;4>1d)SdU9v9tw2ux6E{%j;2{0}MC`aK z2Pyv}xrHCv{O&9usHvCmR>Rgy6LsP!$IPg)7Ts1;-Fs=SSrl-4`=E$NxN;CIApE&M zFBesjFb8M&eYU8VDxeE`a%Z}%(Mi?Tez1`S*>TpAuDbhJ!nLLaZBVowt9p0Q^l`k% z=!blcXa*{L$J>n;Ki}`$KJa&&%dC=QCkw1qFf|z&W{{%c#(@7?;Cc1%r|2wplNI_D zUk_yKt`_LsO}&H#K73ON17?kNG2KG|kq)M)FaNjhR!n^{g9QA^=#pRr<9Q*?g4YP* zEgdJ^+zed!sx0^?v;6HeF>~1HApp=&=7q(9dB7@JcIzM0lE2!ZI2kn&ub&h%ny)jI zvk(J?^91M%M#K<)AJnzTxk%cTbF`;A6ve~cYsKa1a(VRB-~RGnB#KFr!@7g*Y#n$4 zzmDm)Q*E4;5|e>`hTcof`3K*9ALm*#4wOqSYTv&Rrinl?pO;K?c^X^{3s}v{H?uv= zP%SF`(Y#BId!}pl;LO?Z=WaB5fs3g-ZL%%vW4O07bo9E%-MS12m!0q$Z5M{=NaZxp z>Dabt+Wx2ev$q-&O0$SVP+7V~D!d=F=rb{T{)g90fjHzR-uI1_$U$T=F#5gU;qBcQ zFh}zQ>ynA-#ls^A6CQHWd1j~lv120f2U0yF8Jx)rlrSfBo_g2#JkkyZgXBXZd^v_^;5?dbUt7*5W-r0LX7EfQ z+uORzBj0=sbas~T52WI=_y|$O)CCx&G9@;w!2bGud^%ed-N@x)^Evd!<;R-t&v1j5 zb`22<+Po*a_uG}|8O0Z<*&?o_^Gj+`mrP zjXT#5f9&N2L|YX{Z+BX~RZG+{42^U`2Y2w@ZSPJtiSwL&?&we!_N7u9{`{p=faIL{ zq9|FsKc9|xt#n|ynPuQcJZX6&tY^x|jElhYDSW@6+lUbIykb1^24f-I1$WBK)T!z8 zi83kpVy(m!voBwk06=;qtLG{lJeUtz{@QW}p(`M|qu)RslLnJMF1;P<^zCc}t;T;; zrLY6S{LYBAG&f>~t$@Y-am%HXeMj~di&tqBwRgZSe=PLt zu?w!Q9rd7`NZ#qHTO=>^Fd1`kgJKvJXU%W4qy9Xcp4m*(IsAe;T>b%f{M=PqVIN^T zm?Z1aw}6agw0N*pgRR%ej?pbGf4JS%t&M(p3r&LeQTU)7>$$EbBXHFzQTi6D=+uWI z1LI7Y6FGI=M&JjPR?buf?9~SSA@t>Ff95wU;i@(bTm$%-gX5vN_Y 
z`ddaw8AmRLED;W=tIx}BzRmRyFtiU;$tZc9`+F;Wl4)cu1mIu zB+5l2RV*gIV=74ze$`t1M27vG1@z|^e{{WtBt5eZPLy2MM$c5ZeFMxw6V&<0A%t=8 zF@DMvHBi&y=;0HKKm}2rAoA3*-04b2to&Uh7hQ^{Z#6DgDC>08Q5-_~2i!E4u3rli z0-t;p^TCAt{PAFVw3p%H%$*gB)EPAc(BzvVLbVlnjU-pZ>m9MHajk7lVK~e=q z9#u;&33_P97(L4r&acJ&qf8%o_d%Xg$f*4F7WE`_$Sa1;JbCcLsk3bClXY>|AD`PF z&`p7IC;qn|y^Rp%a$1gJeKUp`etP*(@{vfLLZ_UsbyVeO2FDPB+Hf&*C6--v9oSJ} zmtNkRUfW{P)ekg$9mB-GSu0tcd`z80`Dw#s?ZiZ_I)+9#s5#`ASe_g)Y;(0l>~rdK zXP|ZI%Z!CU*w?u#0-@t+Lbcg6>AJk6>dn6@RJ21uC}OR&et0X~CtQbjRM&z8!ZY@( z+F}g6pPn_&form9MXI@Yzr>smvw70QCiyJ@Hlu7ZD#@LVE85VLdQB-!$ zyH)KXTUhYt^J+8T%MU$TrBgN_ah5J-B4&&~(o)Cu%w=i&<{(-$V)pBUlLsHG02Tb^ zX*rO^wDVvB;TqeCERlRAV)S#)CHrEqPR>Lx2Q5kuFN13Egq#0$< zaAP%!ECw~E0d%pHiKWNKL*&3F7Tf0p!d(0wTEobn?^Mv@pi1rEeMSFM6d5iU<&O%7 zi;=1X==-;bpV{rGnWM#lYAq%5HPz^Zl8828g+Yd1a3G$N~aV7R)okm%H3rG-Z^M2wYbPas^G zJD-kIJ`V-Q@_QZaI6+9u9;L6rGP0T+`9xMqBtaHh%pcmKJbrW?s>{pe%ZCd`A$vg@ z1ge=}`h2_-F|8;xualjb?Pg8Ifmmv>ou#K*=Kxas4lAfVfm;G04qVU=J1zYhAY|EU zh^wM@wg_bPcqw;e(+kzjzxKNvL|0M4v429Sg)<-bk5dL;QPR#7c_J?<9x*_yi8$d0 zQ#|F*J%Sf24HURGblFki7E6EDxHeQSnZW|*00wKHzVA1b^xPO8*@+=6aB(d=*&G>) z`@CuJf1VuSh#2B2lUxW3nB_i%t7FWtnrWuW4j8!|w$w6kM;tyI?4gT4jBNx^EBVP> z1y#dow%h8a*-L4+gx}ps7Nj8HuR#yCrnqmO$G%!eHi3hj^1fBV;;K!^%*nBO}UxaNb{w|M*-Vy(DRYGv0hUcLSXK*MI?TcOcE1D{d-QJ z683{N5a7cEXCFA^rUu?K>;nm%T0D$dCHRAKI2oa;>$e}w9Hrk6Z1(vt&^2m5<7 zaYC3(pD&it@L7ded_JAuaF@w5sn{nBT<^#2>}*CP@sjSAAON_R>rAY047}gjUua{2 z?OfcRE{Y;KdP?FHV9)n@mB^cBlaVDHh0F8)`wAPU*K@q>HfoW~EFu-_m=AFz7A6L1 z=;s2#O6~bz&G&jlmykJndb>bF4MBSX!svroIclG_+M=e9L+~-Z#H06A{7i5j3b7#p zzU;ISgte{taHW&Pie4P1-UgI(1Kv0{>{Bh|S;1Ron5xKp|16qBd(>^A~hik2jW`n$W=Y zf+@m^ZS~_LSD7H_@l7!J)W791h2Qrb#1UI^>h0~$ZwrLd;^alqZPK84zlmz01w}_b zh&SS^=g%nS{QK=VGN%yh__y|7ZMbP#xECf-XuRCu{Is8^ha}A21aTBxlsj`qGR*cR zCyro<6L?7u_O|u%by}xorEMCJ9QqG`0L*p{kRT|!X#ax%&RVbX1iwAXfwP_A?S6gq z%nYtr7O_S4oVkTrCQN|ZONB1p7-eis*p9QD=Evn76@@W4gh}zugfJvl{q91gLT}uR zbd9lDMFQ|>!w($=CrQP=hdyxOLsHJRmmGWIvK(?_^6Q~bY$%C+4zvWQF0W`nM#vYS 
z6Mm62z{1vO!~nP=;m+jH!NR1tf@u8rTr=GC_pI!eV+eSu*%zHr7+%lyNlpQEe@9r9 zG@feEm`D_Qay+JJb_F4X;uG=}sMc$rLm@-xGrldJ9lGYXm2Sac(~zc0KAeTC1l75WaQcRDfl&)DA6c4QUfP%Knc7veB$pN`|L!Ds2H=VT>Hw&Wd#_sg^C~>HL z#A0*sq)RUb0cmhk5)yOU4tJN@VGg z`4hY+Wygd1`>_^V<{+=4!rDtYxThCr4%Y7x<~}XT2=Ss5HAwHnv5$s8a@<%soeG<} z7cGDcHDLj<2vOn>giHNIVmwA0woV;ls>&%iffjb%i2H=U9K&b514U+CzZG3f&TL$Z zKK8M&aebnu?C!okq#A7Ty#RytSW{OlTt3COKHcQFTw@EpPlCrf-|MdsgjEg_T*7A` zjf-t=i;Q)<;B1B=$g+<`Y8`TL@Q(CZ{2#5th>U`$8gaD1>`EQfOkFLRY^GM)fss=Q4`c}G8g_|a2M<5LIDYE~8hTgw?RZs|0MNTzKj)F$8abP==Qw%;Z{q&}gEFuk zKsM)9{ZykLJO1R)34V*AV4&5T=hg6Ti^npDnNn7?n#iEzwl1+#e@ukaTk1BLUoZL= z!TR#`jMG-X9pFG>4WeaSxj#N)w}VD)?Lu!j=!?Zy-b{*@UKS}6)C(@{UWxHoJRKC| zp#x&RUAQ~|H-CI2gM@-Hv9EvqwCX<|MF*P447kloA_#lS*y+T(1$TcYlczuXjTuUp zs~QyzUX)aPJKdh{}k`P_L>#Y{iUw9*%0n zPBv`kH2e3=rn+WdLvskw5u3iOUJN84OqZd7%(p;A8f))Y8n)CQ-tY@hu`S1h&*hLIA7rrJ{fKP$N8rnJW{A^jC5}1{{`Mq*RAORz zwvN6GzJ_%*CV`g>h%hghEhZ3dYTBpG@Y?cxXt%Vv6Rt!XNjmR{sw{;>HC|yMWBeGM z8FW8RuzP!qnvsVW$hV;rS7EpolC5%>L0Tp07>ZpY22{(=##l`efM+^*mZFsx39&&QzftA$`=| z{6e=7KWYMHDn~6N@HA~A-%Hg>B>eJ5Y}zY?o^Cd))JePQqy3W`YYFS%lf&r$_?it~X=4+=stJRD;gYsfagp z?D>Q5##}8Nax?et;1XqbNKKgQLcQelY^h9T9wyN{;u`-zl$hu{Rqop#j9Zmr4TuvI>B2Bc5`lV7Q_^a&;y~lpnDT z2cuXhlsW7~Y2Neg1}}sLkX7k<;xRi_Z%=HXr60bN2y(Lb#65d2KtC6AW&CqLzkRBR zD;I|*BQ8mr>*s+x;aNp^zV>A0fwbG*dbHN@MN z;ZR&v9pl98<_2>)(lvGKjgN2Za!wIQQ9-$zXXpn!!qiywWZ z`-C;e594Sbj6I$``}Vtr^|R(X)b}s5n{j@FHW-Az0)3Q92A_uQ8#8a5LjtdT_^t+a zw&EFpEss$(PL*ZJ1BMZwu)|uih~ZSs7kd95MO0`;>`dtFu=t_pxoiI-9sI0s@09zA zv7Mf|@k4lzydNLizn#F+`@)W##*T%(y*67DUa}bHp-I-S>it?k%Yzy?mv|J?O&64% z_IY^96%mwYGk_kDiPpXvM<(+p?nBU!`sUA&TH&M>4JD)aXkeAH7v;2? 
zR;bv?hqG*O&sa4ZO8<%yU?siEq4z+Ddw$5p&a@m~d|5|tXc#}SA?gY!8_-B4ERyt| z?yvj)K)oNP*D9pu3cEQ!n??2;PEwKrsltcD#EF)%YZ)~?fHJqkpEH-A2Iec?g8Add zhW`n_-kAGsq$zhICRSvY(s)?w8NH}rpQXzM+^WBlyFMdoC6BDr9RlhDxWBhf7@`SUDJ+r+Z{tEnwD+FJvDGtpqS3yG)oqM ze_4CuHp?CNOF)UMs$mICgsIUc*gKf2`YMEfv%IGbX97>{$TG@C?Q%qx+{;p$1mV>r z-6EB~_A4g$)}~HCF5~^Vc^Zv9oKSC;IS9V&+pIh&Fe`FE8gk5SeF7~=b85%RjCPXt zbZH|@2XiHtdOq)6+0btFhk@9`raSWbBmexXxU`lPUJzl&j9((pmJB&^lG+9~sC^&o z^3|0#kk2nT@4?>G+^YP|AQz7=vkESnDwgRrv;*;!?i)pe;?VEs3e)S`O9MIARzvm; z^<(}KGuqvgIp6W+tro^6w#C9wzPl6dw^3mcDOMTNcjC~qnUVg1Y8nJ27 znwH{{jT~JO0tIz6e#8WayQln0IK=cGU>8a8Le1F=X}M@uvh_Q39s63BFL@(54fli* zcgnA|_<64NJH)E*aztsa(X}9fTTqt9xV{^AcEB9`2h;lH?3Jpvj~WtnObg~XvLUgn ziHwLqn;(FoDLfew>Jqqv&%T;seYtE!b`*n&ZE_#UL*ZFHDI&#|Rds49>u#44%Uriq z{V-qiZr^YXY_%fGfY;23+xn-;d~KIDX!t!VF%jBO(tW`|N%@9E%j3bj84JM?v;iNwf5O<0lj=m7bWy+GlxcO{h{gkGV@>h@kfOkoY&`u8?FWn#6t8@Lr@pEx| z+U{DVgOp3R65v|}k6TK(P1}>4#(>~HaxWiz8O!M@U5uYeS8h&~aN)I{YeHgZviAVc z*_~*mRu}wq5v2CWl8{lyr=VcFaaRuac_SuzcTfee-BUY;LA~-?=c>WFC+)fwmO2R5 zut7L6tVy#iBrT~V7b7iqU7(Gf=zC;fd@)z#@OIU~(U{xzj6n|LS(p36JXrczAf8L> zdRI_hg36IHZYKLF4ddNvI>!?nVd82@Ans^@L`W9Vcjx{x)Qa<(v(#7wg=tE~L0JnJ zU0ArzMyL|8&Q7xFZwLI~LOYbTvtx3NXMZ`%ZT0k2V6H!e&AeTI7|qk{;rS`r)y|6Q zebthD?M7$L$-qQ1k8nISGMryqhRFhvLa=tMtRzCP3aAi(r*QvP&w+!!DT13Yq439# zlOf^M3Kf3fC=V85qY5^0Q2_U?nHGJda};O<@tXfys_ zUS-eieRa1v#ptq9Sm84T zo>Hie_Y*uzYQ~7|=lEU*Cy|!B-G81h&(LeHd)A(m$%!~7pncI0?7v>g z5+5^>NB7y#{YKfPv4^?LdL^;c=^{C|#&WukBtKZ^X@M-8dS2xYBbwY)+}%)_ekDsn zBk5tH>63h%cEaLCgmw}xQ-Bw=E^`1*w~=K_Y!l=I@`Zx2qvN@f`un~qals(KJXxiL zmqt)X%9h*-{^;sa^S)YUe<%sOB8%v_?%fQ!78Y1C^y036uQg@XxNV7+QduPSW0I7np$oEL6NWNE5ibkrw* zOgQ{*L4fAlihJxMae4RK*z>BL(tEG9mQ*mX#KS+tPoHRM7=iTJil;u{ME>{^>7{m; z-QLecfNENQNxe5pvXG|)z?dP|%sLev&DJF`Fk8~1VK4SHEAHlnfkPNh!#(98@&HGs ztqqkdJ;|X88tFRzS`?2|GsVbERaHHJN5WhK+&_2dxkaxT&=n&Q&k-O@P;LNEd&Gmm z*Dl&qF#kZ&U+Xk_Oa|8y3odZ}8Od59Bi)}3>Z3CczB<_c37JkH&&nN9$aNO}XDdIT zX{LWhaI~D;$o5P$W5oI0VtF$y$+~h`rRVJ}uzhnWY<#fYh>IY_^4q}B(B%wP1V7x{ 
zP9iTa&VIkHV}Fq$q;)s-VBwNvm8*_Ko?)B(T&7srl-tn#6TVm@^fBS?@sK2o)%Tr1 zQ%j3yYoa56qPsCz1i0luhC>S19)w3wQ#%0#VAt$vS2oLW7N7~9uep=VONr`#;?2H{ zsJUG3!rOg?u3EEFzxb;a$1QJ|gNNhWM7;fhzRr!7QI8&!7KHN_A*uMtw5%@Mew0uX z;H%bPBBWuGhrH}aqlMZoF6k;9w~LrAm+)l;hQGg52^#G8>8V5n@5udS3%vu6!{to!$*$>1eyhaX+2}UkVNv-`Z1HP<^4m|4;E%A|Ne~}Ts?pgIb z_=TD<7Sofqf_9?c{Q+a>hDPsJZmqzeq3ooEsoneJuP`+5oUGva(+@Y3p6~WH_2Cs} z6B6EC*&m^s6{)IB<~Vlnk&w-F+_tMR4PihJ$d>gwJS>&`Q;PP3oLhuMNstEq%|a!@ zeSQY5-mvgE+HU8QAoL46OSCt&hl)8f&M$Ep*SI$FeW_{&beTE_N}K4V&*xqnlc7a< zzCo4y){f`W+rM_n$?D8^x)Zml>nX1sN=^>o@`h+~_LT$^ZRiswyI-iPy-avS*HsdJ zZ`T_Ow*c_h-cXVF3v`xqI zW=cDo%ytbmv~B>~#A#QYxR%|G$%~;(>!m7Zk96rMp_I0Y4oMpSEKn@f+;njX7sv8a zG~k}k=oW~U-9V0X#L5#aBO|W44EAK@tQbi^82{Z1eFqlinE_(!QR`P%Y67@j zTjVl2RhsB=2-b0$uru7cmaK~QA6owxLP{&lwF#*4)0E#4rhBor28M^TR=)dF`9EJE z3HOTc8(9IAwApc`g<|T+X^1d+dDgNiU6Li15Li^%MuNR$Y3=|H0~5U_!Z&m1Eg#Sd zt$^C!I|N4Q9+HtduERs0a0lg8ROUl}8t6t5=jz1l2ULbi%eITt$=Lo5@|~ac`fJ>s z%q6kp!1MBwV_8vElB^yoCfZ4|_~ON-L1G=O+x22vyQ!`)I05c6TR|^l8JfJ6yo|R# z%0%M23g*xDUMdS&jsIu55zB7r^P^VhRI7s>f$HuI=oO$B$5O(2aAE=5PUQ5seh$vy zLEcY5rxl%GDlTp6z#ML*;te5UxP)TA_Y!|kQp4YOyHk9qGBLsz5&%4=!nIrk;c98l z414LkKqu1uGwFRJycpdyKGdY(Va51SGS9!mVe(BJeM8%c1o#_jsm_*f!ToO{5g_!a zsD$1loT|B$$Z#%dnj93Tb7Ei^d?VnMkxCYMDZqhvZl9m{bB>H85bm=^M`JaCom-XT z2kX3WHmv53mqM8Klb|v_FKML&WXKgojc==N61}MZ^ow~F0%1A$#*(<8fxq^3%Za5Y^H(6XkF2sY@Dat!iH(hamc^%<>F@p>nxXGgTP=-qQB1KHiUC4Y z(^ZN6L8H(9@NBH^i2mWdM}8k7554y=l6FIvc`mQ5+z4z>M*%(1BX=1#6K?{JjovM{ zn7=+i{%|i@{^C7j>60})4>uk0Wd3>qBDp)PxaTvrGX)fG2j@d}>cY6K$CR=sZJy&7 zOG} zQ&A>jVMG70!4+Lujmk#kSs?i<-OYn203`G6?nFAx&Tl6^R;hM^B(-YG4ab6lsaZyD z{RxV!`fu4B28Pt=#0}M;+${O={^(#55yzM*Vw1hv19)v&2dx%!qoY*R53Ht_YKx%# zzk(gp$p)K7>_dwOL0`l4W{suYKdqL&+-8L&VnKSH2_uTNLKpDByX!m|9CkPsd*Q}+ z7xXDEoV;*P1to3J&qV5Sr8DU+l*`M-pxs%>_hGpb5?bc5gu*X~Upy2^yI5@dB3nNB zcE?O-wmiE!X6mhH2n*wVwlbDO;WXX9Go@cx!YsD~u27vu78T_SITHl1xNhH+6LMF6 ziQJLW^sL0OiJunAH=Ua8rB^oxhBY+&$|j7V0V#T34ysa@z?z;6Y3-JbMkhJjnqdeq z)*=JWY(qtdqEJeSj^nxWfociGJKQH54G6?LofJ;OKHm8se_Gd0z7tR~Yb5~^I*C2N 
zulg(myu3su?daRzC6UwS9Sd7*NoKG^5&<>?BQWCxJc2kjd}NaP(ky83eUL*hhM|$T zFU&b7Ec5yVSz8I_6?aBrwkI&CG>D30uT2AF$v*=qZPgP znx9sK6+-S~E#kefGw%#xd7dCGY&+VIBJI9-Ak-64?P7MIz+cmc^%Wv+lA15dZ*ps# z!UV~*G+$O%q6__*IRE{7crgMf<%yyEREiCb_r6TO4ZA=_QP0jsUHzclB*(#J8{x&q z^p&1h_eQ%@$;cAoJ|1xJ{~|$D&ysXf&i!12WZI93lW$6xgM}dJ#-Neb2xEcpTmh;d zH)oHCpwwTFR*s)lxt%p~t00{;Oo>OVz-)IX>uZ)>CFsCLrweU7_>_W|&cV)U^n!!X z_1^SJ@k>Dl$y9_#_eQwCU~#&la^C?s3Q>~>(hfn31(3y!VLC+?be*lakf7qx-HhWd zX>CM2Xo-kF|K5n_7MvUTm#p;3=P z4}0yM2WZHHCn}hYMFrpgsc+@{NM$dT*?w`Q>td^vDE(+Zn%VgFlPv(H&D{Z1Uo^hd zQH3(gnj6pHnudqk41R2G+7hoo#!Pg|5MV%Rb>;tdTv2PA(2*dmv$ifb{#Ax2WB`T* zFP2cor}-~|-xnyk+Oj%#2TZI6ERN`8JJm=So_>^UORmb#6d6;iv0{}>vZX^cLm{Pv zfHTYfytB-R6vO}p#Re0X3K-=)lfe$+uHg4#;XXI@0&03F`6R^y^q2ut?Ar{#^KT?& zcG4>kVE!znw2P&=`9Pfbgqjy zRnyz*Zv=&fiR+qCvSkUTQ4TuR7~%a|7ngjx7{Y=8`D-e6Yb~r7hW7SR{p{u&%NkbM ze>6Dw3SYN6@DqmipoMRCp-yanYzMb`4MjOo_8$UW^3FjwE~Tc{WpL#j8n(-Z;e9EH zQYwoxk~dndF)oK?wt5^K1gP`351ykOp>zX#qTV@1 zO}N`#kfRe4>-j|RN;ti-D^uzmqZj7r-Gk(RS&Kl52Zca4f<}Z*p;q{TAJg9mI84F^ z2>poM4z>81I+JO^efvQST24Ow9S3je(>5)*)Xfg5Nt%4zasQL%hr-Swfxt+-`n3iL zh(;x$Kty9u=5Q?KBX-~3K22fYI<<}5$L8?w*hknhkv=2@Ko1onzd`?#JItV;0O4q^ ztQ45Wh8m2*NK*DID(@vF9o0)Te8lwJtth_^*&d?arS!Q$oaTIcXg|YpmEzNsv<=o;I3hMKE$6;cDL%$KNMCA;~OD!jhzfa5kXaH zME%sDoGdyi-5K2kQ52u%`4_6k?}|lB^yj=c?vi$U)VO6473*QWc<5s(Y&?_A*rmBD zN#)JREV0$uJAN@YIj@eYto^@#u{DgHxFB0iGsS0MuBSAcj@$3brubm0O@zdlNw$aThG=2~w}6dq*v0*)j;69V0tl=5Q76#pY(cZ#MH)cY$JCY1uxdDHJFHBV<>|e87Mot&}Va zB{Sk7i_Yz8{i5zy_OqL0?i>#iebWp~xFM^uqOvOlRQ6i)8r)BHxvSVi+v#vm%S3Zg z844_@;FZ)Zku#m_JSYCu*kuj!b;2#VH@@cTO!<~tnRqUwv;;RS?L>To-*&Czn@Fq0x3x03_*=RCagXO0v1 z9HU8r4g#uf`5oH_iuZ2Mb*$mn(v?`qYB`3G^L@fe4b(TXrSPYb`$t|%*=Qt zaT9;@>s{kW+t365HoBuId4}HbbP9gOt20c{)}8;b;|A=BZ65h!C8619c)pZ;@kgj` z8tIRLBUsm#t^5XTQ`*fX{~vj1i6rk=7Do*^P3U z=QJ2*Ek{f72*xVsw6xm|@O@l;2Q(v>#nkrjknq(&* zRn}vk+|h4Pg0Wu}EgjCqt+4GrLK0YGo|oYCcA(*MVIEH~w;xGP9L&G@0ST0CuH=#N z`RS&Gq3l%#&Y0tF%{Td#OKK#Jy-x%r#Mlxq>q01DF_HHc&?HW+VKql#(pj%v9#4Te 
zVm-|cZ&KW=Ib%IatGw;ML^1N=q$?Ac6#S}WDvJ+IActV%^PS-?>WU@dnY3d;f=GGn zv77RR6nU`jVThyC*u$1D(U2KPHbplEt{~Ca5m1RtILMb2^`yy-1XjAbZCB!A}TGNfz9& z5kq*#_s_j1!h|ZPYrkSLhx3QbUlsCGI7=LTuEy@T&)qhM19)_tB35IE=MIh#Tx8>1 z&r~(ieH=Q*5&j%8m#i3Xo_q(plWFVh8*E`^bJ4bSx$tAcDVf)k-;sIofvV95D4&p` z@=$|AW|ax+9!nov)LX^2UTT9dTy`h9=}~b z__L>`<4*s=09eBhk!#+2w8hzIAKSC4%+Y8&o~rD@N4+WV+|w%ou2eNIYfGbgl;_OH z{QJdF5voJGs&e&L?Wm=aT#0n`n{v7>AvEYNZaGqi0J!e#bck@ti?>(NjiM5UQX`L+ z#zFe=h!+{ML72P4`WH4?V84w-;auv~hN**Lhg&F_VOvS%+Z#)Yn5?n=qT7;1{ubLWMEmpLkb{cVKYbZT`=D zK%?g~T`0XP+8HwHh*xkg`kBw5id9Irvo-_WKEiSK7R)I9=`#dSxev#t)LOa50g)Cc zodXLnyklpt-IF0xzA+3UbctUWsvl@cFbDR_MR@WMiVo3&d(NtJ^;BMkd~%Dz+kBGfzV&BHArd9evc z850om@>;bUz9km%zUlcOe|Wp``9U*yik_W1>zzvc?DoaxOWKKDigG=C!uv9LbCV7M z4O*AaWkAr{%oVH0yURs0eMX9vao!GBR{+kAy*N!#a1yYp(Tco#lZ$8oeNwVv5S)E6jUQ~9Q|h~(-2B_u#zbGI(b z*P3y%4eqvP{5-(p0QXJpy+6D$@f~&T{{X;1KfnK5!8&VtW8^lI6QjW^F z$x6SzX(0YHkjE``l#yQ|d%p&VPP9?SvRAlD^?z+|8eW z$YYK4;Xj%4PKN&6JydLYan=joGRiYC!U;TrbKsN$zWAkWx#(?Q=<&8GzhX%H)VTQEi8wue@DoEX zNF83+sCBsMvS}FQPgW>23hu!+rA#Ml^6T*W1*roxc>5^7zV!s3x6S_yzxSMM za?ZDmw~jCGy={2u_C1z;Umhsntt01r_GR<7>pNa2m-B*@QSeKfgJr!m3dpm5FFvU! z=TBVYuhbRj>V|(p4qm<_krOz_P-$ndjMP23-`;CpdQS9PF8F|~qtZbmElX<4B`K%S zGg$8g4B}9(%Qc?z?F*fiQRkk4-FFX%rhd@b@ZwRb`y2~R?JOfkSLrX0z1QfhsGWg$ z=CUyead%?E!pXRIQV40Jya-5Ld68Eh?^O2V&il^BJO?KZ7ted?^|mFnoeW-@1&{aG zx4*&;W(Kd zZ=d8?KxMV(HIbRyRZOH-q5D*cBWzQ_dlmPueeedSQ z?K|(C49#trefCT|KAUZ|N|4DiO8*DjIsrV8bG~?f(pM?M|GZ=3?Z0>53t|g>`yxR4 zG&X;H{Mu4n;BOeH^K)$}=Xvb4XA*2n8{V?=tCSr)=f$IdZ#f^FzQ-r*G=B$A{TlGg z9Tw>njdg(4jGS;g0_2TpIt6yK0jaWtUsoR@1MSETHbW~Npg~osv`7xNBi5>8zw}6s zav;WOLX5n4C2zG4Iu7Y!JTJL$#Ng2rk0+jVf1~my_J0f_5EW=cc8D1|Q3Ntb-pIC@ z3`%|pvqUP=uBRVyEEnr%Kt!+;VUp{>%Qz9-el-$FQ-)JZdYy1;h`3vg^av+XInZhu zNE(tGAGrpr7RNv>6BKF8VxQxb%*kv+=uv3uM@*#^Ocy!F=y7B-I^*F6}{F_{L#nq-+)w za>8r~kx!4Lk5WyktAe>-rF>NpEAJW*f2f}gdEr*5Bmz>D42UO98G-UPJNv?M3ir2? 
zk2VBI*6p5tgv(21QkMM*u;`(a$Q>GFMX=9;m%P=oZ%%`byd@r?*-JaeLB1%`$^cQA zZ6+OT5@oRON=_EZO(VG3j#aN6NcPHoKbF%eeB?3P)o?83tF5>oJECQc8jrMZg+mI6 zlF(Sj2Ro3ha$xlk)hJTu5#=LSv%w#giA}<}Am+*!HTC#Br6k@duokL4FXg ztmES3z{LbxV4|}QjbR|y2aC#!z*|530=W-uLoa!0X1~M8rvy9uB4gIwk60edTl^a6 z@!0)K@X4Z7Sb9BBQ=gJTsAD2ulCV>&MNX6*2I_-!-NFx+p;3{wg7U&F1Mm8HLB8ng)gYTPujFP?3=)ta{Fhu*ZeH)# zQ%B{2=P&8L{AOmjgzvR748_weMRR= z$1%53hT|#U7V4)gTqpTyV%UtrS1%08doagLE&HTj*4wa21mD$LabW?AEeZ6#6`hv~j|J%7BJEit>ZQX2hm1)?xO;t5GX2cDwtPTvDmDVFqbOGiX0#Ef5KWbPlY1 z^BUZn7sLs@2BQ|djI|a9R^*v1j3@k&&yZz|g+FHUFDk@=D1{dCo;sXL8BOtHf4w^7 z3v9z?vkuq{84L1Ja`ia$dg_;%V?-F_r`LYOoMbp=+ltda32ef~}h+RE#&@aFfhs-FF3n<4%-MJD{@>$pxAES7=% zRt~Y5VrP7T_=3ZNkU^c5cFe3FMqP=OJZ{Q-!7@S{<VCE%DNyL0OCveUsl=0&EUjcskIxOyPMCK;r4>MB`mXwHD z=1Nos<=}8%sbp#d+55uHH8&>UU#${(`!b-uv zcxgTwx9-Q$UK1`qZ3ITsV2+%a4A=fL1m@@Bw$XtI8I=tCo^^ zoKevzs;omz3;RRG(Odj*Bl~;xSbr3j)k7T?jhiOLz@C+ibFGc|c3UgvoHqeCr1~K= zD-{8i2jI>cj>jiN!5JHd^RoP~rqqqsuFS`~-yQ&hBk|<{fpgEDgb9&$%pMzw zvaO{E95WWro{@+!b1!xmG@?`J73k{4RaeYKNJ$|MH5+lqdBf0rv>5TzCgHaH5F{i; z;`|g7KHc7gi%-piqpJqT%Jg{fw()4(coY>>PDxFkJUj!>pOuNQ2!C9`J_H5^WBQl` zEJ?EAo6SXt%pZ-rC>NP|Ntj{m#1?fh?wJ~n@7EW>IARPwo}tDYYwI}~a2~gZ;I=t& zoJcIVcuE|O>@P)gP&96zm5lVnFkC^WJxZ|ABsMvcH4W$7P5_Kut@vnrB`&#g4$h6VVR(KLCOJJ=zNdlXM+4H{ zgY*gccX0{i7_J!|4*Q5q z%gaWS2db8=)2AR|`pD#uwD&B8?qcJe+SG<6$r&AB6> zEiXgr8B=gwm>H?G1C#xG@xule?t5@Dy4UQ(aZfltxHlKeKCZ%VZ<>YkGt6kKr4CCH zPCDYDnVCxNC;#whoSA9Gck7N~;l*=t|5!iR!oqOPglKHqR|Zc|F#dYgSR~NlnLZ^O z<9nO1yto@@acou9p+p*9XG`~ltsasYU+_OdL+(DwPG@Pq-|+H zMQ{vm8y^mLQxn#A8S(ao*?50N0mAcA@X*|J1O<>ka}%(8b1_U=xp?)g1cWd!I&X3; zj_xjndE^K@IXMX7aY1lZHK0^hr}ciR;UdE#;_=bdqZvq;v2=Vi_7;?)+b;=kUYkcJ zLXEu#>d?dq$Y7=YICCtnqWvhK{m_O-;f6`Ea8Q<(Seo(e9?B8}Q{^#!;!&Y^sG^_C@-r)jejg&TAYOF_#k*{TM?L(fQ3OC_AeO= zB6L`_zm9Pf@!A9M^toBszN-}N{TAGMULI--DzNaRcQuY{cb@$KW969OJNDytXh65s^U%?r*@Z zHY;AdbR_&k{4qPxjGcSy&?z$MwSjc*(ne+?xuG0i_k`k|OS2gm*s*j<0_u-dp;%e- zfev$U2=1Aig5;cNjL~*rRYNcCK4(1gX-8&`N`k$+8GCE{@#wWvF+0MD5u*|?FEbo5 
z)a6Uh$bq4-1beD_aNdOzF^z#>{@7UPIc^1#Fq4y!#y=3xEy>2#ZRMDL)(qS=#vifS z@whF+fWNM7#HEWzVs>5_#s_mQGWcUjUMOr`EqMQ^8+V;O3RzK3EFBSvb^A*Yo;DmW zo|A;g@BrLABMu*~I0QpnBpy5^7YT{sm>lfE%JNQJwjduPsjp+lC!k?(IpQV^$BiQb z5SE_|^Nxc!+Q<2uCjK9VUxtDaoZ1kGJ7=e&VB1dI|N3gYu+xoEaek;RE63ws7ooDU z7|$)+i^ph1Pvr!wQyDR5SSY?eIa_?p8A@8WbvbA2M?@Fv-+{KfSvdFMqxtZnG6S zgBCU0w&A8P3-M7w3#N@vgI{?u{=BaRKW;sSqZKXKymAK~Sy_yAP5qdk8?7vw`gvn8J}dxJV(obO?bUeb%Q8$Im5PYY8r*a5SNO7x zlbb{azCbTr$x9^2#WUCX;pW+i*tl*x9(Z#r1zdxRhes-_Br5Hz^_ZSy!MmUB!0Iv! z?p~CL!}|*G^!tY~@1l8FG$oPF9q{bOTk+uA>v2FGi@QcS@!D70Nat1*r~|Pi!i4Q? z=cZ^ivXUd9s&1#j8jWjXJMi2$hd8N5;HmlkP?_wowAbQ~UlgEDJ^>VE71olL&Br~s zU{oL&mLOTzk3*gD_~UFN9(i>YZhmzajAODe)1rZ$QCFbc@nRs68XE|wx37#?0{yLU z!iC>Iw;n$ll5wi~Ag+6EH$svkFpQIZ@$Nl%sT>fT(%oet}8?I=u~9(^}@|KIw?ehxKWwV z9?n6$x@(%S^I#Re*l-L*1+8!}IzP0x05?2y7^j|<1*19~znve6Et?PE zsdta!x?2|@#lp!>BB|a0+;dtKUV3H~ZuxjGtSNMg<6ChX`+MDs`!VIh35Y4K#)iW+ zSia*pzFBt|KkRA5oHi@Al)}bqDZX zb1?3l8lo&%INaQTJO8{7={Y%AKzs1UsskwN2*kAnR)ngb`LIjWj!AJY(EY#V&6pj@#v~ztZ(ecsrm6} z+j$sY7q?>Bs>7)1P-6@yENE=FYGMKoY~F*1-(HIsc4%O1(uQRx1u|Oi!=^nY*s!l0 zudJ1thQiQVgN>s$v{GL74CR`HP#lk!)Z34@X#^b`Q{-6 zrNq&RChvvhs&+Ix1F$Hp7mmmzsu&$N0B`ym2?}Bl;8)et+j5IvTCu?s&c8Q_Vp*RCv_w`|^68>i7hi5!uO zJEQ54e|H3XTCKQxUgSVlc)97L(IGv=s@#=|i{zNqm*bAdcOYnHHj*euGjoIS>4zI| z*Ox`uzxNovJKTsjRu@r;n(@lV+wjcV<7f;B#+flT=qz^ltJ?A4tDCXK9)=4doH%tt z4mv6daNq0e@x;nn%o{ZlGXgvC#*YV342RYqz#pDki~VZTui~r-{4zA6 zkkNh!Q}<%kK6>5VZ768yfr=CLjkP=rBg$k6%9tH;fE})vQxa*Vi{=YgLo-vRh-n5mQF^p`*%$Lk->NYiLq3SIUyY zgR?s_QUXz1)QqDoJ!q(^!8T6LstzM&&CkMLub71MvpL8*6^&#s1y_YGNy*PhV(BHL z@zNQ?F)PI}kg{BEKl*^DvkT#q($IUj619wWx(`=j4@`(`Ey8{KRoM3E9E_z9zp-p5 zYT|RT^`X%yuOe;{S=WU)(-0 z36U>)y&eU}8MQUJQQSg95yDA0HU*DeKOT3Ek3pnE53Q>WyDOUz84`~h$NS;A^~Vr1 zA_*CR{h@M(}#B076mC7fky>c6RTqGt0IWaOX4bPn(h(Elw3w5#(m8_r9TZ7-cUWg~2IveLDn_-)h z3f=B<)U@`Xzql65S`C;>r=iQ;JMgHQ#<++5QF2jL9KzE_3|KNb9cEVv))aaWcWFM% z-)u&aHUjruH33gA%0ZsL8eMcOHLSC9e<6_=5kEW{NkM+N@{|!sSC!-4owb9yz`hA? 
zT?Zchz7pq7PeGz&7Cw9o7S?ImUW-;<_7vA+55*uUQll)uCW~arE%bJI{LHp$8yc~r zf@A7+wmUQ!IWh@Z`a6( zGY~uRPM|z4h>O4_VJf`3rh&LUSa+Zq$qqDWpuWgi99w2igZv>)Zo@JkHE zINF<$IVrRsQF!j1?Wp$)$8Y9j|;K5@w-_8dY?QnIrqr>Kh%MuvahQ;IlQ({rfdK>FGFG zUVpv`#9}=Qy1Ir!`KWH{DZC7 zv8xt+?k-d`yAhcihveV@Ty^RQ#P?R<>#axe`!9;H;IjF6=B#j(OJ?%H$AAAQ3`p$X z3S?wQV;kCOG{#6?7QF?D{yOwf_$+d3tVf3{7I7ke{af7i`d&2msbMi|P`r8_rafMO z+b)`fK&xcz)yhJCFi@y1G)1lDwOG5G*B}2LH@>(9>nnTFTTp;mSAB-qX)|!o2uiKI zs72YhbkQ*EdTTlEdTkHAIhC>!>OgJ{c7;M>p=a9K*vY8dhBT)ZDt{*?#Mz-zm?hS! z59M_(Bq#YHjvjtMXfVcxnb4#Q#9zJh!N4qin^kN4rQJk}k>J z9iv_cGb2iOLo@c4Rpb4)*5KL)SK@=^hp_9g3$dwA$$oIJQ&#UqJ)^>#2^)SghG~NA(4EIO6 zf#V`{vwaj+;v01!9-bP3!_w*f$I%fTjwA{{f*qJ04t!hK2PY#`2YH1sf8_X^p<>@C z%}T$;vGnH3kz76Ayd`ED_-0OKx1W=Rk01F2_tBx1Xjh)e?%3Cei|9x;6qZv?NZa7J zNKPCjKMrNnNGHbK-HW+%Mxc7-7TomgCLHNd!9gRkjg!%s$s=)^r3ydp?m~B64OVVD zgj*i_9(TU74Qq}uaufL?iE81sQHNlw9%Z}B5JdxPHEEzp4#s#+q^m21UN+9M;;>jH z4TQ&y1GVkgw`(tMyZ?LK^6EBhEb1UlG-50+4yT3u(~)k;6J@d);a^vdOKx}zm9gXT zrIh! zJf*z!R@PzT@oK#O>PlSw(2w|NLkSwYIW~eK*oLyNf5f~OkK(4YMngxZ%AOesKh8d? 
z*dWX@b>O>F(#}pO`EgiBk|H`RbR?a`d(~zvyEqmPy}t*u7v&?d ztOTduwhU{kx|MunGVW%1?}MY-R$hY*J82Id`vJdwc`Lr#-+_2W_>$g6ku~Yds{L4< zn1i>K+(6Yd?yX1~6#_}4rHu_hnz4`K=%G>9A;d{Jr(=_7H7LHMiM%$5PLm(X1gEy( zmQypZ;^l8}Zja{N(@nQ3(Xxx2jsX5TIys{q!UpLmJFO=XR14~qn2`H zl>8}TFUVJRqo}X}@p&Pz5{Do8?4Oo|-(?vU`|;QHRh$?(ZX7W!+7+xO^0*G`mr4y#-!SD__!NtwrinY$$L0n5c^@$Yn69_x*D6Y+sA&qzxpVS6xHD2 zXTQVgw|Ke2s4;$S@k<)VXo{U2ouvwix_& zK|JFKc^`tbiEfL$ii`=Eji_052<5{@;iZutJiDR>1?BA+H!&1M0TahFRNIG2ItV(o z5rH-n3<*I<gAPR`i%h<4g8tSxFY$Esd&`!gNBy)GLy6%B}E z5G_1ON#HNXu(Y{fc@I$LH_2INV;>d!KwMT;AIhp*QCm@rd++-O*Z+AvKG@L&kMvz> zgZ5x>d}Q@^S$SRp5V56Z%4y;ED>3(lQapIcc&H3?I(2$DIfhYF#~{DrFfO8vT3g)3 zzDUj~_Cw^7{V-BKG<2@pT3pCZ3XlmL!G1<`lvQHwwj;Qe_VO0VB467N&%ynec-fc8 zSvU)~j*wNgjWEa@tT5s4hhO#%3p?H0+Ki(;Mw~M)85#7fhIy*7t;+&kR}=P>x590; zV|s2F!jdBqYjNYnwT-yp^6{7vqi2M01V0?<#;_za)^0C>D<~S%>xvmU(MZv_bek=hniGoflqkg8d-2j&$B>j7gv!!N z9BtHK(&!L;@!kd;jflf}!@`k3gA=Y}gt5C61+uKNUWKxP8bpmq!~D!3#8a5Hoo)DW zM*)hA0XT<|QF3Y&934&gWJd*hZGpHTKNwpJD&ev^F*`2;>G2_Gr$8^~r0fyJ=RhRI z1fiwA3G25PAUr1r3o}A6e|!|a`CtuxG)CawB{>*P$LNc-`_UJbhMVR`BDAvwe^^tF z-<&-T{Z(Z+)Ij=_$g7tDO8{mC_2R`%Rm9(k-EA6NBJV6D1|rMSgJ)MCK`oV8lvJZP zBR5=+O-JicUr~n|OAxM{pM`|9IGmBL#>*e48v zL?YVLfX7!BqrJZlB>|a;Z99aQcGjcr;Bmw)nt`*aOs7ptKxuIeT=oDsyE&ok?ZMN} zoCW8Go!Hn;A~;b3&8YN5;^LfcJn&H=T53yC8k&wv^CK}jCj$Kk598@A)i64om_9BJ zsf^@;Je~M_V=-!|;BvdvFC+jVDjJ3Zjfl>QfVQXz>zi~Kk?KdUz6g~@C+6pcAtH%% zn_YO}tHY@1*WxVl`onLwV|NQRLYxcXp)&w^ex3MiXCopK!x7R)+I)WmG!DGh9VE1Qhv9dvy^=`qm$)glGn>#WZH8pi87w=F=W)3 z6!uB$s>3^58Zau^iB-GGV2O@^Ut1l1l$SolP>~OPCL0#zg`=>#iN>G0vg-g2cllv< zz90Vj)@oD+C*r0>8A#-$Iyu~hANFy=k-H4~NW6K&Foaum*m}4G%f8u$-kg!RBqIV7(Fo`^JovIkBCK8jT^tebR4=1i?OGL zIwG>xTZJvg9NZpJhAY1+MSW=v8nUu+YpOp+jfqCdwuAWaXeC-(190(@Gz3#e0_>f5 z{p(7kWclIH{!&yjz*4+ChQXaCD`pK3MO;=qA~-pHx48g;BXY4MnhrvIET&M_uK!{$ z)c*dsd~yN;tVWzaB@yquvmC3Mv>21%#G3tOFb0Ppw5Jtce!m}`BZuRrG=F4dFoG^A zN2@gevqyv@H9iy_8JYg5K3;-%EA063mMlE;-ahnM>7cnA@X5h$+;PcR zWXc^AM>p>Kiq~k*lKnhbbD$1AlHZ56OR*ne25dN5j|SS0T1z0VnxBn?^f;WBqQ0AA=P-l#eb5MtgGy 
zK3{(nehHDN-Lnt--45g>*|7gm1&TUkmZzL{)WVgLhnbCg@!;lq6c$#)IXxd2QD4TB zXZttp$I7Bgbg81T!A?m_#!aWCB7;2q;Kv>KXm<@pjmp8)v>=R6_QN+kNB;wp zll<}d)?%2P{z!K8V)da~XlNg@jjed)gWU*WUoJ_uW9pO?=-QfbfPuKkv)X9Hs4z2D z?yf{gN+dkx#n@6s=QlqHyY@EYlqKUZg%R?aorkgdU=y9CIGmDbz{lImF?v`G64N7) z5^BNjUB^(Ub|6~Uf;ER*5t|haW8opZaHJFGOwK}HdN}f}ol35)aZ|>SCn1 z83pnh2}%yMQK4Mu^7Nyw)1%}ui4f1OrUmVN8u(kZXzuK0lwlai?a}In)@)L87xcN^ zI9%5Wr_+X5haL^JO(=7*gA&y%x0O^#3bMgX{GG&K@AANE)>BqI=;~1^*>+pnIze9? zNg-Bx=q?;>V=S)jQ*P2I%#ydC4Mx&QC2ViQAx7o;9!Ay_x?$mF)H2Fx?CM8XUk|&> zh$`5My2e&IO-AGd7*Ih4l)NWhjQ08^OdwtIY*q~_ znmSM;c~a;xlOa-xQK}j(?jEJ8yzwr%CM0iBX;l;IIfqIn&ZJNqjC~#)scuJiuL_Za zZ>g8mwW6^{B%S5hZXkJ8&;BX1vxX6hd_B_TCas;&)2lYpz_*%0u;s=KjJ^AN^qQ!w zQulB*rvL6r+|{=QQ(i6x9CR`nEyRZU!Kw0KUkw#jxos=i-8nWMH)=ZiC{DeM4v2uV zCCMl)>V7o4C2tfXT~9ZoOEvu2m)1_Vk^?0p#EkmZF69oRWERyVW@F_QF}UK9l{hR} zO_ec`oH#lq|B}d{-2Jk!KaztgCddID`%vrZRc^<7C{s>GGm;0WQ|KVgk_#!xUvg=< zP|(DYk=w2E7_g_0frSCdP93}33dZnAi?CD9y0BOB$|%wDz!>WEdf591b7>K`#%e=$ zpaJca{i22rs4QmKD0j`I*}-bkXNiCvD$=FWA=%%E*5)=GZ{+}Tl8&J~_wcxq(RNml z5oH_?xyx7I)q?;=o05k}XV5FTwwmP`#h`4;7c#Ly7Id{UdMDogt}eLxH3+k6QLXS% zh3F8<0%fS6ya8?Gu@bGaui@lXsHO*p>O0|*Tk#y|dOBKh#1x57PYJ^9uWds?KWXbHjswlO(wvzX_%< z-@?mf26)^ZsBY{+!thkwJ24WEezH}0e}8YajJXc}1`V2sQ=(N1BVfrDBiX03qwVle zZVT%>&~LIJJ3z1KuhA1h$yrq1(gicaaFJDUcKzjx9omKZ+Gdn-QrFQza!`lr z-Tlhl5Uo6#)SHk-IV@rDWS%qwFNG9g&TFM~E(RP6$(3Ud3ZTtUp`x*!x+XbdbjsuI zCV8AP7;OD#_9K)!S0eU zv;Wl9cG}~j1~+U@GkPf(l26BvPQ8nExT{~rjrvvIi)Y@x9LHaK3x7H&wvAiA0mEag zaCLN{px%XExlQ3#BQ@57hPo~pZnoR2WX@I|EqljP`qbTvV9rCK6qgFgJw+MsmM^O` zdSrxKp%#1A>_R{7pmK*sbcX$wY}rm8w{ZOWh%+)GK*{%0LL4nEl-1B6C7Eq~b34j7 zuLR2+MLF*kUXpo6MgKf#YfoVH}$p5;IZrTLe2M$4#*azy7A8kd0=#+-@Rg?wY)cc}F7j4Gi7!d;4 zhep~Nli2_b=b^T46`gE7+S=I%KL^68b4O}gl{`;!M=9B<$G*x|1O_@eC-*41g(P>G zoA$z{=~eQmnaxHRJzd1x2RrFcpnb1yXrrEcptlUz%O3Jo@`}mVO)+*I%4tusCy&5L zbt4{KUW9)3OBtiT6aK!HZbcv%4J&h{c(j9)<_QBSxA?sRF2BBI<+R+^m3=8oK^nNL zz0frES&`$I7>y(BU(nKfxni7@ROq&@M&goXoCb 
z{DofWw?fk(E-!95FPrzAFK)^8;L9(GCVXl0(*JYxNqL381YaB{^WSD-Exap(9yBF^WF<_Q{R3B-m`_y%HWGuQeK(p2*L|r z`UH=l^6mSH_W9!-3jwbz_>K{kJ7dxath^u{w?Fg+UN54ebK*V$QdSbLDLnRR@8q@x zeli9^A2&JY?YEac?=}7n$iyH$KUYrbD}5O}CljO6w3HpJ>!m}AN;#oZbi!L-&M9TN zFMK>Pc7xXhlzMXPgVTFWz{_vt`d~RP4zGNkJVpu(p6AaA897-V(pS^h@=G5;-!hO4da5~fi-nM;d z^PcnKmGcVk2I=#{$^B|-!$sGh1FZZ4e=Xp7dCtQKI+79er8$9k8S8TnZWN_+hAw#C1JKJeGe7pZrGes13DJXXn=NfR>n zN!fn@hL+|Zg1-+GK_-ZR3dnI?3wP*2%Ni-(^Z#sM6sfEP9AF!G6f*?>^WbDz6UUE{ zosuIa$gCK{Umc{a2FkOA&XB=JuH?>%+?}wq-G7mY|4nc*kN$rGdFfcjQ%}1g>-+pO z#&Zb%`@rk;{0gG^KhI$irusQFikzudyEX&%t|Ukl`JM=fzyvoAl9p}}9tt0sAe zel5Ovq0>d%(Zq5275nmEfqW@b%{C?fSp((Lx4(Z2{4K@3cfG2FpYpunZ-HN%xxX@q z9!vfqd0g}V6Nt_?ar+lfPk*1oA_heSMxN(+1ygxu#eLs%0zX&Id+aSH_~g8D>xkgR zCC5@$o+Ek<^NDiYe1(?Iia9sW;f3FJ9%`;Pn&j$n}A${{e$# zPvDeeZoYL+T=VX8^S0%M6K(p?;oTo7@Kbzp-M3FC$`KS?gXg@s1ibi_e#mw1xB2AR z5$JFsebQ(=J3nGTseJ3p?}_>Yr%r$`?Xu4?e&qHukZB@r$+e--qr$>jxmY}kxChrZ zIZ?+KpImFE94gCf^VqjtFP*;dleT$XDdMfe&9{ym8!h?pvq$5MJm)|?-*Ups7V=Wo1CevSxP04}^MXrw+v!GJS{8nPdK~QCJeIOv zIMFAcx&l&P@Ci-6?Mr##o2MT)-*YyfS11I1h=<6Z{K9S8Of_9Wt6@QmXl*IEwXu! 
zKhTSzbG%ymm7(8!i&L&)6!P-MiCb>}6&FwD=>G||wjWjK*CGPM;rFO **Note**: If your school uses Active Directory, [use Windows Imaging and Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the **Set up School PCs** app to set up PCs that are not connected to your traditional domain. +> **Note**: If your school uses Active Directory, use Windows Imaging and Configuration Designer to configure your PCs to join the domain. You can only use the **Set up School PCs** app to set up PCs that are not connected to your traditional domain. ## Prerequisites for IT diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 2e0fd6199b..97d233a07f 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -113,9 +113,9 @@ The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provis ![Do you trust this package?](images/trust-package.png) -6. Read and accept the Microsoft Software License Terms. Your last step is to sign in. Use your Azure AD or Office 365 account and password. +6. Read and accept the Microsoft Software License Terms. - ![Sign in](images/signinprov.jpg) + ![Sign in](images/license-terms.png) 7. Select **Use Express settings**. From 41eb775b23528cb1feaaee1fb1021f60f729917f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 26 May 2016 09:16:31 -0700 Subject: [PATCH 110/169] tweak h1s --- education/windows/TOC.md | 2 +- education/windows/index.md | 2 +- education/windows/set-up-school-pcs-technical.md | 2 +- education/windows/use-set-up-school-pcs-app.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 56f2f7ffd2..9e07262fa7 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md 
@@ -1,7 +1,7 @@ # [Windows 10 for education](index.md) ## [Change history for Windows 10 for Education](change-history-edu.md) ## [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) -## [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) +## [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) ## [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) ### [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) ### [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) diff --git a/education/windows/index.md b/education/windows/index.md index ee04b99e62..26974a5cdc 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -17,7 +17,7 @@ author: jdeckerMS |Topic |Description | |------|------------| | [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | Learn how the Set up School PCs app works and how to use it. | -| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | See the changes that the Set up School PCs app makes to a PC. | +| [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) | See the changes that the Set up School PCs app makes to a PC. | | [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | 
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 43aee04cbe..515f82d2d3 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# Technical reference for the Set up School PCs app +# Technical reference for the Set up School PCs app (Preview) **Applies to:** - Windows 10 Insider Preview diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 97d233a07f..a9120b1881 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# Use the Set up School PCs app +# Use the Set up School PCs app (Preview) **Applies to:** - Windows 10 Insider Preview From 6229c6b8e6d00fc2aace09c96fac6be9b1fcfccf Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 26 May 2016 09:28:34 -0700 Subject: [PATCH 111/169] bug# 7669633 --- windows/manage/images/settings-table.png | Bin 70908 -> 53302 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
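Review bot: in the use-set-up-school-pcs-app.md hunk at step 6, the image now points to images/license-terms.png but its alt text still reads "Sign in"; change it to describe the license terms screen, for example `![Microsoft Software License Terms](images/license-terms.png)`. The same hunk deletes "Your last step is to sign in. Use your Azure AD or Office 365 account and password." and step 7 follows directly, so confirm the sign-in step is still documented somewhere in the procedure.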
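Review bot: the reworded note just before "## Prerequisites for IT" drops the link to set-up-students-pcs-to-join-domain.md and leaves "use Windows Imaging and Configuration Designer" with no pointer to instructions. If that topic is not published yet, link to an existing Windows Imaging and Configuration Designer topic or state where the steps will live, so readers whose school uses Active Directory are not left without a next step.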
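Review bot: the "tweak h1s" change leaves index.md inconsistent with TOC.md: the index.md context row `[Take tests in Windows 10](take-tests-in-windows-10.md)` has no "(Preview)", while the TOC.md entry reads "Take tests in Windows 10 (Preview)". Add "(Preview)" to that index row in the same commit. The hunks in set-up-school-pcs-technical.md and use-set-up-school-pcs-app.md touch only the H1 line, so if those files carry a `title:` field in their front matter, update it to match the new headings.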
diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png index 527d92d9b23c3efbd4c6d9083b60c520191b738d..2acf11d281deb136db05e093d42f839aa648364b 100644 GIT binary patch literal 53302
z{Cmty^gvorMgoqQ(S0hg>Bh!y*66;5n?N3_X{?ts>U{RZz}c)-^C`2mS()|oSghwn zb(Z;!sb}wTTwg8KQdQ5ciEaHjwENIbB4%u_K$Zqs7~(GK*^2;iyZ2fUbn~_KTcOhJ z_r$hsGbY>Lnh;M725KFg9952q1IRC1)Y5{3^xwP7otnm!Ljkjv7j3<3Y1=|ZOFJUr z14g_?rFX>@aqQ|KzhO|8N$hxykD(~1@l1UHcJ&*yP7Y93ved}ksqb1?b+qkbck2dZ zH61|ETVw#G0UX)@&4aow0fg)Q|1ey43qbktQV&(>imd%uUid^5W`Dk@!R*3nZgz;d z$g?HY>K%Y}*W_*n+e((;Bx1I2mL;1cxdL6PtEJ0jzLA!@*C$LD4nrU={IWynS_1j8 zd(FZ_^Fy1%FEqD25B4DDNb9H(Ji1BieyJgnI9X zbso_QKn!vg3z@hlC0wK4%TFuv%%4ig;Wp)dujz12T|NF_O7`y1jwZR|tiZOyQl3=2 zS3%WM)L?e)F@fBfV@AHBJ;AknW`4mivz(gOjA+swIs;?_&zL@QIV1}PW+dV{e!k>= zO97M161~LGl;O;=flPyM;{G3^^OC=a&PV!AqjN0Z(=<|5HRU7~0A?#mMbW<2S2som zM(>zSgaOGxvdmR~^nvLL6gXiBo(uPol0Nz`C-2_*2hsQ_Kc4KVm(Avd;9(2KVhA^} zb-W&uj=|N?x?!W~!tFw~H_3U&>tX?AT~M!4c76oB=0g>6rp0xvhZg5oGac~igRnz3 zyI?WFH9Dl%%2GvzapJ3o9yW(vsRcV}a*a2$KxfIMPw2QI0wuXJr>8sr8?P=@dNPM? zg~$?JToPZ6ZCI6fJEgyswE1rN~9+>sk{ zgmx%~r+7IO58!5g#@UjRN6v0;p9Tkw`#odMa7aak!{h%79%Y}I^YinQS72E`y=JgK ze(4CKS!yD|Uyu^z9K-YElyqS2iS+Og+NmBQYqj2AX(=<^3b)~9KiXSmj_$%{KgZad z<_dT(1iycpiG44M8$3c6?9jI?At7z?k&=h>{zwJZ+ig=^Gd}oOr0?1IRhBtwV^ytoZM>)G)%u6~7!o(WPK1qb z&ISu4MVUcUwr}<`2CwewNJyV!;Y>TEISrTS@d`E%$B4Uw*5{0JBA^E6x zeDcu^iLd?%8uMuaHy#$&+OaOEAE8RpNR<1vhwNh?L*8snCw(F}caM@jKO-i(sEPL?=L@G3

      cNE!A%>**xVsXVedYTbOLdGE@E7cSMhFA*nTXX3C*>;{<4iJ=?fFi^%p zp(phK=>hGAl8CBzHU$q+W8`ka3efs>Ir2bX(GxoGQ9W!#MR_48dAfB~1I^x}Sc(;S z(JlrmO&-{i3E`5@L z>3f_h^el12$dk+L%i`$E@%eAtc^(;VrsF~xVpR9v8Qip%y5K2u;pv(NYDgeA_6W5M z`v|GSdA}Xd{-7$AkZ;pr00mKB!@rUho|{v0&)4}1!B;bzRNZ@2;wZj*XaZbOyM1W& zFR$U>iG7GI88ZJ-3yYJSPwpkRr#97NW?}To;wZ_GJ!FnuS-M4;mh0*(Opqmq!mr4BmxZ9oRIgMvT~)U;Fy~8I>e&&aTO$Mu9jSP7Xa_{yAeKgjAF9yg$V3KVN=VV~I&@n@Anq~5iJ-|Z!>ryY2^pZ|R3D|7 ztWRztuQ*}D0-8l#FTx@DZH#_q%CStJfdc(iBq|gOm27CLrtTkcF`75YqW|KV=*>7J z43zuyWPmUqq;L81!|+oE#JvCK^MUWqvS!>7Im+5a!4lz9CcKn({v{B zK9<}f2tje7c3IqB&b4?~TjCw@+3qGx>@8z;B`-F8PhjA^IGm^QP6@`hoUOig%#oId z@y1q>hlT4sMq@C*RiywR%|<|$^c6fk)BYK1+CXC-}M zlZz_d6wgW1--z7YNOufi;Cck@IrUOm4AW+c9DT~VOFK7W2cK}D5y@r$WU*hwW z4@Kt)pEc}b-|3_^4S+FM1_^neG9qU*_}`vLO*6Asqie7n(6Vz?f6(&M6cG4kQY-IM zM>3L9DU!ukLvF6FEy-+Pl-<>nk6YGYx%~Jz#VshclxKXci0%dsz?%zJb1Oo?Yc<>Z zs}k2<yO?QeEWhx zJa_zP;d@7`VXl%mDs}+mPPl@fe42DdcAM`ddr+ltL*|Oje96F`lRB9!ksHCo{Z;J} zVM#``NzaRN?U|>Kk4Ej_?^o#tELYq!ohCQPhcCaXeWK`b2kLij*!TEa;15*Nr_2OP z4N%7woNRJ{wAtDGRSmH}!tEPt}mP4o=3$4c8W0LbDOo2kGb1Tp>YAdxP}G zX#60E*%TyBr|uoz?VcSbv%sG3IC-Jb*KnzEmc#`Gm(W!B$n^Gnvs4mq#qHZtcaB}( zKQlg_%zBR|bl;jzJZfutsQ6j+r~VzO+nu^bUx$$SwIP;uxT@Li&i6JqDMQz$s!+}n zMeSh~0CMEWzzb-m8G<2~hrNe&*|n$`uN7Ror_P2-WJzW%8rzf@n!i3-CJKhzm<6ih z2z2+TgsDWOh=4eSJL>>V6b(|$o4_Fz-mr{43FuS6q?5*(?H#NH9)s6!OAW4f^u`p# zd}ga)Wo6YkvPsEb-p>lDu%p~#bR3}TkkU8$s$$u@;}vr8?0`90_0Mj?KUW=QnyG+k z!QF@6t6@=b1DcFx!M_)=)F_LOy7|$glfF9E4@67N#-j`6+gt*X4QDU{dDcL~^@p7b zL$W|>HS0f1FRr;g^M$i+Ks}_nC79Fmm7DXcz0U2-Zu^n8r?Zw42?jm;qlx3iZynx# z+|P6{yU*p+wzR@l&&xiwF&5O?W?@n@V&x4Fr%JZG)%jzmsH$e2MEauuMZ9fPT-v%Umi*BhqF-2FHTI zD)$v9taU&(E--TIE>qoNuf7uqCWcGD7=Vh3EJ{fk%xqvn7|sv$B^Xo}x+qwEZev+f zNMq`sl1BFX5@DY0@@2Pds~@|3VOfF{+>1FH=7eHis8gt)ILlDSozQ8JWOZ37-;Hvg}obH^ewW;zS zJLj*s`+~}3=)kE3^*1D#f6Vaz0#^_4CMW#-&ot(YpI@8%`0-=FYW>Llp8lGoUsT>t z&SuJq{|_w7Z;t<2B@aX}-Pq4+DKGEIau9YL-aSZ2Nh)z$u*b# zf#QPNBHZ=UBRwcz-&VB}J`7=de4;g2e8BkPU}@w_JNMy+{3t|(qFTas=5zm7-ULI# 
z?qm6><`2Vfl@#ywUpf9&rZ{i^K(}0dp1_?FVsQ1wNj;bM&9keziJ?sltc6AAmCf@ z5^rkPBqv_-Z_cef6DShA(?a+Jiu(&bBcXU4y1;Z9Q-xIlld=~}@g9#mc+C4!F(a4*U(G&80yl;_O8qOh$ir)T7HJ|F-Fj2 zZ~DIZRFqlShr;#UK=@SLk>ocg{n;Ytk}SZ{PL75Cb8MvH`bE}8M%tX5n*iSR&V2yY zY0NfE1J4davVjFVy%1@tHvtl-V0!MwTpLxXzzy2O;cquB@3$9M-Ljq$ymMQ}!*e$9 zlNzTa1#L$IKyUnd-qjo=ef509^r!9Gz4)EQfTm(3h~mAI;e!n#`Bt1$F_`-QtS*|O z{W7mDFGO2n&Rc;Dta}6b5CmVkK*osy;ef!PzM%^bR?M{Cv!mPxNY%FX{{mQC=ZM%7 zr}#z0{&&*$N2%=pXTtUmj6@1UUk#d{In2-=XJqA0JZGghmC{r z_Qo~$j5Mrvn{4TfPk-iAXZ)lb8uV8l`1M08-j?~>ZWu7EpXWY5`nN+CDY1G#G zwx)V~w3|+|i95=#YlK)y(#r6-d#I1)P?N+cH}}vL%KU(4ixLnN01Sks5a|A9Lh>n# zJ#7S?jBppbAnk%uNd^uj1526$$L8B?c>Bm`&+g*vMvzLIs1oDR+9&P-r{yEt_WlmD zhgh^;Db=ZaA+TO0pDqjqB545|G~K|(bA}xa!9!+UYwiM*Vv>Vl>53|HWZz%$QzQUq zb@~ykbB#O~ZQ8?}ubY9M4Wz)vlx#>nD`FB`QLikqc;};!D2NA}Oo|-8fZw5a_=Q^x z)7X3cZf6ski#(m`gI5zjdW3ns=y%!pG#`=|(@!{1J8nBWAhp~2y{>(51nbjG)gvdk z>005}!>42d&u)1LLYCjwovbJ;WlF{GMS2$9al$@$8$~{}O99aY@SsNO)j?F81kyY2 zK@AWx-Bv3=ufX82@O1)N#rQUz3{h_`0k8{6?4;o2B~akA!}9jn&y0RP0c_IvuSk(s zDMYY^KYUKE|7?Q3B*&(WK108A^~iMiUkS<-4-c=3cLEkw7m#&C;{$|*XQhNr;T=Xa z$VWyTT=`3tcc6S1b-OhYdf z48BM^H5;Dg(Z?7RPP8`@k+E_@Bd`}FICgq9fc@G;un2Ncyx( zkyPG*qUr~G$-#0`&sbntWM32@K{)AuWr)bFhebUo>_iP!|FGhZnJyR>T3A*nj^KSy zY_gk*o`k^^B1EaZb_F#dvbCHV1+}t6&dz<)m(tEARNYAcS~Od{Y7A&b%H;N_8j$qe^_PbK2~2lLlyApHFooFo7C{!iS(dF+{EN1_c4O=jL-eYQ0B+ z?hM`p0wfBNp>=|v_M<@%IE=j{XI&XO@ZHgI{^pvc5n^Q5uGOt;;fbU0MS#~urw-#A zJ>jL!XnCA%o-}~?U(_ei|BA8)Y`|ls3*EOlit6@IZ8LPtEiJSVk1xq zce&yoMHLZ?_fF4igBj|t59WkPLWH5|g@ex0P9SomEPsk%e*2ar%X4)x$5$%|WIbCO z10NlnSCWrp*Z8g@Fh5;b?!@o;RaK9HB1B=pHP>hRAtr$Q>dD%evqSSMG%-#BLIOo@ z3-1%FNmA<9{@eDj|suCCWJs=o2gj%ntnJFX^v()}G8;_uQu3na+jq z0_QkvEdIc3v+aHYM)L}xLdC;xiHV6oiorusG+68d@CppKja zNdMJ}kn7ZdAVFD(xOL{%gpsw?;#0QinAZA*l^`a%(mb!l<)z3YHXPoY{hksKqQda+ znxHOh_&J)fj2zr|>|qU-Hq)iJ12rL!)P(OjVkYb4hgebg2PB1~im(ntXRdV7<0ca+ z-KM0XdK2@A4I2nC>xt8Bxn7qEa8kH14qKM0e`o*}p`PdMKjtC)3=Cxc@G$8P(STkH zvnU1{*M|Ls2c61B#@l|8J@k%fgkWQX5=zV6c12BU1+>pvehAm6ueY%Cw|4Vw=vu23 
zFnQ|Px}(e5V->L^FTpnnZXvdAom6IU2iyOo-6IV9JMG?-^uW!F>H-btOB0=1JB)Ju zDEZP3@4j$B;$7p(Y`@5dHmVYKM#&rA1fe^14GpUh%4VnpDky%)5P?x|`ig=E%j=2f zP~c2kea}uxgQ!mS|BAv+`=L+%j|bskISKCTH`QG~LI@X&Nx_0}R;W;X8&JFVs$pM- z*`xT_+C&d~W3}cZZHD3FU3qZy@#1G3(jj;!%7%X#HTx(q`Jb;(5M4isojVOVA@p0` zNml^5-ouCh#F!0ZEOwnfOESN--&@%_Wk~G|BO2LD25G;!R(xO0J20r}rBhXf%l|$g z3fD`882>;rCl`WA!OX3>8y7vz5C|TkTr*M!T_-e(up}H4b{A}*1uGo0O+2r|zK|5W z)!{PEh}QVw#a0mCrhnHQ@vQhW_0y34pXr*z^3S0FHoDLW3_sO(?Q$XmgR~PUZC9l{ zkXGn47`dx3J=QB&@un}D00lM3ft&Vma;pDSnvFjf1-eu#HWJ$;wlB!^+Wi;N0VlHR z*||h4QpcO|p(@7GjoHYZ)UHckY+|s5DN}HMmsT#S$=^`Do`A$rEWZpG zj;q3DNq2+^;inmMAASgP+we)rJz5FF{u5WrMT=}12;rtW{hb%eO*^Y%75DmlXhKV+R`8?CVr%Hz% zbK2bzd#>blxm@?m^k*jik2DnrO20~fS{EQ@hG-gGb~t=YDsO1`yZTDq zXWpV)x?Y#UFmIj9!htj~J94r#I>Q3*H8MG^HwJkGWC3jyf8Badfxz_{)b%?=M_uN*P&WB>J>02QSV*S($n%f=w-ZL zej;^h2HJK0M=+@)curKw4gpnDC4}G!Kofit9hAw4DNy<@Py#D{A6RkAauETN5#2}3 z1z!#-D(qi73%*6d-OFdHVGd2A@hrb&c(bd)c)i2`zzDyjWW*PZy437%x@WDBs?cKB z{GWXgoS{GZAkMQAXKt9vg#!4)Uv@$KTJpc?fB41G{eM9TV&BMY|BVN3O1tDF$L`Mm zDcQaFQeExa*Rj!^2L{ZwE2UJQW7@?Us*`uWRQ`sB@`2M1g}Uz%T)=9I>_P>>5 zwOKTx8f(eUoO=?LK763iCOBiEi$Y4hJ&KCF=WCRt2L_Cmx9ai?sl+D+ ztXOHKY~k*s6-OC`uhsUF*sJvP_rD^QKZ?#>mEmE(yEXP39svropn+aXy^|Q%RiDx) zvf*Kd+Qsi*h+c^=WUw7*`6qdSiV_qtoj4t`8AfgrZZhEC5-ejE?R;wos;tY}k|S>> zcK-mRLPq-ktoBTp|9g-t`MUzt=h5uFFKY;c36(G(Z75rab zhy!)5XGGf+U+cku2?7iZ8F6GAdHMpOi!94sJN-;Cv{EhKqs z1KpUPn~du6tKFQ{v79Bjo;cM{@XJy$gPmh30rP|k=A#t`Gmx?$Z?sIgk6~EE9H@TOlV7jLCIPi_eQPeXG z7UpxWK$^XBPXUvD;{lfiB@b&IV6BHeNbfds%$DX5JfQ1_|8PxiHVRMOd-)DrS!s7E zm<>I`{J(UA`9!?IV8J^#!I_PC389zL(53laIQ8T9#zZJiK zSoim=R^1A@BPYI%gxR*u zvHc0K|0*BtVgnzgo>niOb&`Uy2x({57Iat1fpZ6FU6>uH*Yve!UD(Qa3ZSS@{8Tzt>{A}*Z6r)zt&E(Z_Y<@?_ zuk^Q#w)s&=`NxE%K-sw_0GuMAO%u&&Bn`J0>kf}rN(3e2p(g}_`ijBZUF5||EWJ2E zi;|`&h7=*Kxbm85Gmr6YBa*P*&b`P&zPl&gq7VL5jW$le8x5`YSXb`|F&nt~P10cE z7$&3R(r3oh=yQ`o`ge5q@ETnauZ$_Z8Wv`P%2Aieic(yny4H|PORw8#52;@v64V=%N@1F=zk*eOEB3t5i}#w!5vKtLMx*Yh0tlwFZxFvKMyz`JtG{!xa9=l45I 
ziq`Epp>Y%1uu&^Io;?=-pwLo9ND;4qNlpxuXka}&8t-{rMK6=G;GKqZ{D{!ncgOM? zw(sW-(Z0VmG`zLbrgP&BVV=}&-EW=_u)(Eh{9hX$W3NUJff5$`3|&Hvz7=cpA~`sl zFCOUUMJC_Psa6L1YqdI jSaE_+ww2MtMfy#+>q!z@jqF)vGSFb#tT7Y;GL^yMU>osSVVb? zg9ebHCuhf*EVz;#vU~V?+x3!bh8T@(X|MG3*cW%kimuB&z%3XU6h2(AWVT`y3Ep~^ z+{1DmGENALQkqP<8)>FehDHfx$N~)wUDC68vTrXi6W@9da`YFfng4=Qk^oMfmtg5p zmPcsYy#XaxYTXgYMl}&be~wPuKq%H)3vk;=iE^X6mQSe{WP1U9f;}17Jv!7u!My1P zu>U$T%mGYs^^H#z6h*47BX@%YDZRzm>uS~G{++a)_e9!$z7ab4*$Y6t)9Ct<1=YX* zCbbrw+G`2LmnkDq_^?IoF-%@# z&gA0)dt8){qDL?s9-H!-7#5{K2K<#kgcg!gKfmY666RWf`pAo1?}jH4!2Tt#KgX_+D|5>L8qulWU=v zN#4z^vhSsvnwV%*MNg@jof(gDHY#X4gf#C#8JhtGUfFIGDR47}^erW{#(TrU{+K&c zY3QK>W&+qQBnhogE_LGLf2nJjpni37dqE~bTlIv=)$&-#F6PJLN-sJuRl`zEN**}z?_Z@Y{&LM3LOcX}@;zj<>q zA}iXWx(ZiF9x;qFykJ}orXPxOSx5+5B$*3R#_Ao=Qm_7FbA~?MGP+pc9RalVL|8nhFea!RjjGmzsc*tkT2HTcFi)3%DG4)1 z?JEkp!jTbW*raV={TyY9Dw&158zeINv5B<3R{qbC4o?Qe%^iGXKMMJT6LQC_FFfPMOj43FX4BQu9n#At;`M;1dS0B=BMc0u>U;Mtxe0mqplAAYh zBaixISK0CUJEZqumZB!{%z!cwu!^4?^Z!i4_4b0D%!N2Wr2j+_=9gT9<@cZ-LVp7V zh#cH7Fr!rorwEq~N{W!!wEw4_AdE#DAG9zTC?*1pGHQe|rmA8=r(4?sDH}k0>;~V4qCfpBN~M1BZ>1D#dqlsQB5Y1fi`VYEpAan$ z1mSKCjA_@e$gE(^8G$uTv1)Tj)1PLwFfdhg@!rWsP7>tnU=`>v_@)7~hW>j_<$O2B zuZd}t3xS(SqK%Gl@rrZ?o?j-hc^5Y7oIaBTR2qrn(`+#!DiTc) zK-KDX5A_|WmZq;)D{2uEN##b<~FwD)(^f!0EL4N2I^D5 zs!;%|Mh?i7o=9LuI|k;0;xqiXaDi)1T^nv90H~&n$wS6=GBTO`j|2RNo)r)uXq}8o z3yeylT)3lviJ){P(AVQS!X@B=WW&GiCmpAF@jSc?(R#mr-6ImA0I(>(BxGOOPWyf_ zj)b0b@v!UfjH#@5VQXIO-N{YXw~>m}h5<%U&`15tQ@VB9H_{P!t&_TxjK?ROml!)t zC#lXwz09zu$7AE;{DR+Ni|M$A47CcrR7T~>Gcn6(O%w(^sP}mPe}A9EpF{*+Xsz`v!XqqG#6lF#);lph0XvOt~@As@~mmVeO3 z5%G*Kk>E*NT3F{fErYTR&}o_zl93V{deL(JR!k>Pvdm0Sw%|N;V&FLLy9AKc(y@PIs@R_drHq5`L zM7q%8w4IWq>#OxfdTb^NPakMdHA4YpoR2l4d3Dod{-5&xJf6z6jr+&fVp-;Srpz-T zgou`TDpLv}LrbZU44GNxjF~BO$WS3u=9v~U5249WNTvpvitmYb*=@D6@8@}bfBf#h z_UnGFmTR5Ybsgt%9>?){e<(H=1^OiZK^qf4_$%7jS0iJLbDFYmDx*y9kaq66WnM6B zEhOSYjy+SiR}iKSZm+e^O`yL@t=ABM@Zc7nGL=z8NgLkak{;W?Xy8=?yeieV&5^TS zo;7h-Yn@Cp0=gP^lf104>ZyW$`0X>dfnw+q%+O$Kr`khOcIKawGV@Bh?~<~It2Hmi 
zT;F!0fFwyzM3x3TzU=Sx!<#AVwpn-?zKPp`PoafHLkRgEYBF{kG6(*k$R`y=~Mn&bhfu^-D^@Z7**U5gH_Y;pD|vRR+HRDbhf->jexyZyXfT zUuLJ7hQg~G*<7e?dflm`n94M2#4iq^y{1D&i<(6-I&7^R6gl#nzB?20iVUs~*w@1p zvv-XNv9Wi7yfLT{_6K3^?|eZ}iH`k8+Z|C@mWq4b5iHed+M*( zN4~&fudI=5RTYsX+x3GTg9u=1JM3~^z%GA#TTUw$W1j6^$^FAk9RvWUwL_fQMcw%u zMG=uLWVLH5O0uCgb!DnDs#}p2wd<+h`q!v#XzTF>;sTno*Uhy}CESGgc}Q-3XX z|IXZONG=AT@D%#+Qi^0_4!35*{P&x^#V^$Q5jx3~(C8?;EZ!hknf`H;A|<`1RF^X)ce;5u}3k z$dQ~=RyXB|r1is=-lWepWBX%l(x0HBj=sM>50c~U>-`I|s@(vl4*_~{Z%CNFp=RNH zWz^_D;fts`A*)?8MJBED-jPPHl750JZi`Go34C{v=YJhHAjv(Eu&cEewg>N+^0d2!%c-~J zb8jBomL_*Tcez89^)hX)`kcOT-k9`XAvFs}eVlD}a3KN85=T z3jiyZVX-z8&~U5bOS)%>!Q3PIEEH{BCo0BIjf|)-X_i&+pW|^{Vw1bpydTy6k9RQ@ z4R&})CWN??he+?mdvbU5^nC@0;`vr3Y-!)3vJQ99BYAyV)5?Z%9UWwV=?D@H%D0kV@G>X{!I&#*}9^QTPj-*)}5Bh#SkYaW)$AoYn@)EQx-n%`97> zrGH~rF*=~lqqusdPIJ`rX4lS{^?R38RaGABzYDCI$RUreJIKAq<-h6jzdt_Pvj`aN z#k;zBKJ1nFs@L6jt^WU&w2z!}goLc_n}~dS>T3_)EbDXppxPSA!_LlxnG4VtkRJ#| zlHbfzZGAjpLFVPRk1sn$FxRSHxdyP*)SK#uraW(CE=*M1tXYn#NqRDZOSO%ny;k!p z6m7cFPCB?H|BhZT{Y(D+1#%C1?|}Rwr|-D=#OLTQmf2YMeMb zc$DnDr>Av!>G|cGS4yu-pORc$!JnfXFqTi3<}Ux=Q&ddoaNXczT*wnq}4^3S!r&F@x(QEt>BP({mbfZuCw@)-xO8=wZ*( z?!|lQoA@>FML~3j_p)`>Ez2Oc-MRbRt!Z1a;6}C`LMRe%oYRr1Rmq1foXw7zb$|*L zgsC?vH3JKJn}Ej~c(t|xn^&*Eqplx99v zr|vHB^HV}aNQ{zN{-um$yc=2W`K|KW%DiYGvf7h;`qz*V0v& zGtQV_Yh2}Qzb73Sy0&qZ6dd8_8r=PednuyTB zUO4GlD+_X9t9C*O=@_5JEJ2_3q|%waEU@vZ!?6u_ZQ4Vm-}X=(?2&>|P9&(-Y|NO9$xVnWImmu~=w)3B3_<+N!f;1H zM@g5ku7N!29A*N(#S?leI^Pgf^&+fR7+{?LWqRZFaZpGdUEh4MSqmzOTPTC@nyjlE zB!7h=O>zdR?$a3xW(mv^=i>xmule)ZlUlJvOs@GWR47_~XdwTyO6eBq;fL}+ zCb}PJ5M40_$YH#+mx|24F1+D8Mb}=8A_dPr-Su-v{K5+7g+SlJA{8_ArqQ77Jlu&3 zm8M;!vaED*29uSLo!RJOM)UBk*;zVxlR^$*L2$bkV=}V|b$2~2)#Z=+G|=#`FL62g z)RQi|ve_=S+VU0tCEA+!R#X7!gZg!b_f)gQpArZlsoRd zeSw$oHsvch+iwgNzD5>S!BKS{w@YrhmYU~GYz&SR6ocG!osO8708k-84fcEeLgg*t z{|$)Q_nrD*U@<>3l79o2{Ya2nC~4`b+yO~`^IHF^LSmcj%B@Skbck5}Fqpm5oBHvm z+yE7SbGhR!)J`z8#7=CK?$B~Fs7q| zY;B0N`F}diq7*~8)9d=4sx;@bOmuxp7=CNOaj5S=j@sR^{0AAv8jv%NrKvJh&osG= 
zr|lEH3n7}GYX`9xFrHnNqB>5hbcs5nvg^E7BEXja6EWZ}_$w0Q`n^J^09V?FUDMBc zBX7&SBYo5B@2HQ;R;dw2lNuU?V`UX!`Iu0Lf|?}*xz)@GD}+_xyTCG*l=xhk$>gRw zH04dR#(j^fENoIS@9cd)MnR|V3n;)p#U~RYn)PeV6A+9EwtcK5S2zhftlo3dBBR|+ zu=``nl5tp5Eb#F;{F4X6SQh`uN&nqwipnCss?+YQJG>`4Y^47a!^0RNn#AIx57swH zJ*K62rM&E{{BV+pUbA6x37HhfNDgJTsXQEWyqk2Xrs|s7sW)ReR#%%v2Mya@mlUlV zGmi{R=~}N;WsLibjlKD@$qo8bKMqq~r7p%uMAoSZJmpehZtle1us$n75(MCfQ+i3a z>f!uxu>SkEhTOI9zk7EXM={EbkI{0JM2Y}`P3C&w4xGtB>0q4@aqE;e%GC@OGI17J zU}USS03QKtH3O*(!9Oe1et#&jMrN)>9L}e)b4S>!FXl7c|GK(S8+ah-GQN;^^A)Tb z5@SCbDN;o+q`1~6Zpg{4zPpsmv%ZaG^xBk?-r=PDc%QjfGqy1afXBlAvu6Zh_)dT8 z#|ZG2r3}L4mgp`XV*%1prZsQZLGjK1D0JPsC-visf8UMzal^OEyMoA(f3i|!G=wk~ zcfD}iMmeD4^jp*c>mnAr{H}RyO2%MmwZm^*D~MENc^dSCnw^w(6^Y=nU}< zviQB~5Sa@BnRqn@W}Cp&q`+bgF95d~FLHx%^gmC+b1lR1Rfl%JTp;-_ed?)fqG2RN zNKMk8lH&H|mPa{VZ4Jysx8{?t@imMUJ^~EM66i^Y;)v1Nm~`Zgy?X5Xk}asJqP~@A zHDQZaS~N{l=?BPl@H9KTM5$pPRNz7InG>9mqzB7{Pcw+OX$YB&m5%f7n?B&a`3UFd z;EBkW;uq4y7&^k5H2jfC_zB`(v*UBPm=f0 z9$z)I=a9UKpql-_jaujR*o}VD{L89g;r&ik^~d|Gf-4BBUw8PtewV?0kB|Q^>I*=z z`L6~yW5$|ac1xMIBc_GWp`SQU3pmT(&J3zRhBwNvzb+AxcVhXmUJ z=Z{qN&L{VXHQ{dhrpnq+)fx|iV%b%CuZTl5gyBZgq|ErK(#Y4zAF#M+LTA_DnsgUox}y=nvb#PDCb+MNDY8`zZ}<%1C(RqQ-UDyVz*=qL*&p@*gye1QA| zH&zUX#b|aFOnpk4Amv8-ttU$5)c^H}54!X}UWKhfIZ`B=2;`z50&rp7$Gk)Z%r;K@ zJy%Fj#|G6B%^=T}+n4s?&h?dT1*>^-T{K|9yb@z~@|n>Tztt!&vo7!w@}3Jm-fBVx zMkL?C=Y8PMfPQIM|2^h^(_n$|E_e`RtN#<}%+HsNS#s@$OBhmZBYpLnd*79R1c-rw$RZ+`&e!*2Sg zkgsM6MA^?NH}(=aF#b}EwUPS`4f-SYa|dpBD##qZyncF5wv+kw2fu7_yzJ0>r;ecf zzpw{?#L6wu)W{{yE;@ksb?T7N3R$5r{Us5wN&JUl#yte0-Dhfp2&To}N%3V9BYT+g z<6Zp2shnt3mT*5!ktW&@dKHz4$ee%4;?shCjQ1#QotLtY?HLxlu{OiWn|K!?Wfj{r?^ zA2+jb0(Zp`cJ_g-O{MM*k%H36y0z-=C<1z&%cEH(DS41-`F?B~-w+)+&5MPQJZ99D z2&g2j*KGRpL;J#ae$V(ZygolfLp1Ff3<37eP4gLUXQTq0lGnoK1uBImc0|1C4aSI$ z9Ay3&h+hM^pk+=)tH$w1P4XXSHiW^~LqeK*Hdvr?33;etBu$7+j!sVPdk?JAT?@QO zE#iW3c}RiIL;|UYgfI|N*^f%My&&6#TmD^=ro!jmz44XkGLHUZBoQ8I|AE0U+qmB$ zI)6OD?Ld}xk!(=CB~?TQHfv}M(Q zLtWlg4C5Bki65Z$9zKkow>&!k&OpqK9|Bq!6Q_R?#q#vz(V#~ z%J~0MOA`>4ok${n$N 
z%F##KynvKl`%;^Kcp}c`^NFouwcsl?8PyTM@l#zmBz=P4KWO*~0}3^guj^WgIXE zu<-{-rf-b_o35=o{(J6(?3+d`TdfsS{^(;M(8#;*S?L z+}1Og03|9Fijs1uwr8)`m5)Ivj(%~#_3F#Pd`hl!mt^{cBD=vpo7*wb%3yq-w~Y*E zSEnF*_S;nU^2(l7tKSVOevil7?cu#g6u%z;V*W=<)V;j^el@)#>I<{kjdK6>K@zkw z{_5$*g0XusSC<5%a9kdCoDbuG(16|3I{7{OOGPP&GF`--5O3X0%7 zzcR;$sIg)rQ1G{1_q7ug|zB#U}vWHpxhAdtZxe8;aDX9+|S;ZI?E(^8KV#_cE9aW&O^VKC5rh5QHup- z#h|Anby?7i`noee99AleE%lb-K%qV|NuCNp)%bq9xc0|q&~F`Xq3<2;0${efgXL$B zdKvVlDqSWw=L1SM>NO^r)5sfdOe^%!Wf^@0r|eP>^aZ*z{Pn4XTtYgS6+gEiT?|e^ zx7OwJA{G4l-Jw_TYq$)YUOQ)*?x}zM57c<3I54EBX}nsD^3nmeK$`S*>h8)LtvL9t zZfEBYRmat#yJ#TrG;I_;N+2j%1joRMsI--&*W2!`tl$SU-v2T)wAEI7FO~RLkN33@ z`yKUb)zp&*L-BFWI2LF|MBI)=wP6?>t{>&&UabmNZI(DrXhfl#L5GvxQ{qHqYX&tH9F?6UY6rBE+0*f4{#MC9GKa#_o>)cFX0WgrQ`GMZ$g72-{*617j zESYK$vM^}o;`z9DKF(OlpkCmB$;67;4&Z(2V=~z%ORyyDj<7OI-V~UENE&<7^^PN7 znxPSYCVfSk%ix0Cb!)*tNm+hh@PTy}A7w(RfVn`7Vp_!;%RqBm(wB8NwU3%d2tuT# zA!5T~95#nix*KfE`0Rj%H7dWE3f0-4qL;BD81ygf&cc#Z-}>#Pg|0K?{?&%fjQ-~U zdGKEm`Dxj=hzz>hi!}jL-$?n}1^V9=_qKl44+{KtGxH}!tJ-zy=-IVx8w=i=fY;x? zcn@jozMS*^f2a9ln^kD37qLjBHdd^G3F3I(EDJC>LqGYl(x2wTqZ=2n)=E!Z;ndrg zB~<@11ou2id|mpr%`vqIsDehQ z%Chu8+(;vW9}DF^xpgA-JwYKQr_HX&1oGjD$K{xJ-e0_sFV)B5v(I{8p1>AWvrQ1_ z8cEU!pAyz(FVvHaFbT>iPDrztvB=fvhOj>$h|fC=^Z}nDPcuE{#7|9zjUY36VU_lH zg!75XK!|%=Kl{E{68v!i$YKlZqd9ShxJ_>L=3h>~GMpIsQ3+cJgTdFex5!qLLa37i1L?F)$<9k$MpC#As&QvR%UVUj?wNxoWp^u9TMv43|@dE&^`w z8Uq_M0S397$h;(z0rw?)yw}wbm7-Q*z8qd$rdWJhFNd>h@*@s2BKJ7x23PHFBDz!M z2;g2?VNCV<+CDvso?nn(FIY-B$MHafv=dT!M^ss!vS4yX`qi=9;L(YzHrnPebGDW= zR|!AXO61~PVE&_x;8(gxZN9A(2-QCvM3B%%c8jJb`4M_ltxg%^gcX^th@L<04DsY? 
z{R3Eo>U1H3S2YNDv%J(!i2)@dkuqbI@Wpw>Zt(aX_4{1)@o_nl^ELZx<`9*0sr82+ zM&Nm|PA-FVADqYj#lH1J%6&er@A{?wWmFGenWxuTEG=X>{F$#ODJw2#iHf+2zP@BR zF}|=vs;IiDR#u<0YJueG*v^vcy+@$eGZnmfd*l1>;`iwE)M*OdCB93M^h}(GQ^PJi z2|CibI>9#_Fj}5QPaJ&sl3DM;12Lp6d3|49Isd3&u`|`*zdQ=AOT&vMv;W4CR&u=_ z_6#=|?{t+S4zoT}9!-!Rc_mFO(ZfR9i;0~qgk_wByjigHQ>D%a5LpF&5`sD!B-3(9 zFRb}9F-lNlF_+5d6%uS?$9K=Lk3##Wgfh0@h(-WT*JwD>SiyM*K)X^E& z(r&)81z;KVf6~(sI0$T&8vfNg;0Hb9m-_TA*MRRI+hS~eFnCbd`C(laKV?z4??T@* zvtRfV8o_tdXPVOoteUvJ;ya2Y2Y1=LUk-3;#BdanVwMT+NDtj*- z5}H@qpBB@Y68<-sM-4TtcGfCxfSW1yY09S6k5lFmG6K*vQMihuO0@uCRyuu%Ju?^q z?8jatr|_u8@sj&sSOKH=N+gzm6bct&*2=-i!xyNSSrG|y$5iUl5RF1Fy7n9e`n4(R zx}GWIZ@;ql=vLTZ`g&J1I%X*WD~9oExJjR*W%{9D0{d7$3|K;(fT)swG6_n5iK7!pyXm}gv4zHapDSY5u!J15s|m7FZHMgFS1`TiizGqdZgPkh z&YCtdqvfPr;blyr6W6T;+2#s!A>qh81_;r$w7M+051F>{_h`TWP7*-Adtoq0KV_m#tQ39B>BnzZoTK9*T0C`G7)5pp zd+-88h2s#XlkPd3iSBqG67Yj2%wh%fc%6 zJA*%&-Bcw6%$-|Ed*bfcI7IJm@qFPYS&Ktg&K5xF>~FL%w+7H;RX+JxtJdp&D4Tfn zJs=iE&~@5@Fsvg1(d+hF7c9`kzReJ-nAFPu4nEtqfkfh`_ANN>9#Q&crj4~i;PbZ^ zlRGJ$c%)VUXUq~{Y7ZmN4@Z**lke46Bia3g*ltqN4vg29`ePpwx*yvWvRhieJ088+ z;1YVhK;5uuk;mdJ{k1uV_{;JOF0U=>-~8k+2LjeA#9!@Dq*Ze{K>6|!G(v4jx$#v{ zHOaJ%&AeJ!&uHnZ(TYJ(5jKw#)zG2*=)v34o4SS?i|9F*fiCE9OB0yEfdjtZpM&^s zekZtP=!62^j4UPmUE)0&IhWP1NKxERl={z~&)NB9cJzH@@wvjvBhED`w4!b)Y+P0J z3h?k`Du7S@pBA18^L7!QF|5uOpu@*6Vt($wHQwq~j8?+mT(8{>PU%-VbBHD}7aDmQ zW6u6@zuUBec}Dt&O!IyjmSBPk7@dgo&_lJxHvOIh8GdW%R+G4J#YA*6#(@~!DQAql zN7zKgA*%{tIqYaHI)}c<=J`C1%z0f@{z)Db2zF&7qph@W9efb zCpj7pS~8t(M$!uYTvFGrOrj+FGILH|#}juxX@$CH5;tOjM)wUY0PFWdCSn)&B`N!f z=qSRTDRN&-J=I3MO#*uk34q)#KF1_?(a0r@!wzRn!%g+V^IZAcd&RCy`T`_`+}w)F#$$qgOc-QqrTxCVx!2 zKFR7jfihG^?i?Neq9yg^i(z{rw_W!@ZqHl(jNDE=$=zf2_ACw#r3wWFsf4_u_nVV5 zQPC38e$mM-5#DjPn+{l-x;K~G-w5XDuDelM2Ch{5t3I}N} zHR+3ZKi~`zp`C|V7O|KV=f$-YZiwO7-(XU^{PIpbDoJ9(wony8PaZ{xVKrZ>DQWkg zK$Dbe#d;M~&>5VguX()2>@uZ?*}^;7@kgc=F+zIu4(24y9AYCM(&-D-xz@rlW$_UO zIi-LNY$J<1W2`Q`y!Y`fD&P8DYkKS3;R^~+t^kCQ;ME&WZr58~l5Xefv#Btvr0Goa00EFhr(Kxe?XRX>THlpjXm=n$wARcK7!4$t%!L 
ziMl?t1pMYP1>9m1CK&y(m~GDE6c-OhECN~%yKufXI)I7Je*J3jUz&#FBoR| z@d?y8Z0%ISEDa;!iFj5>20ng?@MFLYk4^XuYgd04>QaWg=T3?`lLvt1Dc{2>7057P zb3joNSxLa~NA7!Twt*0FRbnwJ#KHy}F|Jx*BCOp^n`Qga4`qJVBpIewCNjcj(SENz z`2hcL{ZU@Qd{PqYbLVD4U9oG(w`g$oz> z?TKG9B$R%xX8nR6PJveqw^9wN652%Z8|D5oi^W8C6$=yV=p%>js|bj*ye?a}(m4vbG~p!W z7ba zs7%4!dcO~*Qu*NI9d!lF5jVWIVkPAnOx>Zx*9?+*o9ROV)@dl`P=qjBHfPB-2_yUh zQj-G=ZD){Z(UX``&dD^PkH?7a0$Pm2xi24A@7&8=YFx^9G+bRG_OOxor4*vF2DT?E z21EY@E?avBIhhvK1qg0{WqN%>NXm1sCOy$f1qMHpJ`|09kjS&1sJSu{Bb`_xvaEwy zHi16Z%3u*Mdh?zbBg0ASlqYOpIP*UK#R)$9g+XZj%~;)L7byq_d6+$1TXhOcqGRNV z%M(x`0TjsBv6~gg1$5;2GS*NE2d`I4Z z3Em@nn43NLr@2|%^&>mxW@KNy$r!fEV1x!FrIOy76~fb7_fNmed&f>o)<1(HLfXQU zG_@lmNrwtehw)*SPbiz7b_&b;BqioONie2<88bvfH~RC5AOehuQ`m{J&0d6WOA-}< zU1rzgLF{lp$#~QsHjr!Ch(Y_oJ4A747fl9sIi5^8;RKoHwZRJsHnP^4wsOf}VGv?x ztgV$bVX4H#!O|J?5Fb0j`ibt*{_BT?x^GFK)7W}hLt6P$kDruV!!Tis>xr5QES;4b zwLMmdyMJWZ4_XM$r)ygrLO#GD?3TmAIEx=#Qe+bWb%Ny*SSpurC>PX5Sxgr= zMabB(I(3RS3kBZlE0p3cGj}nz3xc|u!om&AYEV@W;aOqMmdq>Z$ zQ}k1P9F$Nb-8EqIuYTspKn3_(J2t%HjSAF>$iW`Jo(8H{dHb2!CG}= z^`-=5B;?wBwRS7s2SWBa|fBWm5kc_~qIjiH+mxIva{6f#X0DF2&u z%{GNEzlKEgl}{BE6vD>3yzl!ejLSq^TO6%_QX4vxC&9an|NE)wcBY-FY23{ZGmJ8; z3@!ACB1B|0AC7|_8vtX|Hzg>c9!QHXe4Zge5#``#=vN85Tft3lMXzJ;UkoyAaIQ!L zQWNlbYgLf!_zjFyf$TFMRV8a1d{QMwyH;Ovm6CAr39VKf((g$1V+f!4!SJLm+s_%xv0lw7sa(mxOZ=aKURL~dBLwD%@hHhu{Q?@x`~;&dRHF z?k&a!{>IKXjs)|T>;HpJwHj{Y&- zY-D+}159lfR#shzV{#{M?dU=Z;LB3LI4bo?MhcXH5i5>pH2sWvC5gvuWGwmeIixcF zW&8>%4_os_bRXD8_(TrpiAI~?{8229eDUT;C2U*341UvK5mTaR1hD?gCbQ8Q#2bn+ zudk-26}&qcp~#@{tT4!Pw)G&Ot1!=CuGre1C~nPOk>6#s!5SgG<5I3IwIia7TzYdP z7`EW*w7p<7g-pKR77S$TzvZHt>YXc6*lvV_cifj5UzUanVAzAO_ik>p5wu?^MF%Ya z!%py$Ft>Ua_yId4|8c1QbZBegOw((N>;=5E9-IFI>3zfB{mOks>7am8x!ab~?^y@Z z_*IAd)l!8I&pav*TMvI>i|)bU!ucDJ?a*GHW$`O)tZ0A=-MZFhAC?J|wbLAfVf0@* zUNL)}%e*ciAmO#X7J3J`Zj4%Y{>p=>XvWc0wR@ zLd4LEL_iN2u5KXtRyrKH(SdOp%SES7`=kQy^;13@%Z?;EsgMIPKtqbW$V#kc#Q<|J zlM!dssY5HkQ&)@p@)gdTbr$1i6C0F$s4MQdrNPFU8WE@ycvu%{q8jUvC*16-7;9&6 
z0Tj}pmBafmBtBr_2lWnA6bC5a9fx=#eG04awmV)anyPDoM%u&nahnvhf|28QIvg;= zw6Rgp;V{v5VF{pDjyB5*WgD_*8L^L^5*C=gN^bip>#T3Sf^Zh#BQ|y4RfF(bn~ZfH z!$3v&XZB1Uyrq~P&nGnX#tT$x3KEKn0_7O5M-LKVs+ig=n1D^nJVwTPOeel$8M391-cDinAoNM^4y=ZS!nM}roTghZ% zI7HDM9p-`iE+Vl5J7VvG4pLtb)3KQiY68Z-O{#cN@B{qDu_Cyfu@-iLIwsdUAjrFk zSmdWBCs@jYdyI2Av}jz;a@DV03b*ZC#3AUQ8V&d5=n}>r^g0S8K-!tUWfBYH6z^Ui zH7RaJezR>8?uZk!zLb0HSjpUjp_bcMobz9zt;&k;u6=1EOo`KR6FipacacVZ8)Vt< z=+|vgW_F4BYa;cH3LVv6onDVpu#;%|@IhQO6yQW!K4aE2gfA?(iVxp^z?lmA!*+|5 zfeLvFi%*~uXgk~|Uil3#)9Nomiw_gg<&=r5GD=@@-ZE65o<(W``MZ8<>dEWQcXY0yM0vkfeWjIzDzs$ z!iJIn!}7Y|)f2J2Ac|4FIQEnE@K#|*euovjz3P#Xav;?KsNn5SpI{qzT|Q{^aHcLS zsL{tqtNr%r?HvBwJNK>0Q21_g7e8~DgSQ7qg=FU@+Ge5u*LKD3-pF=~;-^ul{dbg! zgF<{Z-Cftmzm(UBxdjBwlrNBFUL9naAQL~noH@y{XNhOq&gr`y%T|uPvEFvd;P68c z(xnnKin=rZX~qI^W(6~O85(^cF*4{p-DmY+f}8OtuLeh)XsHzVTH~tGm)pR5lk$_! zfTx&Cd)y<%-SFd>XntTgre zuK2{4Lr(J~CjL#IqG@{sRh{DSt>YaEWDL(XV_Sba^?tlnCT8OhRX>>QbkJK>1YT{?}wToxU=~(rxC!- zomOS#t$guYuC9ycx?i24>9KI5I@qisA%9+#)hJqGg3|$FyCEJiLJ(F+IuY(uXg}K5 zlPc=*f%~~SW3h`F9SxMwP|Jlv9cUu|;ZFRUCW!leLDb*6pdN?LAQ4}bKQEHsQF93~ z;;wtHLw+P!apYUJrju#JB*9hfO&q^;SD8~Fi zL6{)v`#_jE|Hi3oA3h-(hEog*K9~wr;kPYZo-`W~;qG6HzUoLrwz~z1VWfte5G{rq zhr#FDeGG?<_b>_;d4EKQ_WU>ngBKw8a?s3Z5PoUWnh8niS6?plXcWqy|3G;O20Re5 zhRvu0*pNtL$bzb4cd7cy!j*a4qkN1p=CF}L)At6%wxJVM}u(MomsM@fVnTBQCcq*YGD((zlydLK23N}r`3F;o;RK$GHpjt1ji4CEPkpx4WfJ^A(2=&CR6AE`yxH-2jS zb{~mj!Q{aSMUt}5AqQX?(H6>BSbVF3g@WlFQ+GNV?_e&cU7IE`3L`#TAf6eQf1{{- zvPh85fkTp(R;Z0UN4T<)$lH&jF-%azPQ>W|3jXMtLa{m9!*>U;6|=HT8^3}3HeV%< zhjpxDe=x4B$eWML%00_y=vkaS`*pgzV4&4=H=q-bZ6FiP^rBhg%JCQac!#bO=$t}X zXFTuc=vHdu89~Nzj`QiQ1X&cdbv{e+O3J@Mbj-W|l86PY?pz&KVJc@xKhVMR*i(#h zr8L(S0^=R0k!kLW>TyNadu=ojHR#rW*nb(k-F-2ts!zZGObnBZ3iG{3>v6ldeM)}s zw^<)Qo5+A>vi`)1+vebFY4&(fFZgM%p=0`c=nt7i)KZNZ&p%)I=}_`-9y0$225tY| z0QcqSi~PwWIm`yYP1knuA^)ug^h1!sKtYQ=^)lu*uBXH~eKPfxchXkI$0Y=&3oJK; zXL`3rnO2wP@qe|4+=A7l`hvOg@4c)-V7C?%^D5Sgm*e%*3m4Vng9*gZ8*K{|j^-~} zCOo*aj@9qOr|V}MRK7FFAzv!1oV(rUrwoo6_OP7S-=3Iy-!?K>)gcv{a*iP-zWBZ! 
z+xX_jb6cy&^Ndd|=iKgIAAL_f!kb%rL(yGl_-9%Y6|WFeRBxDQE?&04oUF{-I2=Q( zaKZCpN3xyn(WYWxjRNbJ;?_<@hS-r~IBPaOHXC@DeW`LHjJIj%-?$CoWJ`xrg`B9V zv&P5Jh?j)Sj#CsyML0qg?^?Ih>@_mGFKvBHG~SjEC<+-VI>Ff#2{t3ud_dM{;x8$; zuG5-<2r@nEx!VajsGMxd%=%U&>4xaRH>=`aNo#^M*sPkKw*?2t3+yy*3zziimL6{n zPi|;9IEqE=O*9)_#X=t^wf~^L7hr^(npY?_hwbAE?i{k&oDjaV`DBC5=aa;dcyOd( zVPCPkDb>yNCRXSw=0Qu$J6VauuY81CFi# z;G^z~MUr}xdo20`w`nHQltbl0J-oYr3ljx48SY+~+L4oRr5s@oZOIqyYkpX|m}E59 zZU{UkXVu%dipc|4)ipthF-m9;8MWx-hYG%w22;XP6^s zjMNUcYIVX%Yno8@16Bm@bgtZvDfwtD$S4uVsaU6+g>JIx_#o<%H zZ;Fxaj~V$t-sx^7uvg^bK143DKZyAdD3|d@+YzcJ5W@G_;$ykR$AalPcZ&lO@^KS# z1bjM&#m6wPSQihNAQ?@wh#)?TZbPJXHJ~BT9mN?UO5C6erSV!rlgCNzlMjF;F|CaZ zKQ;km!t;EmQ%aoESbRo&DI8Fu!*2rFy4)0s%ah|D9rwD_&5U@O8Tg+27%c=yhs|$S z^4Dbod3G6Qc&Aw$_7n?dDkf2@-XY!H!%@HC3~*P2?t-zp&C&!mm(Yo91|haRqx;Wr z6%b1TnasYpDd6(;wLIRmzPdn5zurDV96QU;HN5mUHqtff#jEE~XK2Xegih`r3Cs8t zDNVw+WyhpNkq;(UGp-OR=;M_|-5)G$ArTY)UYGhd>Lju|IohdT{lD;orQAAz*e$4b z_#Qv$k{)mr)IPi_kN(PAWYE^b$WU4H6{T$YSeuzbi~nYg?u#=g5;qs{8-<#lviQ_M zlSXef;;$x62Qhw|N8+em`|M(;=6Q_t(Fr2Os~QJZ%N)L{UDS>HbX?2nVd3X@5fSkY zPdvZ3;de+9WUDSjh^ynHarS(3_wv2~1bRck_1?a8P_2RjN+8zT3xHvl{b!Dhe{+ci zmkr0mxTHjX8q2ef{W2EW)jZK`u6pas-J2eq9F$xTCG!X`(cxiqqjmze45KwkX>a`* zGGGqHgs(xoh$Bv#)hNpvJ^`aX-Ny2ZLXj@#uNKfinOwSvI44Lp z>z`Xvu@p)53}F5)+@zd-3)bdSGLrsyTA86i>d9QugGsN8{OapY4z-_jl2_N-x!cfHK1|5N8 zqlKZj=8^O7a4pUZcDgMNm`5-_L&23WuQL!5+A6gk0Kb?Q*dhO$he@H=j~^Or1b9>Y z6bEBqbJ{Tw3+gf|TERlge`fGD`UsOad>oM>R)S`!p3!>({n&Psw|Hr{erbD0TH4Uv z2G$6psiy-;2GvE*3f2?t><9Ts=Ngs~L+F!dDQR*rW4ftGzw3t$MzEeMQPH9dIVP*a%^E?4=uSeGdWjU-(G}!T zo{*cR)QmK3Gr|Nv27|OERJR=gfO;2vHc;Mep(dU8%)ue8Yfd(Tm-UN+zW?fPEznpa zvBy6GYnSNvobmrbnP#_3-H%Q_HYRaq=b*Oxvh-GjAE6Cz8~e$?NYcTB zS?Y9_`irou19o@otsQUbqxAD6x!)_sa?Yu)b~#Z5ulfXd=+(HiC!JKXPI4_Sn(DKg z5?&nAYSqW#r0S%We}Wsuqt{deoU{_=UR^7- zUtQINR+z^l^#sSV;}Lq1X|2;4ltInQ$B#aAfBe>sIVJu;=U1V^jnE`vhL@twt#6+t z5ZT}VVq+s1S3E$MLak~6{uoK9$*wu{RkG#_)z?o{$M08P==Wa(9J)@{2eP36_T( z91F}9X&pgo4`a~vF ze<^+Jm@V_eFm3ea#!}eCP5w=@HgEUk`^W5_`BcvtEi5fxbgEscKKF5sdG1BCoQOA} 
z?33Q{RSK8`X4%e)1+DljQQW!VM0d1ejcwAiw)yB&Z9ux=(p+Af!_9P1vdOc z`lGSt+C== zy4dRS<5pK!^;bfUY6er1KA6KV1(F4#Q$Np-bJCf@nJ-*=cq%n;RVAAYt*KHhU!i@& zP5YF>YfY*F3dZ^YEeK<7K9i4)4c%cZKf|-;+9-_Eqy7mJVWmL zu2zm}UBjolj1yl~OiYBXD=8|9x^GyWdUw%LY~iY*LvGr7Q%8|li9=0{WZdej2A3L5 z?~%&j6boNk-}uaCbuW%d&NNjf750<8Z5gCX4ZO`UGxylf++!-gTU!74q|gxQMy5kZ z18tA$!GVTWXYC$Uko;LYepwhT(sARr3F;)uynY4xB;=m_L&IJQ^+nMv&oE>Y~4#WP2 z^KRow>>C2n{V%DHx?a_vxwOFl@(vh?G>eU`Nb#0<3E@9{9QU*~nec|m3oIU-v^y^` zad=RqE{eg{>=v1b%S=Jj@j7ic5~wU?{0ACvJ@K*#GId!pCL_I{BiUxM&gR3xy||$|YnW>3)pTcaomYVz4@huqSdgs%K);$hVN1^w>ewvnY+~ z`ysKQ9jDeNsRiAe4ej(0rmsT8@v?2VQxe6I}svPuUwKCBWt*8*$ z!<$cThlU0_b{W`R_#E~4u7jtY?o?;Og{tA_YpR~F5aZEO4&|B!%bxdF9bYWZj|5RC2?S7WJ&zckPo#IM@d7$;4%phcJ*JSfl)VJjJ=kZu68RKG3SGP0kN!0?u~`jeHF_m&Q*MEc}vfr|3TYx)1-IS&&7y~dG@V%tHtCLYT78@}^1Q0&szg5@_mujO$HT7m ztAY+ynlm+y)SEpxoH&Qof|D>#KGBekk&i$wF1uE7EY*6m(+-SIWl-X+K2CA@*dl4{ zR{Zr%(ZzN0drC7-Y5ndC{2S?{>fkw}lEk_lpW@4NYehv-cQyY~o}^X*TRL4;Qt{Z> zD;HN_y7u*U|5xo-_?b1XjyY-~7`VGG){}!4C)Sk4-;_r2!HRGz*VF<3Yf_^ss;cC- zl}q*64=Xi(wk8QyRN!kByo_Mu?BJ&e#kEQVdxV|{kC}?U7N)nvr8oiOjnAXQ#{T^5 zOCzKkevvO;8hMBM2W;Ijj(c=}{cAza2Tn8nT^e8QbQ@=lHdj5w9}a{S2t->h&jT;G zV^|;{9o8TC>w9IzFHvu}ju|t~CRCO!UnN}EJ+?8B*-ly=HDbGB=r?_wV0J$~T8 z6LzbTmMK57k(Wltr>aSUup3|y6~}F7jQt(VE}`; zn1BEN!cd_?yww#oF8dv7&-%lnmOm%fn9s+Sb~?hb3n^*3s8uz=Mo%6pxV6#8-@nX9N6CGO&9fjG zgG}w#V_snb)%$1caf;Yz1+}xZs17Od9)!RtB->bKY*G{B>}xDD@`_m7EMu0+bWRB6 zl`{<8VkwZ!QoM!56i5^zAxSFvRONi}f7(%M6&BsnU?q;!$9r&ux8A+h+?G39q|*~l zD)8c1mk?cxT%7X3tM7XhAsQ?1Fi3LLFNuz#BQ;F)5R4Sr(-yL{Sk(FnsZV`4ILHxq z)en^&Gj*}C3{|W)(PxvdX9tpE9j`7%Cr<)G2+zQT)I&#*)BYi`$!zjnW; zq3%9AnxW5F!uKM)JxQagsAf*yN%q z^SROyGUlCH*K@*=XdL-m?j-o9i_mjGxlcVR+4Lko=W~v4e%`)0ZmCwUrrP z2fVy+KX0BgRA2%(k2bX1`^U}01vhUV!+hYf5!HAvJ;9yf>@#khK2(sycXh6GaE$x+ zuwj{sMty)8p4O&SxWHB@n3{kjq>(uQX`62F9%{~}p1q(P5w)bkOYyPm{_s$l({k03 zix-YNTb^AOb99)my3~@;@gV=xG9jD#@ToX__FbFQi8Dv2LW2-)ylk|Z`Zsv}s5H|Q ztYw@K9wj)a00R}{w$NJSEmzVd|bQJEb!TRld?37T6JreJ5DzS`yK+d 
zd(p20cEYliX~p4(^`dXADAOmM)TROgJm1YpNr-&9qP?uZ*EWta${-C&cMT2FAT@MI3?U(c2uMgHT{0kzG$`FEA(B!O;sBBkBHbc` zfPi%UZeVY>KF{9Y^StkO{JuXp96aW}@9SRIy4G6fd9FpMhMEG-HS%j{XlOV}in5w$ zXy|&tk0kgq@INxx3sk^Amz*^fq|wUyD3^g>Ko(F{C>q+UD6AusE5PrV4vPBDXlS_Y zXFr$T+ZURlp`GR_$wIZ=jlLb9+7s)XoJJiMG!pspc2}xDaL7aMTvo=)lM1i?q=!w* zVe9A*f1)hdjpYh`%#>0*h~SzdS9}70qQUZmJx_x}!{*u*w)iU&nX(VUjSp7mw!Ur) zr;2|N_}IrIKJvl;kQ36o@7p)w_2s79QnrygupTtDC-0Nk&OdyAP8TtAy55Py$f!j~ zWvGHf$b^`agv#t<8h9v2_xQnsk_jVdV?8iu-wHyBPcg~gs1I~&!3|G{_>uAVK`|dx zz!)`{m3!&~13vIO>4XcL8JSu6Achb#BWd9Z)#!J?9oC4dHsfiNPC+;VOr%i8Ey6Z` zTQ~=BhsPP22?e0~BZy@oYb%)kMG`))%|}!Eo|5urWxAD>$p+5t_E>5q90As#@d2%C zhGjY>ca|F*3F90VB=#4G4w#12Rhs%`opJ9MRWnLR5waPG*4_5TDJm+mW+IFoxo#tz z$#-;m?01@>#Wc;)?wj*QDc$VV1X6Zx_jW(ys~sQBdms#}M|*^Ymdi5`oFcmQQ7hOK z1-sIc|0WyimB`e9lt2;gNKewvK+LCDepbQ8T9YG_kd~eaNb|xhp@ZJgjMIik#gTQP zC4qnW%DUg_q0HCz7N4O}P02=90fB@&Sv@fVjb+y+X*XKz9w4TZo*~p%I@zu6k_B}z zTYom)esU0)cSrT;?qfd%eZg)FU2$SXMTxj)4l@#i9@LBu-;a5}2^FU-7!i-L*=qWr zIwYM4qdD@!^0eH{Q-pIZJ=1ZDvb>+Xd(ZEiNOUxA5o6AdAwSA?YupGdR3G&w0HPX( zvuVHKC?qq&i_uGQSaKPk+cCt(S~;F@WTOHEEz zZZYgBPg$vd{W4TtlwPuwl)K0_uSXVrQLnjoxaY@<{* z@apO&;x#EUUuk^QqVpVsYzOy-gHqgsb}tH15p;dZ&JH-^UJ-w;;nCOlhFFN|RPhF( zhq8BB&@ri=X7K}%hu^QRgXU$6=!Dmw+wU-lJ$=-6R$MUXXyvL?Skw>~`Oy0KC6ZS>^M8QcgP z)rzwh_7ufNzE~MH#@L3i$ZVr*5ec`|)Se+G6(kbs6x|71eaJPrj8sls-BliwF8Jh5ggdk%HEhcqx_a=fmS3c(;XIfL=u9TdfL~mMWxYZL+u64IB-%eh2qFA|? 
From aa7c5cd31fcdd13ec8233040601061ef79796727 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 26 May 2016 09:46:02 -0700 Subject: [PATCH 112/169] feedback from TylerD --- education/windows/images/app1.jpg | Bin 34004 -> 43896 bytes .../windows/use-set-up-school-pcs-app.md | 6 +++--- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/education/windows/images/app1.jpg b/education/windows/images/app1.jpg index cb7f4991836d2d930995a9d56fcb27e41ff71c01..aef6c5c22e9f797d84883aef593082464a05b07f 100644 GIT binary patch literal 43896
zz&+S?*z`fnNCQfpLJV@$ODZ9%0^ZMxj0gs$Nnsk;E4#ft+dk-@JQ2 zzF+HddjZ~t^;4aQvIBW>lK$fDCh>*n&^`yOtMbxbq$bT~sVs$V9O~&i z{rXIJZN4vBvqvnhIBz!t;4jx~Ozj>c0je9f0Ljph(UGR=8^ebs_DuLTZg1QXCWiU$ z9f1Hy;|s7(Akuwx|A`7fOy$7N+^6+ajrIx6{5EbWEGWIdB$>qx~tfwOdQg64_FjF(dPsTDWOF;$TsB;NB9h z3EJ5ycH+3E`X1JJfcZ@3uZ=-3X8p8Rx%cY<$F)kS)9{fBM`97wwB)IqP0*-TZ+WoJTH zOgyul*EZaB(|LyDQ&SCzwmIQC4$O%S45ZxL3+h#gZfCmGqigwK z<14Od?6OqZn`4aTXmo3*!?;i+NTN}oy#FFVM|9fZ$os+H@INg73y*+*XY$Sn1+dyT zPp7jJlcnB_yfm{`6s48WN)0dHQ!CJ$^Uu)8jZ4kIy>W?WQHtIHFYCdZ{B8M!A46@) z_ScrJKL@DELLSsLW~gyUi~1pL#hkd@&BD%nJn5}@B1GG9tv5|)8Z6%EC5ABw`XWLB z6&r=%dfUoBh%kIUeLOO9?PdB3K9iE$=;a~~)>%ep?glF`bBC2e!NW?XA~p?rfeM`@ zG_&{GLZQ+Z(y?AF$T+vEp_ix6y5619GHJ6=A#`ssLkxcGR?Tqf!pe%%!J^Fgz=S^W zUT3XN>J=w}je!b2mS*)HM;i^)W`QCpIURXcJs2W;Eo|>{*Yf$3$#wVK?}r{u{E2#e z&V269OUw6lK&yW%nLEv=@FW~IIrer=Z_y<06%tsJzt#For3B4?l1}dK{h?0!GW>yjAYFM)m1<_Ao;GHPI#3Qk$_3!R!v&0>@Gi#zODH zr8%o47Q5-X^QWKaQ{U3}rg@m!;`_NWo3ol;AHX1j!Rh`N9c8u?J8W)sX_8g9TTbgI z@_aWd_0xbR3_%u@dn}I|mcJ>4Eltgag+NK1QAN3|poy?w54^_jUoVuZvlhY` zc0)xI?2Udb)zP-mby3?ww__zQC#S#gv7V{a&SmFSFS6#*VvKUm_7!)sF#oO2g+cdQi+q|E@x3fDW<9pQ%}U8<#ZWpl)hd?PsPBY)FF{~S8~UyQIHLvw$WS$-Y=AJEz0Z~y=R literal 34004 zcmeFZcUY6(mM|It>4HkHQMy#=ASEI{KtM#g)QCtIB0WGLic+Ks2uKi6dNCl$P?=F!Ze`~}UfF^+K(xpGozc=#B{?DKM`T3t;k)HI_RMda& z_`lbP-vQUCFC~#Nkze8ikX^e(e(e&m0{|q!dYOdLAEf@?E|HN_T&5&}L`z4yq53Kb zd~$L!60nykC`fmQkgfwLu3f%_}?`Zy|rLA*cSI@-M%-rI!rIo`oM<-_&S2rJDKmPz|V9@I~ z;SrHhZ=;iv->0OeeMm>-l#K>_FhbUGOwta?RsmcU2$B%Wq`medX5sIASoC3=4#s@*sK+q=QU#;0VrZ~G!~xN8F=s(Igm{4EzJCX=$!emX#y#Fj_g!UZCNp1AmcVE#tD;$|o03=~`k%K1Lszx$ zCh=c?;}Cc~JEKPWhd4E5L8`OkeCv%WmOnqfz;U z%bQl6{c&9>4%{{6tEq&a^xyivDIUBFSIK@}v7{qVLwWzkRTz6!*fO7#BrL|V1AX(6 zt!`a}Kcle4<oiE9^LYZVPr8@-f51W*e_5&?H@g^7Sm{6qjP zXo=z%5wJm*M+7Viz?ZD*bLIXEcQqFE103OPG@prpUu?QW!1wz^KwAP|3X^od`GYo0U!Rc;K;u>aQyj9;-kMUK-)37 zQZ>(h!Ab-?e(Ul|=vCsz2nR5y1J^B8nIQHy~1695a zx-3rebzY$Ctd5WDpnOM?&b7Dtx?=b58vne@RdJf22T1t049l$e%2ytE@OOcOv>lCw zeqwm|7y65L56#eX^~p4#6KhTvNO^MIl^pn@NTN~YUYIWXjptIYsuce1l$oTpYTMdY 
zgQ|bXYkBi$JNIyNRi1>Tx89SkTNix!JXVBj!wWA$F8lAsHm`B{#MntBS#N+=n-(dU z06HW){Ky|&vT4V|SZMk7s3yr!RQQ=e{~CSG7>5!EvK$*y+bwmrxwwF1swDz=%99|d z)mugIiQ@@ELQsM{{z}Bs$1>ksr0|}NPLg{bN5hJkfkO){7!06zq zOi3a!p$xTjvcQd6FMkb3KU~21C;SUc+y8(m(Ippe(F@<;1-*cG=q@LmGZYg6uYk7j z_T3g`_#l{)B$G2y*j*s{0um2CoM=U1g&_nLFyD~QdHH*i=v56}Bm$z6JAp?$CPV<4 zdIJ#C_?=HSJbNh zBOI_8E#OuQX{5WDi`N7`LuU9dKSLb#`8EOQf$1XzVHJr0id`b0+vR_S!u^#+lI5Sava#3xi&M-DFF7;BlXveiV&AG75dj)wAT---N>3C;bFaJa8p zkp?n5$Udh^m<3|4LvsnQOW=z-6X1V8qdNbA&J#bXjQ*9Tp#P!h|4{UQc=UfS2LFdg z|3~WnP5S>=rLNZhi9Sg-0$~(JLED6NB0#5E`;J+h|H4kojWPbchH#Rv@?+m@d%SH^ zo31DH{@KrMf;J0DK7sJJ!kLY1sZyDZv;hB|-3mi@mL)KjG4Y6`jEDBkEb<>uB;ZV~ z3h{3w;YYz^eoOB3is;-8lt7SW_XQq~=_3O4?6sK9*Af4nVE-BW@dN`*tAq%cy!W?> zx8M=&BAHG%cTEUwir{m#t-4Jctn~$ZkW>$EsuzI>0OLrO#_$ItEtX$_pS74DUHa3l zdCAd2r5M@HRD@8B`w8;iVW5^PtH{b<+JORzli~M=Skg12XiIeE6Ko^DFTAZm(c=6B z*YfSv3v=BNe)Dl9*4Di@>w@)*tZvauYS4*B(C5E0wxD|b_-VeeT)wE@K~2mcT1DpE zSNLrqz5egl?&&8M6S=tTT&|VOc0 z%%|5W7(FLYPNn4$pldhLB{0DunEuk7=(CEk>WqHJr(^OuXIdTT+l^Yav@^K(2X(Xs zcUKVy^Bxc1v&q$Gpj?_IeD}s1c0#zJ&ez@|CG|oF#8O=Q<<82TKAJSyW;Kch{5tcV z(P(KJDywGq@D!-1NKz{EWTA)H?3oZHGrm4=!m903?0| zlzrhrc47eVO!6bCMLl7gM*|5I3$e@V?0{2FP;_g@x zRBybKAHAclWGg7%UT@@nG8WS}mpM7<^>IC`8dV6@X;r7if-#02cM8K-#>;WaD;XhN znl-6wF1zN6Y-jOsiLvP$UnAPSI=TE}rG3ni<;vbA6KlO@Q&lnd6Q)w? 
z)aX~(hj^9ZEz7&u zB`;t~&RFyGUCB4yu)H#Nsgpo-Xc|VUqoF%|U&0~Hd_vCsJsQ_JWySOGhH#kl>oDPK zP3%ts)9C zPPC{n z{s>rrN`|*}bKESFSGM-@iuQo)!SQyQp-iDt@csD-{e4}+1F;tbz7)rM9zIIFU@YBx ztK%ly79Ea{w9@^-!n<+8Z(!FjF`e@?X!x6|W-0w&)o+m#Mya}MqtAT(=U*WVVyK0m zetNJQ_qf7Ir~>XJMYS0!hmov@colA*pGMsrwu3Ni)Sgn#&selv?`ScRX<%~<&-aZ9 zI*X5PT6g77Fr+&!WKBt~Nvo{QOg&$4te5Sv`U$VhmA@r4;&#%|JUqPbAztl&f6?q9dmN}_9)Izw(=NI-jhA=7(Z-Nsn= zr4UAw_^$KuwE_L$3;%DaYU-G&4g;?b^ID?u45mfB;R4k!7#(w=hl^CPFiT*>kq6zQ zit!_NuKQIZFK$#vKbCs%`LAz37F4u2R6ZOuIUstK-#6#Res*-(_B~E^Z&{ddD6zbv z7-8l*+O%)HSx{BTB3T*`(yTgon;VfdFjp>hGyJ}JmR2m&uj_XS)tkK3STo2<_N&zE zmNPm;0F7k%%8V4ljIFF<6UVdNQnc{d&=cc3c{SLdw6k=lDV}3q#%J)9nAev96tZjoA4AZmN_zmur z@#Vw{thmq3^%X>K^#u%X`}|ZFfJ#Cl7Ou(fGtAm(`6;|AnspsEV81Ek^30`AMD?ZK zdbU-k{4r%MS_Z<3Gscdrh`G0%9i;kMvVf5&PTnQVLJ++*1*7sfZI_}=`vUt6*rCRbz8kTY~-0!Y8BN|QGU4KNw^ zgsC_br|*FuSAXcmX!<+KoH<_)7m|{ClJL9LzG)ae(Xk6Mz(=gcL&&g-kDyKVmoxNV zNCo`dEtplDws!1IPy(1fp=edU7g(C=3i8v=X!IJIakU$SOT-7kl=VhZ^tMw)gYu=K zxofRTXXYQ`4X+OSPWd6t$9u071otG(OLWs(PKvIcKZ|!ClLt+9cZ^S;gdy&LO138i`DYaO^)bO zL#)w-8#JanO8`^&de^s^s#|e-YjU%pWWj9$!unZY)9u|~H1Xz7uEplFs@AL|hB+zq zR+SW)_@7$qO*9&aG4l0(os5-5+A-*7Nkh`Lv?UaNm(-+gLD||3BdjJmn*)#V4CBhH zVU&&aS%FE@<87C_HVYB=_@kxY(WzWY0`%PA$!5o0PiPC}Y8XZ0{LuS$?yOpfLH#ko zq@6v#2VF^;>>tRcgoK`pNc?hYFl2IPvJUM|JvATFA%!w%CgS$j#?=Q8a_RJgoolK= zNBx|8u4Gv4?$on)CcgBJWa{}|wKHko{;O`_ox9&=e|~M}aH8dyt25*1arn+5 zzq7!BlXXBJejl%NQ78N5mq5NXZCj;aCne#dHkwvWCimqauT4orsd3LAVHjeBBjvYu?^y2a36AUu)CMAjEqB*MI`wtKSSUZ41PB>b`;ar{Ax|l zy=(3I1ey)poK}n@khzA+jvVnwwFl*=HVeHfn%Qh|o3_ifmgry-_g48Z>yg5JYkJ}4 z_Z#c9%7_g8l<7^dzHO)cINoDxpvjq0FV;~KdT3>AWC2Mr=-hr*hVYy-ZaL=$y}|J- z#zG_)BM$W{-BoUtr&rT;RO_+|&Khz2xFY6j%3ZN&ZoYGV;nYli@&fIjwvx^6p4xy! 
z*lCc2uk)jDj`Vwmm*0HrAOdbt{q{3?-P(O)L|qiBX@EX$8w{Tg&-~UNSiTWpVQ~=g z)YH*GZ;RzA&G!zk9L%eO@qPB(sFUk+GY60(rE!Z}PeNQ@+ECIXB`h4h21U9L7I|5&Gu&Q0og2VmK|Bh?0>1xC%2S0)>d%-cFF zty*=~WCz1eY7lExeO{~Wa-9=>y0*+u?of&r*DI!Sf+|x{pa_sBIP#8DEqbs$lye+; z+^E78qf^~n?UF^ZTva|Z8NQMM+*6ePRxfD%+9t)vu}9e?ZuaRsQlfl4pr+M+Ha=lUM>WyUBJh@3Y%NwWpQ&Op~r$H!vtLmssQGFYA9PDZ>zeIei%H zZkGLZeO#)?NB+Q~er4&!QI^!?rhKqiUm{3h4tZFSfnog4S=hF~Zs%h4Q;hQSvuhcB zDNfO*iLCd3$7>1NDaH+ry?Win&QTYQr@=5*cw*N{xI&Fj1`xlKB8YDt z(wNJ&qme22PM77kXtTbuv6)xFCq8J2@)#W3a{3YK$|gYpGZtHenwsX>{xP%j;en^; z%`ipn`V>60!_1$)AZn)hA-a+3oa|HtZH2f&CWZK6|EPjD2yF2F8 z$00GXL;wSh%d>AutS?=B)%LD9mvBYg?h8*%@dsz#dHamtpX7S*l3^u$kTAZOZcflk zIpB4-EXlF*Csh@7jR(Fc#u@APSH9hnG}e6k z>1i!|#H1{Z{sMaMvFo8i-fF#LPHeqrl0|^O`QGujM)isT>+ukmVhRoUEU!4S2X;{3AWM)_P-=ltiBP`XE>p}?(Bp;&7o zz;Tmpd^)66=Bb86+XKw5jdxwxgO8Z*a^BJvvcIABJvIpb$P$2e|oS{GAcIt7N zr{fUq!)*#}5uv!xuaIrJCvkafPM5p-s|T=l5UCSYOr4pyAjUI7b`ZGHkWNT}-1at1 z^bq9nz>NplZ5x!Y{&Yy}%CMWaXjV3`I=ABPv$ovMt?8E=l+B428&iKSk`oR1&w53f z*D?>uyJZ9Y&AT<1UpQkw247IykOHEoB`f(3kpyNnw$%iEB_aS`PEdw#J|O+gwD!#!WlTlTzl>{1?I@Y8dYSD^_jFP`7XSJE?D|Tzhd=upBkDhMqV}5iu z>8E}=*ysNK_q!!1S3c+KZIJE!#HMG=Go%Nj^F?T>-GJ%x=9D0vx|!3o zyY>7*aBc9m&yYGBbg-=gE7irzf}xn6PsqcDtqq(HoOBJVoFSi82i9~7cnI8V?^e0e z+ZXZ3fAO8_@l4-`D)9v|&)Bc4LC;KF$`DX!n{g6keh!v|GgcCFC^TnY5@_zr8$W5@ zozb4F+TIAB&1P3;-$L>1go?R=(P{l(T96Rr0`{qx2;PVsJ42RzNmXndUQOb8X!@b!C##L5QSN;G_3K=s zvWLY;YdEJ{Y72D}dNn}B*Y@5yk6tibA~ZP4`0+}}Fjq%>fRq@F6SNy6qU9n^}oG#h^dJMw?Sq$Q{-E`h@*?C8)Q zUF9V++g5KlQ!Br?nZJE@>NNMvIv9!^*HzGtaJ5bUSXn7Wd)0Fpb`$Al$AgJTEOIH( zKu#`b_!I^{sl?|Cn8&zqr_Qqh{5CBYpEgL5_?yMA{0*X`Au@8kvT{@);i*lZJ;X=8 z_y^y8D^myhPqA&(lP)#sQ}$ zA#;0kGaj`*!=UF0z?n^O72jqSbGWaE$`Za$BKA?QQ2c_CdqiWCpAsOvF(B?CXl$nI z&LvZr84@OpO<8W-XWdG(lN;Levra{g!sHzaT2+k)cI=+jHoH#rh0lE`!*aaihOLsp z;^qoc^8B3w*;B>!Wtm2k0tLm77(F3rG#%~19Fs^;hrq099ll)*CF zZpBOufnSkL-|lH2KUJvlrY-?q4ZR6fpE(I7B?nNoVYUM*g`-AnGOR`=R%#TnRS2>$ zmPA~>0cO{D@8Pqj+KahAT}mu%nfJN!eRqd9E!8h1PYzlN;M=UXIuE_;ohE2M)1e-eY^XoH*MQR7hlIy_dgl3m2NK@HvKfME6})E 
zbE-P!;HawKF{by>peC!o*{&Z{pF4X4pI>Fmv;t|zn}L>YOjN-sTxDDWI8(6qj}6Q@ z!iTFG6~C3gPqVWzs)~E_>XQ9ONyax#7K;gtuIi#_t?|-jl|gE3U%PI@YNCI~Tj+{uRp(rctQmTYc$`eQ^XAnhv)uCO*V>vd z-W4g*Q`uQgnwTHnoZmU#4PH?U$8n$|@1twOP_>@&5{#XR&`iI6?P(QwjV`we+f{-1 zr>2euCAM$RdhFljc(`|gXpYOHzCpL{<7{dzf}+OCV0<+%Lf+5Ho_*7n!p-78^dwOw zu2HDSCbl$rMuRGEA@c?1_V!C#PDc)^8y zp{3eT(ROrWO)7rN2Hp}>mbIhRDy4nY;_5@(ChdIP6m$Y_Zqo=^{%&WrxeQ2NKQhyi zEaWPxNuKkao|wJ}oI#d3o2Zu?4}W~R&gLhkQXY($nVx9b+ElUY{sg63p3hzaPnQ~E zes?ynB5Vtz;k9#;&C9zO*{yM!*w*F!t5e-_ z3RyQMq^j@pf4C&zHRvPI`{fe<3x-Rr{K~ESHoGjSiiE0@W)Dcpo)_M;@as8h3Z*zO zj!R#F-NKgUZt`9oQw6SE0X-U1F5=%j$P0>ygGD)5mxi3_%yCHfa4p{1JxfV3 zu)vhPMsMq&f46V&3Ss=4zvx!(4B2j6b*=e@TY)2%x11o!{$wI&Uv;}#I))zOABq-M zz4-_!)py3auDjc85k@~2iL%&pc$aEbo#iwNAsTFzlWX;Po0rOYp=?WvZ(v5kk$&YI zTWML6Xna?U!rS12b`NLrfmg82Lfu)z)tdE~Yq#dF{(j-J)p#255{;oop407i!oF`4N138}MMNi6ZR9L32^VRt)G?N=I*k&G zpA(pY$2b=fdMfE4tk|~A2>Wkn^=5&ejMqvZ_s}LECp{hwN+WNUOe487mvMh#&6YCR zIvdiWnn1-+2}zIVdsY3C650~l!>))$?XAPMrzwI-HtLpo4Plq;0vq?^=J`=rn5xuC zoce^0%W|||*g{Q0~%|73hRKciF%y<3KnehsHCV=uK8<_;-)!EwkdmdjJxKw!alBw+pof^2$A z1XxPzd6%-VD9g?QM3^ys}y1PP_3``!6%cX?h&o&tu?(z%i zKX|U|NFlm&c1mBf{~jP)yV%UOG+(|{H_*HcWOKRGAx`j~cKPaNKB1eP+$Xfm8drnX zq@*~Y=4OzL-b$g|Eb?hQ9VP-&P~`pbGNM%_4Mwi`w0_6UeK1CaF%EQHyyfOL!sd=v z+(70M5pZSmg-e5}qOo|IHg!yWlG7vR9)WNAH)$2h(77t!PqAJFP+61eI+7+!v%^S5 z`f&vsTdQO$>cu>I`*J|TL{&10velekTlTw>e6NxIR)uNvd#>ocS{x+!ECrvh{M1hL zi)qHjUYet)Iie=D()^p+H^?-<2FAGy#pZVBn|taxFa{>6Dj}KU5Wj8O+xfh-=wZf? 
z5JIQgB1JRy3>hKtYIjF3D^ohawb!XIg^(0c);cl zly!br8n-0H4O7KRl>k|x+J~Lf2+=9SO}7JUUeoJ zvzJWP2v;x#h3Jb8>8)wC?kRcd&slSV2jdR}&`sB4Z}YFk>)5RDE3@C=>@^DS&UY5C zMSRIuR#7Ty4yg24cv!pXIm6W+rIy8cHUFWg*T=QY7Oo5_iXgrb(84i$^hXk%loN3!RPM|pYr zx}id`sC4^*mbT)4X_9Wwc1w)A*!B~WZ}asa>|b4x|L{u3d5Vj*DklXUQAe;88{bkZ zA^;Z~^yiB|QAnfVdNitylmVQ$=?vT-BLz^U{vJU6Z;wJ+O?0X1{4)w^#v?l3GKJwS zB?9c}vhlpfroLq`sec4ekN*)swa{22MS$;K{%`E8^807()rS9cAT2Reynotr)+ zgK)l-AtizfYjgxoQWIan6HtE=$?|WL$mr8gE0Xi_pFLL&;LPmQtbgK+k5j)HI*wSe zhJrMc+}W)?29NNW>3%x1w6HURK3$S1(Ok-= zz*_ue+CAu6pvfJp;~&!a;UdYvzZF&y{(ZL-<_KY8+0~24B87?t1}9#?b(EDBSmJew z0Dm@ca1t(IUD#+uvI>sHRX0=;0cGea`1w^9vO2%sj|oQLp@Py+Q|>j$E617nI})e4 zSuBZ$qqpUk7uZmX8Q{yIa+x8a8|NXmxfvjIDmLv@zQT!dLp6L#fES!+rd#jwS?F?Eh@{pCJp zQcV8Y7MH~F_k4(-r_77h$mq#q;ocCD2i(mo{L&0p&G?6lq8@xvL^sVzID z$uY}mpp)P0pEvu%5ovyvc11XgD6FQ!kCF@V-k9){;LdYh*MsJZoP1_lS-axHoBtXy z|MRNtG9Wq-lQR!ZFs~jtno&XOJZgHc32}F)Gmvl3ijMkJ$+U4vUM5Lz|LJEcghtXaZHMf*{!8etHJLLcGba*xR&iG`CC({=8M^!>{Ax^6!IY$Sh6mTF`fV=)uFR*eWrBZMbVyB&dBD9l|BvH>o z3?b1+{>i#2C)V!fT!ka+YOj*X`+V>{WXS_El4bJY#%Hh+ps7aLmXKGNXh(x z&5Xc);SU7{jS>5M>j=Cn_A+T*Yhhi{=j@VAuEE97L(@leU8|FuTk}Kw5PQPKyO7Hv z252JSB!uJ|#mGgr+g(9-g(a>4?MH5gzdaT&p;2E=249ZHa8Vf?EPYyEN0)c)qd^`$ zp$TVQe6$7jR&ua3lvE}nf$(7Py9%7r-NLnjhwX8?j!JGtO5_@Au^X%GrbNx&e6YD1 z1?IybLG?0RdrRSHxp012Er%^{Z}~$Os=MWER<(UvzycAM*T>ER_z#{(bNlAJsvvQ{mIyUQ>NukpO^Qe zqB&)FFa!l@>0WQrSuDKj_|C6L(2nj*>Sr3(4&^r(rP0r#P*`BIfr#r&IYy49{Qekm zYj@Ay#pzYIneP*h$3a)G+*4vXF-mgVz(u@x0sCf7O6f7X{-0&^SWaLuLdbv7W1{ zKhDFlD2tW3l70dAj$Ea26by=CAV+a=`;q7NHMJ2+61%^&n2m}|-!eZDA%97#BHIOL zconkh)6bJr;!iQ^6B|tnp;?V^O{m6_hib2wO8-ib;^~c(46rK^;HQ>mUOnV)*rv`n zqDsEhs0P#;**QWA8z%JDR8>W3(Tk{v#$R?TT8;~QPj9gjZ_wC0xUJ{ALS3X`DUmdE zBbOs5nwI`)v{)u)Ax;1t`L2&!f;)O=m*0b$je8wKN)gZLgo1Z7FD^r6Pky4?C6S&D z;I})=w+gn$dtzctM)~6@Dx8(IHy94@B`7=xFPgi&a11G$*iqE%V|Z(G`>sB(%}hY84B+-Z#Oe5((TfBil-kG zYg=P?wU@3M-R#pw5WZZw(nE zGL@IqXDRn_2AG65@=}rW5~EcTZUY7&^P#}sO!5Qmx4?t zUs6q$Ws{phwqGWuQ}bV>*3=Bq_o$Y&8d23hrCOOTAVvNhM+$HCXp8PP3XWw8e=mP! 
zCxp*!5qb`fc8ouMcRJT?Y zq2|z~Xmoj0zV8iwh1-Xl7Cxqx)xP%pN@o;%+6e&v_6RjOxI}L*nR=QfF-~S!<|Zn; z)-z3^2K#VumuFy2wU+mUA7HW6WZ9V_eauUW;%oU|*g^WfomF1wv=ISxU(bYiIU?*? z#7$F<$4pRK_`QS8Z-@ROoy->P*;SW$Tu6qNv=;NF>}5j+SAx{9y{cy8-U;IoNUn>g zhi8tZeI|9Qx%uMj4fg{SfmVwIdw$xYLH>Sx3%7>a!t1A$w)%RKBQ`F%O^L~=!Cngj z-<%s(%eM%vMmBeoyEgg6x)w{t=p!h+sgKIt1qQv89pSDT7tIbs<%c_i2`jubeRVOE zXzY(^_a%hg5qPT+nO##7*;73sMACrS}MBW$-5h8zQL8L zE>wBXWqLLv?E12kH2UEhj_GmS{+vn(M%_@xl28`{c2% ztiY^yY`g9@iM_}P5!0IeHCQU?E%YH)=5A0)80TH@`!*1~)~_lt5dFr zd-VML^iAg5IkA_`9+ACNp{?ZBFqQnp{6c!tG~+T{ZQXKBSf+f}z4?w#&Jo@cztoCj zOM9_*#r~_;X?CYV^Cn1f$lqGZR)^uek=ZdF*0)i2&(kS-dU}pjl_&NlUce~TN%-X_ zGF??#%wU=L(`d9kY1>2#pV5t*fWK*ikB&H#bW_Jf2xtqAOSq_Ej9S`&S9%cvh+T9Vsa7uoL{J8+kqSFB2~q@-jama~(~g)}$!?tib8g%} zbg>v*&JdXGa75;L5CL0x-+?<{&37~|%9xgWKX4|tKh4}|Ap)HH0|UTvp<>Gk;Z?GT z>p#6GMV52QhKEe`a|x%;6V5~BeZPFP6ljLm1e28cQxuY2;fE?6_6CA=Rb2u&8yTH4m-|&$EO!s_XHHVSzMc*{{DImVezCW zcea8YQ&PXyLaJ8`Q^oNnEZ6QL^X6^u300syK2EQcGQRI^d>W~~tgD#-#g|6Pc6|}L zULXW^R3w1k?!H(vRGpChoTeF+q=!#Ah70l7A1GAKJ`lM%He4Qavk6WbaL!_uN>Gt8tL7BbxDn!4( z4wDA|WeIyYM3`drtCMc>dw)K0kd4XG%3d*y<9YZSesxQn@w77FRzDzg9(IE?yB`SM zaIzL)Z8%OIBP6EAs_U5kIql(?)6-!9aLq;b2l=LHC@;KKkK`)>Ujb=6abkapkuX-9 z!+NK;=o|ctWjVNSIMgo={$;0DimqjL$nJUxD&C)zJvql}TtIMYb%x=gN+U2!uf<8^ z7r(~Gi&^8_58i*KThqKF@al1Hct|6c!;_EPuox204&c*rhg3CkaF2(PsY=HI20+_` zi7!ixQ|pkDo3Y9GACW=WL&6p6^^;|M0ceLR7rxOWc2aoq3o8NaCIY4cx>{IWU^7Tf zgCzYM%3^+351;T8ruhgI@yEO9Jx6f{`-ja(&Dpu6ZOH5rb=eLEo``@%i`MEuYXq-J ze93%ckU}W+(1QpwgkWOm&db|4*JC^%JZt}MPPE8X-jq`i?waf(Wl9-Lf2>6i8ttLZ z1*T8(=zAZasdokYJSekr5vHcL#1SVnq-b`8Q6V(e0-mP zJeqqrWA@6ix-M*sd-ss<-TnHbAIr#z-;6lUQV4Gv`t?eDwkIc-7?^EZ?lz^mjaC&l zhK1w%0HxPB%A)kFmgh|>+clFbiUBlAjUKrb_{~?HIxG=|Z^OQQG)*}jv*~Zac&6vi zRw-J=XG3IOKJcE+xjp!hrk|u5Y1T-j(TF42mSiNSi4!M)9lTJ-DPqq^1e3#m&cl8f zA0PjUoe%aZwRx;xtn0yPY5igOT4}LZ79|6-`JW97@6aC5k;)`|i7t>NiA%R$z}TY7 zBMaY}d_y!;iRvS3V>w$g2j6#LYPcBR7Dv1YcwKqA*W8jm zQsG=85fCSWS$j)@DU$>fIsYG+fY^)+ve15Y4m4`INxFD5RCG*r)$nW2QgEi49Y=jMKfQ< z4?0z4$jtB0%G7#NFOHUZfl0u&)|b5ko` 
zLjI@GCsjV+hf8PKy(s_1ES|2#7a*%*rQQ@X4uNvt=|l7Bo|zwn2bgy0?@sc$qH@1E zM+KIIc3rgz56|`8kDl)oGOTJKp0ZCr(YdO;yhfh=aE%?t?YY&`svw_|Gsoo)vCw?#B zuCXodgo5y2JaPJdbh?m559z(9Pu0yD>V95ZpVfBe|MfEH6}aprYz#XXRi9fN9ZxGY z7uI+TUq#8DZ+~at3a76r@G=TMwvL76@(|AK2vPn6u4A|c!UC|Gt&QL`GS_Q2@}Q{2{KnN93^%Xy#0%*gESBLG=b27xneIUCO+^>zVk?gqpKp_DPyNT4N|<|2pKO(NhaWjzs)$MlG5nQF)Sf_DR6MfIxb zO73PT9omo3T(VJN!y)A%k#iXRoo6a9(JSeaYL-FBHBx%iqY2bT22P4p?wYC4Bz$5t z{A5C%7Roxlc0OScVQ_s$kqvO>8ubdWGLawj6>FPA;#2;@NcetQ`DWA;0rZhA(3z!& zXVXVz%H2;8^%>V~avS{kOKGsKyt0QyqSd*W9I4=E1GLo3d5ULB2w%W56-=;UY6&!% zkP9^zbE|~61RzeWwt7@DwC7TFeAi}d2FIBx#j9#V;pkD)2?4gb@L!ut3m3mP3?uHy zz<+Ko?e}aySEuwU%C{YPAC#|EK=6FH;1$o$!(rkUU6eo6(35{)WN|UHnvEWuC-K;4 z;WjW>fIl9W!d?dBYNiGWp7D~O-@B#r(n_)U8C5e;u3#5H3PgxrfD;ly1P=TJWMB^w3 zYpVR+*;fg-aEACoKf_Bn&}b8AF#}G%dGF->)L3im>DV|%&uX_ODlbtE!dxhbZA&U+ zzcduuy};}@7!RU9g_iW&PpDFr8Z2G({ivocv#@BcGAEr(GacPx)s*q!7T}!*J4*@% za$=93=!5{LusQP}Zm5(U>*>|4JCWhb9+DRphYoRUyG&i0KPt}L?$u~~-?WX~IYjrh zqb{j(f6YKlCD9)%E-A+zT@6uZK6!+aay+o&k5Vqi+tCQ5fsM zeroTuy9$(^74ea_irPZli2zkUIF8ML2WwOLhRnrnsYE@V>-jlBJl7Nk7H8U~)Yi=azZ?T8f}1Rk@^kXR zfgea%Hve)T{~LurXTC%#BC2h}V1-w7V&xvgM>p@x?S6#8>3tf?H!l0g&k{y0vZsMn z-5p}DYft9|N7)wxE*_+`TO9K;82ox2JQaGM2#`B;(Pp3i72j)&n5?uNI>*N}Y%H650DY{JPZHhFoFaltiUx+YmLHJ^Ou;oHxa+CSqJ zzS37v+A%)TV7bVqH|iL?)zH009S=*J!opP(kP4QnMd@GrtFGVW5UMzWaB6;WleW&!LelAeR2`4wq$dj$jvpK0 z^iC~WOSxZ=?7UHnEQx!X@a6M z7P+!;!Bw4&mqL*I(pQQUc5aVOp6TE;_|GRemg_m;Z`BnNTaL2C#wPIwM_mmIubyQ3 zV^0pK2yevB3;DsA1d{o>Jqr?mb7M&-Fszj04oESJ1OsxCE9;XT9nRzO>6cvSXLu_a zOy(<$6Z;D3f&abMd?f-t6)`112%v1a07*562EkjIn;iT;5q`D^*HpWVp_arEI<`kpc5&YddqmL3&1S&gVg|c` zScQZ|!|v?Zc~MN~X$;}ED`#X(wRPOny}^g$&$aSo2i9~|Kg)kix-9u~()qdP_wN7( z3&PC@_-xV^$0wK%X|a!!W~ul5qMg9{@Xx3ce@4yyw;#$g)p7Y3BB9;tboh7zH5B|^ zou#^=VMJA!PRl*Gvx&xT|z%L+g~++AgW4!DmK0ZUFK(D@7_;b=-jOt}I+l5lGqbvcv^2EwpK z?6Vn;i&u#lb4)XT5P^~@_AVCpCXaf7wTXcC0d)ljf(|ttZQ@DAU_AzJQaY!2+GWa`a>~;*3rA4VoOW?+54v7T|fxwPz7KiYc$*uDov9$&#@%6a= zXVA(nFKo^@d-7jHM<|KYw92Sl5PNHnsyV9b|0wP|pqkpcby1YwEFd671q7uDh;*VN zARh`z}V=P}_ 
z?n)Fgv+b!>LZJ2*8>&%JEz@ox*JPBS_E$*{_VGW0VWJNNis#-ukE(YfVH@G%K7@QD zaP@=H+yl5o9cTpzu_C~!zPOFB)~z=N!u)GTXZn?ym(m&j8HP9qPt2QvyB=$PK&M~n zOID1b>9rV-e(|0UuOFxRN{_!eyN=`;`o7Tf;VB;xaOi$fpO@vo0RAo+@HxR~j8`X7 zHP7*u;G*WhjA~a$hRT0PQt1KVve!B>IJ76|wj+AoAUCLOhRtAB3UdwRa>i6`VWrFM zdBs`3z~mQJ@8a-v!NA@m*n$?KEAjO-J~LGae_TL_D+R1`nNWik>4#3LcKO+&YW^@n zLJj`Rkb!2d#(p4;%qh2rI^q-OE~c~1+D0cY8ah3<=HU7~&)rt>Jm8@ah9|tK=Zn?l z+R+_XQi$IqeV$Fssz3Sz!_r%mQ%zPK)&UDIu-&a;5&Yj1@;5Zo8M2e z-um=|DKb$4A26u;7y&ByANT#PrT14YYJa(v`(G9GovJh!OveD^&z3k-{2Jj5P}}GO zlAfYC^5Yh?EvDjqRk-I_B~Odp8Xrlbfw51ARc%Z%^~u85kA9N*k<3B%7OzP+uprF2 zxgIHfY*n}rJY(xLzTC-D@Fd)who|uL<;3@|Svi>QoIkNx?oDvi1vGN}NiSuWNVGYC zfoi9Cdi3Q_vbPL?E&uuuiAyHKCy?lkfpF#kF$)Y}BEU2sw5U8V&PIgU^X<(?F=t0R zxyn`Di=kNLU;aEgCq-cI!opi>T`<&mC7;fnJHtf*VtGa@$&YiOo(@ov1$TI=YL!85Zr zNrKFpjP&!s3Jm(X?Y=&eW&$y2ANJFY&fZa1-tkgha0!>cBO1Af$LKpvd*!?HO>C^y zs*1R8COo!3|HO5$LKv*68yT%fKt}|6GNy>CGJBMr0c!RfT6$e1pF?`mxIelDkRzj`F zXmtP=)qLP$3!Yya{UQiGi0Z@gdYY9c;o=G!`G7Ls0K3i@&@c#fXMg~c3K>cY1Ac2&dM zH9I@}74+p@p7G+@c{2C*!G=J~z(B54d)|Tgk~SG>qGH9I6^R;;Z2&Bp2#atADi8pj z0)AiJW+eEuyxdlLb5gQqxG-EqsK~}B!^Hm(!)AC*8xoNi-ngvBjEi}YkT0bJt@Eoq zaN6iym-WbaM3X9MU9R>#emQ_=D}hAqh-M52amxqJIg!s%6rxPPoNJmejU3SsVYqT# zDX-7j4iS?#oM8iBz^DO|VlN?u1=t7P2*({uD3yf~&TXQ=MDl<;fM<0z0|0FD0HL42 zWB2c~OE?IdH3Y)#`RPeaw#7(3i1BR`w9Xn({b+Kft5DC=QR_|Cf%CP>fIDz-!p}ORL7n8MGe8d>4e{mx{1?rx(=Eb*YPqB8b!EL@$8>vB{0q>=o~lB z0~uHLlZ>CT5WtzNfM(lqW7Xi?jEB`4z&b!>!VPFD*@Bx9hzr1!|5tr+IPV!CqI5)o z16C;-4W*xCaoVKPXUN?%AOdyRQPq3k=9?hw`6s}>DFd?QBgP@9r+iqzOjACY+dHO+ zQR|`HFD5+lkcY)<3xzjWpJ-C1?6Sf?i&o?jK+d99C-rZgx*lDY_SGO^IsHp|vkQZx zmtRQnr()Vd0DM17x{Q3M1f|f?>sF$B)p&}16(Jhbi@1PW-={~bo8UtSy@~1T$1oa{s@c^?^e%J^hU*mrb1HS6$Q|`KwO1u$xP6; zNwHWN!g22sxKR;tAt7#kh6#*P%L8w%6224jM9VKC_@>~4_=wfuggnfXZd1bT-~MNBu*URG}oJGH(4U;^CC9gJHbroQ?%9wSgNycq9g zI<9ChM~Dx~J*|A+U|n@lo?&b; zm?DSIS;VJfH8rF2u?G7E*uCMQE`~%{QoqYs?8z+LnG%K9-B);z$Sq(Y0ae#$d>_#V zoooMbLFuNapPm~0F_eHjhj;u+Sd{+G9?MSJqkbUlE7hHjCM^QHXMh@>$>3cO(1Pu! 
zV0O^D>Ii5z(s-}NR3+r&>w?#6{A4uS+!sj$T+Ac1#^boc=FA}uIk3GFev{z8f%gWa z%eY?y;TmAQp$@o&ML@vC>h$}mIVKa6s{7OvRt03umv8uTDtpXer;xP3DsA}*F!4vZ z3Cckw;HDqgI3nHjMPQV@;U+xh##YMn{3KJ70un{AmXtuYhy_$@OX?={!A&TY@iji^ zGK|o^BppZRRy%B?ubVnQ;a6M?7;mvDyY2utWLjXuYOas`5*5XK4;{N#q@(~i{1p;6PAK(EfUmUwO*(hYR zpILW&abc0qt>N1gx2lFeC%A4<39Ay6g(eO!AAm^rL1^X$P%o$fyv@Hb4Z%AG$ZS#M zx>#8iYr6XSUJ9iOO@ATZZWY3I?Nz*ATA~$iLPEmi(dd*#6{J1&q9%^sHOsEH5|U@( z6N?g>G&WV0P$pBfj`m83#^^2K7ZJ>GB&ukKEg7X)5vAs6Hzw&(HHFCCv502#q7?42 zggnVw=(^a6v0EtZ7fAvi6Ze+mz5!d%AGu(^ziG{{ux^O}i>BqpKiC|FX;)dd9>I@) zfc_+VH=X|~vYDPBaP%KlRBHZBVC138?-4%r>?KGCG@A@6p9FITQ7L_1H8@ePJzJew zQq3?HzcEDr#nin+`XbQ#z9*!o1(z{n@Ky`JZD8B$9Rth(=TB%jWA|CSW`O)7%|u_? z7ufr9&{%~#&2&su#23U=fMyL4Wd^zFG4;x*!!N8ee~2%Vz?G^YjI= zwWY`iv0O&y!KXB42%-hMfr@i@-Nv6}OxJ8#sTMxefXfH;M=`C>N0W^u7lMj5DIZ+R z$p1QT(9B(a%)~swmY+E!a!DiKRaRh`B^n zQ=6W&vMrB)HNi0Fkha2}wuk`c+3O_I6n5FzIRiV|=p7}J?E!N_(?6JgBm|Y0%z6%5 zfV%NsiV0r8w_tE&bX*^H+Z~AhFLBO#2K%v>jVd?2Mku)cYKbaGOOhM-XA>sA1uZ`%{4SEW=Qad?hTpA8FWa8ihs>+ zQ?POdPl?ElM)dg^h{#cDGT$}yL((OFT(usnC!@c`;8n-{suc~?g^t^C8CT*eu^<3wnrzLnz&oDuIjm=YYH&8!AnGOBY z-CS+&mt@Z|0a2qzI?XW#x3)FdJX2QHTn9gki(l)g2%E2}x~td^7GpDfs(bKZZ#8M# zT2j5Ite-l@%0Ab*o4)yFSMpE=YF9k5AB@{74jSM-53koQ{$f-t##vDyV^@xMO?}(G zF0Q6v6v3ZhYT-wEg$jtU`5^hof}aaFg3uW}8-e2Qi;)lnV z0>Nm+2g34kvM1vl&I>-`@`HRoC2s#c?!vQC2+gzrc3d^rVcBHqeMpOe^jgGYHGcdm z8hO=!)Eh4y)aN(4-n*sK)p8`dS&y8uFp@}&(yHWjiD-}*HlcJRyFDAc!}0iSQ7?4| zcdTqH$^MAs1-g&zib=l7l=K1bzr^|4pk3&v zg@PK-7<3(HP8w@zn;h5ywJWwOjgQc^LTw z)XXFc?Dx*zAJMb1p(~;(eb-FhNKxNQVl6|lfwmvX^K|qQe1!cxnLqaV#u3D9n?OhW zTmbU>^@Qr*O6IA`WdG|MQXXBC(xUtbZe}?~xHDZ*+ypXa&h~XjY|zNG+B2O0><`Nj z^$y-7hkW)|@!e`)$=uYI1&1I)6Sq6$$pmM?xNBg{90k%P5Zl{m&?TAgBG|&7U00=r>&%m>rB(vVcIR@cI?7oGNm+)G-)rihA1mfM# zElL_vl*J-jxMPefW?t_qNZrQ5%4juYX{F^8t7F9JHe@&6MM;$=a+U`CBs)(dcqDo{ zI5#wdPJ!93l^0>L2u?pl*oSwQREYh^^&N6TrfVvfZUe)kHty!}==kfW25lL~3=kBU zYL6AW^m>i!(17p9e2lwT(jG73_xFw|d4ICy_mIEI@_%FGohLi@3Q)A#jN`gWObu}7 z4wo0qyC_#-A>v~e(B;2emT_p9WP87nKJ-yJr)+iOhTM^33umVVx) 
znPq%HsFTKSYnMKe@n)I98uW%p@NWv$+fcU$DqdZ}CL_eF zs1|ppQYnZ+qqDuESj6=g#aB4`+mwADY=I+HhuN}v0uq5fZhT7OFr3&Z0lfZbNor(u zU!yZ1NNVk}V6M6)MWW?H_c*hC#sYG$E{xE5;htSso+*DdH?Jk4pn1(0(cMdf48&!Q7+XCk-dH%J#9gWB z{)0jDiR0|d#5od8HYloSqh1Qzu(69#v=K9N9B5xKGrcwoD@}W<18f;&1njx|LsfKo z8lrfNu}XWX6aNrd_mZo>?Z&$}8*S5XD;62n@|0msY6fi}d&z<6RWQ7F z14J?B!Xb8;D)VIfL+$yrSc8N42K{%3W{06};C9$~ZGgfbToritFQ&vP(2d3w3oB9^ zVCCug_lD_vA=q$lN0Si|G)1?PThtfL4L`He-dMZ&dFE_@luHo~tXDEpUYPM= z1IBk&WxBog%LeQ{yX(Pbq9yfkoDtIJbA9{43Rgj!P~vAgp#=qy;-{sSIKq z*IfJftH6jcyJSIaI?9*!CTw%(WuV~TSL{`LGt&O`wIe7^p}KwZ&$DliLqi2kyyqU zv0HsxxolLsxKd!fG}Op|^VL(z>_GZiBuLOub~x>!X$_Hc#D0Gr0540B^<#NTfj+gpp_tvDtk| zWn1rU`&Rnh4>gR&4+t!BsD)^@!2mfl@xh~4*0HoeU!>>7HWh2N^4V-Z;%?fc(}4NJJud0@CKQ%JmH^@AO7YH$Fa zemZh1H#{?GrU}8-A0Wo@@gy4cNvl?SwT7Arq~~x5MuS>GX9J#WG45AIdiJQB4~c~& zZ#*Swkyb^gl=rnx2XYw!6Q@w8P3^8i5`3@}-`ndG*WR5=OG%f*P>!$YI(>le9q1(X z=Kdsm4#!=mKWJ4~@1+Y+z(0#ZO}w#lkyJD2L=0(RyI8+lhQ|V-3RW&JH^y(5o>)}~ zGan%g-lIy7uE(<9GP5vPoY6fDj*y0m^}4#SeHdDVD3?F2Q}(b(*8*H$Kh@s97weHEU;SqkLE=CJ=x7p>_8avJ9Pe+HcbGxPk$w%HyXsDY{;p zF7+E-FTS*(S5T|!iE7zFqh58x_A|O2Vn+k$kCa_!W5dXvrkg-x?>8Rczy6~ZC^Qr`_9Vt-U+(Gwe*ZlMQX{3OHzzNzDDf?`S&C(?6 zAdia8nJ@5gOKckyEf}L~S}_nH=W65X2bA-%X!i5V;U0r{l&YyWsVcR z!YUaKkjm*N?djx6v;dS}>Q%{D0+4wHeqF6*n15a6_P18QgAn9%I4w@|K?MLzqbO@fZU$b};1hCk*|eOJ*MC%Oyr>*? 
z_JX24Q=;A5S|)MWqHlGP{?$}(EQ7{rAOdxJAuX0u4zctBTigYi6;d1{D=sxnXS)0%ggx zCNZl{W413MN}^b4zTjJJTt1{V0NZTiopL9u7Km|iHcBuGrm|+_51>!f!sB+BkhW|g z{n-zVr_Ua0$(ELW2)=eoL}t}WY%AV1!_#IzaWi{#v2y+Uk<24?f$<#i@7osS6^ZNk zH7I`gC|%^^W6f!EUyi-coz?iR-ba3;2m&QBUtVzbBK*RHgE@0`5;wa8=0%yQc~su+ zgtwd34l}eHPR@x|K9RC?Q7m-#B77pOvCrk&o9xPUV2@eIUQG9;xs~RO!OZP^HiEv>_erLtX)iE)C=LrP@UzA6 zXOFKT&xk^?#P6{IP63dlum{Oh)17=07fJ*BP_V@vt&WB8?Y?4)8yBE!hFSBeoR!|j zYc5?DUs1l!rgPM)%(cVP3f#gN1md8!a(e0QVHa^>*1h*Zvg5Vc!HjyJXX@%*hp_(hWy_Bv#u@(z8Y+3tRm8a_q)7y6J>M`P-GnMZp_8yc#UcV)5g%XHN!m zt|MDhC%3!Bh&N^q#ewC#FIF|aZicJY zJ!sqvSL94@!raQ3v){NHiI$mT8M!ll>kX9`Sq_WpxUT&b-I$CQ)2e-=*te&_98kXJyhZL+L+jXOi^ zCHFIYNTw{<;+3n;)#RhWhmYYLxC=%&TQtQ$fKv9fU2T>FCq`s$dr?`Y@wzW3qs4=c zyP3+*v^tAe^EZPn?i-TEk7@jGD)A-_SmB>aK_OgV7#<2 zMNsg}C}sA;%J_<4v+#Mx`->*tDVN2HqS+E@J?I{Dyh?eSwM)_9j)r4Y8Cxxa2Yj4& zlr1n6k^KWWWfyLUC+F~d!bAD$;joYNE!s~wPEf6r74PU1>jgn0FT-m{t@gdmDOu@T<3z4PUvwyP>*d=ERy-=;t;-U#t@Q{ij6DwOepxx5! zZE?Pwo6{#)X^SfZ?az6OQ&d~q(}^!}K=rv(cfX(t7aNBqLgnN&wkfsm<8atB>X|V? 
zBhQijIy2cR3#_+9tWmu5c9HsGoqQvFB%c!R#=(M=NB^E8s{I$E^iWT+g zze`K5gXoZUQyVCUP}YkZH~BL4r2P z5&msw)ux&i6<98IZK$fT6MsNLUL_PqQW^{P$unjC5z0Tg6h=@8ME5vMXbh}xNYdZk zBGmZErq^TD<|=I4T{$Az%#0q%^ujy=syB(J6(E&g2n*0wD5~mPhJfw;eNt4m zV~VQj?vQVK!!58gn0yowbibl}NS>RoY30aoWd!b=RH8v=F*f2gkg2h-8C}2MBlgx= z`u*!-w)cmB?5R4yp6cT7Se*WD)21fK!aVL4|C#k%f1}p&k>r&s-6fC=xW2)46q)U4 zZ%#EL*~VNGU}``>UHqHOhS^Xz`?B;q( znj{aKl}zHE13fQHWCNcEE7w7)#GOEtCp;XwT2alV(OMrv_by&MHmgvSv+dz=CQb_f%nn3L;;5Jj#+CAIsg`kd)D^W`uBgxoj-a0>$-TXl-Rse-^gm`nxo?=bnwXbVQF;CaI{r) zxszZO%lf7rENRVP8K2|BlACR6*XvxRee>!n)kemo>gJWVHXQzER6b^#u4zw6774$o z)W>+rJmkL4cS$1s$$i4wba~u_u5#t;HVu=n#xCKKw5&IAT~k75+CAo;u0B&Xj752J zI7GemVsU@{NKnyYyy{Lh@v}?4r6)>yvq;1vuY94xPB`P;6o06u%vXIKyw$bph44mx z4ti*Gn_R9^_JMK3O?+KSLZ@368WpV}oB+qUo!mUtj9+M`ofB{E~$$7h=UG00p~ zL2&ZIe(`_^NoJW#9Dyy8(#WxgR9>KZ`pRfN$+5DsM)|RxsLOe5=KRT^?>D+a1OZlb zv$Kz6xqvVjWl=Aso*(2t&KoTu*c0<$LBat-<=6>(@3^ZFu9PH$(NKzH3CfAn&GF$3winKv{fwdD zO84fHF{_qM%%vTT6Wl}Y0jEA~OFUFO8{=%s`N(HXZhR!rfN%rgb`JeJW9+wbbn=|^@fnn2maP{4EmR*5yeOSEYfz zyZht$idr)kAPhEilp=b@GGALSJ2+QZXrf_y{7^yG#LM3n!-%!|Izt=8VK0^Jw7b0q zdAH(i@8J2Nm=9T5Q|_DVPSe6Zrv2tJ=f~iPM<>Qz*UYci;^emYjYnXjo|}xz$&d02 z8{S)3WznLRk~|lMq{V4YSXxv>1TWabKp~){z%|ujpx%6~ zr_g@>Cs`p^EM@q)mIrC)Xc>&MYAg=);KiQ+k`hC0TE=Yen{*oaJ6j2@`%&sgS#-pufk9# z3fg>OZN6lFMXRu#NuiQpcG*ltTGvM0=KeD?LA1@rr>r$EN7RG`LTFR}Ga^xzybr-{yT$q|820+R|ezsBWJPahjRl%vBmO6w+r;u@yQkW9~n_ zfvHT|e;{XJ_=lRG(ucXnzJ`a+ zG~&7O1zBY|6rROF)C4NPW^L|r;g~jBIb&fs)=2?%ala*kE=%Z9jWL$sEMbp!zwwNw zX=d?K>JY&Uf69C%O=ycR_EV94Y|=q|b7rGwVC71t*^?F5hHp&k-KB+B)@{1BZ)+*P zAjuNr1GKSgsE=DJa8DH8B=Ft+O5wcI$R{MjfO}tUGUK(+M=~sU1W-H{Hr9pRErOJ_ zN>6tPOO+D9Js*ae=57qlRCZ;Em~?a*WV-k(B#w6QdYPZbE;WG}gZdDcD(Z(=G*20i z+dIE=kgD{iz)WZl1`SiCaf=!0U#$t4s7|ncp1rk59yc2oilpD`aRETd;w80yQ1B+MBsUFkAeMwL!sX=Bj>p1wK{6sHS%0X(~@e)cSMC zosrA)MF`KPla23LCF)LmLn$iY+?#{W;;IVlNoNp&>djx;?fJ4c-I=?b;|JKDDe>Ne zvM&1a9IBCbwW*y-yBoROJiGKrtrHrrRw(D_?N6wbb{)%R$G*3`d&A9s%Hm#PQGMEG zH-Il~$iMh=Vfk-lRRTt!vveLef!3ukXSU-1;5 zse0eZu2~ksN)k=BgR>U{OV9gZU%}m# 
zCIlyerUs%l%Cp5hlI`npRGG_HkydD9>nIepUvs%Eg3LGb;=q)4w=$>oq1xohMI5{d zU`N*TZAqYnWa&r3^6W-}ME$``Gp4I0Q-L`ho&sa+i&svDBRYSG16vC7&5>3YB+4Hbso3lZ@+b*5iFy8WoSKj!E*^YbLjPByX-mIa6emGpkhK94)Gq|I|kD? zv0{)PzT01_i=vb}_*&hCH6=7($I|>}at$fHc@EtT$2xO33 z9O)j%AsPQe98yrTkt8*u$mLkFn#=&pTdsY7{Tt+#0sW~ALraL;+XwH4ID(DdpGp4M zsOHvT#;#K+>#iGY57RZi`Mq>>ZZozB0}TbS`D9qdX^}=~iTM(Y6^Cgq>0R#pA9n!8 z#9{5u<2hU}8b@%Hin!2fe#L^x^q$lF5Jc;}nf$%e+ufha%Ivf*eE#~CmAMBUtq%e? zQBfPJy4@vCysKTRo`wB~4j$eB*|XlLu$On#{OTxwvJ=8O&S$-+a(PShx^x`xV9%V^f{JO4Ud%JRS2Ofn7fWP8vx zg5#JFK`K`vMaTnx@}Yy;t!4MG`^A34iE^eJjkDR|PRir$vFK=5^B%xt`~C?y&JqIx z1e6kf9WZRG0gzd}fC$dZ4ia;Q~Rr+ z{rleB9iBE<6~QrzSJ??a$u1FrkjIHZg2D!1`n! z=kg8w!<}Svz$FnY(CRPsw+Dm%^)YmgcKw6y{I2_wyAqwh0Z_Z--)ct(iP%>j1-6D) z0sk1{s+CzaCS$9avxRh0YMxt0bS|iT%9~G(RRjV6WgUNwBK&u*Iemds$%K_i$YLPU zFnFg&c9V41IE)B311}$51LiJ3$bEG@j)r>y+dmu_UqHwHI;L#E7YO_OaZK5N@l9^B zk>1wO_7xZl0NKqHm`8V*QQgv#D}2O4r<^N*k^0BI+3m!`o7|B{ir^7b@JxdG zkD>MEwfCUZz@-r`j;-h3e)^G~buh}9>w&WEcWXvq@S9Qjpi)~y5vv$$icY0Vkus;U zl@vNIch3zxL-ZF`|G;l0junLREI55qOo;x$Z^=yhWAs|{JTMI(@}zO3^&Pd66g@s zKQ4QL+&c{?pcidLM+LyL`0q)Pi(u4qpxHYEb0k8t#b4e~9Pm;Y|9B_DFF@>|xix?) z>!!I_QTFF60WM||OsiVJ=f`kqjGWl1<$^X4;&f~^%0uyoryc_U-ct!oVOuKnR`nA8_ zr#S64i=0A{m=C!sfj|@w$K9V~xqr^dA>YgY=!t*!%>V83$tmzR6#y7@282-uw3Xdv n!BZ>1@D5UirGvk90aQ8*{@*&CdE0mYLeV+-|KXbP=h*)M22Yu1 diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index a9120b1881..0061fb761f 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -71,7 +71,7 @@ The **Set up School PCs** app guides you through the configuration choices for t ![select start](images/app1.jpg) -2. Choose **No** to require students to sign in with an account, or choose **Yes** to allow students to use the PC without an account, and then select **Next**. +2. Choose **No** to require students to sign in only with an account, or choose **Yes** to allow students to use the PC without an account too, and then select **Next**. ![account required?](images/setup-app-1-access.png) @@ -93,7 +93,7 @@ The **Set up School PCs** app guides you through the configuration choices for t The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to *package*, it means your setup file, and when it refers to *provisioning*, it means applying the setup file to the computer. -1. Start with a computer on the first-run setup screen. +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. ![The first screen to set up a new PC](images/oobe.jpg) @@ -134,7 +134,7 @@ The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provis ![Sign in](images/sign-in-prov.png) -That's it! The computer is now ready for students. +That's it! Sign out and the computer is now ready for students. ## Learn more From bdd179da263266e828dbe8539262a8967e80e583 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 26 May 2016 09:50:32 -0700 Subject: [PATCH 113/169] add clarification that Windows Firewall does not block proxy traffic --- ...nfigure-windows-10-devices-to-stop-data-flow-to-microsoft.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
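Review bot: In step 2 of use-set-up-school-pcs-app.md (hunk at line 71), the reworded sentence still does not say what a student who uses the PC without an account is able to reach, and this is the one access-control choice in the procedure. The phrases "sign in only with an account" and "without an account too" are also easy to misread. Suggest stating each outcome directly, for example "Choose **No** if every student must sign in with an account, or **Yes** to also allow students to use the PC without an account", and adding a sentence or a link to set-up-school-pcs-technical.md on what the account-less option permits.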
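Review bot: In step 1 under "Apply the setup file to PCs" in use-set-up-school-pcs-app.md (hunk at line 93), the added reset instruction does not say what the reset removes. **Reset this PC** removes installed apps and settings, so a reader following this on a PC that is already in use can lose work. Suggest adding a line telling the reader to back up anything needed before resetting, and naming the reset option that returns the PC to the first-run setup screen.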
diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index 6383bcab54..af80d923ca 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md @@ -285,7 +285,7 @@ When you enable the **Don't search the web or display web results in Search** Gr - For **Remote port**, choose **All ports**. -> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer. +> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. ### 1.2 Cortana MDM policies From 1be0b4969c678c719b6011d057241d39241a9f5f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 26 May 2016 10:00:04 -0700 Subject: [PATCH 114/169] Bug# 7673920 --- windows/keep-secure/credential-guard.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 45c0237c18..870a49c024 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
@@ -239,6 +239,10 @@ You can use System Information to ensure that Credential Guard is running on a P - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. + +### Kerberos Considerations + +When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. ## Scenarios not protected by Credential Guard From aadf64b246dac67d9edce845ea304c029ee1e050 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 26 May 2016 10:04:39 -0700 Subject: [PATCH 115/169] fix link --- education/windows/use-set-up-school-pcs-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 0061fb761f..c70d97b92d 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -138,5 +138,5 @@ That's it! Sign out and the computer is now ready for students. ## Learn more -See [The Set up School PCs app technical reference](set-up-school-pcs-technical.md) for prerequisites and provisioning details. +See [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) for prerequisites and provisioning details. From 2bd0f78cab549ec80f63506ad78b0eb0a0159a95 Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Thu, 26 May 2016 10:33:29 -0700 Subject: [PATCH 116/169] sync text change --- education/windows/use-set-up-school-pcs-app.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index c70d97b92d..1e5af39910 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -91,13 +91,13 @@ The **Set up School PCs** app guides you through the configuration choices for t ### Apply the setup file to PCs -The setup file on your USB drive is named SetupSchoolPCs.ppkg, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to *package*, it means your setup file, and when it refers to *provisioning*, it means applying the setup file to the computer. +The setup file on your USB drive is named `SetupSchoolPCs.ppkg`, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to *package*, it means your setup file, and when it refers to *provisioning*, it means applying the setup file to the computer. 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. ![The first screen to set up a new PC](images/oobe.jpg) -2. Insert the USB drive. Windows Setup will recognize the drive and ask you if you want to set up the device. Select **Set up**. +2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. ![Set up device?](images/setupmsg.jpg) From ee33567d363460eb64df083fdb6a12ac91805b64 Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Thu, 26 May 2016 10:35:25 -0700 Subject: [PATCH 117/169] updated settings table --- windows/manage/images/settings-table.png | Bin 53302 -> 53290 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
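Review bot: In the Fiddler note in configure-windows-10-devices-to-stop-data-flow-to-microsoft.md (hunk at line 285), "Windows Firewall does not block proxy traffic" is stated as a general property of the firewall, and a reader could take it to mean that the rule built in the preceding steps is bypassed whenever a proxy is in use. Suggest tying the sentence to the test setup, for example by saying that with Fiddler in the path the capture does not show whether the firewall rule took effect. Since the line is being rewritten anyway, the product name should be spelled "Wireshark".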
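Review bot: The new "Kerberos Considerations" section in credential-guard.md (hunk at line 239) tells administrators that unconstrained delegation can no longer be used, but not how to find the services that still depend on it before Credential Guard is enabled, or what failure they will see afterwards. Suggest adding that check or a link to it. The second sentence, "Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process", reads as a risk that exists with Credential Guard on; since the first sentence says unconstrained delegation is unavailable, word it as the reason for the restriction. The heading is also title case, while the next heading, "Scenarios not protected by Credential Guard", is sentence case.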
diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png index 2acf11d281deb136db05e093d42f839aa648364b..6b77ce6002fd066d381da73078837f7d6bc3b679 100644 GIT binary patch literal 53290
zw8`Jh)u2`37iT5O&WRe=Mfug43-dw&*`QD3(^5)y3j;=k)z!-n-2(zJKA*IB66&A- z56WWn5dtBn{Nr#6fUDyZr!=(z+UHay_U(CktYX;)36wk{TOp^h4OzWr%&8@0*dv(H z%Cl&UH6?)qQRjly@9pfmLM%wwxdZ#va4dUyuSv>?#mTIP$;>3EimgVOUpa zSLmlNa8>qO%$nE?+YYn_1(RM;vB|{Iq^rmZ*G}XX{pj;1xSorT!I7OAmn5+hl6=WN zm+BlI$B25`9d|aT^=>WOaz;Boaek5=lQ~#T7GnIQ&6Yie^k2~lS+K&xTG+*Zq20>A zyV6bkh3nK1MG?{Gi&w{|q>#@rVp<5<=T7&+lrl0hLM6865T%~fm{Eux3q4u16A=L*wr1`N4vjcFPo?mn#^a~#BWO~7`%I59 z6%AcXiHyhvzAJ9)Oa~^~2O0(2d;ppBS6+>`8nAtZQC6kr zy(eFrwjW@NYFA>rotEG|)lgujd-%9>^CkD4Cc4_HR1+#Hve&LbfVUeK^Nuqqp>VJHinJE-q zlKM&T9w)&KFIe-Kq$i}C?wG4FB9mDoON|{TpM|xfD@-Ov9pwj(^h3pm*!Ot!#;pS$8l2CT z|Arm$yYV}Lpd%&>qE8>a-^MFtKHbBL^NuBelMNk=li-M-9Y_dBBBmn$j`<)%1I)+I z?a(tE4k0JW{b3}OX~aL$UslP2W!3-98BL4y=D93;tZvk&3@syNMl~+4so!8o9@Fu( zH(V)u_Pn5?=w-%-k%sS&2Of(~#eIGn1$RgqYB_cgoo;`&Srsn8ZuS_%H?1eA{Vop- z9SyK7z8m4Gx-kEL?4dZzJTIh&L54kep@*u6MT72A4be4}G@z~A@dW*P?CZZgb1w8f z;DbQ?2lgWAto+ge1S&KrY)XBErY>_4Mx`~IULm4)*X7G}&*Tv!MRoh=*S9-_H@R^0fK_{M+ z%oFZtRs|(9wWmDQ+fA5pWwq_n^nz>N6wk1$$GYH%{lW0|vW zp^Z0+gA$+61^~Qk zTcB(|+)Q!RGjk9F6`9%pA0WG#P;&NB5&(as$ ziaOa#m1}fVJ<44VZQQGLaHE4LSqEn+$HC%Q&6Q5#)w}nN5d5X90r-b@7>k3hPcec3XQ9lAdVoVKa!eJCkY8#D%J!?2LaOHrF@Qu)29q zs=C1A%cZnS&W&7?`izm2u$%)xwpTVCQgR2q5M}UJePvY!LoP34MoSl6LMLDq1hoM}xg+B^o3id#(?@GT%{N;v zw$t5r!ZrnqEj-|{mvJ?_!nD)v+~aOKL$MhN0;6@vm0|vI_a+PeyT#*}Iyj|$P7`S9 zwG$TO3Fz9OQ`b{s{$P$7ZkcmDpScvkyty0F>9RL_o{L{{=u8;l$!*4JY(+ zvtjcjB6=G7`E>_14LxjF_w!YztG)z?tjC&kxzDyF+0R%(nE8K=GtKVFp#W!Ggw$_H zdyZ?`Ujc5Kt5o9TL#mqJK3CST_o!I!o~h#K%;BMoIUxxkinS=R&YeLJ*~{?7Hy3<{ zmYP0Y+P>gtF?Pl$R|=eEz$ypZ1L#gE{9h!j|H&$MDz+U*4!>Ou$AP4)^MeOJWUY?A z3~`NY{}qc3P!&Am_8foE@?tgNteIy>jg8E%<^?~mG#!i03mf}(1}bw52fC?116lW+ zXEQ?iqN!OqmAx~0+S(fcs2 zWF^%VRhkk%OA5rV|0xjdyG2FSai&AeJhz^8HR~U4+G6$)daNsS+}+@r4kxGC8ebWQ2RSPFD)cXcZSRBCNm#m$=Mv(j>m{l3<5I6m(iYgMoI)h#{Rs)W@MD! 
zVg&Q4$XL{pd;rw<8ol+Ck`fV~4Rw;+Ktf9e-=Z$6xy()N&OBx-!eL?dfASMclk~`) zox$APa0(i>4@Pil7v}fA1eiwZR%Y|Vew8$ok_7z3Hp1{(C~aa0ZNzJj@iZ&nw55=s zPNhX2m?J@Bbo?v3#>?RKAY`m-O}J50ImzEROwcuJmS4XFSe4%ruX|CyH##<{xJ7&I zk|Z6&ITr_<7J1gxGju;D;jz3V?aKV2oX8g^JG{7}YZ@F&e%G0K(JT*_S~;8d5(v{6 zBAhnQrjwkjk6^n1LyOPj5Q0jb1E~7W=lAuw-aMAk{;d%iFpJP3mH%LUX3Km3yh|F( zJhKtH6+Icp!m5yhFA90*)PljEzD96$%t+dlAvI5UT6q{yC%=>9K1qRLxoY>21BB7B zIdB-NN8H@!;)6HaVn0lV**|+3zx6Tl^Gg*Q?!l7rb@%I| zxN>qdJ0Ivs|3EsUM*))s#(ezObhf0+46SQWSd4=I?lb>^9y3tIMgeBxwRFrY3JEza zu&BDNO|7s9_XG(Cl%MrN&#o-Bdkbg3*F$x z;2%a7JlINFZc4V##>&L%YkY&VBl%TgT+p#~Vqvja+C}>i)m6Op>CV9O$xhM<~Y4-AKHi>s_cZScQa)Bd$(*ic(gIzpz zYgC!hFAT#!b~E$WoWuH=JfC|*4Pd5@^15M9%;jJ%*fO+=-AO!0p##=&f;->CeI!jB zt7`5Se*gC3Qqy5eli14N)>}O1_x))#WK)4uv&c1O#f3xOQ$5I`4#QtcH9$bk0igGt zNc~r`oDv{t%l(#>1Ee!K4Kg!5bBsmbyiZuu9jYZX4b5K|#-8TpfyMtdSlRsrSd|x@ zf>rp>PHRTa+(LjLIX?GV6oNn14Lx~{_K7X~e0=6+7n3@A>8gd|7}LkU-*7R1Q(q=Mq8`|L!3t=bR z!N1D$3p4Z;^h+OUR#AZmLIvUMlPV;Z_`%}Z_M|{X43)VEWAH<&+ zagifpWgtxcm!8RpX#7em>QJAAd(lIK{CGdzeFAyDD_lJ>z?OzBTZ%J$s9ReO)5X0X zcVTsnQRr>NZwvKH0hYzv{<5+rL&G|_;t}jXHRmV2^1qcm{8cO$$UTx@P{8N%eTpFs z=Cy`*6g-=;rvCGco_M@uW35Be(^K{)ZA0f@?B6%_j7_6Z-kg z#{eGylqYC&t?4TW$YkiDdx!Dj$nzgVW#&s%3O6$o($_;+_IGimKUgD73uHrR%kAK$ z#Iq7yHC$kHi4&-~=$O zzJAzM2Gc$1indF}Xxrh&Yl2?DYYaO_&MjYyG-0#A)uX9*c*ksvuKcMdDZB(yJ3eDwkmM zoHSc3RQwKff{qf*Qr)JkN*n&y2uH5h1M2$K{~mDl?jC6ezH;UKx%Dxtj)UIJ8_oJR zkTF(dPL68|U^pghAiRFB{!5$&S7GF?S;hs|C8<5r`P;xu{hn#@kGJ@d75$V z06I!PZm5X)Gv%6-p%khKV)2?#Q&aK5_y<2f?)G8img;WC>>79z>=L+E>?ZrqQ*yEzFCCjhf2lD8n9u)`*q;9h z;lG$z|01RR^JgmU)%OKA7RtWYx4sQwxuENzp`rGPljbn{r1i&W3L0EuhWWK+omDE} zZf~AQoq1Qs2fQEVQ~lSyRSCkP%@XnWce>a2Cc2(4>~kbUXP)+Y8>nNkY2OWRSPP3& z_7%;75&++3`o|@#ztuFe0AWoV!)RT35PIf0xZ+P>p_S^3As z)PCb{8MhedGWg$$&X)Q3*uQ*Xz8z)r;)Rs<#P$xsbBo6&5F+qRGtkc|N&dqWV32G5`e_g>u37W)OFap6m_doidmtj~spSjor!& z@K^#V+n-_SABIlRw+2lRnXu?Qtbh%+BV_6K9JLHp%~6?-(d`<}OJE>%KvGlC2tfc0 z&-luH^NzN%-?wN~@hrD|H}oWJ9r#yOU2K^?AHHenin@hbg3YNs98BtB3iKUzm!)z{w%MMuRZ&tyb`^p4;02SZ53xA 
z9Pc&*9F?-VwO)N!vj#V;3-dT?!nUe?+rrk(bp*Tvi5bX)0e8I>EuX{qu%@@0(+9($ zNZof%w;E8!uGVS`yN~H4`MCE?kr%PfY81C$kA0<|CQl&6c1gQL>>dwzAf!xzA~7RX zs1_nq&DiJ>FI?;r1v})|^sb@ozZ9ze^veUJz1$tob7;5Jg=_wjDoowDo8*8SfvXX~J9%FNBwzeXhP6+X^!hf|Cxq+8DRF0@2C?#Kj>o!pgj~`t!_AQl+9M?@QOSxYJJsHl;SMx`o`yh zyRB!d-qOR)!-LwDu}2e9#iL_~s`sYm_$uRdy#=l;-weVyi|atP23RNe4|N|j;57`V zshd&vw>j|55eP)wN`hl8Lz{sj5G>Xwgv(oGwpc=ZdrGA%&*AZ1n)_8AOhbWkcL z!b;J!g^OWuDB6Z2yniRb`cD=0KKF)Q1%G^R5!B~PH#VF+u(eyuaVN~9$RH%%)iVQ~ zUA$SASffjzWnOYB!l$73L>L@?A?t1Gn|$FA;Z3FDn~8Bz^vm$qnZlONlr*045iW|> zuZ#iGr#R07l$!UzKQ&tz+-11lw-YK%>x+A_`CkWBe8-95alP}eYj^6ZDW(7gmoYep zg0j@Oh>#GIhbROF5*>uhMf&uJLrnZf-9R^FG5Kyj(!~(kf$AX*zy$e4>#=E=pYdpY zBS7X|eB(i^IXlVL|3WtQ{)>KGtfXP~4gg75P6VNoN1W08Mm0((41RpDGfuP?VV5-( zzy=YT@>}(Ya~TJ(s%NTE>Z@j|-M1(COf+SzLOA_T)Dh+>sWztH?GbzngA4?}Ruq-i z-Ns|{P_qsKwPl)U%cq0T41khZ$K4dr6E9&Te9D}w?VHe#h4(!?Q!9YdT+rLfK%CUW z{3!H4x+#Cx7Ml|w2SsN;kq=`qha`|fOlsUvegZ~_b=W+=P$5q*P6V5ACzn133IFCM zda;OFU&NIA&K##kxW~qAem&kkQ97sr;=c{B2X!2R7x#jf(O<_ELs`>W?REp!<^VC((1A`bK z#tHr`Wc>D#KSgz?Rjq+QwbOBx(vJV%|3Q{Sp#zIpoMh|>=bA~;!hWm3$y)xpBYJNI#PF@%z8g}bv6SY_yS0;4qnL~zi|K) zs|N_9Cqg}qmCo%yBIbrJSFy_5*c4g!H{@LiP@Y)%An4AYz^8)&`q6&wrl5EX4}`;L zKbC?i93t(ih&6J1^hyvoYNi4^qS8_b&z&-$`ymZKgwXl+j02G_@O<(QOwUuBx;~Su@p&BFy>+DRk{r$9s%yhdp8LIE8VW-w%flH0a7@z> z@+tKlZnga1W3G*IiFO`GlWC*-s2&t<^-Z_p7^=*Llt%~C`cg0&4Kkgv~qwqWz&vY(VTZPfOWREtjBJPDRkK z%)nDgeKMFxeN_6*%NRO>3K7aOd0$~9miqMTrp=qs&S!FZnV#G^4iNJ&V-weVL}uTN$hXIS)DK<-H0s=6aI@vGN%(a&+3^Ja46UWW0Ca?jt9FtZ==*z27bUdDO)(d31 z>0w$QVlrcJ$DHx<6PvR1?UL^bd|4^qS5y<);KpwIbY|3^O6doiXX1c+7hfJJM~nSU zg1Yqu))jmh?KYQ=xtkFJ%Dc6Xk4tOY;^zH{I)QbwSGrq?@__?Q!z`P-6J=u#B~8nm zNq*Izs;#Fh|4s|rboIeMQ%3>JO|WIl!K3TQk*$Xc9J#ms$B6qHVCg+X-rARx(lgRR zBBOMNeuD$Bu-kPdCm$jI8wz;S0{yZ_&rb?sF z%S_gyVoojRgPHMIAUu&*^gQCRJzH|}O@d#DVAYkWAF$d|Nv|w4HA|=1%e(=-)Hw%= z!_(pIDhIVKJ4vdbgFxCF5HiR#Od&kN_g}gt*meln+qdnArd00Z%-6*>XOp%9J4uEt z{X(>3!z78~SQjvVr z&u#mmzKL(Us_4@lZ}+F!yDi@o39d~t(o@3%_BmPUt_^RWr`euRjvm4@Bze8J4)0djrkJDYK5s6lNVN)uJl9+2<6mNT;~muz+zz_#{PpSCEfKp 
zm<$Y5tk6el;>dUrGxYoKkt=NhMOIvvAKA)F_4cXgjS!k2BKDe&a(sA`f!yrTOvMjn zI2b5D_~~-}%=e4?V9N9tmn+~V5SP)M67&bA1JAk=D006|{Ga%jlXv;Zcn#tu<7~73 zy}K0{H=Z&u394E8j#Fk~5cz8-nAR?*iZZ)Kq@Yjc7NcsTZyuUr4HQzI8b5zA!~Jco z@UJ<_32Oa5A9}RzaPe?=m926Jj|q7B(eH{W{*8mM6^aLOb5jWXz8 z63?rAE%qg4oBY5O`yvB{&-7dAp%))alRmfpd&J>&oZzwx=F6OqnRG6p`FE9rp)ho2 z5hx5oD@WBs^>m0W%;&GNC8;Z4{+4T=Fu|PElwGKcHO(d+I3t$&VGrJZz%T=aG41Mz zkx)ywV?4#S*6wl0;@K?^3`CW0`=lA@UcFIDth4V%!5EeVO1Q#XEGGxT`U#r zZiKgbF(Bn=nSh7^(w_bwm%VRDJOGL_h&q6$5}YVWOiOYDqP@}K8`2zb6RV(DZ6+uM zVLWq;juG=7BmWk+#6z1(ej={*i?~U~g#gR16jKJt4wEUB{Z(Ljl>mDDBe^ClA-lbc zX+F2AJtHMY;IB(2AWre(%JFR1pL7J9Bk+k6z`jxg1({&+O&N+M64tv z%)ud;-Jg6o8ID<@t9AIlI{ zI5|xXDbDs#nU*Y%__bO7;)&St)j`r#vRn4Dgjspjp5iy&k7^Q-F)6r<^83B~ZK&At zNG-fFBe2DT=dbc9m9+ZBN{E$^MST^;8k5H=|3|N9ysTi>Q!=CyN<46LR3BRRouc() zM$I2ZOV(RxnDOsL3w^H^k~2lHSQGF@D*cJTW$`d;6 zh;_QI$B(nkZSSVOl@$gcq{^Ny7fU0=!a!(p&&OrvI-Erhm9aHn)@C;Vix! z)?ZtCfooxH89g^k_)m6d-+mIE-!xEU3A^Z#Teep5`rRPSHJrELNA$4yi69NX)4Xi+ zJ3b5S?(XmlExs7$MPlBp052(H&2Mkhz6m;-sp_tQv0dNI#e0-MY4f|Kjh}fum`Y;D z5L6R9uo+G1GIfj5>6HqDKtjs2P_==*FQp~c*~s>~+c=`qitc=U(w&aMn@uQLZZ_G` z_#1fVC7IK0Q2fQwl$~<;w-t@?zsDsgB>(h7hN7XwC>ht$orBh_teh#z2zOo?A6G`a z)ZmCCOA2&?0GvwCD$om0Ak=5>nQuLQQ#4%yG{SZ_N%T=CgbQU;1!@vvW1QQfcZ)L9 zPX)Cof$gD~*qrj-d$j!@`yYx`T+e>95^`m3ZZ2Bhv`J`n{f+;X{QGI@?Ms)=>ct)N zrrI<2WrQ7ntMq*xAwxyL_*@RUAFr2*y?q`*+RGHN1{3d$C4-yYe8<;X$CpRk8A0DI z%#Q>%c(aurQiXSl%ENoe+-}y`kd4anlfHD!QTdBf^C#k`&lLrW(g;S%%{cdh8x5+PWU55%kP19mwH93 z*~O@ga_|{|u!wW=|I=9(I86Wg7mc#R(rHFljqCAl$@*9!7*k7$s-2Ll4Ar?Vv}Imx zN-DvXqkHs>UUVsPj*tF0AO2%ESRXv@8Tx00rcQznB(=;FWBaFRegE zyuDIWg2;o73q#GMF$&2-<8z=7h#`atvW`Q%Ecg!*N$`^brTkZ8zW(6Vd-N;}L~Ap1 zjL-E&r+3~cnUm+2X?aBre4b>YL%-XI-uCi;6-aFE%b=|#JJeUG=J&x-#yeiY(Eo{D zAAboOCuZAu`VX2boKgMy46vB&Fq{T!C;y$M{W=;8*|H5wj0F5)qMn{%SN4g0I(GEf zF~Rjzla37vt&zradoRxLT$D|GgTG0CDU`DK5&fl$V@qv?yNH%$;XfSEpebg7R+zQ7 z6~{Icb_bc#pEqP6)6x@ISre`W)GBXyP88m3!2-Fj&4zj`t`mShxuiC z3%g~F-MA< zs;z{XnG*OXsM07<&MO)mc!fOmj%j#wY3{>CC{AM+5=rRf;{)IA3@-jqB|q;Gy-ipF 
zmmDy6AZ7cKNkXnPs=yERO7k#k08$`f#CVn>m3mY~MC3_Qa6U#Zq@D9WBF@GqS*CFh zk54?6i!@9IbNF5}sh2eOcq|e>9IwO^vtL%I#@IbDUf@}`V=k$Ec3_YlCK5hMGvxHh z1L(wl3+8=gW&Jee*6|$&hCq3fPi=!CptlpjwlttOX^C8c!|x4eJ-I(&sTN}ZDZQvn ze~5-l=#YK7mNQR6p!j|phDlD5hCOFOAFy5r3z#0)%r4=CMyVPnapK^)lIIa9-CZ%J zFeY*N>3#2D_p%iCKd!WV3HM_h=Ul%09l2NR-^nn|1%D#Lc&wOLiUBeVj)X9If#?qs z!Y0mWKZS(0E>+Wzb_7M#q9&b)W;o}hVUL$aZj-`^0(}xWa+n&(dNgA|=wA#2Q@fIBQGDxFPF_hH4 zjhQYf5Q}*@3wjEG<_we@hki=l-PDk6NN(HQyO)dps5<&LfI)yGJ3(<(eHJy&TvPk0 z9mcu9#1@wy)|+r#XDVnv_$K2xX_=gj)br+|>6_~ydO_FZAkNYa#CoJ4PlO$;h48Fa zNoaA{=XsPX9+^>!Wn{tO4! zO{$6ZaFOcB7A7gF8G9s(hatp;F_UWXr74&2(nwHwgMFNh*22KHof8#NAl5y$Tie~8 zjCw4m7yf$8T|D?W(EtI$B{*ovo7NVBe&n&U>5%+>yXnwhzSVRHX@BN8TXkt_+uYCA zHCNu0K!3Bn%Kt&pV>t1p!z7P*T$U7?n5>#duh!M^5_}K-%Nf9|*>G_a^iVnT(rdf) z0dd7K0BWv3pgy|i1$`f;>{KR=`c0GRhfUS&bC)`MYxAk35k$ z!$?X7m&U*+AChb15iO*^&Pj&6-K4&HG5iuOd`lht6&l0PtoYv}tW&O&)ywZ(L&3n7 z@H-A;wQ@-s--|moBAX|KpR8`*wk%I+8JX!Wg5LJVnch{E6tK7aDN^R?jjguEH&N@2 zhS}>)Qa)43J+Mg>RZj)8OROVpX7=xsWWEW*@}~w* z01#@S(r~R=@@`L=HdD`TH??Yu6B>`wAoo!1rj$ zXiX{Qx}f^5YmJ#wb3#2sLhGyEHGN}48AJWg3f4XmZhT7r;Y{kd4Q#U;`)%_%r*%-H zwhMKb$3VPlvAIa;o8coq0z+vgT~2PQXpF8v7PY5mCw!r$>p;2C~HHm~GGd@C6Zd#^CxC`DCixVwUL$h#on z`5?Z?np)v*HyXd+Uld->?Klo9r~>uGRdv2S!txGh4VGspd|n^ecfil_2npr=-A(7< z`snHegXwgw*yt$#kwo{Lx%mbGvWZJPWe;gz7@ZTC>SG=}7ytBVnnlISh0J2|;NZB0 zja(uymioHqBpBM<1iKBj$r3iZ%Wwr989L*o3B%V%L%h_|uc48Fzue{k?UQdu;jJsL z4m7|{5Hd@t?1iHsAqR91!y@iy?LsA98b8Zd%^?Dt1dN6O!HQe#FlQE+wdR5BUmQz) zmF1F@oTKYm@b{`ucn6C*>+idS`n2%Hms*;(j}DC=)=%QiQAPUlJR8;&4Z-GmmFpU$ z0PuOPZmArV^a`5q=*R7j#|7`Lj>ot6QC;C7Qj~`DXE3dAKm22i*0&q-KLgA9;}H1Y z?`7b+9vB>r@fY^v-)at+q^}ofN6eQdJNPqBe^df{)|@Q-Ae@Nq*ODQUSS4eMcB=ig zDN*N#{iG-2&o0n=j?e~%WYB6 zP$-1=x&_!N_US?_f;3RM66plh>MyPvN^2&4ZFG2^uY;}^+e2=U-w;&@kYBBaRLR-M1rWRvtge`kVOO?DWkOWhn*24;=Gfl@ zZMYu1#Rb}wT*H5q5!krHN&xT@m4c#lNfc36@8)ov3%->p7>l58ByZ~c6q<%RMmQA@VkGFFNK@T ze=UJr##WwYXoWW-x%p!1uO?=M>=C8(e4?II2vtKrIP!S|q$+}G-qm)vMR_jb*S3dW ze>cJT1E9wcnkYluhYz`q5g~r1qyq1whB#MI1k6Pj)}x9SfCMyN2v5#@E&wI^q4#E- 
z8av@NWKhc=5e`?M{MCujh3YvH!}VRme#G{E@Xx(VRHDQ;(Dq(r;tPFIK+pRxX@!3W z?f1LY3SHF{Vezg)+{Np9Rr7(YpN*Ejt_Y!5Rp5DqVh=n&Tn1@Aad^M&-@;Ew14NVc zw9`fEl7ILSNA<7%q6Ws@6xJi;x8~{&muP0QE zqC{bkqBm;9Pz+DfR|0(#pZd%_nIbKq>)+K^HS9joFTc`H_+vyY|2Dbr>+L34^Z*Mm zG-j9SJ|wh3zXsP6UQ;AsI;z(MtV808Ac$7LMf$4cic*S>-GP>eqrX3H@(rWd!UcZ& z&^`thFs#MyQ&!QVLlomZ8Qh_#mV@F9wnHJ|K;L&p~ARwGg(oTj@R43 z$Hb?FZwo}QO{-m#Kvnh191NI(H+NqD5X7~K%llI~BY^%(wBRK-pa~1LwHH; zA)_tU!|VYqG*AvNtO!@@E>SQ6g8Z5e=f_n7 zL{~qIE*g$Sk!fhF8LMt?e8z5_E|ip5Y8Vr-b`^HLu-4Sr{?0!G|h_o>vwqcO_n=wo6_Stb7g$iq%;{t=Vb?61YRUH z%&H+58}=(aGK!?;_Xzs;B`73+8DQX<jlXSwcT%Z;Dn|WHx->F5LClI0=QuxfD+Ru}dzJ(c!HzjxY z1V_+#GH5IjW2YEXT*&-xm5VFl-o8n~O8yFlYDfJz%R1Ugu|#e zW31ElQwqfF>A7Ncd%0&7y&xmo_#_I>1QXUiM$7tz9Y!bNA5-9Z{Ffw*_R<@^p%E)P zY`0hwperc4q1<(ty2wXpQA3sF=*iLCH$3|w_bHa}xY;=RD8v(x7)PQ}6Lht%Dr+OJ zN7yf)9W_Qa2jn~dDmIlN>THy9mzNJ9<;^KN^OS4SF&@oNuQ>itzEKh(9z*J!c`VmLA%%XJjpS*V4xafvHD-N&GzdRt5M z3hu1?>xQwc7Wh{3z}JDYlIVvS9!67qmscyPg(9!wgHc@Ks&tIZk3XB7i8I&n*NXdi zg{q$X-}~sJxPr-nUe3dBIrl8t8S_eN+Sx)aPs|!?AnOCXd?eW{d98zC1j+I4}M^XiGoAN9{P2%cb9LlHu^!kP+q2+dz6Cf%R#s%om2x zQm+upzMxEh&nkNoTHGX=-%@t-PS9|vYT=3K*^=^7a11?gQaF?JK_wlve~c0##~Z2? 
z%{xspAxI1|?iG$xa%cV*E%=|xn?e1mUM>b=?XAnfCAw~D1FCo@Dyfz7Zq8$rqQ_xW zo^M@i{3OOx8q<;Kq#2(WFqUXL_4%7ReQ+IriFlfXa7}z8Kr<3yei4skXecEZi4l-n zsBA4_{GMDWxADhk)Z}eX3GS=g0dQxH-*lB+oX90WWSR$9@lj$yQGH2>sAy5!3G^scTHw&p6DZ;1VpPQoYp!HP3j#OT1av0_f{~B6kt6bv zh6DG!d@ZIOkN5Yj%^y`+2zYmuE~ZjmN*E1a)l-#-$)4G02k96%slrwq>{j@q7fzy8 zubs*{K}}#UhNYMZ0%(37q0}Hj3*gO@QsL;T4)T`02TMyl)naY%RKXGEEp!ip$eDZ0 zzI4g(AMCDdN0>Dkwv;YKGk{~e1*yRrB>^gP$c}AdJ@@CXkF_wE-^PBy?~YnGH&Z{` z8vLNxsi$QeqB=0AJH3#&&=G43*$9ydR&OH&x=mL$oi6 zAVc|=GNZunrD*qeq58=F3PmN}5hlc80Zj;er1o67D39#yjF~dS>WM>Q(2LJ*Zfk~q zIWg)J3#%mpO6@5=Ee|HH7$iN5B#rO=^Ar@%p6(yV@+_`Vyl&a`P75alHq z-^lk%iLZ>(lMC1}J ziXRi)i;8d+@MBazQ&EGW!Zx;vCsPkN;FXiMV;NJ*((!VlcPro0xkD`#CT$ZiTAw@M zHCO^-i1IjJ({=9x+|u%z^nF=xrN7gc{DmQlp9)7HaLxrBx;t70FW!$+E^-Q}q*;o1 zB*CmIA}AADqv#F#Z}#LT*(bc4ItWz^&=pC*SCtOHKdwQh%KU0BdMR0hvDqvS(xmR} zKb>GeRYAvC9)ZL^<)_tIZJZRRMOL9+0D?56JI0hMJjs7aHm|SX8_?VoO!bHJ2fXDB zz$r-IjT{NX(!_Fgi(~>aXH6L<5e!;<$EwZHQpb^&|QDat!fz)nP0eJuO@{ zuVb9k2s^o)GVl<6)c6gZC~)RMy3u)zGi&Ibp%n;D$;3kqFTskl+Z0qQ)J>J{M7b;E zYB#>T!n1So{V{%9xO!T6tML%M$p^hL!>D+7)aS9<%foc+#!`tVQC=X2>hECa?K#ty z*{OFKn{MnPpQ)nS*=fhJ7E(X|vq-5MGl@#z5e_(s-BAATNqqhUg!xfdVkZe>(--yK zfznbm!WVa<+5-IpT-N-F+oB!wpOr}eLCtRl-+6)o4cDtGWkIeXh}qku^hD_E!aNz|ZoT61OZ}jy05=a+=QDSezeN3B1!mdG*WZvpuDI z9{8HxE&Y=CwyM#>Uf|Z6l}l$K3G7e63!n-@ie~FB@a&!s+H=&9V(Q7Yco1EJA2^i2 zDUJSk(V={I9V(kS10?w|R9{PjPrE;V_AAP2gxoio*=a(T{IegoDI#2CoV4_!uq$*ze0n=Rscg z&M%OFT?$uZvwPbfRFCws)uE^0%H4vuNFW-MZ}CQH=t;b#IW71l;hhLz6E{^D9r7Zy zhFndgPa}(OrLFBC<2S~bQtgi;`%bz4*%<0iU)E*7Nu8oJc+`a&3@%Ul+)lf9g|C!R zA;baVD2CyTj-!4aD_JWi&ZD@Hj(6b`xED_Nd}i=~XvdTw+W-~8gb&Xlm7ExduAF2+ z*e~tf$3Fui>dyFNziz*fB8cFQcYNRrmXooN0pE`sl0S1x?cE70f>Ne{ zrC8~t*gIaP{E<$RlhG{E2;~60ec~72i^$4&3ABn0d247=Vno&|h)!wdjtkJ;kDIs# zbe+!9@->$C)WGdK`I0Vi?zKwUE&60bP~*z} zPKN3Q7?zD=e@Z_9Vc&3r;CjTCs0_RkxukG-wAoX#*DZ5sG--P4%%60ev<+K2&J~cP zyAz6p?M)oMs6<4MWe*6=pegE|IIN1){jP^}XGH_%obtj@tmd4>i8^2$%9#+ew)QQ% z=N^7#-R4uxpJ+!n8i+1LviUxu=$qS`nUb4g3?Lbnu%8LbmJi@7} 
zKxVR2pUI{j<2;x7AC#QS%u854Arc4gBSbvGeq>isZE2zZlz9d9pYoyaOZY}A(!$@R z++t8ZzxoBuNA-GNae2kFC$w?*bf1JF3c_!UrYE$H%4!&|js<+dF`YNFqJA-W_Rm>S zogl1!MmKxqIz-m236`zmQ!+cUu}&}VfXz1%mNtZO-ohVh_Pg7fNgo?|r6oSD3lf49 zeNAWIIcBLApA&m4bH6%icx0Gje1xiLQyMfS)??}%w4lr$lENkX!bC}H|DMCQ=1>(7 zlU!42l?2QIn@Uq=+Z<96ffqpy)kLIa4r^v0HTmCUQK=hG3W-7#bWD!}b(OOz&Jc{wH&5TvMXCW235h-m0H}PCz z&wlAvzYZzwGU7ZWCtnkAfa1fD$Wao!sx}FP#+!z~D}qO+iIe)Yj|p70==RZ`f)cFB}W*t?=PmxegovDsfD zI1*wlVXFI9{lj3F$6LqHlQNO~9obFNLvn1@1|pE~anbhD;`X)+9^k&dIHEf5O@4{nb zUQ@I(;Dabw^^3KTd$5u-apzLsB1(=Njeh1Wgo#`@DICyzJ)erNB^=KPQaTannp*yt zk;LI~&~ChsF*AZ{EiTOy*YiUY`ibn}NukIDwR>I@nA2*nZtA$VU4_%NQ9`#8HoNn5=bm}4!-GM>@#teP^RYxv7U)W?Z zo^Il?c`cRI3(~O<>H$1cgC*<-X=eSw1XUSc9fXv{1Z(I{Cm3Y)pdCD}w0EorXi#0$uNeI9=yiyawr(WXS`*-a!)ZG#QMg@sk z-T1}e@Bvuayrg27K;?T~D9Z*t76mIL^8))5r6LEVHl#|@2Zm<%=a*0MYY~R@T+u3j zTq9@d-(;zA94whlM5t^pDJcF`MdhIn|AGDChq3Co%Mw7iC6y*FB{)LeQdQvNaU1vL zg^nsCvp-=}_PF1t1U4{>1ZY9h(#ca2ZOUd=!_T-bYL+!cs8*XXkvr|%@7-Qv?^crj zJ~zpOXCJwaGylP|+lxj|pY{wIzIgKCjrnKIsg{(}n(lpSS!HeZ^29#M8gmyP)Gd#t z;(-Qek$vD42o;Nq!`dk_u;7B&*mTsXXCm5yFcQ)32F9$8L``?^Hl#@Iq^~zlJ`zanx-XV_{yl&I2j6i$tL)DXvGz2clYaXBFAqFGz!`8_HP|{do6-fo-V9yq z#{UGqD`|{T5~asF3B-gn>xm~=-Z#1-OY#q9g5x89Y5K5IEE#}L-$7z@SV?KPQ>7`qE zDsyb7dHNqy&Cwx%F&(+r2}#yg6nNqiS+7P~?}_F8|Hupbb`gNEQO0Zx8Qtlu4}E8q z-ds@F`X|l)>D&M0XMDuZ=nG3hMXN01Fc5x8>`RB{L{gE5Vgm@tb2glhdh9oM3U}c#piZ$4Uz8DAEM*K7 z;aevE{dJ?wxiFDubCeD0pJ)`pOY$(Zh}qO}Pl}_2Ytkdk^>ol66&Z^%u3L;)y(ucL zqrYhZ;Woe_6>*TB=BAHKRM6Q2PUP~`E_8unMB1vwtZT^ufhV!6Vc3}dfQ;}wr7AXT zo}Wq{nO&sF%xKU_N`!7fM`axrS-v|Wwb1oS_HvwGy}aUKIZ#>u9(+!0`NOo!)9eIW z^a#d5b7dvrs!I!aAjlNWPpZU1M@&5D|0n}vd&JQ1T7>(jkb-=9V6sf7@{{Laa}g>a zU&-3Vq@kshtV!~m{dyE8DE`tjffBj;eZSx6T7TEDO%6Kp%#nepVcF#%1bnyJHi}Jk z?0$3rb+)UVyIN0Owx7;E*ZaN#SrS<%pZ%jZPaeJsAk0;;!4v+1wyYr_VRDo8k`_{p zqrtx&H^h*$*LEfRUr8F#Cohn}{8m}gE?sN(qzhyt(uUtyHF z-tBX9jI@soavY$WNUVTcDc|l zrTB^E9-+crg{VO!k+Tt}YOoGCu66QVI{_(>ZW=R;#Pft0ilNct6U9xeMY?%B!oiNL 
zT##S3ocPUb3~t~;%{lKrbF?MyUXGAk)6OYoJ*tQjO(w{Av77U#HS!o*p(x|IzQ2AFwSoqY1bujZ0_m-F9Bn!rXbsaHt@6pb@$=4=z}^1(AQ7UiZ1xN$>vi@33l61p zfp-B5&G88dx7U^;OlgJU0YV3e_r3fQ&FY#$#K#8X<*M4~GYOnZp{f%{5IQ z<~a6B7W%$<|2A`&XI?1oxbFeE-TSB3cs7xXTc06v-s!wYRA$X$yw6eM-k@T^#g-_Q z*#}Ld6B&NfWAl&1=?xMDL`s^9I5yMLek;)opS^^Q%>PpX1rynE+kFVsc@HHSXPM@V z2=sb8^d!Nj8<^`!p;T_sM~3HQiTL#)9WB5lT6{M$_qv3hzsPgel)Xo*n^fTGOLv22 zRL)wp_Y#N)3z&ML1{vDuqbNJu9y^7I97m%x8e}9BtdzuBO9jL>n>bF7R;CsRj)ys3 zI%#qG!Th_uYd?-Brm+vg^AAy#057ZYN*#y-xVS4uPzc1*Vp@DMU|${?oC zt7`+i;1CWSt-I~AV(qFT#_0A|7--o1NAc?T)Zs4h?dMg$8W*70Dhw`DL#<0CnJckT zougXa!1NSE{04}$R2DmXz|R3MTrt4Sg#RJ67YFo}!{EI6I4M&?Xcz)9>UbvZy_+<% zgXMEp+vAC*RFXuyj)o?;Qhm3X^b`3}02kP<3vWNLel#7p#N9OGfQ-T$Fr!?&m~)Zr z0d}nAt@ZfIuWtHXlhOi~xS{65lVvOh9gJyy8GX={sLnC3iRzRD>qvI%dodIqQ-Xpb z^iS}tHMKW$<9;z>5)nWo%4A8p{j{y~Tq4Cg9IvU7q&f5?P6bGTA_x>_ZZ=i(ofMWs z+_hxT36jXsVI;OU%n>6Ti8LBF$1mKC!c@jpGpz`|-^1ihtH8XFF2YQ&_NMN*!0F9y z)n+^BrzE%*d_`3bCosXsQ5i|xyy$w8$uINbCrm`gFzeHg(uAA}O}8?Ma%M1&?V5D# znsgAsGR#^f921mTFvRsd@ilk4KH@3jfDlWuu8V+qG0K zxZl7Onhb+nltkCFKj9z+6K!HGx86L~FmQ75&c3l<;rQD-j**JaP;0cGzr^4~kU>4( zQ2ye=6}#6oY%@v;)EZ6fVF-+L`La;?}0@@zjW z-_JMM3Z~o!TmCx`60%u*=d5YV{L@nM=FJ<@)GuXfx!NPLJ7*$W-z zIC>B#Eaf@%>>2&k6N0LjvT{c|F2?g-yi3OzU%gr(w7<;nyE}GVR6VX^wHZikpQoqwHG zcGu!G=fu7{T@C8%IWE1s=VdE;9s?FrK}0qC8MQ}X?$FSglkO0CX67;VFD(<5e;QFo z2!a5lPCEz?!0;0=kZ206jGheGF5WNkXn9#DUQv`Zcc`Yt4apHVxCD$^BCtlp0>SA? 
zaJn?Y<6RRNBqrQdxI!6*8V7mwqeyzj-QsP{0n*$Ur2Xut33W!^dnm4=Su3T>Tk86} z|1ge)Z)js&g1|sZd^Wn5UcM`KiEumun;n#W#s03#7?KQK)9ws2BTS+ds36VV=W>-GE~V?9XLpo?=?NXv{I+Z8FA5aIEd zOI(4D5%GlYNoI{7J86QMy=zCk*)HPW=eDnUFi`D$z@TQyAVbcDuUd(yJwTzD3Z~B5 zd@_{Z+61V{D4tJP`De`aR_mo)uUXOfFwVQc9Orc|enwqvw$?@ZHl0~YR7B)Oyyvmg z>CS@X3;UM?Q{tYqh(evunyftyFnuM}SaMOI_-EEg&|e_oo-QOAHiT`;3?qyn9*w(4>5~cEg1Q z!Xp>%E{@SS3fI&LGiwPAB}mwCrW+=9?Dkfx3ca7-Q?fFc;ZMUs-k@g!>nOIcKg(EC z&2Gm!aKwa|(MwnOLjSmvo2>B6Ui?CywqNQXH7$c=&cEHcNfiHgetC=M0pI0&^ARVD}J~rspC|0zvM+9RRArlU7hYXOGE6`yB zBjK-jMuIw^DHFFCjOh48AwtX?6D@DtbD{&)pz|t%2TT4zQ~Re$Ji`I816)S>22F22 ztnbXW|4{}E@cCfRcvty4x?ZFDo_GnDYX7z10@adjx<%NmkjJ#gUk)IDx+O=g*Y>hs z-^|q*W6Nn0=DL)LB$m_2Db2t0xLy2?G}G3Od3)W`*{LM>F+u+KjZ~YxqVFyvTfrFL zT>ZGkNNTyD*KMU|t|iK))?ztvekltKxmzdYvjoY2XCc^Pri$XbSsC75$r_`~nwNJn zGeCO0A3KbH-y;Fp>j@DS$*Bh|1w}_$Kks{V(Z80P?n7an&ySQbUy-ZFna5B`9)voSCAOm!}&f8l$#k{lRNdKf@A}qEFy`V|q zStAEY57TPWRh@>mY1hSxe2?60v3KzWw(8=n_R}!C{x}c$6VE=|n=3oi+tn$r=WQDl zzHtIni9pOcXLJdpJX_o%wHe>T;wB8G*~zmnFn7fvD5ZN@Istg_2)Q~X)ozEaRp|^= zHr!H}+%|o#1eM2wnu;v3J;^hZ@<}6jk%o>1A_V9asNC^AgXQl5cIkJOv5!=Uw$ebp zdXWi|Hk-*gQEjhyN}_4w_cP2gIN&pAWOk5McfadJfpsXvxaQjD0T`LVDZT|hltN1& z17E+gV7i}WB@0HRoR8`5@`-YA_NaM>->vvOi2IC8Irclr9X~lueEEx+;j6pQ@8IUi zg3mZXBg(i4Pkj4au}>u_{ZGpdDQN+m6Xe8>T%lJjTI*RuaPwHW#K9qUk&(qH0a4Ch z>KgssB=-6hF5O69)A&FHRrJTZHsDmlgvRT%jWW-LF9^3aP+gJ8IhVKpc8l9I{<{oE zFH3x^TZpL~W>1;2_0v0mw^@OBgS{)!v`k-eU#1n&I`D=EW5~ks|&2(Lhp~wrWRApJJ@G*gwe@7SJ!!|vsed^?R`+l0GsmkS)j zl=$KD7Ki^*`Tq)C1u=dm=xlA9r~q`zwyne$k7ZkOXrt%V}>8s2)!{HI&QXl9IYQ@DbqZ0SUC&}+16M6vdmSu zoCNk&ZUK~VM(IroimbSL@BioxRVg$?@;LL+nDpe7`71Mzv!Mi|`5-N1N4aOe?xxNc zLX@^QA}F5F6K;CB)iQ&z>5P9EzYXON+D5mctCG9Q$kUq7&%Ga-pSE+nu(#cj_x6gD zCvWGDiwTW1=sBzK7W9k^f)tkm^X1WzcpUe8C-39gIY6odoz#Gk6~XFvDF}N5BFt=d zSt4~}sg3k%{3w+m_jsPY5Ad-DzreHa;c~4kCi?ejv9I3%MJeRGUUB#}ebWMgPVPQJ zIaMY+)u_O;uyn=ZcCujG$@A>SP6<~JbXJes0~V`2523UXN~C0~UMFaw_dPrPV0&~IxKZl1D$S09v_6_qY%NQ}8(UD||+v|;|+ z-ae=m3N;gC?L_4Y(_TFkFjLjZke_(GAUgznD4!%DJTrOz>LK@3i{occEp;@|4lW7N 
zKa`Y`a?-UU`u1sQU?p5ov}*fA))|{OV}jOCju0j9YKQ;SU0pO3>V6SDQR?uD-;op+I8JIrrOkD{OrXRtnLDEVfy403bRvu1HHQa| zBNuI_KD6smb4;~PpTabb&XU301;YX6nIaFWpm-!u&lUuzBc!$T?5 zq?%F&+!TPA6zJA%HMc@;@C0pdY-5AJ-bF`3pSe!r8HMY>VWN`(1=;(Npt5@*4HGzx3Udewqy&GauQZLUHAxbw3%)%^iH>)s_CeQ3UKceeT@tA~ ze`lPR0aMC{qm%7Wtir)@g|p3ywcM4_PtUDS-sL*p!hDI@;zQ+H>&#kM&-#f-$>nP; z7uFZwz8%hG`pm+AvLJsIjh1@;xqddts&DvQ+o8G+)^eo4I*qz1PKqQNqtGXAbWr1n z@wmQiA9}B9|6#~p1B+n7jGE@leCkaVu{;F45hpW478yG7vtHNUx(=;*h(aI{0kf){ zatBFV2jxEx6=nJ~Qp;4OpFi~A zN}~P1&KE%;it0uZ{1*K|4O5Ma*B@)ra!&S2ti0BMp9_3sqDGZOc{@AHK+3_~oHkt$ zLB@~}c0L0_SS;+yON`B)^Ltp7+K3;fE4nyn!)wnj)ia7w2ANwQOj)5}bZw{GjGklbO%ikSj3)o3_Wye-;A(`Z^pn~k3H61 zMEI6>=>kJP@!Cxih5Q=kFgf5%o2UhPCZ#sa?1MbQq9fw(}$k+nF)BVo?q_>yLIx3 zpzmZ)ao%$9rTFn@d^?GO}>x&jZRwi(cPg9m?khQVmu6q6Gj+JR!nHtUG*IZb$WZb+D0>p=>XzywBc z3A+$$ywVk>#yYCpTFoOA@(P0H1ub6sNM#Ua`qPr9*%%5FoOT#^@gE9oi4nVNDB8dC$hfLLLIP}S0 z%Q!G+<=<7L?@Kwfizq!Z&vJ6FZgDxd)>lQZscsmkDb%$fFbc6Y<~&6{M-A(+KG9}Z z6fE&vg6kgXh?dI+oI&M^dXJLteXFEe0#{OWuilV`?h=pB3k>m#mXKmFw(#cl_&m6u z%U9VJ=r;Y(6@ITbGk@apAy0!!IMF z(O5U(v)xvAUQZvm6n}f5tn}?@b#+8B6X*B;WsEg)f-_5EwO>3;m&Q9Pa#sTw6|Y>| zv*!SCh}^huTznw|4VEP1kYFxc)mr0=CkyO{vo}w5-o)5zhFH8v{ zo-;nU^)|6?os_Hc;X5N{G8pcID)TkH#SO-y5qj{V$?W>m&&x}HvQi4&qS_lCv%*;y zjprog5bdkuB;mZ_;2Uc5C`!*P38}n`XP?z_p2d1aBa(Zv@~OKu!s=gH zcwfAIy;O)Pj6b^Jb!rHRn7MuN5m0H-7@Lma9b!ac&~ z$G8qM@n!6`p629W?dGkE9!VxXFj?59z86rKHGXq3BEdG35?m;}=P)A!&$N67tN!`{ z8aWILoQ!ybs*J`2kJhO|wMItk2LZT0ubIv6Av&6h26K$Bk2g9sTn-uQMX}=Ihmy2< z$r-Q~{l)g;6UHTWD!vBos2b87%5tI6Ud_JJSSfW+p4;!%+U>LoVkCD-Rtt20~QEN|k`{bcIM zX1RlWb*v$=p}Q<6IbopR6=U4mrMU|NE8b&6cTOrIg~#on1E*Q;72YHJ3e|XQqC}?7 zqjG8d?)UWa9>H_Tgk`nq4(Pt)%(@%s(VdfPO*lM*JiU8h^=WTI=+msm`#jv-SA2a7 z%Eun?Xx?9NA8v9k|ETbCt|jRzdsfEA3H&zRIRnewQzVP>rVDB9ejApV@ZoX zj^5j_>NX!$#qG+v$7?}U1D|c3XK0_1eK2b@5`XUnVE{Y6*1X4R99$G5_<1=sEunfb zhglV`r*OQ9Vs9R$Br1TrF-6GJ&W0RwZQzNGHV=udR(t|iKymnS2B<0c$x%xOF{m9o zj3HN4H9?eGq5C8P^hA&H?baa^Z(RJ2}e#1mRJ5Ena1&KK(VW=!5rYnfV$u7&ZD2+{8cYsHL?rPP&<>bol4zdfM 
zNi8ahb6!q0Iu1>rxKN%w_9COka)RcdafN==1^Kuo@QPxCxyT`}zJ5<*$qIdwP=3-g zTp0w}oyam)nvLd4tI>)mecB5kG+3pa?S;XQa2`xswd@o z2fnMlWEZ}DSAnhwP@LC!u&E_;bMmq>=YbAZ|J+^lvQqQ(@VR0tGOe9Ii`{*wWpfR< g$`dd?KE6gTai{ZOyPvNU1pKF=qI;-73FZI)03Z%X-v9sr literal 53302 zcmc$`1yqz>7dAXJl1dNVCFOv0cL@lnAQI{zgD`YRH%iI?f=V|iBGTR9AcAzav@|G4 z{x@LoKJmWK^L_un{cjY1<~= zTukl73mVr1CDt*Ejyv}4js*63^LKH?j<=4FCXV;%6t0s1e?Fx!rd>Pzu32oA1f2Hn zxm5)>yfFb<$ko<joX(f!=48lgX;T&Eh?F?2IEELQ zxWS{ku=Y^_+?mWSo3SEfXS-i}gt`Hy6=RR{^59*59(W~P+SIdsRy8$~n&U@HBu7<} zN4xjqBy>mYs);W;q0@Px3+@vMh8F4}Y*Sue?zo}d97jvTzgApGeQ53d=8p|-9}>G$aL2edB!sTqE5{F%tSJcg77-8 z0taNd6@7l)gR0l~jjq#2)f4L+k1=q$-{8VY80X*2e!TRlG{8MeZ7Ye=9P1N0{_=@E zy*R`mmoP+|7e7l_J(p(o!0HZEQ?}_+SXG~&Ywe!jCh_r|%}bBUT(RVZZ>=jf2#1h@ z^UWgr>||**G)nhPx0rkG2+hA~E_YZ{dDc3&#LAuPeG5w+&jw3Ma8c~dHM`;hxbRY+ zJK0l3W<%)U1KFNNhN9V`cZhFVUZVaT?j%%)i*DM`!BDlq)x*G8eujzfoz<2d)En*w zP0n{-9{0jntJJ)33XqtV$K!vo32>;ok{hdWu|>6er^k77U9#mSU=2^@-rqtN-5pfkYwGoHyvw!v@v-HJ z2dAgJHX)~?T*s&jHxz*n!ywP82o$>KH`QSceA5mE>zHCY=~u3VPpnStA;g~5UZ!Y8KN-Nb@$+G_;LneEFt zXrPg88fqAnaD>7-lVqV*IVcptVGGiV0%a0!+ng&iFmE5wd3HOX9M&rx#m(n4QEz^d zE@7JXl%>MAq~m&>#${p$yaf7e% zF{UDuG2yV!7uW86#$$n@mRMCim}1+ruSj`HO-&Wv@Fb9bxCFidlkfH_Z_=ct!w+pG zwm(8_kS@v(p;X$SNWlx610^p_aX8sB8V3k|8mrx*qV?k!zzo-nYUV$<|9 zW045P)|@Tk@a}EVTzV=$txFUTfOMXMAm zExuw=4pm*BIrVnEW_)uN65mW=E*S41`Z4UY%%iBSQg|YlhXB}#n(Fv_H*|rpV+fz> z(@l-IkrExtAn6um(JDbYa@+4#LZP3vp`C#$oh(e#U|b)UwhOI-qCM>>xRvrpX=u)k zij~y3W2Vx`xbkhmsQn6fCnfCQB;bn;??LbypJ_2rj*$zqSilEXH-GKt^S z(`+MXVoFRm=QT_Q9tO>`FG$1H(VQTuGKG=$X@=^;k(gw|Wd^R3B z$t58TC0i$9YD_04+E(Iale;A^r=i&KVmb5;Td4>EQ3bUUYvd7eeZIq!(4vqY^Btp- zUKV~1NPY@oCasE}VR`F?R;Q*F&(ueE3s;t$yx@t@mtPcxg6>?kaqhxrCH`33-ghmL z&>B%rQm0we%04pq=t85WM${8w1Z7dHWKsJUF^wQD_X`?A213Io=~qm%6AW1I$>IAd ze!eW46(;9RpfI-wtURcaPaCWJZUizOx5_n@it3%q>dDz5Kr8^WdQNohQwiq1*zjSe zA*O;J9?uU)GZ>D^k~44l1D%VxSH%o523V9}lHT#nWaVzxpBy-MEHhE&qv2pzwD!ES z)f@E1KV({za-dEP1pE}A%246nv&T9V6hBG(pJdr0hSR3pVd6hI?5$M7zhVARBgw!8tzoW1X3W4wY-bCgY9@ 
zTP3bwo5f)~vr5JHS#?Hx4(}vb)b);djTE^V8p>!>cSdJcA-Fl@?HaBjD*pC7^Ruyh zH4h|qrxDaZoDxya*hoek?gt<4#Y$MzVjg=OLoe+$&8MwCqe#QfirDTBl{s)a9=CoJ zs=0w!d9o`6F1n6BXigJx7P+n+v3KQ_rnpy9a(b`7gM zyzm(^|?F~E|IMw2Sp zi`g59pqXkHbs;d4vxza?tUq+CotkBVDP&-beS41|vXWP)skcC)e&btKS8l@g?yidB zFymrRhUta4*J}q#>Quv6(1TPuDF0UXSoy1a$Pg_|<9moW?r({g#rC?@ykD_{_ z-m&nZybSdh{Z#2vwyjUDMto^U$|V|y?t{OuLfC1>eIe3D!chO+_7&eiZMGvfAV%YV-%B-A&Llc5i*?~XfDGGt7-_+P-A?q|1^eN$R_)QD_ z`%mJ)_v{3EodY^yWvL2*(z-xk1SW}UbIj=YXQED1a|{Sb;p`)Kl$)Nzqh^lS+5FlBLti|{Lvt&esxCY;yI zZ{K({`_4D<)!v$-b=d9q?yT7`|10O7F1O-t%F@)q_bp-nq@s}EsmXf3-VStb2wpw# z$ldMokneq^191j>pM%Ow?f6{XrjhU8d@&ZStVll&Y6y8&Z2UB|Dfj*nv9y3J6?#;L zLZS4%&4dUB9tF%-=y`mWmV@~Wj&_u7(W_nuyS93-UcX+v=zZyNwh_Z4^@mZH&>}BI zV2s|lmIlR@gK!VdUNyQt^0Kr%Yon*_GjUXmW4QdmM3OuW%n~FC<4|)y@nXV%rdhrvrmMqCGouQ5L+7Fi=wLt5-7v(oMQuz z(%rz`sdqGu3np|(#_R~Vo)q9u2TW=rB*uI6-My=?dv9uQKrHWI4@*jbwhZjHKlvh_ z{8QeWWsj1Y<1XLK%~zik1JMi(Wca$U&CacwbQ3ujg#Ozd@L>Me`Fp7N@d}FcA$WnR zSP#?cX>7RX?Quivo=QY_-c!!RSe{$9obG%~lkwFLe@z|EVIks~YH{!0^b8?6PFsyv zMfT;a6kcuT!>NO)*&9hs_fQToZxg8ttTJM!)nn8{%>iG0?#>3q*7bbHcz>J?%#ORe zfmWa4{f0H46r2;%ULWHUg7>|Wf*aEC6!3+rxOank*PAsR*EDX>y&TtdwQ~FZF8)oH zy@hMiNKfUrXRFU#CZbm@Lz}JitNmE=VS~Q;?U(!u3}vu>Po}Keyy*80UdQtqy`?`X zBq#s~m1a`16C@?Q5I%*wwol;FEb$bP=K8i<>RYp61}`}YHQ{cTOWw`h9)B%lN5%6d zN3zzgah`>g4v)}m%Gz2!q6^#Lya8v)FGG^|3JAQ%b!fbOK@pe8JSV5PAh26xWCE-r#@BWSvEuxz^!mEwbGmRmvgwb#5!jdXZ3U0E#Hx*lC@SSP>N8Hl{5j9=K*&(OpACoJ1m39Nli9hU!{wyyot z8I+E`SHSeRl3knzC6(fb#~80xU2KI`?RT$L?g+f$tlHF*(Y$f!oL1`Y66?dmP85}P zDSC~e;yV~XPQ^yjSjNvjShUJtpUc&>co-36zH@>|dzzJ-+DWfTysI}>%=1S{f^Z|$ zJ-@Deor^ho#Ax+`I&?fyc+>XFUTjAm&!SiA`aRQ?0Vbv^U!D&v_%dD*p+woGEs0Ay z1AmnZf*zeU_#?07I>RPH1bLkepeF8|{V>>vF;Xx{ zqLq=3ualU-6N55Y^57MJXq4y>3ORT|1q0oaXS<5o@ct+Vq%&;%NR@xeVyb(g1-^v0 z8)jv9v6=Xwt*9f!OVZe(xX82Y=xg}p+M{~Sr&v}ksRMn2>Ya;s-o3EbuZ%R|es5DXRsVOsWCHIcM}?6n<6OW4X2(R-?-Xy z@7=r9;H0JTgjbRR)j8Xv-!|`y7--J-Z%dYDIj>wEyS!DyF*ZaIGFITaA9UtQ&(})g zyy8C3@s5yo{&Yxbcb%onSM>^zQFz{IIa@tiru1Lqyd-3VL+~6X>lYE2p4wx4ymmGb 
zE(jU?AZn#@=Yx(S{`OcQEAv<4;>9a(23uZQxV#-l!pn*>_YOYbC&lWz^NCY;8h>_> zK>*%Q??Kr5bFy@jSV`DK;2UHFQ8*@@EY;)A2uE)&rMYIO>kcvZMG<~}EK;pn;_uhg z)tEn9FH0eGM&G#{OCMR>8t6OR)V=Y=@5@uNXVr8xlqI6ypPs!``Wi#|&;9YlTGfNR z+e9B4@xXq}Tac7Yms*QT0rW6rdn0=6`?jnvkqjCB_8s}#mg%aY8D!uR3yyIj=}dh5 zWk8yw%aAg!apJRK`3myp%NW2(Wz5X31Z>TlRC7?0hvKCb{z1^cq?_YuW)h zY5Es$RpM2&xxPmtk_iRMIVfpG6E_ejGsUoy;9KZX=D!eHqxsQxwZrr#c6cdS@oj-Ax?( zxuws=bFE!k6Qr_fQy&r-(dxBNm{^64U@-;7iaD+53~#a4huju;w)}FZ?CZrJFbP0B z5M!pwTCkq&o7+%!S`+2WfQj}OFJ9n|`IWxUeB&W?J>@F#vl}M}#SI}LSb0$J zc5SXkXoT@QympMD)Y9{049?dld++BM{q3z@thM6(`dXt$TIsJJtSv5rJtC)gmnvm} zKy;%TDV*fFrH`z=y9IzAb|c>6WmR$)H?=?@*7B)6l%T+CEvg%fzh)hRP;aT^J*;ul z?0MC2`6=nPZl9NstC}(Syx7@Lwj2;knNYNccp}htu7nO!ym@Y zzU05EBY$`l2R?E;1TODIu9L8^}}y&E+BimhmPBnEyS zcea!wJ#G+7l3IkU4%Vv+@v$xL${i@8ot9lF5tr`U#mxsLiC?CkRZF{uU*WK~>!s+I zpa^moxez#u$k3ting7UyM&S~>r$gn}8Ssd8aQ0Fs>)R{2_6-XyQFxfAv8|aI@ngwl z_BV8vkIWvb>9=hV8xj)}vw4+i>3uuwQ7{z2_dry9A)HU*db`I=hPyCv7dYxXD9>x6AR6bZbSwj!VSDxM#6O0tZa#@FwTCaCDHj9*q0S&;Zr{PVX! z+*n@;4hbW@aiF`is{1u%@mj`wNi1F4kgI5E=1#dpwT1Db(TkmHiybX`%Q1aodjIiw zSN9gtBh88Vc`&riaLUr@9igO6nw;1+WMA*vAb~7CPGGYfw^-#F3-h44ZEe~r%;537 z=%hpUec9DixT9e*(wn@0>bqyNU(XeZhi!@IL**z?8R^wz6t#+d8kjncWCdd1-@f5C zbXWf7sCbXN%jcNP4~;q_OTsUIp+f}PJBSQ z6+PD%^jNvuG9uwd1TLyT_K}I@y+!{|hUpS(A5HZ^cQHp<#RjC&F&T_IO~j~XVZzr- z$ax_%K|~^EBG^1ikNJGLZ=w%%B|T1XZrIZJcnfgN+_D$SEfa%Yj9F#(w~l-c2J-S= z@6YDE>c<+O7dX0Hs z5WZxBsB#Fg%c?Bgg&UJBk&03~GAAra9CbL~9yr-P29MYY^jjMUP~f#)l0);z=AJ_M zaACvLf#l}1vdMc6cTqwXHm>)l?q*;`@b@Q%*##h%zOMfafG{7vauRS3t-W5q2>pY8 zl$0mwxw*cBrXpCq;C!6h`{u|7q&@jVG!c~w9?xzbS34@CuOFKx23CSH29~tufkQZE zc9_mwpWR^B`{D0vypqr{Kg0O&5^8@Q<`I7fvia_yrYhn@=X*6k%4OQsu9G!P8$|71 zKuy}BG!jCHXZjV4neq#DIXqGchi^r*0O$>TR-UoOd7_K-HNkSWu(&Wqajw1s5FYE^ zWciKzZFzB@KYNvy?u3RNny#2p{d%o(9Vort8O>m1n}t*!pbjn|v0>AHV;aU__29|R zW9Bq22K@dsvTm0zlm@n%LI_?n+G#nD`DD$0N7_GFh~bNnb3r-Uf1Ejsr{QYKw#3kY zv;9OI9C1)GVHIj1NY{BvTwKXRK9a7waB~CajJ*JY^tiRCV|7oL+`{Ct!xZIP?c+T? 
Date: Thu, 26
May 2016 14:45:35 -0700 Subject: [PATCH 118/169] renaming network exhaust doc --- windows/manage/TOC.md | 2 +- ...re-windows-10-devices-to-stop-data-flow-to-microsoft.md | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 621ce3f5ca..9a7fe85b18 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -18,7 +18,7 @@ #### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) #### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) -### [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) +### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) ### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) ### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) ### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index af80d923ca..66f10dbf1e 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md 
@@ -1,11 +1,6 @@ --- title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. -ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 -keywords: privacy, stop data flow to Microsoft -ms.prod: W10 -ms.mktglfcycl: manage -ms.sitesec: library +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services --- # Configure Windows 10 devices to stop data flow to Microsoft From 92d301af76670b278b742624514a116e6cb9a3a3 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 26 May 2016 14:46:07 -0700 Subject: [PATCH 119/169] renaming network exhaust doc --- ...system-components-to-microsoft-services.md | 1264 +++++++++++++++++ 1 file changed, 1264 insertions(+) create mode 100644 windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md new file mode 100644 index 0000000000..f8496916b0 --- /dev/null +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
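Review bot: In PATCH 118, the `@@ -1,11 +1,6 @@` hunk for `configure-windows-10-devices-to-stop-data-flow-to-microsoft.md` replaces the front matter with `redirect_url` but keeps the old `title:` and the `# Configure Windows 10 devices to stop data flow to Microsoft` heading as context, and the diffstat leaves no further deletions for that file, so the full article body stays behind the redirect and will drift from the renamed copy. Suggest reducing the old file to front matter with `redirect_url` only. Two smaller points: the `TOC.md` hunk in the same commit already links to `manage-connections-from-windows-operating-system-components-to-microsoft-services.md`, which only comes into existence in PATCH 119 (`create mode 100644`), so the TOC entry is dangling at this commit and the two commits are better squashed or done as a single `git mv`; and the redirect target hard-codes the `en-us` locale segment, which is worth confirming as intended.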
@@ -0,0 +1,1264 @@ +--- +title: Manage connections from Windows operating system components to Microsoft services (Windows 10) +description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. +ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 +keywords: privacy, manage connections to Microsoft +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +--- + +# Manage connections from Windows operating system components to Microsoft services + +**Applies to** + +- Windows 10 + +If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). + +Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. + +If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. + +Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all. 
+ +In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. + +Here's what's covered in this article: + +- [Info management settings](#bkmk-othersettings) + + - [1. Cortana](#bkmk-cortana) + + - [1.1 Cortana Group Policies](#bkmk-cortana-gp) + + - [1.2 Cortana MDM policies](#bkmk-cortana-mdm) + + - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov) + + - [2. Date & Time](#bkmk-datetime) + + - [3. Device metadata retrieval](#bkmk-devinst) + + - [4. Font streaming](#font-streaming) + + - [5. Insider Preview builds](#bkmk-previewbuilds) + + - [6. Internet Explorer](#bkmk-ie) + + - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp) + + - [6.2 ActiveX control blocking](#bkmk-ie-activex) + + - [7. Live Tiles](#live-tiles) + + - [8. Mail synchronization](#bkmk-mailsync) + + - [9. Microsoft Edge](#bkmk-edge) + + - [9.1 Microsoft Edge Group Policies](#bkmk-edgegp) + + - [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) + + - [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) + + - [10. Network Connection Status Indicator](#bkmk-ncsi) + + - [11. Offline maps](#bkmk-offlinemaps) + + - [12. OneDrive](#bkmk-onedrive) + + - [13. Preinstalled apps](#bkmk-preinstalledapps) + + - [14. 
Settings > Privacy](#bkmk-settingssection) + + - [14.1 General](#bkmk-priv-general) + + - [14.2 Location](#bkmk-priv-location) + + - [14.3 Camera](#bkmk-priv-camera) + + - [14.4 Microphone](#bkmk-priv-microphone) + + - [14.5 Speech, inking, & typing](#bkmk-priv-speech) + + - [14.6 Account info](#bkmk-priv-accounts) + + - [14.7 Contacts](#bkmk-priv-contacts) + + - [14.8 Calendar](#bkmk-priv-calendar) + + - [14.9 Call history](#bkmk-priv-callhistory) + + - [14.10 Email](#bkmk-priv-email) + + - [14.11 Messaging](#bkmk-priv-messaging) + + - [14.12 Radios](#bkmk-priv-radios) + + - [14.13 Other devices](#bkmk-priv-other-devices) + + - [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + + - [14.15 Background apps](#bkmk-priv-background) + + - [15. Software Protection Platform](#bkmk-spp) + + - [16. Sync your settings](#bkmk-syncsettings) + + - [17. Teredo](#bkmk-teredo) + + - [18. Wi-Fi Sense](#bkmk-wifisense) + + - [19. Windows Defender](#bkmk-defender) + + - [20. Windows Media Player](#bkmk-wmp) + + - [21. Windows spotlight](#bkmk-spotlight) + + - [22. Windows Store](#bkmk-windowsstore) + + - [23. Windows Update Delivery Optimization](#bkmk-updates) + + - [23.1 Settings > Update & security](#bkmk-wudo-ui) + + - [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) + + - [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) + + - [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) + + - [24. 
Windows Update](#bkmk-wu) + +## What's new in Windows 10, version 1511 + + +Here's a list of changes that were made to this article for Windows 10, version 1511: + +- Added the following new sections: + + - [Mail synchronization](#bkmk-mailsync) + + - [Offline maps](#bkmk-offlinemaps) + + - [Windows spotlight](#bkmk-spotlight) + + - [Windows Store](#bkmk-windowsstore) + +- Added the following Group Policies: + + - Open a new tab with an empty tab + + - Configure corporate Home pages + + - Let Windows apps access location + + - Let Windows apps access the camera + + - Let Windows apps access the microphone + + - Let Windows apps access account information + + - Let Windows apps access contacts + + - Let Windows apps access the calendar + + - Let Windows apps access messaging + + - Let Windows apps control radios + + - Let Windows apps access trusted devices + + - Do not show feedback notifications + + - Turn off Automatic Download and Update of Map Data + + - Force a specific default lock screen image + +- Added the AllowLinguisticDataCollection MDM policy. + +- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall. + +- Changed the Windows Update section to apply system-wide settings, and not just per user. + +## Info management settings + + +This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). 
They will also be included in the next update for the Long Term Servicing Branch. + +- [1. Cortana](#bkmk-cortana) + +- [2. Date & Time](#bkmk-datetime) + +- [3. Device metadata retrieval](#bkmk-devinst) + +- [4. Font streaming](#font-streaming) + +- [5. Insider Preview builds](#bkmk-previewbuilds) + +- [6. Internet Explorer](#bkmk-ie) + +- [7. Live Tiles](#live-tiles) + +- [8. Mail synchronization](#bkmk-mailsync) + +- [9. Microsoft Edge](#bkmk-edge) + +- [10. Network Connection Status Indicator](#bkmk-ncsi) + +- [11. Offline maps](#bkmk-offlinemaps) + +- [12. OneDrive](#bkmk-onedrive) + +- [13. Preinstalled apps](#bkmk-preinstalledapps) + +- [14. Settings > Privacy](#bkmk-settingssection) + +- [15. Software Protection Platform](#bkmk-spp) + +- [16. Sync your settings](#bkmk-syncsettings) + +- [17. Teredo](#bkmk-teredo) + +- [18. Wi-Fi Sense](#bkmk-wifisense) + +- [19. Windows Defender](#bkmk-defender) + +- [20. Windows Media Player](#bkmk-wmp) + +- [21. Windows spotlight](#bkmk-spotlight) + +- [22. Windows Store](#bkmk-windowsstore) + +- [23. Windows Update Delivery Optimization](#bkmk-updates) + +- [24. Windows Update](#bkmk-wu) + + +See the following table for a summary of the management settings. For more info, see its corresponding section. + +![Management settings table](images/settings-table.png) + +### 1. Cortana + +Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683). + +### 1.1 Cortana Group Policies + +Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. + +| Policy | Description | +|------------------------------------------------------|---------------------------------------------------------------------------------------| +| Allow Cortana | Choose whether to let Cortana install and run on the device. 
| +| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. | +| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
      Default: Disabled| +| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | +| Set what information is shared in Search | Control what information is shared with Bing in Search. | + +When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. + +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. + +2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. + +3. On the **Rule Type** page, click **Program**, and then click **Next**. + +4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**. + +5. On the **Action** page, click **Block the connection**, and then click **Next**. + +6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**. + +7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.** + +8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**. + +9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. + + - For **Protocol type**, choose **TCP**. + + - For **Local port**, choose **All Ports**. 
+ + - For **Remote port**, choose **All ports**. + +> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. + +### 1.2 Cortana MDM policies + +The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | +| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
      Default: Allowed| + +### 1.3 Cortana Windows Provisioning + +To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. + +### 2. Date & Time + +You can prevent Windows from setting the time automatically. + +- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** + + -or- + +- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**. + +### 3. Device metadata retrieval + +To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. + +### 4. Font streaming + +Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. + +To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. + +> **Note:** This may change in future versions of Windows. + +### 5. Insider Preview builds + +To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. + +- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**. 
+ + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. + + -or- + +- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + + -or- + +- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + +### 6. Internet Explorer + +Use Group Policy to manage settings for Internet Explorer. + +### 6.1 Internet Explorer Group Policies + +Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
      Default: Enabled
      You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
      Default: Enabled| +| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
      Default: Disabled
      You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| +| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
      Default: Enabled | +| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
      Default: Disabled| + +### 6.2 ActiveX control blocking + +ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). + +For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). + +### 7. Live Tiles + +To turn off Live Tiles: + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** + +### 8. Mail synchronization + +To turn off mail synchronization for Microsoft Accounts that are configured on a device: + +- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. + + -or- + +- Remove any Microsoft Accounts from the Mail app. + + -or- + +- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. + +To turn off the Windows Mail app: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** + +### 9. Microsoft Edge + +Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682). + +### 9.1 Microsoft Edge Group Policies + +Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. + +> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. 
The table below reflects those changes. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn off autofill | Choose whether employees can use autofill on websites.
      Default: Enabled | +| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
      Default: Disabled | +| Turn off password manager | Choose whether employees can save passwords locally on their devices.
      Default: Enabled | +| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
      Default: Enabled | +| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
      Default: Enabled | +| Open a new tab with an empty tab | Choose whether a new tab page appears.
      Default: Enabled | +| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
      Set this to **about:blank** | + +### 9.2 Microsoft Edge MDM policies + +The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
      Default: Allowed | +| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
      Default: Not allowed | +| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
      Default: Allowed | +| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
      Default: Allowed | +| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
      Default: Allowed | + +### 9.3 Microsoft Edge Windows Provisioning + +Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. + +For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). + +### 10. Network Connection Status Indicator + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). + +You can turn off NCSI through Group Policy: + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** + +> **Note** After you apply this policy, you must restart the device for the policy setting to take effect. + +### 11. Offline maps + +You can turn off the ability to download and update offline maps. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** + +### 12. OneDrive + +To turn off OneDrive in your organization: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** + +### 13. Preinstalled apps + +Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. 
+ +To remove the News app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** + +To remove the Weather app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** + +To remove the Money app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** + +To remove the Sports app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** + +To remove the Twitter app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** + +To remove the XBOX app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** + +To remove the Sway app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** + +To remove the OneNote app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** + +To remove the Get Office app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** + +To remove the Get Skype app: + +- Right-click the Sports app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** + +### 14. Settings > Privacy + +Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. + +- [14.1 General](#bkmk-general) + +- [14.2 Location](#bkmk-priv-location) + +- [14.3 Camera](#bkmk-priv-camera) + +- [14.4 Microphone](#bkmk-priv-microphone) + +- [14.5 Speech, inking, & typing](#bkmk-priv-speech) + +- [14.6 Account info](#bkmk-priv-accounts) + +- [14.7 Contacts](#bkmk-priv-contacts) + +- [14.8 Calendar](#bkmk-priv-calendar) + +- [14.9 Call history](#bkmk-priv-callhistory) + +- [14.10 Email](#bkmk-priv-email) + +- [14.11 Messaging](#bkmk-priv-messaging) + +- [14.12 Radios](#bkmk-priv-radios) + +- [14.13 Other devices](#bkmk-priv-other-devices) + +- [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + +- [14.15 Background apps](#bkmk-priv-background) + +### 14.1 General + +**General** includes options that don't fall into other areas. + +To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: + +> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. 
+ + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + +To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**. + + Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + + -or- + +- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + + -or- + +- Create a provisioning package, using: + + - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** + + - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero). + +To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: + +> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. + + + +- Turn off the feature in the UI. + + -or- + +- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Not allowed + + - **1**. Allowed (default) + +To turn off **Let websites provide locally relevant content by accessing my language list**: + +- Turn off the feature in the UI. 
+ + -or- + +- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. + +### 14.2 Location + +In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. + +To turn off **Location for this device**: + +- Click the **Change** button in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. + + -or- + +- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Turned off and the employee can't turn it back on. + + - **1**. Turned on, but lets the employee choose whether to use it. (default) + + - **2**. Turned on and the employee can't turn it off. + + **Note** + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where + + - **No**. Turns off location service. + + - **Yes**. Turns on location service. (default) + +To turn off **Location**: + +- Turn off the feature in the UI. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +To turn off **Location history**: + +- Erase the history using the **Clear** button in the UI. + +To turn off **Choose apps that can use your location**: + +- Turn off each app using the UI. + +### 14.3 Camera + +In the **Camera** area, you can choose which apps can access a device's camera. 
+ +To turn off **Let apps use my camera**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + + **Note** + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + + -or- + +- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + +To turn off **Choose apps that can use your camera**: + +- Turn off the feature in the UI for each app. + +### 14.4 Microphone + +In the **Microphone** area, you can choose which apps can access a device's microphone. + +To turn off **Let apps use my microphone**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can use your microphone**: + +- Turn off the feature in the UI for each app. + +### 14.5 Speech, inking, & typing + +In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. 
+ +> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. + + + +To turn off the functionality: + +- Click the **Stop getting to know me** button, and then click **Turn off**. + + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** + + -or- + +- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). + + -and- + + Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). + +### 14.6 Account info + +In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. + +To turn off **Let apps access my name, picture, and other account info**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose the apps that can access your account info**: + +- Turn off the feature in the UI for each app. + +### 14.7 Contacts + +In the **Contacts** area, you can choose which apps can access an employee's contacts list. + +To turn off **Choose apps that can access contacts**: + +- Turn off the feature in the UI for each app. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** + + - Set the **Select a setting** box to **Force Deny**. 
+ +### 14.8 Calendar + +In the **Calendar** area, you can choose which apps have access to an employee's calendar. + +To turn off **Let apps access my calendar**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can access calendar**: + +- Turn off the feature in the UI for each app. + +### 14.9 Call history + +In the **Call history** area, you can choose which apps have access to an employee's call history. + +To turn off **Let apps access my call history**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.10 Email + +In the **Email** area, you can choose which apps have can access and send email. + +To turn off **Let apps access and send email**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.11 Messaging + +In the **Messaging** area, you can choose which apps can read or send messages. + +To turn off **Let apps read or send messages (text or MMS)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can read or send messages**: + +- Turn off the feature in the UI for each app. 
+ +### 14.12 Radios + +In the **Radios** area, you can choose which apps can turn a device's radio on or off. + +To turn off **Let apps control radios**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can control radios**: + +- Turn off the feature in the UI for each app. + +### 14.13 Other devices + +In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. + +To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: + +- Turn off the feature in the UI. + +To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.14 Feedback & diagnostics + +In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. + +To change how frequently **Windows should ask for my feedback**: + +**Note** +Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. + + + +- To change from **Automatically (Recommended)**, use the drop-down list in the UI. 
+ + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** + + -or- + +- Create the registry keys (REG\_DWORD type): + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod + + Based on these settings: + + | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod | + |---------------|-----------------------------|-----------------------------| + | Automatically | Delete the registry setting | Delete the registry setting | + | Never | 0 | 0 | + | Always | 100000000 | Delete the registry setting | + | Once a day | 864000000000 | 1 | + | Once a week | 6048000000000 | 1 | + + + +To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: + +- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. + + > **Note:** You can't use the UI to change the telemetry level to **Security**. + + + + -or- + +- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** + + -or- + +- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Maps to the **Security** level. + + - **1**. Maps to the **Basic** level. + + - **2**. Maps to the **Enhanced** level. + + - **3**. Maps to the **Full** level. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: + + - **0**. Maps to the **Security** level. + + - **1**. Maps to the **Basic** level. + + - **2**. Maps to the **Enhanced** level. + + - **3**. Maps to the **Full** level. 
+ +### 14.15 Background apps + +In the **Background Apps** area, you can choose which apps can run in the background. + +To turn off **Let apps run in the background**: + +- Turn off the feature in the UI for each app. + +### 15. Software Protection Platform + +Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: + +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** + +The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. + +### 16. Sync your settings + +You can control if your settings are synchronized: + +- In the UI: **Settings** > **Accounts** > **Sync your settings** + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** + + -or- + +- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where + + - **No**. Settings are not synchronized. + + - **Yes**. Settings are synchronized. (default) + +To turn off Messaging cloud sync: + +- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). + +### 17. Teredo + +You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). 
+ +- From an elevated command prompt, run **netsh interface teredo set state disabled** + +### 18. Wi-Fi Sense + +Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. + +To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: + +- Turn off the feature in the UI. + + -or- + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. + + -or- + +- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). + + -or- + +- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). + + -or- + +- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910). + +When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. + +### 19. Windows Defender + +You can opt out of the Microsoft Antimalware Protection Service. + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** + + -or- + +- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). 
+ + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). + + -and- + + From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** + +You can stop sending file samples back to Microsoft. + +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. + + -or- + +- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Always prompt. + + - **1**. (default) Send safe samples automatically. + + - **2**. Never send. + + - **3**. Send all samples automatically. + + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. + +You can stop downloading definition updates: + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. + + -and- + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. + +You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. + +### 20. 
Windows Media Player + +To remove Windows Media Player: + +- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. + + -or- + +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** + +### 21. Windows spotlight + +Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. + +- Configure the following in **Settings**: + + - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. + + - **Personalization** > **Start** > **Occasionally show suggestions in Start**. + + - **System** > **Notifications & actions** > **Show me tips about Windows**. + + -or- + +- Apply the Group Policies: + + - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + - Add a location in the **Path to local lock screen image** box. + + - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. + + **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. + + + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. 
+ +For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). + +### 22. Windows Store + +You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. + +### 23. Windows Update Delivery Optimization + +Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. + +By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. + +Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. + +### 23.1 Settings > Update & security + +You can set up Delivery Optimization from the **Settings** UI. + +- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. + +### 23.2 Delivery Optimization Group Policies + +You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. 
+ +| Policy | Description | +|---------------------------|-----------------------------------------------------------------------------------------------------| +| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including

      • None. Turns off Delivery Optimization.

      • Group. Gets or sends updates and apps to PCs on the same local network domain.

      • Internet. Gets or sends updates and apps to PCs on the Internet.

      • LAN. Gets or sends updates and apps to PCs on the same NAT only.

      | +| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
      ** Note** This ID must be a GUID.| +| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
      The default value is 259200 seconds (3 days).| +| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
      The default value is 20, which represents 20% of the disk.| +| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
      The default value is 0, which means unlimited possible bandwidth.| + +### 23.3 Delivery Optimization MDM policies + +The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|---------------------------|-----------------------------------------------------------------------------------------------------| +| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
      • 0. Turns off Delivery Optimization.

      • 1. Gets or sends updates and apps to PCs on the same NAT only.

      • 2. Gets or sends updates and apps to PCs on the same local network domain.

      • 3. Gets or sends updates and apps to PCs on the Internet.

      | +| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
      ** Note** This ID must be a GUID.| +| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
      The default value is 259200 seconds (3 days).| +| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
      The default value is 20, which represents 20% of the disk.| +| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
      The default value is 0, which means unlimited possible bandwidth.| + + +### 23.4 Delivery Optimization Windows Provisioning + +If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies + +Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization. + +1. Open Windows ICD, and then click **New provisioning package**. + +2. In the **Name** box, type a name for the provisioning package, and then click **Next.** + +3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**. + +4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies. + +For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684). + +### 24. Windows Update + +You can turn off Windows Update by setting the following registry entries: + +- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + + -and- + +- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + +You can turn off automatic updates by doing one of the following. This is not recommended. + +- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. + + -or- + +- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Notify the user before downloading the update. + + - **1**. 
Auto install the update and then notify the user to schedule a device restart. + + - **2** (default). Auto install and restart. + + - **3**. Auto install and restart at a specified time. + + - **4**. Auto install and restart without end-user control. + + - **5**. Turn off automatic updates. + +To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). From 24e2237b197fce2142f3e3e271321a4d5db6328d Mon Sep 17 00:00:00 2001 
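Review bot: In section 19 (Windows Defender), the steps under "You can stop downloading definition updates" carry no caveat, and neither does the registry pair at the top of section 24 that turns off Windows Update; only the later automatic-updates step says "This is not recommended". Both changes leave a device with no source for new definitions or patches as written, so the same warning belongs on each of them. Also in section 19, the MDM policy is spelled Defender/AllowClouldProtection, which looks like a typo for AllowCloudProtection, and the "Defender CSP" link uses the same URL as the Policy CSP links elsewhere in the file; please confirm both. Smaller points: section 14.10 reads "which apps have can access and send email", section 18 spells the provisioning setting both WiFISenseAllowed and WiFiSenseAllowed, and section 23 says Delivery Optimization is used "to get and receive updates" where the 23.2 table describes getting and sending.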
From: Jan Backstrom Date: Thu, 26 May 2016 14:55:45 -0700 Subject: [PATCH 120/169] fix tagging change W10 to w10 (lower case) and changed author of CFaw to greg-lindsay --- windows/deploy/activate-forest-by-proxy-vamt.md | 2 +- windows/deploy/activate-forest-vamt.md | 2 +- ...ctivate-using-active-directory-based-activation-client.md | 4 ++-- windows/deploy/activate-using-key-management-service-vamt.md | 2 +- windows/deploy/activate-windows-10-clients-vamt.md | 2 +- windows/deploy/active-directory-based-activation-overview.md | 4 ++-- ...-10-operating-system-image-using-configuration-manager.md | 4 ++-- ...deployment-with-windows-pe-using-configuration-manager.md | 4 ++-- windows/deploy/add-manage-products-vamt.md | 2 +- windows/deploy/add-remove-computers-vamt.md | 2 +- windows/deploy/add-remove-product-key-vamt.md | 2 +- ...information-sent-to-microsoft-during-activation-client.md | 2 +- .../deploy/assign-applications-using-roles-in-mdt-2013.md | 2 +- ...ld-a-distributed-environment-for-windows-10-deployment.md | 2 +- windows/deploy/change-history-for-deploy-windows-10.md | 4 ++-- windows/deploy/configure-client-computers-vamt.md | 2 +- windows/deploy/configure-mdt-2013-for-userexit-scripts.md | 2 +- windows/deploy/configure-mdt-2013-settings.md | 2 +- windows/deploy/configure-mdt-deployment-share-rules.md | 2 +- ...ustom-windows-pe-boot-image-with-configuration-manager.md | 4 ++-- ...ate-a-task-sequence-with-configuration-manager-and-mdt.md | 5 +++-- windows/deploy/create-a-windows-10-reference-image.md | 2 +- ...-to-deploy-with-windows-10-using-configuration-manager.md | 4 ++-- windows/deploy/deploy-a-windows-10-image-using-mdt.md | 4 ++-- .../deploy-windows-10-using-pxe-and-configuration-manager.md | 4 ++-- ...ws-10-with-system-center-2012-r2-configuration-manager.md | 4 ++-- ...eploy-windows-10-with-the-microsoft-deployment-toolkit.md | 2 +- windows/deploy/deploy-windows-to-go.md | 5 +++-- ...n-for-windows-10-deployment-with-configuration-manager.md | 4 ++-- 
.../get-started-with-the-microsoft-deployment-toolkit.md | 2 +- .../getting-started-with-the-user-state-migration-tool.md | 4 ++-- windows/deploy/import-export-vamt-data.md | 2 +- windows/deploy/index.md | 4 ++-- windows/deploy/install-configure-vamt.md | 2 +- windows/deploy/install-kms-client-key-vamt.md | 2 +- windows/deploy/install-product-key-vamt.md | 2 +- windows/deploy/install-vamt.md | 2 +- .../deploy/integrate-configuration-manager-with-mdt-2013.md | 2 +- windows/deploy/introduction-vamt.md | 2 +- windows/deploy/key-features-in-mdt-2013.md | 2 +- windows/deploy/kms-activation-vamt.md | 2 +- windows/deploy/local-reactivation-vamt.md | 2 +- windows/deploy/manage-activations-vamt.md | 2 +- windows/deploy/manage-product-keys-vamt.md | 2 +- windows/deploy/manage-vamt-data.md | 2 +- windows/deploy/mdt-2013-lite-touch-components.md | 2 +- windows/deploy/migrate-application-settings.md | 4 ++-- windows/deploy/migration-store-types-overview.md | 4 ++-- windows/deploy/monitor-activation-client.md | 4 ++-- ...nitor-windows-10-deployment-with-configuration-manager.md | 4 ++-- windows/deploy/offline-migration-reference.md | 4 ++-- windows/deploy/online-activation-vamt.md | 2 +- windows/deploy/plan-for-volume-activation-client.md | 2 +- .../deploy/prepare-for-windows-deployment-with-mdt-2013.md | 2 +- ...-installation-of-windows-10-with-configuration-manager.md | 4 ++-- windows/deploy/proxy-activation-vamt.md | 2 +- ...s-7-client-with-windows-10-using-configuration-manager.md | 4 ++-- .../deploy/refresh-a-windows-7-computer-with-windows-10.md | 2 +- windows/deploy/remove-products-vamt.md | 2 +- ...s-7-client-with-windows-10-using-configuration-manager.md | 4 ++-- ...eplace-a-windows-7-computer-with-a-windows-10-computer.md | 2 +- windows/deploy/scenario-kms-activation-vamt.md | 2 +- windows/deploy/scenario-online-activation-vamt.md | 2 +- windows/deploy/scenario-proxy-activation-vamt.md | 2 +- windows/deploy/set-up-mdt-2013-for-bitlocker.md | 2 +- 
windows/deploy/sideload-apps-in-windows-10.md | 4 ++-- ...simulate-a-windows-10-deployment-in-a-test-environment.md | 2 +- windows/deploy/understanding-migration-xml-files.md | 4 ++-- windows/deploy/update-product-status-vamt.md | 2 +- .../update-windows-10-images-with-provisioning-packages.md | 4 ++-- ...-to-windows-10-with-system-center-configuraton-manager.md | 4 ++-- ...de-to-windows-10-with-the-microsoft-deployment-toolkit.md | 2 +- windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md | 2 +- ...dt-database-to-stage-windows-10-deployment-information.md | 2 +- .../use-the-volume-activation-management-tool-client.md | 2 +- windows/deploy/use-vamt-in-windows-powershell.md | 2 +- windows/deploy/use-web-services-in-mdt-2013.md | 2 +- windows/deploy/usmt-best-practices.md | 4 ++-- windows/deploy/usmt-choose-migration-store-type.md | 4 ++-- windows/deploy/usmt-command-line-syntax.md | 4 ++-- windows/deploy/usmt-common-issues.md | 4 ++-- windows/deploy/usmt-common-migration-scenarios.md | 4 ++-- windows/deploy/usmt-configxml-file.md | 4 ++-- windows/deploy/usmt-conflicts-and-precedence.md | 4 ++-- windows/deploy/usmt-custom-xml-examples.md | 4 ++-- windows/deploy/usmt-customize-xml-files.md | 4 ++-- windows/deploy/usmt-determine-what-to-migrate.md | 4 ++-- windows/deploy/usmt-estimate-migration-store-size.md | 4 ++-- windows/deploy/usmt-exclude-files-and-settings.md | 4 ++-- .../usmt-extract-files-from-a-compressed-migration-store.md | 4 ++-- windows/deploy/usmt-faq.md | 4 ++-- windows/deploy/usmt-general-conventions.md | 4 ++-- windows/deploy/usmt-hard-link-migration-store.md | 4 ++-- windows/deploy/usmt-how-it-works.md | 4 ++-- windows/deploy/usmt-how-to.md | 4 ++-- windows/deploy/usmt-identify-application-settings.md | 4 ++-- windows/deploy/usmt-identify-file-types-files-and-folders.md | 4 ++-- windows/deploy/usmt-identify-operating-system-settings.md | 4 ++-- windows/deploy/usmt-identify-users.md | 4 ++-- windows/deploy/usmt-include-files-and-settings.md | 4 
++-- windows/deploy/usmt-loadstate-syntax.md | 4 ++-- windows/deploy/usmt-log-files.md | 4 ++-- windows/deploy/usmt-migrate-efs-files-and-certificates.md | 4 ++-- windows/deploy/usmt-migrate-user-accounts.md | 4 ++-- windows/deploy/usmt-migration-store-encryption.md | 4 ++-- windows/deploy/usmt-overview.md | 4 ++-- windows/deploy/usmt-plan-your-migration.md | 4 ++-- windows/deploy/usmt-recognized-environment-variables.md | 4 ++-- windows/deploy/usmt-reference.md | 4 ++-- windows/deploy/usmt-requirements.md | 4 ++-- windows/deploy/usmt-reroute-files-and-settings.md | 4 ++-- windows/deploy/usmt-resources.md | 4 ++-- windows/deploy/usmt-return-codes.md | 4 ++-- windows/deploy/usmt-scanstate-syntax.md | 4 ++-- windows/deploy/usmt-technical-reference.md | 4 ++-- windows/deploy/usmt-test-your-migration.md | 4 ++-- windows/deploy/usmt-topics.md | 4 ++-- windows/deploy/usmt-troubleshooting.md | 4 ++-- windows/deploy/usmt-utilities.md | 4 ++-- windows/deploy/usmt-what-does-usmt-migrate.md | 4 ++-- windows/deploy/usmt-xml-elements-library.md | 4 ++-- windows/deploy/usmt-xml-reference.md | 4 ++-- windows/deploy/vamt-known-issues.md | 2 +- windows/deploy/vamt-requirements.md | 2 +- windows/deploy/vamt-step-by-step.md | 2 +- .../verify-the-condition-of-a-compressed-migration-store.md | 4 ++-- windows/deploy/volume-activation-management-tool.md | 2 +- windows/deploy/volume-activation-windows-10.md | 2 +- windows/deploy/windows-10-deployment-scenarios.md | 4 ++-- windows/deploy/windows-10-deployment-tools-reference.md | 4 ++-- windows/deploy/windows-10-edition-upgrades.md | 4 ++-- windows/deploy/windows-adk-scenarios-for-it-pros.md | 4 ++-- windows/deploy/windows-deployment-scenarios-and-tools.md | 4 ++-- .../deploy/windows-upgrade-and-migration-considerations.md | 4 ++-- windows/deploy/xml-file-requirements.md | 4 ++-- 135 files changed, 217 insertions(+), 215 deletions(-) 
diff --git a/windows/deploy/activate-forest-by-proxy-vamt.md b/windows/deploy/activate-forest-by-proxy-vamt.md index f178e14406..1e852d5221 100644 --- a/windows/deploy/activate-forest-by-proxy-vamt.md +++ b/windows/deploy/activate-forest-by-proxy-vamt.md @@ -2,7 +2,7 @@ title: Activate by Proxy an Active Directory Forest (Windows 10) description: Activate by Proxy an Active Directory Forest ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/activate-forest-vamt.md b/windows/deploy/activate-forest-vamt.md index 267e03be9c..082bac639c 100644 --- a/windows/deploy/activate-forest-vamt.md +++ b/windows/deploy/activate-forest-vamt.md @@ -2,7 +2,7 @@ title: Activate an Active Directory Forest Online (Windows 10) description: Activate an Active Directory Forest Online ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md index 15ae96825a..dbf9a5a617 100644 --- a/windows/deploy/activate-using-active-directory-based-activation-client.md +++ b/windows/deploy/activate-using-active-directory-based-activation-client.md @@ -3,11 +3,11 @@ title: Activate using Active Directory-based activation (Windows 10) description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Activate using Active Directory-based activation 
diff --git a/windows/deploy/activate-using-key-management-service-vamt.md b/windows/deploy/activate-using-key-management-service-vamt.md index 4c5d735436..9681860156 100644 --- a/windows/deploy/activate-using-key-management-service-vamt.md +++ b/windows/deploy/activate-using-key-management-service-vamt.md @@ -3,7 +3,7 @@ title: Activate using Key Management Service (Windows 10) ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/activate-windows-10-clients-vamt.md b/windows/deploy/activate-windows-10-clients-vamt.md index 91b743947e..2d77f355dc 100644 --- a/windows/deploy/activate-windows-10-clients-vamt.md +++ b/windows/deploy/activate-windows-10-clients-vamt.md @@ -3,7 +3,7 @@ title: Activate clients running Windows 10 (Windows 10) description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/active-directory-based-activation-overview.md b/windows/deploy/active-directory-based-activation-overview.md index 7f47592aa7..9a64d7572a 100644 --- a/windows/deploy/active-directory-based-activation-overview.md +++ b/windows/deploy/active-directory-based-activation-overview.md @@ -2,11 +2,11 @@ title: Active Directory-Based Activation Overview (Windows 10) description: Active Directory-Based Activation Overview ms.assetid: c1dac3bd-6a86-4c45-83dd-421e63a398c0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Active Directory-Based Activation Overview 
diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md index 13a328ea77..5a3eadbc33 100644 --- a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Add a Windows 10 operating system image using Configuration Manager (Windows 10) description: Operating system images are typically the production image used for deployment throughout the organization. ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b -keywords: ["image, deploy, distribute"] -ms.prod: W10 +keywords: image, deploy, distribute +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 8e72718b82..de701986b4 100644 --- a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10) description: In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c -keywords: ["deploy, task sequence"] -ms.prod: W10 +keywords: deploy, task sequence +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus 
diff --git a/windows/deploy/add-manage-products-vamt.md b/windows/deploy/add-manage-products-vamt.md index 6bbbfaf218..88d5145472 100644 --- a/windows/deploy/add-manage-products-vamt.md +++ b/windows/deploy/add-manage-products-vamt.md @@ -2,7 +2,7 @@ title: Add and Manage Products (Windows 10) description: Add and Manage Products ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/add-remove-computers-vamt.md b/windows/deploy/add-remove-computers-vamt.md index eae34332f2..2ad22c3d7f 100644 --- a/windows/deploy/add-remove-computers-vamt.md +++ b/windows/deploy/add-remove-computers-vamt.md @@ -2,7 +2,7 @@ title: Add and Remove Computers (Windows 10) description: Add and Remove Computers ms.assetid: cb6f3a78-ece0-4dc7-b086-cb003d82cd52 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS diff --git a/windows/deploy/add-remove-product-key-vamt.md b/windows/deploy/add-remove-product-key-vamt.md index 5776806c20..d659ae2507 100644 --- a/windows/deploy/add-remove-product-key-vamt.md +++ b/windows/deploy/add-remove-product-key-vamt.md @@ -2,7 +2,7 @@ title: Add and Remove a Product Key (Windows 10) description: Add and Remove a Product Key ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md index 8a21466ddb..39133a9d8c 100644 --- a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md 
@@ -3,7 +3,7 @@ title: Appendix Information sent to Microsoft during activation (Windows 10) ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md index dab995bb1e..1319888616 100644 --- a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md +++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md @@ -3,7 +3,7 @@ title: Assign applications using roles in MDT (Windows 10) description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 keywords: settings, database, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md index 32a354ad0e..f015c71c1f 100644 --- a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md @@ -3,7 +3,7 @@ title: Build a distributed environment for Windows 10 deployment (Windows 10) description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c keywords: replication, replicate, deploy, configure, remote -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index 3ca65edd17..00404f4def 100644 
--- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md @@ -2,10 +2,10 @@ title: Change history for Deploy Windows 10 (Windows 10) description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Change history for Deploy Windows 10 diff --git a/windows/deploy/configure-client-computers-vamt.md b/windows/deploy/configure-client-computers-vamt.md index b3618bac74..704c8d01f9 100644 --- a/windows/deploy/configure-client-computers-vamt.md +++ b/windows/deploy/configure-client-computers-vamt.md @@ -2,7 +2,7 @@ title: Configure Client Computers (Windows 10) description: Configure Client Computers ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md index 590f112414..a94bee6b7b 100644 --- a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md +++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md @@ -3,7 +3,7 @@ title: Configure MDT for UserExit scripts (Windows 10) description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 keywords: rules, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deploy/configure-mdt-2013-settings.md index af41a8a1bb..ba84efd5c1 100644 --- a/windows/deploy/configure-mdt-2013-settings.md +++ b/windows/deploy/configure-mdt-2013-settings.md 
@@ -3,7 +3,7 @@ title: Configure MDT settings (Windows 10) description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 keywords: customize, customization, deploy, features, tools -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md index 908f92144b..5eeadbbfd6 100644 --- a/windows/deploy/configure-mdt-deployment-share-rules.md +++ b/windows/deploy/configure-mdt-deployment-share-rules.md @@ -3,7 +3,7 @@ title: Configure MDT deployment share rules (Windows 10) description: In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b keywords: rules, configuration, automate, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 049c3e93c2..a5cbfb7886 100644 --- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md 
@@ -2,8 +2,8 @@ title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) description: In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 -keywords: ["tool, customize, deploy, boot image"] -ms.prod: W10 +keywords: tool, customize, deploy, boot image +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md index 03c856a7dc..0838ebde59 100644 --- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -2,9 +2,10 @@ title: Create a task sequence with Configuration Manager and MDT (Windows 10) description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98 -keywords: ["deploy, upgrade, task sequence, install"] -ms.prod: W10 +keywords: deploy, upgrade, task sequence, install +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: mdt ms.sitesec: library author: mtniehaus --- diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deploy/create-a-windows-10-reference-image.md index f81f4eac9a..50ec7f2fcf 100644 --- a/windows/deploy/create-a-windows-10-reference-image.md +++ b/windows/deploy/create-a-windows-10-reference-image.md 
@@ -3,7 +3,7 @@ title: Create a Windows 10 reference image (Windows 10) description: Creating a reference image is important because that image serves as the foundation for the devices in your organization. ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa keywords: deploy, deployment, configure, customize, install, installation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index c47ac7bc38..5dbd28f0c8 100644 --- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Create an application to deploy with Windows 10 using Configuration Manager (Windows 10) description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c -keywords: ["deployment, task sequence, custom, customize"] -ms.prod: W10 +keywords: deployment, task sequence, custom, customize +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deploy/deploy-a-windows-10-image-using-mdt.md index 23176dbd84..7f92cbc0d8 100644 --- a/windows/deploy/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deploy/deploy-a-windows-10-image-using-mdt.md 
@@ -2,8 +2,8 @@ title: Deploy a Windows 10 image using MDT 2013 Update 2 (Windows 10) description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c -keywords: [eployment, automate, tools, configure -ms.prod: W10 +keywords: deployment, automate, tools, configure +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md index 0cdf8e0509..2bc874cf8b 100644 --- a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -2,8 +2,8 @@ title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) description: In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa -keywords: ["deployment, image, UEFI, task sequence"] -ms.prod: W10 +keywords: deployment, image, UEFI, task sequence +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index 32ee03ca6c..e3e558c24b 100644 --- a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md 
@@ -2,8 +2,8 @@ title: Deploy Windows 10 with System Center 2012 R2 Configuration Manager (Windows 10) description: If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 -keywords: ["deployment, custom, boot"] -ms.prod: W10 +keywords: deployment, custom, boot +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index 765f29c16d..93028930c5 100644 --- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -3,7 +3,7 @@ title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10) description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb keywords: deploy, tools, configure, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-to-go.md b/windows/deploy/deploy-windows-to-go.md index 609ae81687..b4e13c5b8c 100644 --- a/windows/deploy/deploy-windows-to-go.md +++ b/windows/deploy/deploy-windows-to-go.md @@ -2,10 +2,11 @@ title: Deploy Windows To Go in your organization (Windows 10) description: This topic helps you to deploy Windows To Go in your organization. ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f -keywords: ["deployment, USB, device, BitLocker, workspace, security, data"] -ms.prod: W10 +keywords: deployment, USB, device, BitLocker, workspace, security, data +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: mobility author: mtniehaus --- 
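Review bot: the new `ms.pagetype: mobility` line in deploy-windows-to-go.md is added after `ms.sitesec`, but the `ms.pagetype: mdt` line added to create-a-task-sequence-with-configuration-manager-and-mdt.md earlier in this patch is inserted before `ms.sitesec`. Most of the untouched front matter shown in the context lines (for example `ms.sitesec: library` followed by `ms.pagetype: activation`) puts it after `ms.sitesec`, so move the `mdt` line there to keep the key order uniform. The other Configuration Manager topics touched in this patch get no `ms.pagetype` at all; if only this one is meant to be tagged `mdt`, a short explanation in the commit message would help.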
diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 67136031be..2ed9de7378 100644 --- a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Finalize the operating system configuration for Windows 10 deployment with Configuration Manager (Windows 10) description: This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence. ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e -keywords: ["configure, deploy, upgrade"] -ms.prod: W10 +keywords: configure, deploy, upgrade +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md index 57d9153cb2..85ad95c548 100644 --- a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md 
@@ -3,7 +3,7 @@ title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee keywords: deploy, image, feature, install, tools -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/getting-started-with-the-user-state-migration-tool.md b/windows/deploy/getting-started-with-the-user-state-migration-tool.md index d83c01ec2d..8dae688326 100644 --- a/windows/deploy/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deploy/getting-started-with-the-user-state-migration-tool.md @@ -2,10 +2,10 @@ title: Getting Started with the User State Migration Tool (USMT) (Windows 10) description: Getting Started with the User State Migration Tool (USMT) ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Getting Started with the User State Migration Tool (USMT) diff --git a/windows/deploy/import-export-vamt-data.md b/windows/deploy/import-export-vamt-data.md index aff3d6376f..d33f27e139 100644 --- a/windows/deploy/import-export-vamt-data.md +++ b/windows/deploy/import-export-vamt-data.md @@ -2,7 +2,7 @@ title: Import and Export VAMT Data (Windows 10) description: Import and Export VAMT Data ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/index.md b/windows/deploy/index.md index a3b28ded45..0e5d1a0f8b 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md 
@@ -2,10 +2,10 @@ title: Deploy Windows 10 (Windows 10) description: Learn about deploying Windows 10 for IT professionals. ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Deploy Windows 10 diff --git a/windows/deploy/install-configure-vamt.md b/windows/deploy/install-configure-vamt.md index a660854f6f..49b3f8ec44 100644 --- a/windows/deploy/install-configure-vamt.md +++ b/windows/deploy/install-configure-vamt.md @@ -2,7 +2,7 @@ title: Install and Configure VAMT (Windows 10) description: Install and Configure VAMT ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-kms-client-key-vamt.md b/windows/deploy/install-kms-client-key-vamt.md index f1e5cd2769..9605053d6a 100644 --- a/windows/deploy/install-kms-client-key-vamt.md +++ b/windows/deploy/install-kms-client-key-vamt.md @@ -2,7 +2,7 @@ title: Install a KMS Client Key (Windows 10) description: Install a KMS Client Key ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-product-key-vamt.md b/windows/deploy/install-product-key-vamt.md index a3f4a3760e..71817b7b80 100644 --- a/windows/deploy/install-product-key-vamt.md +++ b/windows/deploy/install-product-key-vamt.md @@ -2,7 +2,7 @@ title: Install a Product Key (Windows 10) description: Install a Product Key ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-vamt.md b/windows/deploy/install-vamt.md index 02275fb993..07a9a72b5b 100644 --- a/windows/deploy/install-vamt.md +++ b/windows/deploy/install-vamt.md 
@@ -2,7 +2,7 @@ title: Install VAMT (Windows 10) description: Install VAMT ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md index 1ad2dbc2bd..4a30f0f74c 100644 --- a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md +++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md @@ -4,7 +4,7 @@ description: This topic will help you understand the benefits of integrating the ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5 ms.pagetype: mdt keywords: deploy, image, customize, task sequence -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/introduction-vamt.md b/windows/deploy/introduction-vamt.md index ee0060ad4e..3d51c0dd02 100644 --- a/windows/deploy/introduction-vamt.md +++ b/windows/deploy/introduction-vamt.md @@ -2,7 +2,7 @@ title: Introduction to VAMT (Windows 10) description: Introduction to VAMT ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deploy/key-features-in-mdt-2013.md index 7982bb6d03..03f562ac8e 100644 --- a/windows/deploy/key-features-in-mdt-2013.md +++ b/windows/deploy/key-features-in-mdt-2013.md @@ -3,7 +3,7 @@ title: Key features in MDT 2013 Update 2 (Windows 10) description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 keywords: deploy, feature, tools, upgrade, migrate, provisioning -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt 
diff --git a/windows/deploy/kms-activation-vamt.md b/windows/deploy/kms-activation-vamt.md index 4cd554a80b..beed3fb86f 100644 --- a/windows/deploy/kms-activation-vamt.md +++ b/windows/deploy/kms-activation-vamt.md @@ -2,7 +2,7 @@ title: Perform KMS Activation (Windows 10) description: Perform KMS Activation ms.assetid: 5a3ae8e6-083e-4153-837e-ab0a225c1d10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/local-reactivation-vamt.md b/windows/deploy/local-reactivation-vamt.md index 2cd36eb80b..72b132e799 100644 --- a/windows/deploy/local-reactivation-vamt.md +++ b/windows/deploy/local-reactivation-vamt.md @@ -2,7 +2,7 @@ title: Perform Local Reactivation (Windows 10) description: Perform Local Reactivation ms.assetid: aacd5ded-da11-4d27-a866-3f57332f5dec -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-activations-vamt.md b/windows/deploy/manage-activations-vamt.md index 1f15048dea..effac81fd1 100644 --- a/windows/deploy/manage-activations-vamt.md +++ b/windows/deploy/manage-activations-vamt.md @@ -2,7 +2,7 @@ title: Manage Activations (Windows 10) description: Manage Activations ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-product-keys-vamt.md b/windows/deploy/manage-product-keys-vamt.md index fffe5de77e..a495718fe7 100644 --- a/windows/deploy/manage-product-keys-vamt.md +++ b/windows/deploy/manage-product-keys-vamt.md @@ -2,7 +2,7 @@ title: Manage Product Keys (Windows 10) description: Manage Product Keys ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-vamt-data.md b/windows/deploy/manage-vamt-data.md index adbd4c4ec6..00bbd3982f 100644 
--- a/windows/deploy/manage-vamt-data.md +++ b/windows/deploy/manage-vamt-data.md @@ -2,7 +2,7 @@ title: Manage VAMT Data (Windows 10) description: Manage VAMT Data ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md index 6766bdc104..48f1a250ad 100644 --- a/windows/deploy/mdt-2013-lite-touch-components.md +++ b/windows/deploy/mdt-2013-lite-touch-components.md @@ -3,7 +3,7 @@ title: MDT 2013 Update 2 Lite Touch components (Windows 10) description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 keywords: deploy, install, deployment, boot, log, monitor -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/migrate-application-settings.md b/windows/deploy/migrate-application-settings.md index af79e440f7..6a8ffdc612 100644 --- a/windows/deploy/migrate-application-settings.md +++ b/windows/deploy/migrate-application-settings.md @@ -2,10 +2,10 @@ title: Migrate Application Settings (Windows 10) description: Migrate Application Settings ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate Application Settings diff --git a/windows/deploy/migration-store-types-overview.md b/windows/deploy/migration-store-types-overview.md index cf0c52812e..9ee233402b 100644 --- a/windows/deploy/migration-store-types-overview.md +++ b/windows/deploy/migration-store-types-overview.md 
@@ -2,10 +2,10 @@ title: Migration Store Types Overview (Windows 10) description: Migration Store Types Overview ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migration Store Types Overview diff --git a/windows/deploy/monitor-activation-client.md b/windows/deploy/monitor-activation-client.md index 5a3050cb0b..26c8257cc3 100644 --- a/windows/deploy/monitor-activation-client.md +++ b/windows/deploy/monitor-activation-client.md @@ -3,11 +3,11 @@ title: Monitor activation (Windows 10) ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Monitor activation diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md index 7802d20b05..12aae5a28c 100644 --- a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Monitor the Windows 10 deployment with Configuration Manager (Windows 10) description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce -keywords: ["deploy, upgrade"] -ms.prod: W10 +keywords: deploy, upgrade +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/offline-migration-reference.md b/windows/deploy/offline-migration-reference.md index 6ad60f1704..f54d3b4c7b 100644 --- a/windows/deploy/offline-migration-reference.md 
+++ b/windows/deploy/offline-migration-reference.md @@ -2,10 +2,10 @@ title: Offline Migration Reference (Windows 10) description: Offline Migration Reference ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Offline Migration Reference diff --git a/windows/deploy/online-activation-vamt.md b/windows/deploy/online-activation-vamt.md index 5f537d3e20..65311aa3e8 100644 --- a/windows/deploy/online-activation-vamt.md +++ b/windows/deploy/online-activation-vamt.md @@ -2,7 +2,7 @@ title: Perform Online Activation (Windows 10) description: Perform Online Activation ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/plan-for-volume-activation-client.md b/windows/deploy/plan-for-volume-activation-client.md index 3247677c72..d5ed360f3e 100644 --- a/windows/deploy/plan-for-volume-activation-client.md +++ b/windows/deploy/plan-for-volume-activation-client.md @@ -3,7 +3,7 @@ title: Plan for volume activation (Windows 10) description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md index a7b98b2ab3..8f2bbad1b9 100644 --- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md +++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md 
@@ -3,7 +3,7 @@ title: Prepare for deployment with MDT 2013 Update 2 (Windows 10) description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 keywords: deploy, system requirements -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index d9735f4ee1..88a8cac968 100644 --- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10) description: This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08 -keywords: ["install, configure, deploy, deployment"] -ms.prod: W10 +keywords: install, configure, deploy, deployment +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/proxy-activation-vamt.md b/windows/deploy/proxy-activation-vamt.md index c848bcd8ab..ab273007b8 100644 --- a/windows/deploy/proxy-activation-vamt.md +++ b/windows/deploy/proxy-activation-vamt.md 
@@ -2,7 +2,7 @@ title: Perform Proxy Activation (Windows 10) description: Perform Proxy Activation ms.assetid: 35a919ed-f1cc-4d10-9c88-9bd634549dc3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 7d5143cf31..68b0a74563 100644 --- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 -keywords: ["upgrade, install, installation, computer refresh"] -ms.prod: W10 +keywords: upgrade, install, installation, computer refresh +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md index 70dadf1711..f6ea4a2125 100644 --- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md 
@@ -3,7 +3,7 @@ title: Refresh a Windows 7 computer with Windows 10 (Windows 10) description: This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f keywords: reinstallation, customize, template, script, restore -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/remove-products-vamt.md b/windows/deploy/remove-products-vamt.md index 8dca272b68..da875ea27e 100644 --- a/windows/deploy/remove-products-vamt.md +++ b/windows/deploy/remove-products-vamt.md @@ -2,7 +2,7 @@ title: Remove Products (Windows 10) description: Remove Products ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 44bc003fca..b9f521531f 100644 --- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 -keywords: ["upgrade, install, installation, replace computer, setup"] -ms.prod: W10 +keywords: upgrade, install, installation, replace computer, setup +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus 
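Review bot: the `description:` context line in replace-a-windows-7-client-with-windows-10-using-configuration-manager.md still reads "you will learn how to replacing a Windows 7 SP1 computer"; since this hunk already edits the same front matter, change it to "how to replace". The description in prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md has the same kind of slip ("needed to deploying Windows 10") and could be fixed in the same pass.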
diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md index bc78de5970..a862edf501 100644 --- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -3,7 +3,7 @@ title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) description: A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a keywords: deploy, deployment, replace -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/scenario-kms-activation-vamt.md b/windows/deploy/scenario-kms-activation-vamt.md index a43796b90b..385af084f9 100644 --- a/windows/deploy/scenario-kms-activation-vamt.md +++ b/windows/deploy/scenario-kms-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 3 KMS Client Activation (Windows 10) description: Scenario 3 KMS Client Activation ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/scenario-online-activation-vamt.md b/windows/deploy/scenario-online-activation-vamt.md index 69d308ee9c..41dda833ac 100644 --- a/windows/deploy/scenario-online-activation-vamt.md +++ b/windows/deploy/scenario-online-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 1 Online Activation (Windows 10) description: Scenario 1 Online Activation ms.assetid: 94dba40e-383a-41e4-b74b-9e884facdfd3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation 
diff --git a/windows/deploy/scenario-proxy-activation-vamt.md b/windows/deploy/scenario-proxy-activation-vamt.md index 8666ae35c6..2e475d02b4 100644 --- a/windows/deploy/scenario-proxy-activation-vamt.md +++ b/windows/deploy/scenario-proxy-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 2 Proxy Activation (Windows 10) description: Scenario 2 Proxy Activation ms.assetid: ed5a8a56-d9aa-4895-918f-dd1898cb2c1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md index 5af8715c60..7a76f8cdf7 100644 --- a/windows/deploy/set-up-mdt-2013-for-bitlocker.md +++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md @@ -3,7 +3,7 @@ title: Set up MDT for BitLocker (Windows 10) ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 description: keywords: disk, encryption, TPM, configure, secure, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/sideload-apps-in-windows-10.md b/windows/deploy/sideload-apps-in-windows-10.md index 63f3fe6fef..9af7d4e4bc 100644 --- a/windows/deploy/sideload-apps-in-windows-10.md +++ b/windows/deploy/sideload-apps-in-windows-10.md @@ -2,10 +2,10 @@ title: Sideload LOB apps in Windows 10 (Windows 10) description: Sideload line-of-business apps in Windows 10. ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Sideload LOB apps in Windows 10 diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md index a8391582fa..a6c8789efb 100644 --- a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md 
@@ -3,7 +3,7 @@ title: Simulate a Windows 10 deployment in a test environment (Windows 10) description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c keywords: deploy, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/understanding-migration-xml-files.md b/windows/deploy/understanding-migration-xml-files.md index 528c77f8d3..c03bc14e24 100644 --- a/windows/deploy/understanding-migration-xml-files.md +++ b/windows/deploy/understanding-migration-xml-files.md @@ -2,10 +2,10 @@ title: Understanding Migration XML Files (Windows 10) description: Understanding Migration XML Files ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Understanding Migration XML Files diff --git a/windows/deploy/update-product-status-vamt.md b/windows/deploy/update-product-status-vamt.md index deca904c0c..0e7af45fec 100644 --- a/windows/deploy/update-product-status-vamt.md +++ b/windows/deploy/update-product-status-vamt.md @@ -2,7 +2,7 @@ title: Update Product Status (Windows 10) description: Update Product Status ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/update-windows-10-images-with-provisioning-packages.md b/windows/deploy/update-windows-10-images-with-provisioning-packages.md index 4a553d8b90..e9415d414b 100644 --- a/windows/deploy/update-windows-10-images-with-provisioning-packages.md +++ b/windows/deploy/update-windows-10-images-with-provisioning-packages.md 
@@ -2,8 +2,8 @@ title: Update Windows 10 images with provisioning packages (Windows 10) description: Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. ms.assetid: 3CA345D2-B60A-4860-A3BF-174713C3D3A6 -keywords: ["provisioning", "bulk deployment", "image"] -ms.prod: W10 +keywords: provisioning, bulk deployment, image +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 030ab711f2..0f66363610 100644 --- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -2,8 +2,8 @@ title: Upgrade to Windows 10 with System Center Configuration Manager (Windows 10) description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 -keywords: ["upgrade, update, task sequence, deploy"] -ms.prod: W10 +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 ms.mktglfcycl: deploy author: mtniehaus --- diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 35b90474ab..18dfaf7fdf 100644 --- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md 
@@ -3,7 +3,7 @@ title: Upgrade to Windows 10 with the Microsoft Deployment Toolkit (Windows 10) description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 keywords: upgrade, update, task sequence, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md index 229fb16df0..64e70ced04 100644 --- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md +++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md @@ -3,7 +3,7 @@ title: Use Orchestrator runbooks with MDT (Windows 10) description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f keywords: web services, database -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md index 14749270e7..32208d3e25 100644 --- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -4,7 +4,7 @@ description: This topic is designed to teach you how to use the MDT database to ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46 ms.pagetype: mdt keywords: database, permissions, settings, configure, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus 
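Review bot: in the set-up-mdt-2013-for-bitlocker.md hunk the `description:` key in the context lines is empty, so the BitLocker topic carries no summary in its metadata. Since the front matter is being edited anyway, fill it with a one-line statement of what the topic configures; the keywords line (disk, encryption, TPM, configure, secure, script) already indicates the scope.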
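Review bot: in the upgrade-to-windows-10-with-system-center-configuraton-manager.md hunk the front matter goes from `ms.mktglfcycl: deploy` straight to `author: mtniehaus` and the closing `---`, with no `ms.sitesec: library` line, although the other hunks around it all carry one. Add it here unless the omission is deliberate. The file name also spells "configuraton"; that is worth tracking separately, because a rename touches every link to the topic.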
diff --git a/windows/deploy/use-the-volume-activation-management-tool-client.md b/windows/deploy/use-the-volume-activation-management-tool-client.md index 4303bd18a1..1e4f5c32b2 100644 --- a/windows/deploy/use-the-volume-activation-management-tool-client.md +++ b/windows/deploy/use-the-volume-activation-management-tool-client.md @@ -3,7 +3,7 @@ title: Use the Volume Activation Management Tool (Windows 10) description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/use-vamt-in-windows-powershell.md b/windows/deploy/use-vamt-in-windows-powershell.md index 1247d95759..01de72d0a6 100644 --- a/windows/deploy/use-vamt-in-windows-powershell.md +++ b/windows/deploy/use-vamt-in-windows-powershell.md @@ -2,7 +2,7 @@ title: Use VAMT in Windows PowerShell (Windows 10) description: Use VAMT in Windows PowerShell ms.assetid: 13e0ceec-d827-4681-a5c3-8704349e3ba9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md index 6fbe628335..1d8755df14 100644 --- a/windows/deploy/use-web-services-in-mdt-2013.md +++ b/windows/deploy/use-web-services-in-mdt-2013.md @@ -3,7 +3,7 @@ title: Use web services in MDT (Windows 10) description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522 keywords: deploy, web apps -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: mdt ms.sitesec: library 
diff --git a/windows/deploy/usmt-best-practices.md b/windows/deploy/usmt-best-practices.md index b8772fe9f4..8da6b08353 100644 --- a/windows/deploy/usmt-best-practices.md +++ b/windows/deploy/usmt-best-practices.md @@ -2,10 +2,10 @@ title: USMT Best Practices (Windows 10) description: USMT Best Practices ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Best Practices diff --git a/windows/deploy/usmt-choose-migration-store-type.md b/windows/deploy/usmt-choose-migration-store-type.md index 3e3f520ceb..5938b48748 100644 --- a/windows/deploy/usmt-choose-migration-store-type.md +++ b/windows/deploy/usmt-choose-migration-store-type.md @@ -2,10 +2,10 @@ title: Choose a Migration Store Type (Windows 10) description: Choose a Migration Store Type ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Choose a Migration Store Type diff --git a/windows/deploy/usmt-command-line-syntax.md b/windows/deploy/usmt-command-line-syntax.md index 8e62c88e30..22cf9c33aa 100644 --- a/windows/deploy/usmt-command-line-syntax.md +++ b/windows/deploy/usmt-command-line-syntax.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) description: User State Migration Tool (USMT) Command-line Syntax ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Command-line Syntax diff --git a/windows/deploy/usmt-common-issues.md b/windows/deploy/usmt-common-issues.md index d1865b8873..88980d6d7b 100644 --- a/windows/deploy/usmt-common-issues.md +++ b/windows/deploy/usmt-common-issues.md 
@@ -2,10 +2,10 @@ title: Common Issues (Windows 10) description: Common Issues ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Common Issues diff --git a/windows/deploy/usmt-common-migration-scenarios.md b/windows/deploy/usmt-common-migration-scenarios.md index dd61667933..9262ef9b0f 100644 --- a/windows/deploy/usmt-common-migration-scenarios.md +++ b/windows/deploy/usmt-common-migration-scenarios.md @@ -2,10 +2,10 @@ title: Common Migration Scenarios (Windows 10) description: Common Migration Scenarios ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Common Migration Scenarios diff --git a/windows/deploy/usmt-configxml-file.md b/windows/deploy/usmt-configxml-file.md index dea99cd9e0..4484c03e2d 100644 --- a/windows/deploy/usmt-configxml-file.md +++ b/windows/deploy/usmt-configxml-file.md @@ -2,10 +2,10 @@ title: Config.xml File (Windows 10) description: Config.xml File ms.assetid: 9dc98e76-5155-4641-bcb3-81915db538e8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Config.xml File diff --git a/windows/deploy/usmt-conflicts-and-precedence.md b/windows/deploy/usmt-conflicts-and-precedence.md index 9de02f7dca..3b570d51e5 100644 --- a/windows/deploy/usmt-conflicts-and-precedence.md +++ b/windows/deploy/usmt-conflicts-and-precedence.md @@ -2,10 +2,10 @@ title: Conflicts and Precedence (Windows 10) description: Conflicts and Precedence ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Conflicts and Precedence diff --git a/windows/deploy/usmt-custom-xml-examples.md b/windows/deploy/usmt-custom-xml-examples.md index c1fa2bd582..4d60c4903c 100644 
--- a/windows/deploy/usmt-custom-xml-examples.md +++ b/windows/deploy/usmt-custom-xml-examples.md @@ -2,10 +2,10 @@ title: Custom XML Examples (Windows 10) description: Custom XML Examples ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Custom XML Examples diff --git a/windows/deploy/usmt-customize-xml-files.md b/windows/deploy/usmt-customize-xml-files.md index 94619ce485..30930f05ad 100644 --- a/windows/deploy/usmt-customize-xml-files.md +++ b/windows/deploy/usmt-customize-xml-files.md @@ -2,10 +2,10 @@ title: Customize USMT XML Files (Windows 10) description: Customize USMT XML Files ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Customize USMT XML Files diff --git a/windows/deploy/usmt-determine-what-to-migrate.md b/windows/deploy/usmt-determine-what-to-migrate.md index 24c81b0742..27ad2ea86d 100644 --- a/windows/deploy/usmt-determine-what-to-migrate.md +++ b/windows/deploy/usmt-determine-what-to-migrate.md @@ -2,10 +2,10 @@ title: Determine What to Migrate (Windows 10) description: Determine What to Migrate ms.assetid: 01ae1d13-c3eb-4618-b39d-ee5d18d55761 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Determine What to Migrate diff --git a/windows/deploy/usmt-estimate-migration-store-size.md b/windows/deploy/usmt-estimate-migration-store-size.md index 1dbd440416..a331a99c09 100644 --- a/windows/deploy/usmt-estimate-migration-store-size.md +++ b/windows/deploy/usmt-estimate-migration-store-size.md 
@@ -2,10 +2,10 @@ title: Estimate Migration Store Size (Windows 10) description: Estimate Migration Store Size ms.assetid: cfb9062b-7a2a-467a-a24e-0b31ce830093 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Estimate Migration Store Size diff --git a/windows/deploy/usmt-exclude-files-and-settings.md b/windows/deploy/usmt-exclude-files-and-settings.md index 99918b8c5c..e856679334 100644 --- a/windows/deploy/usmt-exclude-files-and-settings.md +++ b/windows/deploy/usmt-exclude-files-and-settings.md @@ -2,10 +2,10 @@ title: Exclude Files and Settings (Windows 10) description: Exclude Files and Settings ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Exclude Files and Settings diff --git a/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md index 8bd8e87680..c679d58b27 100644 --- a/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md @@ -2,10 +2,10 @@ title: Extract Files from a Compressed USMT Migration Store (Windows 10) description: Extract Files from a Compressed USMT Migration Store ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Extract Files from a Compressed USMT Migration Store diff --git a/windows/deploy/usmt-faq.md b/windows/deploy/usmt-faq.md index e69272bc26..715340a82d 100644 --- a/windows/deploy/usmt-faq.md +++ b/windows/deploy/usmt-faq.md 
@@ -2,10 +2,10 @@ title: Frequently Asked Questions (Windows 10) description: Frequently Asked Questions ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Frequently Asked Questions diff --git a/windows/deploy/usmt-general-conventions.md b/windows/deploy/usmt-general-conventions.md index ab6c9ad6b3..020557c402 100644 --- a/windows/deploy/usmt-general-conventions.md +++ b/windows/deploy/usmt-general-conventions.md @@ -2,10 +2,10 @@ title: General Conventions (Windows 10) description: General Conventions ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # General Conventions diff --git a/windows/deploy/usmt-hard-link-migration-store.md b/windows/deploy/usmt-hard-link-migration-store.md index afddeaf45d..e65487a0bd 100644 --- a/windows/deploy/usmt-hard-link-migration-store.md +++ b/windows/deploy/usmt-hard-link-migration-store.md @@ -2,10 +2,10 @@ title: Hard-Link Migration Store (Windows 10) description: Hard-Link Migration Store ms.assetid: b0598418-4607-4952-bfa3-b6e4aaa2c574 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Hard-Link Migration Store diff --git a/windows/deploy/usmt-how-it-works.md b/windows/deploy/usmt-how-it-works.md index 8e6b12231e..0c274924a6 100644 --- a/windows/deploy/usmt-how-it-works.md +++ b/windows/deploy/usmt-how-it-works.md @@ -2,10 +2,10 @@ title: How USMT Works (Windows 10) description: How USMT Works ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # How USMT Works diff --git a/windows/deploy/usmt-how-to.md b/windows/deploy/usmt-how-to.md index 4baa318509..1a22d71262 100644 --- a/windows/deploy/usmt-how-to.md +++ b/windows/deploy/usmt-how-to.md 
@@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) How-to topics (Windows 10) description: User State Migration Tool (USMT) How-to topics ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) How-to topics diff --git a/windows/deploy/usmt-identify-application-settings.md b/windows/deploy/usmt-identify-application-settings.md index ca14712f31..5fa216f2b3 100644 --- a/windows/deploy/usmt-identify-application-settings.md +++ b/windows/deploy/usmt-identify-application-settings.md @@ -2,10 +2,10 @@ title: Identify Applications Settings (Windows 10) description: Identify Applications Settings ms.assetid: eda68031-9b02-4a5b-a893-3786a6505381 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Applications Settings diff --git a/windows/deploy/usmt-identify-file-types-files-and-folders.md b/windows/deploy/usmt-identify-file-types-files-and-folders.md index 3ab8ded02b..49766ca745 100644 --- a/windows/deploy/usmt-identify-file-types-files-and-folders.md +++ b/windows/deploy/usmt-identify-file-types-files-and-folders.md @@ -2,10 +2,10 @@ title: Identify File Types, Files, and Folders (Windows 10) description: Identify File Types, Files, and Folders ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify File Types, Files, and Folders diff --git a/windows/deploy/usmt-identify-operating-system-settings.md b/windows/deploy/usmt-identify-operating-system-settings.md index 232fabdc33..27fd8c0c25 100644 --- a/windows/deploy/usmt-identify-operating-system-settings.md +++ b/windows/deploy/usmt-identify-operating-system-settings.md 
@@ -2,10 +2,10 @@ title: Identify Operating System Settings (Windows 10) description: Identify Operating System Settings ms.assetid: 1704ab18-1765-41fb-a27c-3aa3128fa242 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Operating System Settings diff --git a/windows/deploy/usmt-identify-users.md b/windows/deploy/usmt-identify-users.md index 1f23cb942d..6d081727c3 100644 --- a/windows/deploy/usmt-identify-users.md +++ b/windows/deploy/usmt-identify-users.md @@ -2,10 +2,10 @@ title: Identify Users (Windows 10) description: Identify Users ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Users diff --git a/windows/deploy/usmt-include-files-and-settings.md b/windows/deploy/usmt-include-files-and-settings.md index 6142749d13..411525684e 100644 --- a/windows/deploy/usmt-include-files-and-settings.md +++ b/windows/deploy/usmt-include-files-and-settings.md @@ -2,10 +2,10 @@ title: Include Files and Settings (Windows 10) description: Include Files and Settings ms.assetid: 9009c6a5-0612-4478-8742-abe5eb6cbac8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Include Files and Settings diff --git a/windows/deploy/usmt-loadstate-syntax.md b/windows/deploy/usmt-loadstate-syntax.md index a82a0b4357..36c3dfb311 100644 --- a/windows/deploy/usmt-loadstate-syntax.md +++ b/windows/deploy/usmt-loadstate-syntax.md @@ -2,10 +2,10 @@ title: LoadState Syntax (Windows 10) description: LoadState Syntax ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # LoadState Syntax diff --git a/windows/deploy/usmt-log-files.md b/windows/deploy/usmt-log-files.md index 89fc388cf9..9796591745 100644 --- a/windows/deploy/usmt-log-files.md 
+++ b/windows/deploy/usmt-log-files.md @@ -2,10 +2,10 @@ title: Log Files (Windows 10) description: Log Files ms.assetid: 28185ebd-630a-4bbd-94f4-8c48aad05649 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Log Files diff --git a/windows/deploy/usmt-migrate-efs-files-and-certificates.md b/windows/deploy/usmt-migrate-efs-files-and-certificates.md index 43a57ddc5d..d4e2db536f 100644 --- a/windows/deploy/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deploy/usmt-migrate-efs-files-and-certificates.md @@ -2,10 +2,10 @@ title: Migrate EFS Files and Certificates (Windows 10) description: Migrate EFS Files and Certificates ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate EFS Files and Certificates diff --git a/windows/deploy/usmt-migrate-user-accounts.md b/windows/deploy/usmt-migrate-user-accounts.md index 25c9490cbc..6c87c9b043 100644 --- a/windows/deploy/usmt-migrate-user-accounts.md +++ b/windows/deploy/usmt-migrate-user-accounts.md @@ -2,10 +2,10 @@ title: Migrate User Accounts (Windows 10) description: Migrate User Accounts ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate User Accounts diff --git a/windows/deploy/usmt-migration-store-encryption.md b/windows/deploy/usmt-migration-store-encryption.md index bb6343401f..1e8ea1a8e0 100644 --- a/windows/deploy/usmt-migration-store-encryption.md +++ b/windows/deploy/usmt-migration-store-encryption.md @@ -2,10 +2,10 @@ title: Migration Store Encryption (Windows 10) description: Migration Store Encryption ms.assetid: b28c2657-b986-4487-bd38-cb81500b831d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migration Store Encryption 
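Review bot: in the usmt-migration-store-encryption.md hunk the description context line only repeats the title ("Migration Store Encryption"), and the usmt-log-files.md and usmt-migrate-efs-files-and-certificates.md hunks before it do the same. A description that says what the topic covers would make the metadata useful; this is a good moment to add one, since the ms.prod and author lines of the same block are already being changed.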
diff --git a/windows/deploy/usmt-overview.md b/windows/deploy/usmt-overview.md index f3d7f0b860..928044a3cf 100644 --- a/windows/deploy/usmt-overview.md +++ b/windows/deploy/usmt-overview.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Overview (Windows 10) description: User State Migration Tool (USMT) Overview ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Overview diff --git a/windows/deploy/usmt-plan-your-migration.md b/windows/deploy/usmt-plan-your-migration.md index eaed479359..2b6ce76d7f 100644 --- a/windows/deploy/usmt-plan-your-migration.md +++ b/windows/deploy/usmt-plan-your-migration.md @@ -2,10 +2,10 @@ title: Plan Your Migration (Windows 10) description: Plan Your Migration ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Plan Your Migration diff --git a/windows/deploy/usmt-recognized-environment-variables.md b/windows/deploy/usmt-recognized-environment-variables.md index 8246122fd9..edebf602f1 100644 --- a/windows/deploy/usmt-recognized-environment-variables.md +++ b/windows/deploy/usmt-recognized-environment-variables.md @@ -2,10 +2,10 @@ title: Recognized Environment Variables (Windows 10) description: Recognized Environment Variables ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Recognized Environment Variables diff --git a/windows/deploy/usmt-reference.md b/windows/deploy/usmt-reference.md index ffe3b71ef8..753146d6b9 100644 --- a/windows/deploy/usmt-reference.md +++ b/windows/deploy/usmt-reference.md 
@@ -2,10 +2,10 @@ title: User State Migration Toolkit (USMT) Reference (Windows 10) description: User State Migration Toolkit (USMT) Reference ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Toolkit (USMT) Reference diff --git a/windows/deploy/usmt-requirements.md b/windows/deploy/usmt-requirements.md index ace2abc84a..c8632b0b4a 100644 --- a/windows/deploy/usmt-requirements.md +++ b/windows/deploy/usmt-requirements.md @@ -2,10 +2,10 @@ title: USMT Requirements (Windows 10) description: USMT Requirements ms.assetid: 2b0cf3a3-9032-433f-9622-1f9df59d6806 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Requirements diff --git a/windows/deploy/usmt-reroute-files-and-settings.md b/windows/deploy/usmt-reroute-files-and-settings.md index a948ee7c8c..99dd2eb09c 100644 --- a/windows/deploy/usmt-reroute-files-and-settings.md +++ b/windows/deploy/usmt-reroute-files-and-settings.md @@ -2,10 +2,10 @@ title: Reroute Files and Settings (Windows 10) description: Reroute Files and Settings ms.assetid: 905e6a24-922c-4549-9732-60fa11862a6c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Reroute Files and Settings diff --git a/windows/deploy/usmt-resources.md b/windows/deploy/usmt-resources.md index 0cb115c915..cc268ff816 100644 --- a/windows/deploy/usmt-resources.md +++ b/windows/deploy/usmt-resources.md @@ -2,10 +2,10 @@ title: USMT Resources (Windows 10) description: USMT Resources ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Resources diff --git a/windows/deploy/usmt-return-codes.md b/windows/deploy/usmt-return-codes.md index 4354a11ca8..365b49b5c7 100644 --- a/windows/deploy/usmt-return-codes.md 
+++ b/windows/deploy/usmt-return-codes.md @@ -2,10 +2,10 @@ title: Return Codes (Windows 10) description: Return Codes ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Return Codes diff --git a/windows/deploy/usmt-scanstate-syntax.md b/windows/deploy/usmt-scanstate-syntax.md index ff2636ee8c..5083385534 100644 --- a/windows/deploy/usmt-scanstate-syntax.md +++ b/windows/deploy/usmt-scanstate-syntax.md @@ -2,10 +2,10 @@ title: ScanState Syntax (Windows 10) description: ScanState Syntax ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # ScanState Syntax diff --git a/windows/deploy/usmt-technical-reference.md b/windows/deploy/usmt-technical-reference.md index 232f27f2fa..5bdf666976 100644 --- a/windows/deploy/usmt-technical-reference.md +++ b/windows/deploy/usmt-technical-reference.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Technical Reference (Windows 10) description: The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Technical Reference diff --git a/windows/deploy/usmt-test-your-migration.md b/windows/deploy/usmt-test-your-migration.md index 05e999a34d..e460f17de8 100644 --- a/windows/deploy/usmt-test-your-migration.md +++ b/windows/deploy/usmt-test-your-migration.md 
@@ -2,10 +2,10 @@ title: Test Your Migration (Windows 10) description: Test Your Migration ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Test Your Migration diff --git a/windows/deploy/usmt-topics.md b/windows/deploy/usmt-topics.md index a58a88b007..4fe5cace86 100644 --- a/windows/deploy/usmt-topics.md +++ b/windows/deploy/usmt-topics.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Overview Topics (Windows 10) description: User State Migration Tool (USMT) Overview Topics ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Overview Topics diff --git a/windows/deploy/usmt-troubleshooting.md b/windows/deploy/usmt-troubleshooting.md index 576f9801c9..33296077f4 100644 --- a/windows/deploy/usmt-troubleshooting.md +++ b/windows/deploy/usmt-troubleshooting.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Troubleshooting (Windows 10) description: User State Migration Tool (USMT) Troubleshooting ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Troubleshooting diff --git a/windows/deploy/usmt-utilities.md b/windows/deploy/usmt-utilities.md index eb9081b082..08df5661f2 100644 --- a/windows/deploy/usmt-utilities.md +++ b/windows/deploy/usmt-utilities.md @@ -2,10 +2,10 @@ title: UsmtUtils Syntax (Windows 10) description: UsmtUtils Syntax ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # UsmtUtils Syntax diff --git a/windows/deploy/usmt-what-does-usmt-migrate.md b/windows/deploy/usmt-what-does-usmt-migrate.md index 83b3851c29..89ba8aa60b 100644 
--- a/windows/deploy/usmt-what-does-usmt-migrate.md +++ b/windows/deploy/usmt-what-does-usmt-migrate.md @@ -2,10 +2,10 @@ title: What Does USMT Migrate (Windows 10) description: What Does USMT Migrate ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # What Does USMT Migrate? diff --git a/windows/deploy/usmt-xml-elements-library.md b/windows/deploy/usmt-xml-elements-library.md index 87ffc8c9c3..f4f412fc2a 100644 --- a/windows/deploy/usmt-xml-elements-library.md +++ b/windows/deploy/usmt-xml-elements-library.md @@ -2,10 +2,10 @@ title: XML Elements Library (Windows 10) description: XML Elements Library ms.assetid: f5af0f6d-c3bf-4a4c-a0ca-9db7985f954f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # XML Elements Library diff --git a/windows/deploy/usmt-xml-reference.md b/windows/deploy/usmt-xml-reference.md index 49d7403f8f..4023b52759 100644 --- a/windows/deploy/usmt-xml-reference.md +++ b/windows/deploy/usmt-xml-reference.md @@ -2,10 +2,10 @@ title: USMT XML Reference (Windows 10) description: USMT XML Reference ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT XML Reference diff --git a/windows/deploy/vamt-known-issues.md b/windows/deploy/vamt-known-issues.md index 1e014a3e46..4aa2185e8f 100644 --- a/windows/deploy/vamt-known-issues.md +++ b/windows/deploy/vamt-known-issues.md @@ -2,7 +2,7 @@ title: VAMT Known Issues (Windows 10) description: VAMT Known Issues ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/vamt-requirements.md b/windows/deploy/vamt-requirements.md index 9da49547b0..06a8615669 100644 --- a/windows/deploy/vamt-requirements.md 
+++ b/windows/deploy/vamt-requirements.md @@ -2,7 +2,7 @@ title: VAMT Requirements (Windows 10) description: VAMT Requirements ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/vamt-step-by-step.md b/windows/deploy/vamt-step-by-step.md index e886684243..5582bd3417 100644 --- a/windows/deploy/vamt-step-by-step.md +++ b/windows/deploy/vamt-step-by-step.md @@ -2,7 +2,7 @@ title: VAMT Step-by-Step Scenarios (Windows 10) description: VAMT Step-by-Step Scenarios ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md index 233beb97f0..ee16be2715 100644 --- a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md @@ -2,10 +2,10 @@ title: Verify the Condition of a Compressed Migration Store (Windows 10) description: Verify the Condition of a Compressed Migration Store ms.assetid: 4a3fda96-5f7d-494a-955f-6b865ec9fcae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Verify the Condition of a Compressed Migration Store diff --git a/windows/deploy/volume-activation-management-tool.md b/windows/deploy/volume-activation-management-tool.md index 04af72f880..887c116352 100644 --- a/windows/deploy/volume-activation-management-tool.md +++ b/windows/deploy/volume-activation-management-tool.md 
@@ -2,7 +2,7 @@ title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/volume-activation-windows-10.md b/windows/deploy/volume-activation-windows-10.md index e57043d4ca..eda56e2651 100644 --- a/windows/deploy/volume-activation-windows-10.md +++ b/windows/deploy/volume-activation-windows-10.md @@ -3,7 +3,7 @@ title: Volume Activation for Windows 10 (Windows 10) description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/windows-10-deployment-scenarios.md b/windows/deploy/windows-10-deployment-scenarios.md index 54221f9de3..e76d648bb0 100644 --- a/windows/deploy/windows-10-deployment-scenarios.md +++ b/windows/deploy/windows-10-deployment-scenarios.md 
@@ -2,8 +2,8 @@ title: Windows 10 deployment scenarios (Windows 10) description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 -keywords: ["upgrade, in-place, configuration, deploy"] -ms.prod: W10 +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/windows-10-deployment-tools-reference.md b/windows/deploy/windows-10-deployment-tools-reference.md index e71eedae97..597900fb82 100644 --- a/windows/deploy/windows-10-deployment-tools-reference.md +++ b/windows/deploy/windows-10-deployment-tools-reference.md @@ -2,10 +2,10 @@ title: Windows 10 deployment tools reference (Windows 10) description: Learn about the tools available to deploy Windows 10. ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows 10 deployment tools reference diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md index 72baf3a243..21981254a9 100644 --- a/windows/deploy/windows-10-edition-upgrades.md +++ b/windows/deploy/windows-10-edition-upgrades.md @@ -2,10 +2,10 @@ title: Windows 10 edition upgrade (Windows 10) description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows 10 edition upgrade diff --git a/windows/deploy/windows-adk-scenarios-for-it-pros.md b/windows/deploy/windows-adk-scenarios-for-it-pros.md index 3fb2944f22..8821ada189 100644 
--- a/windows/deploy/windows-adk-scenarios-for-it-pros.md +++ b/windows/deploy/windows-adk-scenarios-for-it-pros.md @@ -2,10 +2,10 @@ title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows ADK for Windows 10 scenarios for IT Pros diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md index a66deb1389..ba4f22b7c5 100644 --- a/windows/deploy/windows-deployment-scenarios-and-tools.md +++ b/windows/deploy/windows-deployment-scenarios-and-tools.md @@ -2,8 +2,8 @@ title: Windows 10 deployment tools (Windows 10) description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877 -keywords: ["deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS"] -ms.prod: W10 +keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/windows-upgrade-and-migration-considerations.md b/windows/deploy/windows-upgrade-and-migration-considerations.md index 2b5ee05766..7763b0502d 100644 --- a/windows/deploy/windows-upgrade-and-migration-considerations.md +++ b/windows/deploy/windows-upgrade-and-migration-considerations.md 
@@ -2,10 +2,10 @@ title: Windows Upgrade and Migration Considerations (Windows 10) description: Windows Upgrade and Migration Considerations ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows Upgrade and Migration Considerations diff --git a/windows/deploy/xml-file-requirements.md b/windows/deploy/xml-file-requirements.md index 50c5e1b161..100306e84d 100644 --- a/windows/deploy/xml-file-requirements.md +++ b/windows/deploy/xml-file-requirements.md @@ -2,10 +2,10 @@ title: XML File Requirements (Windows 10) description: XML File Requirements ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # XML File Requirements From e2d0123c20b0595f63cba39c262c2536c0dbbbce Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 26 May 2016 15:11:40 -0700 Subject: [PATCH 121/169] checking in 7707381 --- windows/deploy/TOC.md | 1 + .../deploy/upgrade-windows-phone-8-1-to-10.md | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 windows/deploy/upgrade-windows-phone-8-1-to-10.md diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 86ea7532e1..af7eb425d9 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md 
@@ -20,6 +20,7 @@ #### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) #### [Use web services in MDT](use-web-services-in-mdt-2013.md) #### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) +### [Upgrade Windows Phone 8.1 to Windows 10](upgrade-windows-phone-8-1-to-10.md) ## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) ### [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) ### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md new file mode 100644 index 0000000000..cc27c183b0 --- /dev/null +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md 
@@ -0,0 +1,19 @@ +--- +title: Deploy Windows 10 using PXE (Windows 10) +description: PXE-initiated operating system deployments in System Center Configuration Manager let client computers request and deploy operating systems over the network. In this operating system deployment scenario, the operating system image and both the x86 and x64 Windows PE boot images are sent to a distribution point that is configured to accept PXE boot requests. +ms.assetid: b001a736-91db-4f91-bd92-278e267e06d9 +keywords: deploy +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mdt +author: greg-lindsay +--- + +# Deploy Windows 10 using PXE + +This walkthrough describes how to set up a third-party PXE server by using Windows PE 2.0. The process includes copying Windows PE 2.0 source files to your PXE server and then configuring your PXE server boot configuration to use Windows PE. + +## Related topics + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) From 512d1a6040207b81f06f6c518027de8e199598b2 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 26 May 2016 15:28:33 -0700 Subject: [PATCH 122/169] updating link --- windows/manage/lock-down-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index 142d9f3824..61004d8822 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -47,7 +47,7 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p

      Use this article to make informed decisions about how you can configure Windows telemetry in your organization.

      -

      [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)

      +

      [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)

      Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
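Review bot: The replaced link in lock-down-windows-10.md now targets manage-connections-from-windows-operating-system-components-to-microsoft-services.md, but the diffstat for this commit lists only this one file, so nothing here shows that the new topic exists at that path or that the old configure-windows-10-devices-to-stop-data-flow-to-microsoft.md is redirected. Please confirm the rename landed in an earlier commit, and search the repo for other pages that still link to the old file name so readers are not sent to a dead link for the privacy and network-connection guidance.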

      From f581ce6e3ca6a705e3d6e95d368d8414bdbad790 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 26 May 2016 15:46:44 -0700 Subject: [PATCH 123/169] template topic for 7707381 --- .../deploy/upgrade-windows-phone-8-1-to-10.md | 88 +++++++++++++++++-- 1 file changed, 83 insertions(+), 5 deletions(-) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index cc27c183b0..af2b3989cc 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -1,8 +1,7 @@ --- title: Deploy Windows 10 using PXE (Windows 10) description: PXE-initiated operating system deployments in System Center Configuration Manager let client computers request and deploy operating systems over the network. In this operating system deployment scenario, the operating system image and both the x86 and x64 Windows PE boot images are sent to a distribution point that is configured to accept PXE boot requests. -ms.assetid: b001a736-91db-4f91-bd92-278e267e06d9 -keywords: deploy +keywords: upgrade, update, windows, phone, windows 10, mdm, mobile ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library 
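Review bot: In the front-matter hunk (@@ -1,8 +1,7 @@) of upgrade-windows-phone-8-1-to-10.md, the title and description are left unchanged and still read "Deploy Windows 10 using PXE (Windows 10)" and "PXE-initiated operating system deployments ...", while the keywords now describe the phone upgrade and the body heading in this same commit becomes "How to enable a Windows Phone 8.1 upgrade to Windows 10 Mobile in an MDM environment". Please rewrite title and description to match the new topic. The hunk also deletes ms.assetid without adding a replacement, and it keeps ms.prod: W10 even though the preceding bulk commit in this series changes ms.prod from W10 to w10 across windows/deploy; use w10 here and confirm whether the topic needs its own asset ID.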
@@ -10,10 +9,89 @@ ms.pagetype: mdt author: greg-lindsay --- -# Deploy Windows 10 using PXE +# How to enable a Windows Phone 8.1 upgrade to Windows 10 Mobile in an MDM environment -This walkthrough describes how to set up a third-party PXE server by using Windows PE 2.0. The process includes copying Windows PE 2.0 source files to your PXE server and then configuring your PXE server boot configuration to use Windows PE. +## Summary +This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. See the How to determine whether an upgrade is available for a device section to determine whether your device is eligible for the update. + +The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must "opt-in" to be offered the upgrade. + +For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. + +For Enterprises, Microsoft is offering a centralized management solution through Mobile Device Management (MDM) that can push a management policy to each eligible device to perform the opt-in. + +If you use a list of allowed apps (whitelisting) through MDM, see the documentation here to make sure system apps are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are known issues listed in the documentation that could adversely affect the device after you upgrade. See this documentation for rules to avoid. + +Some enterprises may want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the How to blacklist the Upgrade Advisor app section. 
Enterprises that have blacklisted the Upgrade Advisor app can use the solution that's described in this article to select the upgrade timing on a per-device basis. + +## More information + +To provide enterprises with a solution that's independent of the Upgrade Advisor, a new registry key in the registry configuration service provider (CSP) is available. A special GUID key value is defined. When Microsoft Update (MU) detects the presence of the registry key value on a device, any available upgrade will be made available to the device. + +### Prerequisites + +•Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. +•Device connected to Wi-Fi or cellular network to perform scan for upgrade. +•Device is already enrolled with a MDM session. +•Device is able to receive the management policy. +•MDM is capable of pushing the management policy to devices. (The minimum version for popular MDM providers that support the solution in this article are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0.) + +### Instructions for the MDM server + +The registry CSP is used to push the GUID value to the following registry key for which the Open Mobile Alliance (OMA) Device Management (DM) client has Read/Write access and for which the Device Update service has Read access. + +[HKLM\Software\Microsoft\Provisioning\OMADM] +"EnterpriseUpgrade"="d369c9b6-2379-466d-9162-afc53361e3c2” + +The complete SyncML command for the solution is as follows. + +Note The SyncML may vary, depending on your MDM solution. 
+ +SyncML xmlns="SYNCML:SYNCML1.1"> + + + 250 + + + ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/ EnterpriseUpgrade + + + chr + + d369c9b6-2379-466d-9162-afc53361e3c2 + + + + + + +The OMA DM server policy description is provided in the following table: + +OMA-URI ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade +Data Type String +Value d369c9b6-2379-466d-9162-afc53361e3c2 +After the device consumes the policy, it will be able to receive an available upgrade. + +To disable the policy, either delete the OMADM registry key or set the EnterpriseUpgrade string value to anything other than the GUID. + +### How to determine whether an upgrade is available for a device + +The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. + +However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). + +We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. + +Note The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the Windows 10 mobile page. + +### How to blacklist the Upgrade Advisor app + +Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. 
With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows Phone Upgrade Adviser is listed in the following location: + +http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07 + +For more information about how to do this, see the Try it out: restrict Windows Phone 8.1 apps topic on TechNet. ## Related topics -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) +[Windows 10 Mobile and mobile device management](windows-10-mobile-and-mdm.md) From e301f2077303dc39878e6e42c6bf775769dce366 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 26 May 2016 15:59:58 -0700 Subject: [PATCH 124/169] testing link --- windows/deploy/upgrade-windows-phone-8-1-to-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index af2b3989cc..659792f6e8 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -94,4 +94,4 @@ For more information about how to do this, see the Try it out: restrict Windows ## Related topics -[Windows 10 Mobile and mobile device management](windows-10-mobile-and-mdm.md) +[Windows 10 Mobile and mobile device management](..\manage\windows-10-mobile-and-mdm.md) From f046a5fec059b3fed76b6f3225a0535247bee884 Mon Sep 17 00:00:00 2001 
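Review bot: In the body hunk (@@ -10,10 +9,89 @@) of upgrade-windows-phone-8-1-to-10.md, the values an administrator would copy into an MDM policy are not safe to copy as written. The registry sample closes the GUID with a typographic quote ("d369c9b6-2379-466d-9162-afc53361e3c2”), the SyncML sample begins with SyncML xmlns="SYNCML:SYNCML1.1"> without its opening angle bracket and shows no element tags around 250, chr and the GUID, and its target path contains a space (OMADM/ EnterpriseUpgrade) that does not match the OMA-URI given in the table below it. Please put the registry and SyncML samples in code blocks with complete markup, straight quotes and one consistent path, since a policy pushed to a different node or value would not set what the article says Microsoft Update looks for. Smaller points in the same hunk: the prerequisites are • characters rather than a Markdown list, "see the documentation here" and "See this documentation" carry no links, the policy table is plain text rather than a table, and "Window Phone Store" and "Upgrade Adviser" are misspelled.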
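Review bot: The related-topics link changed in the "testing link" commit uses backslashes in its target, (..\manage\windows-10-mobile-and-mdm.md). A backslash is Markdown's escape character and is not a URL path separator, so whether this resolves depends on the renderer; write it as ../manage/windows-10-mobile-and-mdm.md. If the purpose of the commit is to find out whether cross-folder relative links work in the published build, test with the forward-slash form so the result reflects the link syntax and not the separator.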
From: Jan Backstrom Date: Thu, 26 May 2016 17:07:01 -0700 Subject: [PATCH 125/169] tagging update change W10 to w10 (lower case), add security pagetype to various --- .../access-credential-manager-as-a-trusted-caller.md | 2 +- windows/keep-secure/access-this-computer-from-the-network.md | 2 +- windows/keep-secure/account-lockout-duration.md | 2 +- windows/keep-secure/account-lockout-policy.md | 2 +- windows/keep-secure/account-lockout-threshold.md | 2 +- windows/keep-secure/account-policies.md | 2 +- windows/keep-secure/accounts-administrator-account-status.md | 2 +- windows/keep-secure/accounts-block-microsoft-accounts.md | 2 +- windows/keep-secure/accounts-guest-account-status.md | 2 +- ...l-account-use-of-blank-passwords-to-console-logon-only.md | 2 +- windows/keep-secure/accounts-rename-administrator-account.md | 2 +- windows/keep-secure/accounts-rename-guest-account.md | 2 +- windows/keep-secure/act-as-part-of-the-operating-system.md | 2 +- .../ad-ds-schema-extensions-to-support-tpm-backup.md | 2 +- .../add-apps-to-protected-list-using-custom-uri.md | 5 +++-- ...rules-for-packaged-apps-to-existing-applocker-rule-set.md | 2 +- windows/keep-secure/add-workstations-to-domain.md | 2 +- ...figuration-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/adjust-memory-quotas-for-a-process.md | 2 +- windows/keep-secure/administer-applocker.md | 2 +- windows/keep-secure/administer-security-policy-settings.md | 2 +- .../keep-secure/advanced-security-audit-policy-settings.md | 2 +- windows/keep-secure/advanced-security-auditing-faq.md | 2 +- windows/keep-secure/advanced-security-auditing.md | 2 +- ...erts-queue-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/allow-log-on-locally.md | 2 +- .../allow-log-on-through-remote-desktop-services.md | 2 +- windows/keep-secure/applocker-architecture-and-components.md | 2 +- windows/keep-secure/applocker-functions.md | 2 +- windows/keep-secure/applocker-overview.md | 2 +- 
windows/keep-secure/applocker-policies-deployment-guide.md | 2 +- windows/keep-secure/applocker-policies-design-guide.md | 2 +- windows/keep-secure/applocker-policy-use-scenarios.md | 2 +- windows/keep-secure/applocker-processes-and-interactions.md | 2 +- windows/keep-secure/applocker-settings.md | 2 +- windows/keep-secure/applocker-technical-reference.md | 2 +- .../apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- windows/keep-secure/audit-account-lockout.md | 2 +- windows/keep-secure/audit-application-generated.md | 2 +- windows/keep-secure/audit-application-group-management.md | 2 +- windows/keep-secure/audit-audit-policy-change.md | 2 +- .../audit-audit-the-access-of-global-system-objects.md | 2 +- .../audit-audit-the-use-of-backup-and-restore-privilege.md | 2 +- windows/keep-secure/audit-authentication-policy-change.md | 2 +- windows/keep-secure/audit-authorization-policy-change.md | 2 +- windows/keep-secure/audit-central-access-policy-staging.md | 2 +- windows/keep-secure/audit-certification-services.md | 2 +- windows/keep-secure/audit-computer-account-management.md | 2 +- windows/keep-secure/audit-credential-validation.md | 2 +- .../audit-detailed-directory-service-replication.md | 2 +- windows/keep-secure/audit-detailed-file-share.md | 2 +- windows/keep-secure/audit-directory-service-access.md | 2 +- windows/keep-secure/audit-directory-service-changes.md | 2 +- windows/keep-secure/audit-directory-service-replication.md | 2 +- windows/keep-secure/audit-distribution-group-management.md | 2 +- windows/keep-secure/audit-dpapi-activity.md | 2 +- windows/keep-secure/audit-file-share.md | 2 +- windows/keep-secure/audit-file-system.md | 2 +- windows/keep-secure/audit-filtering-platform-connection.md | 2 +- windows/keep-secure/audit-filtering-platform-packet-drop.md | 2 +- .../keep-secure/audit-filtering-platform-policy-change.md | 2 +- ...it-force-audit-policy-subcategory-settings-to-override.md | 2 +- windows/keep-secure/audit-group-membership.md | 2 +- 
windows/keep-secure/audit-handle-manipulation.md | 2 +- windows/keep-secure/audit-ipsec-driver.md | 2 +- windows/keep-secure/audit-ipsec-extended-mode.md | 2 +- windows/keep-secure/audit-ipsec-main-mode.md | 2 +- windows/keep-secure/audit-ipsec-quick-mode.md | 2 +- windows/keep-secure/audit-kerberos-authentication-service.md | 2 +- .../keep-secure/audit-kerberos-service-ticket-operations.md | 2 +- windows/keep-secure/audit-kernel-object.md | 2 +- windows/keep-secure/audit-logoff.md | 2 +- windows/keep-secure/audit-logon.md | 2 +- windows/keep-secure/audit-mpssvc-rule-level-policy-change.md | 2 +- windows/keep-secure/audit-network-policy-server.md | 2 +- windows/keep-secure/audit-non-sensitive-privilege-use.md | 2 +- windows/keep-secure/audit-other-account-logon-events.md | 2 +- windows/keep-secure/audit-other-account-management-events.md | 2 +- windows/keep-secure/audit-other-logonlogoff-events.md | 2 +- windows/keep-secure/audit-other-object-access-events.md | 2 +- windows/keep-secure/audit-other-policy-change-events.md | 2 +- windows/keep-secure/audit-other-privilege-use-events.md | 2 +- windows/keep-secure/audit-other-system-events.md | 2 +- windows/keep-secure/audit-pnp-activity.md | 2 +- windows/keep-secure/audit-policy.md | 2 +- windows/keep-secure/audit-process-creation.md | 2 +- windows/keep-secure/audit-process-termination.md | 2 +- windows/keep-secure/audit-registry.md | 2 +- windows/keep-secure/audit-removable-storage.md | 2 +- windows/keep-secure/audit-rpc-events.md | 2 +- windows/keep-secure/audit-sam.md | 2 +- windows/keep-secure/audit-security-group-management.md | 2 +- windows/keep-secure/audit-security-state-change.md | 2 +- windows/keep-secure/audit-security-system-extension.md | 2 +- windows/keep-secure/audit-sensitive-privilege-use.md | 2 +- ...wn-system-immediately-if-unable-to-log-security-audits.md | 2 +- windows/keep-secure/audit-special-logon.md | 2 +- windows/keep-secure/audit-system-integrity.md | 2 +- 
windows/keep-secure/audit-user-account-management.md | 2 +- windows/keep-secure/audit-user-device-claims.md | 2 +- windows/keep-secure/back-up-files-and-directories.md | 2 +- .../keep-secure/backup-tpm-recovery-information-to-ad-ds.md | 2 +- windows/keep-secure/basic-audit-account-logon-events.md | 2 +- windows/keep-secure/basic-audit-account-management.md | 2 +- windows/keep-secure/basic-audit-directory-service-access.md | 2 +- windows/keep-secure/basic-audit-logon-events.md | 2 +- windows/keep-secure/basic-audit-object-access.md | 2 +- windows/keep-secure/basic-audit-policy-change.md | 2 +- windows/keep-secure/basic-audit-privilege-use.md | 2 +- windows/keep-secure/basic-audit-process-tracking.md | 2 +- windows/keep-secure/basic-audit-system-events.md | 2 +- windows/keep-secure/basic-security-audit-policies.md | 2 +- windows/keep-secure/basic-security-audit-policy-settings.md | 2 +- windows/keep-secure/bcd-settings-and-bitlocker.md | 2 +- windows/keep-secure/bitlocker-basic-deployment.md | 2 +- windows/keep-secure/bitlocker-countermeasures.md | 2 +- windows/keep-secure/bitlocker-frequently-asked-questions.md | 2 +- windows/keep-secure/bitlocker-group-policy-settings.md | 2 +- .../keep-secure/bitlocker-how-to-deploy-on-windows-server.md | 2 +- .../keep-secure/bitlocker-how-to-enable-network-unlock.md | 2 +- windows/keep-secure/bitlocker-overview.md | 2 +- windows/keep-secure/bitlocker-recovery-guide-plan.md | 2 +- ...e-bitlocker-drive-encryption-tools-to-manage-bitlocker.md | 2 +- .../bitlocker-use-bitlocker-recovery-password-viewer.md | 2 +- windows/keep-secure/block-untrusted-fonts-in-enterprise.md | 5 +++-- windows/keep-secure/bypass-traverse-checking.md | 2 +- .../keep-secure/change-history-for-keep-windows-10-secure.md | 3 ++- windows/keep-secure/change-the-system-time.md | 2 +- windows/keep-secure/change-the-time-zone.md | 2 +- windows/keep-secure/change-the-tpm-owner-password.md | 2 +- .../keep-secure/choose-the-right-bitlocker-countermeasure.md | 2 +- 
.../configure-an-applocker-policy-for-audit-only.md | 2 +- .../configure-an-applocker-policy-for-enforce-rules.md | 2 +- ...-endpoints-windows-defender-advanced-threat-protection.md | 3 ++- .../configure-exceptions-for-an-applocker-rule.md | 2 +- ...y-internet-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/configure-s-mime.md | 2 +- .../keep-secure/configure-the-appLocker-reference-device.md | 2 +- .../configure-the-application-identity-service.md | 2 +- .../keep-secure/configure-windows-defender-in-windows-10.md | 2 +- ...te-a-basic-audit-policy-settings-for-an-event-category.md | 2 +- windows/keep-secure/create-a-pagefile.md | 2 +- windows/keep-secure/create-a-rule-for-packaged-apps.md | 2 +- .../create-a-rule-that-uses-a-file-hash-condition.md | 2 +- .../keep-secure/create-a-rule-that-uses-a-path-condition.md | 2 +- .../create-a-rule-that-uses-a-publisher-condition.md | 2 +- windows/keep-secure/create-a-token-object.md | 2 +- windows/keep-secure/create-applocker-default-rules.md | 2 +- windows/keep-secure/create-edp-policy-using-intune.md | 3 ++- windows/keep-secure/create-edp-policy-using-sccm.md | 5 +++-- windows/keep-secure/create-global-objects.md | 2 +- ...e-list-of-applications-deployed-to-each-business-group.md | 2 +- windows/keep-secure/create-permanent-shared-objects.md | 2 +- windows/keep-secure/create-symbolic-links.md | 2 +- .../keep-secure/create-vpn-and-edp-policy-using-intune.md | 5 +++-- .../keep-secure/create-your-applocker-planning-document.md | 2 +- windows/keep-secure/create-your-applocker-policies.md | 2 +- windows/keep-secure/create-your-applocker-rules.md | 2 +- .../creating-a-device-guard-policy-for-signed-apps.md | 2 +- windows/keep-secure/credential-guard.md | 2 +- .../dashboard-windows-defender-advanced-threat-protection.md | 4 +++- ...ge-privacy-windows-defender-advanced-threat-protection.md | 3 ++- ...in-security-descriptor-definition-language-sddl-syntax.md | 2 +- 
...in-security-descriptor-definition-language-sddl-syntax.md | 2 +- windows/keep-secure/debug-programs.md | 2 +- windows/keep-secure/delete-an-applocker-rule.md | 2 +- .../deny-access-to-this-computer-from-the-network.md | 2 +- windows/keep-secure/deny-log-on-as-a-batch-job.md | 2 +- windows/keep-secure/deny-log-on-as-a-service.md | 2 +- windows/keep-secure/deny-log-on-locally.md | 2 +- .../deny-log-on-through-remote-desktop-services.md | 2 +- ...-applocker-policies-by-using-the-enforce-rules-setting.md | 2 +- windows/keep-secure/deploy-edp-policy-using-intune.md | 5 +++-- .../deploy-the-applocker-policy-into-production.md | 2 +- .../determine-group-policy-structure-and-rule-enforcement.md | 2 +- ...lications-are-digitally-signed-on-a-reference-computer.md | 2 +- .../determine-your-application-control-objectives.md | 2 +- .../keep-secure/device-guard-certification-and-compliance.md | 2 +- windows/keep-secure/device-guard-deployment-guide.md | 4 ++-- .../devices-allow-undock-without-having-to-log-on.md | 2 +- .../devices-allowed-to-format-and-eject-removable-media.md | 2 +- .../devices-prevent-users-from-installing-printer-drivers.md | 2 +- ...-restrict-cd-rom-access-to-locally-logged-on-user-only.md | 2 +- ...-restrict-floppy-access-to-locally-logged-on-user-only.md | 2 +- ...rl-message-when-users-try-to-run-a-blocked-application.md | 2 +- windows/keep-secure/dll-rules-in-applocker.md | 2 +- ...-group-policy-structure-and-applocker-rule-enforcement.md | 2 +- ...document-your-application-control-management-processes.md | 2 +- windows/keep-secure/document-your-application-list.md | 2 +- windows/keep-secure/document-your-applocker-rules.md | 2 +- ...in-controller-allow-server-operators-to-schedule-tasks.md | 2 +- .../domain-controller-ldap-server-signing-requirements.md | 2 +- ...ain-controller-refuse-machine-account-password-changes.md | 2 +- ...r-digitally-encrypt-or-sign-secure-channel-data-always.md | 2 +- 
...er-digitally-encrypt-secure-channel-data-when-possible.md | 2 +- ...ember-digitally-sign-secure-channel-data-when-possible.md | 2 +- ...domain-member-disable-machine-account-password-changes.md | 2 +- .../domain-member-maximum-machine-account-password-age.md | 2 +- ...ember-require-strong-windows-2000-or-later-session-key.md | 2 +- windows/keep-secure/edit-an-applocker-policy.md | 2 +- windows/keep-secure/edit-applocker-rules.md | 2 +- ...omputer-and-user-accounts-to-be-trusted-for-delegation.md | 2 +- windows/keep-secure/enable-the-dll-rule-collection.md | 2 +- windows/keep-secure/encrypted-hard-drive.md | 2 +- windows/keep-secure/enforce-applocker-rules.md | 2 +- windows/keep-secure/enforce-password-history.md | 2 +- windows/keep-secure/enforce-user-logon-restrictions.md | 2 +- windows/keep-secure/enlightened-microsoft-apps-and-edp.md | 5 +++-- ...rror-codes-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/executable-rules-in-applocker.md | 2 +- windows/keep-secure/export-an-applocker-policy-from-a-gpo.md | 2 +- .../keep-secure/export-an-applocker-policy-to-an-xml-file.md | 2 +- .../keep-secure/file-system-global-object-access-auditing.md | 2 +- windows/keep-secure/force-shutdown-from-a-remote-system.md | 2 +- windows/keep-secure/generate-security-audits.md | 2 +- .../get-started-with-windows-defender-for-windows-10.md | 2 +- .../getting-apps-to-run-on-device-guard-protected-devices.md | 2 +- windows/keep-secure/guidance-and-best-practices-edp.md | 5 +++-- windows/keep-secure/how-applocker-works-techref.md | 2 +- .../keep-secure/how-to-configure-security-policy-settings.md | 2 +- windows/keep-secure/how-user-account-control-works.md | 2 +- .../keep-secure/impersonate-a-client-after-authentication.md | 2 +- .../implement-microsoft-passport-in-your-organization.md | 2 +- .../import-an-applocker-policy-from-another-computer.md | 2 +- windows/keep-secure/import-an-applocker-policy-into-a-gpo.md | 2 +- 
windows/keep-secure/increase-a-process-working-set.md | 2 +- windows/keep-secure/increase-scheduling-priority.md | 2 +- windows/keep-secure/index.md | 2 +- .../initialize-and-configure-ownership-of-the-tpm.md | 2 +- .../installing-digital-certificates-on-windows-10-mobile.md | 2 +- ...on-display-user-information-when-the-session-is-locked.md | 2 +- .../interactive-logon-do-not-display-last-user-name.md | 2 +- .../interactive-logon-do-not-require-ctrl-alt-del.md | 2 +- .../interactive-logon-machine-account-lockout-threshold.md | 2 +- .../interactive-logon-machine-inactivity-limit.md | 2 +- ...tive-logon-message-text-for-users-attempting-to-log-on.md | 2 +- ...ive-logon-message-title-for-users-attempting-to-log-on.md | 2 +- ...ns-to-cache-in-case-domain-controller-is-not-available.md | 2 +- ...logon-prompt-user-to-change-password-before-expiration.md | 2 +- ...domain-controller-authentication-to-unlock-workstation.md | 2 +- windows/keep-secure/interactive-logon-require-smart-card.md | 2 +- .../interactive-logon-smart-card-removal-behavior.md | 2 +- ...ate-alerts-windows-defender-advanced-threat-protection.md | 3 ++- ...ate-domain-windows-defender-advanced-threat-protection.md | 3 ++- ...gate-files-windows-defender-advanced-threat-protection.md | 3 ++- ...stigate-ip-windows-defender-advanced-threat-protection.md | 3 ++- ...e-machines-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/kerberos-policy.md | 2 +- 248 files changed, 278 insertions(+), 256 deletions(-) diff --git a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md index f6f7140989..ff24a84d8c 100644 --- a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md +++ b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md 
@@ -2,7 +2,7 @@ title: Access Credential Manager as a trusted caller (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Access Credential Manager as a trusted caller security policy setting. ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/access-this-computer-from-the-network.md b/windows/keep-secure/access-this-computer-from-the-network.md index 00a88b6ba8..1cb598fcfd 100644 --- a/windows/keep-secure/access-this-computer-from-the-network.md +++ b/windows/keep-secure/access-this-computer-from-the-network.md @@ -2,7 +2,7 @@ title: Access this computer from the network (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting. ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-duration.md b/windows/keep-secure/account-lockout-duration.md index 9b8fd5a9f4..1d438057a4 100644 --- a/windows/keep-secure/account-lockout-duration.md +++ b/windows/keep-secure/account-lockout-duration.md @@ -2,7 +2,7 @@ title: Account lockout duration (Windows 10) description: Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting. ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-policy.md b/windows/keep-secure/account-lockout-policy.md index edf3c1a723..6a13c989d3 100644 --- a/windows/keep-secure/account-lockout-policy.md +++ b/windows/keep-secure/account-lockout-policy.md 
@@ -2,7 +2,7 @@ title: Account Lockout Policy (Windows 10) description: Describes the Account Lockout Policy settings and links to information about each policy setting. ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-threshold.md b/windows/keep-secure/account-lockout-threshold.md index 56fedf53b7..828a524fe0 100644 --- a/windows/keep-secure/account-lockout-threshold.md +++ b/windows/keep-secure/account-lockout-threshold.md @@ -2,7 +2,7 @@ title: Account lockout threshold (Windows 10) description: Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting. ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-policies.md b/windows/keep-secure/account-policies.md index 487d575c7f..ca8fb5a3b4 100644 --- a/windows/keep-secure/account-policies.md +++ b/windows/keep-secure/account-policies.md @@ -2,7 +2,7 @@ title: Account Policies (Windows 10) description: An overview of account policies in Windows and provides links to policy descriptions. ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-administrator-account-status.md b/windows/keep-secure/accounts-administrator-account-status.md index 6c992c3bcb..5a3cde966e 100644 --- a/windows/keep-secure/accounts-administrator-account-status.md +++ b/windows/keep-secure/accounts-administrator-account-status.md 
@@ -2,7 +2,7 @@ title: Accounts Administrator account status (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Administrator account status security policy setting. ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-block-microsoft-accounts.md b/windows/keep-secure/accounts-block-microsoft-accounts.md index a482a7a88c..cc479c5bc2 100644 --- a/windows/keep-secure/accounts-block-microsoft-accounts.md +++ b/windows/keep-secure/accounts-block-microsoft-accounts.md @@ -2,7 +2,7 @@ title: Accounts Block Microsoft accounts (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Accounts Block Microsoft accounts security policy setting. ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-guest-account-status.md b/windows/keep-secure/accounts-guest-account-status.md index 2e66ee3ae1..f9054008ac 100644 --- a/windows/keep-secure/accounts-guest-account-status.md +++ b/windows/keep-secure/accounts-guest-account-status.md @@ -2,7 +2,7 @@ title: Accounts Guest account status (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting. ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index 9d8ddd27c9..eb700fe6ec 100644 
--- a/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -2,7 +2,7 @@ title: Accounts Limit local account use of blank passwords to console logon only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Limit local account use of blank passwords to console logon only security policy setting. ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-rename-administrator-account.md b/windows/keep-secure/accounts-rename-administrator-account.md index 8873990424..5c79c1d38b 100644 --- a/windows/keep-secure/accounts-rename-administrator-account.md +++ b/windows/keep-secure/accounts-rename-administrator-account.md @@ -2,7 +2,7 @@ title: Accounts Rename administrator account (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting. ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-rename-guest-account.md b/windows/keep-secure/accounts-rename-guest-account.md index f82b907968..aa06c480c3 100644 --- a/windows/keep-secure/accounts-rename-guest-account.md +++ b/windows/keep-secure/accounts-rename-guest-account.md @@ -2,7 +2,7 @@ title: Accounts Rename guest account (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting. ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/act-as-part-of-the-operating-system.md b/windows/keep-secure/act-as-part-of-the-operating-system.md index 5d4a39d466..a35393e223 100644 --- a/windows/keep-secure/act-as-part-of-the-operating-system.md +++ b/windows/keep-secure/act-as-part-of-the-operating-system.md @@ -2,7 +2,7 @@ title: Act as part of the operating system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Act as part of the operating system security policy setting. ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md index 214bc1763d..8e62ff36b5 100644 --- a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md +++ b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md @@ -2,7 +2,7 @@ title: AD DS schema extensions to support TPM backup (Windows 10) description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 3f9700cfb4..eb028e5f03 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md 
@@ -2,9 +2,10 @@ title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10) description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker. ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880 -keywords: ["EDP", "Enterprise Data Protection", "protected apps", "protected app list"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, protected apps, protected app list +ms.prod: w10 ms.mktglfcycl: explore +ms.pagetype: security ms.sitesec: library author: eross-msft --- diff --git a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index c05eb4ebd2..d99dda899b 100644 --- a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -2,7 +2,7 @@ title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10) description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/add-workstations-to-domain.md b/windows/keep-secure/add-workstations-to-domain.md index 7cdeb90a8b..fac531b419 100644 --- a/windows/keep-secure/add-workstations-to-domain.md +++ b/windows/keep-secure/add-workstations-to-domain.md 
@@ -2,7 +2,7 @@ title: Add workstations to domain (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting. ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md index 604d4ba268..93d466aa32 100644 --- a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md @@ -3,8 +3,9 @@ title: Additional Windows Defender ATP configuration settings description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature. keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates, search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: security ms.sitesec: library author: mjcaparas --- diff --git a/windows/keep-secure/adjust-memory-quotas-for-a-process.md b/windows/keep-secure/adjust-memory-quotas-for-a-process.md index 4568ef9fe0..44fe866134 100644 --- a/windows/keep-secure/adjust-memory-quotas-for-a-process.md +++ b/windows/keep-secure/adjust-memory-quotas-for-a-process.md 
@@ -2,7 +2,7 @@ title: Adjust memory quotas for a process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting. ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/administer-applocker.md b/windows/keep-secure/administer-applocker.md index 232b69b1ef..0940acac92 100644 --- a/windows/keep-secure/administer-applocker.md +++ b/windows/keep-secure/administer-applocker.md @@ -2,7 +2,7 @@ title: Administer AppLocker (Windows 10) description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/administer-security-policy-settings.md b/windows/keep-secure/administer-security-policy-settings.md index 59bc1ce37f..de0baa4b22 100644 --- a/windows/keep-secure/administer-security-policy-settings.md +++ b/windows/keep-secure/administer-security-policy-settings.md @@ -2,7 +2,7 @@ title: Administer security policy settings (Windows 10) description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. ms.assetid: 7617d885-9d28-437a-9371-171197407599 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md index 5b5faf0b14..14ecaca52f 100644 --- a/windows/keep-secure/advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/advanced-security-audit-policy-settings.md 
@@ -2,7 +2,7 @@ title: Advanced security audit policy settings (Windows 10) description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-auditing-faq.md b/windows/keep-secure/advanced-security-auditing-faq.md index eef52f8d63..3bfa640035 100644 --- a/windows/keep-secure/advanced-security-auditing-faq.md +++ b/windows/keep-secure/advanced-security-auditing-faq.md @@ -2,7 +2,7 @@ title: Advanced security auditing FAQ (Windows 10) description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-auditing.md b/windows/keep-secure/advanced-security-auditing.md index 5ed85a625d..bdec74db1c 100644 --- a/windows/keep-secure/advanced-security-auditing.md +++ b/windows/keep-secure/advanced-security-auditing.md @@ -2,7 +2,7 @@ title: Advanced security audit policies (Windows 10) description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently. ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md index ee4ce0a4a9..46dddb36a1 100644 
--- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: View and organize the Windows Defender ATP Alerts queue description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts. keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md index fdfa7ab402..3cbeacb088 100644 --- a/windows/keep-secure/allow-log-on-locally.md +++ b/windows/keep-secure/allow-log-on-locally.md @@ -2,7 +2,7 @@ title: Allow log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting. ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md index cc51c9cbea..d409837c30 100644 --- a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md 
@@ -2,7 +2,7 @@ title: Allow log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-architecture-and-components.md b/windows/keep-secure/applocker-architecture-and-components.md index 39e8bbf34c..98760516ec 100644 --- a/windows/keep-secure/applocker-architecture-and-components.md +++ b/windows/keep-secure/applocker-architecture-and-components.md @@ -2,7 +2,7 @@ title: AppLocker architecture and components (Windows 10) description: This topic for IT professional describes AppLocker’s basic architecture and its major components. ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-functions.md b/windows/keep-secure/applocker-functions.md index d3ab5362dd..eaad056c7a 100644 --- a/windows/keep-secure/applocker-functions.md +++ b/windows/keep-secure/applocker-functions.md @@ -2,7 +2,7 @@ title: AppLocker functions (Windows 10) description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-overview.md b/windows/keep-secure/applocker-overview.md index 6918af6f1e..954c093d80 100644 --- a/windows/keep-secure/applocker-overview.md +++ b/windows/keep-secure/applocker-overview.md 
@@ -2,7 +2,7 @@ title: AppLocker (Windows 10) description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policies-deployment-guide.md b/windows/keep-secure/applocker-policies-deployment-guide.md index f0bce74c2a..2adc3ff79b 100644 --- a/windows/keep-secure/applocker-policies-deployment-guide.md +++ b/windows/keep-secure/applocker-policies-deployment-guide.md @@ -2,7 +2,7 @@ title: AppLocker deployment guide (Windows 10) description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policies-design-guide.md b/windows/keep-secure/applocker-policies-design-guide.md index 7954db3edb..2e331c4fb8 100644 --- a/windows/keep-secure/applocker-policies-design-guide.md +++ b/windows/keep-secure/applocker-policies-design-guide.md @@ -2,7 +2,7 @@ title: AppLocker design guide (Windows 10) description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policy-use-scenarios.md b/windows/keep-secure/applocker-policy-use-scenarios.md index ce30809f52..64a8fd4db0 100644 --- a/windows/keep-secure/applocker-policy-use-scenarios.md +++ b/windows/keep-secure/applocker-policy-use-scenarios.md 
@@ -2,7 +2,7 @@ title: AppLocker policy use scenarios (Windows 10) description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-processes-and-interactions.md b/windows/keep-secure/applocker-processes-and-interactions.md index 0243055da8..5f07c7d07f 100644 --- a/windows/keep-secure/applocker-processes-and-interactions.md +++ b/windows/keep-secure/applocker-processes-and-interactions.md @@ -2,7 +2,7 @@ title: AppLocker processes and interactions (Windows 10) description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-settings.md b/windows/keep-secure/applocker-settings.md index 77509f8e43..7af2350b9d 100644 --- a/windows/keep-secure/applocker-settings.md +++ b/windows/keep-secure/applocker-settings.md @@ -2,7 +2,7 @@ title: AppLocker settings (Windows 10) description: This topic for the IT professional lists the settings used by AppLocker. ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-technical-reference.md b/windows/keep-secure/applocker-technical-reference.md index 164a159782..1c797a1679 100644 --- a/windows/keep-secure/applocker-technical-reference.md +++ b/windows/keep-secure/applocker-technical-reference.md 
@@ -2,7 +2,7 @@ title: AppLocker technical reference (Windows 10) description: This overview topic for IT professionals provides links to the topics in the technical reference. ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md index 5828778660..fd5dcf7155 100644 --- a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -2,7 +2,7 @@ title: Apply a basic audit policy on a file or folder (Windows 10) description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-account-lockout.md b/windows/keep-secure/audit-account-lockout.md index 6c7ebbb0e2..be3326efee 100644 --- a/windows/keep-secure/audit-account-lockout.md +++ b/windows/keep-secure/audit-account-lockout.md @@ -2,7 +2,7 @@ title: Audit Account Lockout (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-application-generated.md b/windows/keep-secure/audit-application-generated.md index f7c31ca13a..3aa2716aa8 100644 --- a/windows/keep-secure/audit-application-generated.md 
+++ b/windows/keep-secure/audit-application-generated.md @@ -2,7 +2,7 @@ title: Audit Application Generated (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-application-group-management.md b/windows/keep-secure/audit-application-group-management.md index 3055b72f6d..76cdabda54 100644 --- a/windows/keep-secure/audit-application-group-management.md +++ b/windows/keep-secure/audit-application-group-management.md @@ -2,7 +2,7 @@ title: Audit Application Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed. ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-audit-policy-change.md b/windows/keep-secure/audit-audit-policy-change.md index 65b7d6261e..de2aca1b0a 100644 --- a/windows/keep-secure/audit-audit-policy-change.md +++ b/windows/keep-secure/audit-audit-policy-change.md 
@@ -2,7 +2,7 @@ title: Audit Audit Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy. ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md index 767ec7c30a..9fcecc87b1 100644 --- a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md +++ b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md @@ -2,7 +2,7 @@ title: Audit Audit the access of global system objects (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting. ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md index 49b518da5a..3bd9ddd1b8 100644 --- a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -2,7 +2,7 @@ title: Audit Audit the use of Backup and Restore privilege (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting. ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/audit-authentication-policy-change.md b/windows/keep-secure/audit-authentication-policy-change.md index e26a96a284..712e480800 100644 --- a/windows/keep-secure/audit-authentication-policy-change.md +++ b/windows/keep-secure/audit-authentication-policy-change.md @@ -2,7 +2,7 @@ title: Audit Authentication Policy Change (Windows 10) description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md index 3bff0a5dd9..7e426a2044 100644 --- a/windows/keep-secure/audit-authorization-policy-change.md +++ b/windows/keep-secure/audit-authorization-policy-change.md @@ -2,7 +2,7 @@ title: Audit Authorization Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-central-access-policy-staging.md b/windows/keep-secure/audit-central-access-policy-staging.md index e53abd2a09..28539eb491 100644 --- a/windows/keep-secure/audit-central-access-policy-staging.md +++ b/windows/keep-secure/audit-central-access-policy-staging.md 
@@ -2,7 +2,7 @@ title: Audit Central Access Policy Staging (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy. ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-certification-services.md b/windows/keep-secure/audit-certification-services.md index f23bdde027..f5aa0959d7 100644 --- a/windows/keep-secure/audit-certification-services.md +++ b/windows/keep-secure/audit-certification-services.md @@ -2,7 +2,7 @@ title: Audit Certification Services (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-computer-account-management.md b/windows/keep-secure/audit-computer-account-management.md index 5211936625..f336c85c74 100644 --- a/windows/keep-secure/audit-computer-account-management.md +++ b/windows/keep-secure/audit-computer-account-management.md @@ -2,7 +2,7 @@ title: Audit Computer Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index 7f4232806f..fdacd0aa43 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md @@ -2,7 +2,7 @@ title: Audit Credential Validation (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-detailed-directory-service-replication.md b/windows/keep-secure/audit-detailed-directory-service-replication.md index ae2e46a570..295527e35e 100644 --- a/windows/keep-secure/audit-detailed-directory-service-replication.md +++ b/windows/keep-secure/audit-detailed-directory-service-replication.md @@ -3,7 +3,7 @@ title: Audit Detailed Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Detailed Directory Service Replication, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md index f60e4dd5f2..4d0294c79c 100644 --- a/windows/keep-secure/audit-detailed-file-share.md +++ b/windows/keep-secure/audit-detailed-file-share.md 
@@ -2,7 +2,7 @@ title: Audit Detailed File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder. ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md index 230dce9a69..2c88e66d93 100644 --- a/windows/keep-secure/audit-directory-service-access.md +++ b/windows/keep-secure/audit-directory-service-access.md @@ -2,7 +2,7 @@ title: Audit Directory Service Access (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md index 361827a614..18b22defe5 100644 --- a/windows/keep-secure/audit-directory-service-changes.md +++ b/windows/keep-secure/audit-directory-service-changes.md @@ -2,7 +2,7 @@ title: Audit Directory Service Changes (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/audit-directory-service-replication.md b/windows/keep-secure/audit-directory-service-replication.md index 9f09abada9..8dde61d22d 100644 --- a/windows/keep-secure/audit-directory-service-replication.md +++ b/windows/keep-secure/audit-directory-service-replication.md @@ -2,7 +2,7 @@ title: Audit Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-distribution-group-management.md b/windows/keep-secure/audit-distribution-group-management.md index 1e259424ed..80cfcea450 100644 --- a/windows/keep-secure/audit-distribution-group-management.md +++ b/windows/keep-secure/audit-distribution-group-management.md @@ -2,7 +2,7 @@ title: Audit Distribution Group Management (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-dpapi-activity.md b/windows/keep-secure/audit-dpapi-activity.md index 1e7c77ac71..30db4c39a8 100644 --- a/windows/keep-secure/audit-dpapi-activity.md +++ b/windows/keep-secure/audit-dpapi-activity.md 
@@ -2,7 +2,7 @@ title: Audit DPAPI Activity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-file-share.md b/windows/keep-secure/audit-file-share.md index 8040bc118a..af74a0b2a8 100644 --- a/windows/keep-secure/audit-file-share.md +++ b/windows/keep-secure/audit-file-share.md @@ -2,7 +2,7 @@ title: Audit File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed. ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md index 53faccfac6..1ddb1c3d49 100644 --- a/windows/keep-secure/audit-file-system.md +++ b/windows/keep-secure/audit-file-system.md @@ -2,7 +2,7 @@ title: Audit File System (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects. ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library diff --git a/windows/keep-secure/audit-filtering-platform-connection.md b/windows/keep-secure/audit-filtering-platform-connection.md index a23961c6d9..4b8c95c652 100644 
--- a/windows/keep-secure/audit-filtering-platform-connection.md +++ b/windows/keep-secure/audit-filtering-platform-connection.md @@ -2,7 +2,7 @@ title: Audit Filtering Platform Connection (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-filtering-platform-packet-drop.md b/windows/keep-secure/audit-filtering-platform-packet-drop.md index fda5bc89e7..96935fa8b7 100644 --- a/windows/keep-secure/audit-filtering-platform-packet-drop.md +++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md @@ -2,7 +2,7 @@ title: Audit Filtering Platform Packet Drop (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. ms.assetid: 95457601-68d1-4385-af20-87916ddab906 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-filtering-platform-policy-change.md b/windows/keep-secure/audit-filtering-platform-policy-change.md index 97f04007ea..10c8a9459b 100644 --- a/windows/keep-secure/audit-filtering-platform-policy-change.md +++ b/windows/keep-secure/audit-filtering-platform-policy-change.md 
@@ -2,7 +2,7 @@ title: Audit Filtering Platform Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md index 2ceff2fa34..50880766f6 100644 --- a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md @@ -2,7 +2,7 @@ title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting. ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-group-membership.md b/windows/keep-secure/audit-group-membership.md index bfbd5e7887..d738bb1582 100644 --- a/windows/keep-secure/audit-group-membership.md +++ b/windows/keep-secure/audit-group-membership.md 
@@ -2,7 +2,7 @@ title: Audit Group Membership (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC. ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md index da8a48ee26..6b9fb9ab21 100644 --- a/windows/keep-secure/audit-handle-manipulation.md +++ b/windows/keep-secure/audit-handle-manipulation.md @@ -2,7 +2,7 @@ title: Audit Handle Manipulation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-driver.md b/windows/keep-secure/audit-ipsec-driver.md index 7394906faa..dbe0ede32c 100644 --- a/windows/keep-secure/audit-ipsec-driver.md +++ b/windows/keep-secure/audit-ipsec-driver.md @@ -2,7 +2,7 @@ title: Audit IPsec Driver (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver. ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-extended-mode.md b/windows/keep-secure/audit-ipsec-extended-mode.md index 89f0857940..5030fc74a2 100644 --- a/windows/keep-secure/audit-ipsec-extended-mode.md 
+++ b/windows/keep-secure/audit-ipsec-extended-mode.md @@ -2,7 +2,7 @@ title: Audit IPsec Extended Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-main-mode.md b/windows/keep-secure/audit-ipsec-main-mode.md index 203307a841..872af92c04 100644 --- a/windows/keep-secure/audit-ipsec-main-mode.md +++ b/windows/keep-secure/audit-ipsec-main-mode.md @@ -2,7 +2,7 @@ title: Audit IPsec Main Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-quick-mode.md b/windows/keep-secure/audit-ipsec-quick-mode.md index 79de06ad17..8a3446cb65 100644 --- a/windows/keep-secure/audit-ipsec-quick-mode.md +++ b/windows/keep-secure/audit-ipsec-quick-mode.md 
@@ -2,7 +2,7 @@ title: Audit IPsec Quick Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-kerberos-authentication-service.md b/windows/keep-secure/audit-kerberos-authentication-service.md index 85498b7404..f8665de37e 100644 --- a/windows/keep-secure/audit-kerberos-authentication-service.md +++ b/windows/keep-secure/audit-kerberos-authentication-service.md @@ -2,7 +2,7 @@ title: Audit Kerberos Authentication Service (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-kerberos-service-ticket-operations.md b/windows/keep-secure/audit-kerberos-service-ticket-operations.md index 5f00cf260a..4e3a1976d6 100644 --- a/windows/keep-secure/audit-kerberos-service-ticket-operations.md +++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md 
@@ -2,7 +2,7 @@ title: Audit Kerberos Service Ticket Operations (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests. ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-kernel-object.md b/windows/keep-secure/audit-kernel-object.md index 783f4c3e18..6600a97c21 100644 --- a/windows/keep-secure/audit-kernel-object.md +++ b/windows/keep-secure/audit-kernel-object.md @@ -2,7 +2,7 @@ title: Audit Kernel Object (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md index 05aee8928a..56970b2562 100644 --- a/windows/keep-secure/audit-logoff.md +++ b/windows/keep-secure/audit-logoff.md @@ -2,7 +2,7 @@ title: Audit Logoff (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated. ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-logon.md b/windows/keep-secure/audit-logon.md index fb98f6691c..bd363a9eb0 100644 --- a/windows/keep-secure/audit-logon.md 
+++ b/windows/keep-secure/audit-logon.md @@ -2,7 +2,7 @@ title: Audit Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer. ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md index 67760b944f..ab8412a168 100644 --- a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md +++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md @@ -2,7 +2,7 @@ title: Audit MPSSVC Rule-Level Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-network-policy-server.md b/windows/keep-secure/audit-network-policy-server.md index 5f060ff57e..f98d7f0579 100644 --- a/windows/keep-secure/audit-network-policy-server.md +++ b/windows/keep-secure/audit-network-policy-server.md 
@@ -2,7 +2,7 @@ title: Audit Network Policy Server (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md index e1321ebc6a..45dd5b1a2c 100644 --- a/windows/keep-secure/audit-non-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md @@ -2,7 +2,7 @@ title: Audit Non-Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-account-logon-events.md b/windows/keep-secure/audit-other-account-logon-events.md index 57eaa771fa..4511233562 100644 --- a/windows/keep-secure/audit-other-account-logon-events.md +++ b/windows/keep-secure/audit-other-account-logon-events.md 
@@ -2,7 +2,7 @@ title: Audit Other Account Logon Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-account-management-events.md b/windows/keep-secure/audit-other-account-management-events.md index 737c91e478..48fecc4788 100644 --- a/windows/keep-secure/audit-other-account-management-events.md +++ b/windows/keep-secure/audit-other-account-management-events.md @@ -2,7 +2,7 @@ title: Audit Other Account Management Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events. ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-logonlogoff-events.md b/windows/keep-secure/audit-other-logonlogoff-events.md index 14b371601d..5b9c517af5 100644 --- a/windows/keep-secure/audit-other-logonlogoff-events.md +++ b/windows/keep-secure/audit-other-logonlogoff-events.md @@ -2,7 +2,7 @@ title: Audit Other Logon/Logoff Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events. ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/audit-other-object-access-events.md b/windows/keep-secure/audit-other-object-access-events.md index 71b1ee1965..3d453c1927 100644 --- a/windows/keep-secure/audit-other-object-access-events.md +++ b/windows/keep-secure/audit-other-object-access-events.md @@ -2,7 +2,7 @@ title: Audit Other Object Access Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-policy-change-events.md b/windows/keep-secure/audit-other-policy-change-events.md index 7e2c53404a..5ef649bca4 100644 --- a/windows/keep-secure/audit-other-policy-change-events.md +++ b/windows/keep-secure/audit-other-policy-change-events.md @@ -2,7 +2,7 @@ title: Audit Other Policy Change Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-privilege-use-events.md b/windows/keep-secure/audit-other-privilege-use-events.md index 839251f763..5babb23a8a 100644 --- a/windows/keep-secure/audit-other-privilege-use-events.md +++ b/windows/keep-secure/audit-other-privilege-use-events.md 
@@ -2,7 +2,7 @@ title: Audit Other Privilege Use Events (Windows 10) description: This security policy setting is not used. ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-system-events.md b/windows/keep-secure/audit-other-system-events.md index 2b28658209..3bb668bd64 100644 --- a/windows/keep-secure/audit-other-system-events.md +++ b/windows/keep-secure/audit-other-system-events.md @@ -2,7 +2,7 @@ title: Audit Other System Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events. ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-pnp-activity.md b/windows/keep-secure/audit-pnp-activity.md index aef1c0ae47..c80884e78c 100644 --- a/windows/keep-secure/audit-pnp-activity.md +++ b/windows/keep-secure/audit-pnp-activity.md @@ -2,7 +2,7 @@ title: Audit PNP Activity (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device. ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-policy.md b/windows/keep-secure/audit-policy.md index 87cf555f43..2cd2c8cd95 100644 --- a/windows/keep-secure/audit-policy.md +++ b/windows/keep-secure/audit-policy.md 
@@ -2,7 +2,7 @@ title: Audit Policy (Windows 10) description: Provides information about basic audit policies that are available in Windows and links to information about each setting. ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-process-creation.md b/windows/keep-secure/audit-process-creation.md index dbe4b6bc69..c9c6d41c57 100644 --- a/windows/keep-secure/audit-process-creation.md +++ b/windows/keep-secure/audit-process-creation.md @@ -2,7 +2,7 @@ title: Audit Process Creation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-process-termination.md b/windows/keep-secure/audit-process-termination.md index 4208a938c3..9f4fde6d86 100644 --- a/windows/keep-secure/audit-process-termination.md +++ b/windows/keep-secure/audit-process-termination.md @@ -2,7 +2,7 @@ title: Audit Process Termination (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process. ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-registry.md b/windows/keep-secure/audit-registry.md index 40ea22bf27..2f58eb5560 100644 --- a/windows/keep-secure/audit-registry.md +++ b/windows/keep-secure/audit-registry.md 
@@ -2,7 +2,7 @@ title: Audit Registry (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects. ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md index 1892857f3e..cdfc2b415e 100644 --- a/windows/keep-secure/audit-removable-storage.md +++ b/windows/keep-secure/audit-removable-storage.md @@ -2,7 +2,7 @@ title: Audit Removable Storage (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-rpc-events.md b/windows/keep-secure/audit-rpc-events.md index dfb512694b..8bd9607c04 100644 --- a/windows/keep-secure/audit-rpc-events.md +++ b/windows/keep-secure/audit-rpc-events.md @@ -2,7 +2,7 @@ title: Audit RPC Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-sam.md b/windows/keep-secure/audit-sam.md index c682e87a89..734ac0681a 100644 --- a/windows/keep-secure/audit-sam.md +++ b/windows/keep-secure/audit-sam.md 
@@ -2,7 +2,7 @@ title: Audit SAM (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-security-group-management.md b/windows/keep-secure/audit-security-group-management.md index 65d91ba967..7ff17d66f3 100644 --- a/windows/keep-secure/audit-security-group-management.md +++ b/windows/keep-secure/audit-security-group-management.md @@ -2,7 +2,7 @@ title: Audit Security Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed. ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-security-state-change.md b/windows/keep-secure/audit-security-state-change.md index efda133f49..e8c184b3e0 100644 --- a/windows/keep-secure/audit-security-state-change.md +++ b/windows/keep-secure/audit-security-state-change.md @@ -2,7 +2,7 @@ title: Audit Security State Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/audit-security-system-extension.md b/windows/keep-secure/audit-security-system-extension.md index e605195736..428a0d685c 100644 --- a/windows/keep-secure/audit-security-system-extension.md +++ b/windows/keep-secure/audit-security-system-extension.md @@ -2,7 +2,7 @@ title: Audit Security System Extension (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions. ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-sensitive-privilege-use.md b/windows/keep-secure/audit-sensitive-privilege-use.md index 2c7cd5a902..718aa00bd9 100644 --- a/windows/keep-secure/audit-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-sensitive-privilege-use.md @@ -2,7 +2,7 @@ title: Audit Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 5ce9aeecf7..0cd45cc597 100644 --- a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md 
@@ -2,7 +2,7 @@ title: Audit Shut down system immediately if unable to log security audits (Windows 10) description: Describes the best practices, location, values, management practices, and security considerations for the Audit Shut down system immediately if unable to log security audits security policy setting. ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-special-logon.md b/windows/keep-secure/audit-special-logon.md index 439cf91d3d..f4bad313c7 100644 --- a/windows/keep-secure/audit-special-logon.md +++ b/windows/keep-secure/audit-special-logon.md @@ -2,7 +2,7 @@ title: Audit Special Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-system-integrity.md b/windows/keep-secure/audit-system-integrity.md index dfc2666ebf..38fd5a5ce5 100644 --- a/windows/keep-secure/audit-system-integrity.md +++ b/windows/keep-secure/audit-system-integrity.md @@ -2,7 +2,7 @@ title: Audit System Integrity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem. ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-user-account-management.md b/windows/keep-secure/audit-user-account-management.md index 1f05f3085b..a763d8ea76 100644 
--- a/windows/keep-secure/audit-user-account-management.md +++ b/windows/keep-secure/audit-user-account-management.md @@ -2,7 +2,7 @@ title: Audit User Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed. ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-user-device-claims.md b/windows/keep-secure/audit-user-device-claims.md index 254bfb2c7d..e5576c4bdf 100644 --- a/windows/keep-secure/audit-user-device-claims.md +++ b/windows/keep-secure/audit-user-device-claims.md @@ -2,7 +2,7 @@ title: Audit User/Device Claims (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md index 2cddb14842..6f6a7b8805 100644 --- a/windows/keep-secure/back-up-files-and-directories.md +++ b/windows/keep-secure/back-up-files-and-directories.md @@ -2,7 +2,7 @@ title: Back up files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md index 5f46d91a0d..aee1050952 100644 --- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md @@ -2,7 +2,7 @@ title: Backup the TPM recovery Information to AD DS (Windows 10) description: This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer. ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-account-logon-events.md b/windows/keep-secure/basic-audit-account-logon-events.md index 4bfa89fd5b..392a87e381 100644 --- a/windows/keep-secure/basic-audit-account-logon-events.md +++ b/windows/keep-secure/basic-audit-account-logon-events.md @@ -2,7 +2,7 @@ title: Audit account logon events (Windows 10) description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-account-management.md b/windows/keep-secure/basic-audit-account-management.md index ee0cf33722..364a455ec2 100644 --- a/windows/keep-secure/basic-audit-account-management.md +++ b/windows/keep-secure/basic-audit-account-management.md 
@@ -2,7 +2,7 @@ title: Audit account management (Windows 10) description: Determines whether to audit each event of account management on a device. ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-directory-service-access.md b/windows/keep-secure/basic-audit-directory-service-access.md index 0d48b78b27..b377adcecc 100644 --- a/windows/keep-secure/basic-audit-directory-service-access.md +++ b/windows/keep-secure/basic-audit-directory-service-access.md @@ -2,7 +2,7 @@ title: Audit directory service access (Windows 10) description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-logon-events.md b/windows/keep-secure/basic-audit-logon-events.md index d83d80357e..143c150317 100644 --- a/windows/keep-secure/basic-audit-logon-events.md +++ b/windows/keep-secure/basic-audit-logon-events.md @@ -2,7 +2,7 @@ title: Audit logon events (Windows 10) description: Determines whether to audit each instance of a user logging on to or logging off from a device. ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-object-access.md b/windows/keep-secure/basic-audit-object-access.md index 6ae03e3c93..05d9500660 100644 --- a/windows/keep-secure/basic-audit-object-access.md +++ b/windows/keep-secure/basic-audit-object-access.md 
@@ -2,7 +2,7 @@ title: Audit object access (Windows 10) description: Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-policy-change.md b/windows/keep-secure/basic-audit-policy-change.md index 0590d832ee..9aee64c9c8 100644 --- a/windows/keep-secure/basic-audit-policy-change.md +++ b/windows/keep-secure/basic-audit-policy-change.md @@ -2,7 +2,7 @@ title: Audit policy change (Windows 10) description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-privilege-use.md b/windows/keep-secure/basic-audit-privilege-use.md index 38a2117169..62d38eec12 100644 --- a/windows/keep-secure/basic-audit-privilege-use.md +++ b/windows/keep-secure/basic-audit-privilege-use.md @@ -2,7 +2,7 @@ title: Audit privilege use (Windows 10) description: Determines whether to audit each instance of a user exercising a user right. ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-process-tracking.md b/windows/keep-secure/basic-audit-process-tracking.md index 9fd272a03c..acfe7b0fb1 100644 --- a/windows/keep-secure/basic-audit-process-tracking.md +++ b/windows/keep-secure/basic-audit-process-tracking.md 
@@ -2,7 +2,7 @@ title: Audit process tracking (Windows 10) description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-system-events.md b/windows/keep-secure/basic-audit-system-events.md index 7724e17654..70674dbb21 100644 --- a/windows/keep-secure/basic-audit-system-events.md +++ b/windows/keep-secure/basic-audit-system-events.md @@ -2,7 +2,7 @@ title: Audit system events (Windows 10) description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-security-audit-policies.md b/windows/keep-secure/basic-security-audit-policies.md index 0ad34f0790..1de3ff5747 100644 --- a/windows/keep-secure/basic-security-audit-policies.md +++ b/windows/keep-secure/basic-security-audit-policies.md @@ -2,7 +2,7 @@ title: Basic security audit policies (Windows 10) description: Before you implement auditing, you must decide on an auditing policy. ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-security-audit-policy-settings.md b/windows/keep-secure/basic-security-audit-policy-settings.md index eeade033ce..82989b0eee 100644 --- a/windows/keep-secure/basic-security-audit-policy-settings.md +++ b/windows/keep-secure/basic-security-audit-policy-settings.md 
@@ -2,7 +2,7 @@ title: Basic security audit policy settings (Windows 10) description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bcd-settings-and-bitlocker.md b/windows/keep-secure/bcd-settings-and-bitlocker.md index bee0c9e8f3..ccd9afd831 100644 --- a/windows/keep-secure/bcd-settings-and-bitlocker.md +++ b/windows/keep-secure/bcd-settings-and-bitlocker.md @@ -2,7 +2,7 @@ title: BCD settings and BitLocker (Windows 10) description: This topic for IT professionals describes the BCD settings that are used by BitLocker. ms.assetid: c4ab7ac9-16dc-4c7e-b061-c0b0deb2c4fa -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-basic-deployment.md b/windows/keep-secure/bitlocker-basic-deployment.md index e63322f296..b83692c713 100644 --- a/windows/keep-secure/bitlocker-basic-deployment.md +++ b/windows/keep-secure/bitlocker-basic-deployment.md @@ -2,7 +2,7 @@ title: BitLocker basic deployment (Windows 10) description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 687bf6047b..7e1f6c7414 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md 
@@ -2,7 +2,7 @@ title: BitLocker Countermeasures (Windows 10) description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index 4d179869fb..23dc64932f 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md @@ -2,7 +2,7 @@ title: BitLocker frequently asked questions (FAQ) (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 77412bda71..8d3864a681 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -2,7 +2,7 @@ title: BitLocker Group Policy settings (Windows 10) description: This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md index e7035aa4e8..e57e269aff 100644 
--- a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md @@ -2,7 +2,7 @@ title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10) description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 37e9e8b02d..16e0aa12b2 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -2,7 +2,7 @@ title: BitLocker How to enable Network Unlock (Windows 10) description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 897f3dd747..58f3047141 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md @@ -2,7 +2,7 @@ title: BitLocker (Windows 10) description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-recovery-guide-plan.md b/windows/keep-secure/bitlocker-recovery-guide-plan.md index 80df5a2c52..61d362d1a3 100644 --- a/windows/keep-secure/bitlocker-recovery-guide-plan.md +++ b/windows/keep-secure/bitlocker-recovery-guide-plan.md 
@@ -2,7 +2,7 @@ title: BitLocker recovery guide (Windows 10) description: This topic for IT professionals describes how to recover BitLocker keys from AD DS. ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index a20d25ff66..8d48b8aff4 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -2,7 +2,7 @@ title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) description: This topic for the IT professional describes how to use tools to manage BitLocker. ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md index 61521699b2..850c7507b0 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -2,7 +2,7 @@ title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md index 032ef98517..83a3f113a9 100644 --- a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md 
+++ b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md @@ -2,9 +2,10 @@ title: Block untrusted fonts in an enterprise (Windows 10) description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4 -keywords: ["font blocking", "untrusted font blocking", "block fonts", "untrusted fonts"] -ms.prod: W10 +keywords: font blocking, untrusted font blocking, block fonts, untrusted fonts +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: security ms.sitesec: library author: eross-msft --- diff --git a/windows/keep-secure/bypass-traverse-checking.md b/windows/keep-secure/bypass-traverse-checking.md index d07fea0ff5..60df8885da 100644 --- a/windows/keep-secure/bypass-traverse-checking.md +++ b/windows/keep-secure/bypass-traverse-checking.md @@ -2,7 +2,7 @@ title: Bypass traverse checking (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting. ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 5f96e1fcb1..3c7d6abdfe 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -2,9 +2,10 @@ title: Change history for Keep Windows 10 secure (Windows 10) description: This topic lists new and updated topics in the Keep Windows 10 secure documentation for Windows 10 and Windows 10 Mobile. ms.assetid: E50EC5E6-71AA-4FF1-8356-574CFDB8079B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- 
diff --git a/windows/keep-secure/change-the-system-time.md b/windows/keep-secure/change-the-system-time.md index 4ac7356093..e6f43e3f88 100644 --- a/windows/keep-secure/change-the-system-time.md +++ b/windows/keep-secure/change-the-system-time.md @@ -2,7 +2,7 @@ title: Change the system time (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting. ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/change-the-time-zone.md b/windows/keep-secure/change-the-time-zone.md index 1b27d5afe9..3eb72473a5 100644 --- a/windows/keep-secure/change-the-time-zone.md +++ b/windows/keep-secure/change-the-time-zone.md @@ -2,7 +2,7 @@ title: Change the time zone (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting. ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index 7241d40deb..ba11bc7a8c 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md @@ -2,7 +2,7 @@ title: Change the TPM owner password (Windows 10) description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. ms.assetid: e43dcff3-acb4-4a92-8816-d6b64b7f2f45 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md index 3e84e8f209..0293f672ae 100644 --- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md +++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md @@ -2,7 +2,7 @@ title: Choose the right BitLocker countermeasure (Windows 10) description: This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. ms.assetid: b0b09508-7885-4030-8c61-d91458afdb14 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md index 58ba26536b..206c0415fe 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md @@ -2,7 +2,7 @@ title: Configure an AppLocker policy for audit only (Windows 10) description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker. ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md index 3d6aa8a2c7..55e87ba39a 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md 
@@ -2,7 +2,7 @@ title: Configure an AppLocker policy for enforce rules (Windows 10) description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 79f9ff560f..aede6f38ed 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Configure Windows Defender ATP endpoints description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service. keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md index 0d4e3eefd6..be96e323ed 100644 --- a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md +++ b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md @@ -2,7 +2,7 @@ title: Add exceptions for an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index aef3743b8f..e0564e8606 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Configure Windows Defender ATP endpoint proxy and Internet connection set description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, web proxy auto detect, wpad, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/configure-s-mime.md b/windows/keep-secure/configure-s-mime.md index 1d5a83822d..7b9906f26d 100644 --- a/windows/keep-secure/configure-s-mime.md +++ b/windows/keep-secure/configure-s-mime.md @@ -3,7 +3,7 @@ title: Configure S/MIME for Windows 10 and Windows 10 Mobile (Windows 10) description: In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 keywords: encrypt, digital signature -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-the-appLocker-reference-device.md b/windows/keep-secure/configure-the-appLocker-reference-device.md index 59e6e81b2d..97d6fd1361 100644 --- a/windows/keep-secure/configure-the-appLocker-reference-device.md +++ b/windows/keep-secure/configure-the-appLocker-reference-device.md 
@@ -2,7 +2,7 @@ title: Configure the AppLocker reference device (Windows 10) description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-the-application-identity-service.md b/windows/keep-secure/configure-the-application-identity-service.md index 0714a613da..84a1d64b98 100644 --- a/windows/keep-secure/configure-the-application-identity-service.md +++ b/windows/keep-secure/configure-the-application-identity-service.md @@ -3,7 +3,7 @@ title: Configure the Application Identity service (Windows 10) description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md index 72c2a16a9b..b52b5f6c57 100644 --- a/windows/keep-secure/configure-windows-defender-in-windows-10.md +++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md @@ -2,7 +2,7 @@ title: Configure Windows Defender in Windows 10 (Windows 10) description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md index cdd372d271..69742a74b0 100644 --- a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -2,7 +2,7 @@ title: Create a basic audit policy for an event category (Windows 10) description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/keep-secure/create-a-pagefile.md index c914d790aa..a8c65abbab 100644 --- a/windows/keep-secure/create-a-pagefile.md +++ b/windows/keep-secure/create-a-pagefile.md @@ -2,7 +2,7 @@ title: Create a pagefile (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting. ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-rule-for-packaged-apps.md b/windows/keep-secure/create-a-rule-for-packaged-apps.md index 3909260775..f0ed699e79 100644 --- a/windows/keep-secure/create-a-rule-for-packaged-apps.md +++ b/windows/keep-secure/create-a-rule-for-packaged-apps.md @@ -2,7 +2,7 @@ title: Create a rule for packaged apps (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md index 261eea052b..4a1038f165 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md @@ -2,7 +2,7 @@ title: Create a rule that uses a file hash condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md index 8553577fac..89a34500cd 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md @@ -2,7 +2,7 @@ title: Create a rule that uses a path condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a path condition. ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md index 11ceca1e52..214dca0f70 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md @@ -2,7 +2,7 @@ title: Create a rule that uses a publisher condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/create-a-token-object.md b/windows/keep-secure/create-a-token-object.md index 99055b694f..8decf358bf 100644 --- a/windows/keep-secure/create-a-token-object.md +++ b/windows/keep-secure/create-a-token-object.md @@ -2,7 +2,7 @@ title: Create a token object (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a token object security policy setting. ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md index eb37fb2112..930d2bc4d7 100644 --- a/windows/keep-secure/create-applocker-default-rules.md +++ b/windows/keep-secure/create-applocker-default-rules.md @@ -2,7 +2,7 @@ title: Create AppLocker default rules (Windows 10) description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index e2dab16028..c5d390ea1c 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md 
@@ -2,9 +2,10 @@ title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index 9e4288873e..fa412028a7 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md @@ -2,10 +2,11 @@ title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10) description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 -keywords: ["EDP", "Enterprise Data Protection", "SCCM", "System Center Configuration Manager", Configuration Manager"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-global-objects.md b/windows/keep-secure/create-global-objects.md index 1f047ee451..c131685bec 100644 --- a/windows/keep-secure/create-global-objects.md +++ b/windows/keep-secure/create-global-objects.md 
@@ -2,7 +2,7 @@ title: Create global objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create global objects security policy setting. ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md index 074fababfc..c623dd725f 100644 --- a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md @@ -2,7 +2,7 @@ title: Create a list of apps deployed to each business group (Windows 10) description: This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-permanent-shared-objects.md b/windows/keep-secure/create-permanent-shared-objects.md index 33ab226516..bcc0896951 100644 --- a/windows/keep-secure/create-permanent-shared-objects.md +++ b/windows/keep-secure/create-permanent-shared-objects.md @@ -2,7 +2,7 @@ title: Create permanent shared objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create permanent shared objects security policy setting. ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-symbolic-links.md b/windows/keep-secure/create-symbolic-links.md index 857a5a7ca9..994d8de789 100644 
--- a/windows/keep-secure/create-symbolic-links.md +++ b/windows/keep-secure/create-symbolic-links.md @@ -2,7 +2,7 @@ title: Create symbolic links (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting. ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md index 16034ac23d..760968b092 100644 --- a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md +++ b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md @@ -2,10 +2,11 @@ title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10) description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-your-applocker-planning-document.md b/windows/keep-secure/create-your-applocker-planning-document.md index 263be36d5e..f2b23f5937 100644 --- a/windows/keep-secure/create-your-applocker-planning-document.md +++ b/windows/keep-secure/create-your-applocker-planning-document.md 
@@ -2,7 +2,7 @@ title: Create your AppLocker planning document (Windows 10) description: This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-your-applocker-policies.md b/windows/keep-secure/create-your-applocker-policies.md index b7a23cc02d..e4ecc44cee 100644 --- a/windows/keep-secure/create-your-applocker-policies.md +++ b/windows/keep-secure/create-your-applocker-policies.md @@ -2,7 +2,7 @@ title: Create Your AppLocker policies (Windows 10) description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-your-applocker-rules.md b/windows/keep-secure/create-your-applocker-rules.md index ee0590e89b..8bcb7daf24 100644 --- a/windows/keep-secure/create-your-applocker-rules.md +++ b/windows/keep-secure/create-your-applocker-rules.md @@ -2,7 +2,7 @@ title: Create Your AppLocker rules (Windows 10) description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. ms.assetid: b684a3a5-929c-4f70-8742-04088022f232 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md index ee2f72275b..a1b2db57b3 100644 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md 
@@ -2,7 +2,7 @@ title: Create a Device Guard code integrity policy based on a reference device (Windows 10) description: To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device. ms.assetid: 6C94B14E-E2CE-4F6C-8939-4B375406E825 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 870a49c024..1202cb6ae3 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -2,7 +2,7 @@ title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md index aa142cc631..07afd4227c 100644 --- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,11 @@ title: View the Windows Defender Advanced Threat Protection Dashboard description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # View the Windows Defender Advanced Threat Protection Dashboard diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md index 1286313495..6db6f55321 100644 --- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender ATP data storage and privacy description: Learn about how Windows Defender ATP handles privacy and data that it collects. keywords: Windows Defender ATP data storage and privacy, storage, privacy search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security --- # Windows Defender ATP data storage and privacy diff --git a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 6fe17f05af..99fd9c7f66 100644 --- a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
+++ b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -2,7 +2,7 @@ title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index d4c42764a5..6b5d3ee2c2 100644 --- a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -2,7 +2,7 @@ title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting. ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/debug-programs.md b/windows/keep-secure/debug-programs.md index 4b133fd251..810c6a21b5 100644 --- a/windows/keep-secure/debug-programs.md +++ b/windows/keep-secure/debug-programs.md 
@@ -2,7 +2,7 @@ title: Debug programs (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting. ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/delete-an-applocker-rule.md b/windows/keep-secure/delete-an-applocker-rule.md index ad342ee6cf..3d4888fb73 100644 --- a/windows/keep-secure/delete-an-applocker-rule.md +++ b/windows/keep-secure/delete-an-applocker-rule.md @@ -2,7 +2,7 @@ title: Delete an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to delete an AppLocker rule. ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md index df4e48dc46..fbad5a0ca8 100644 --- a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md +++ b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md @@ -2,7 +2,7 @@ title: Deny access to this computer from the network (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting. ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-as-a-batch-job.md b/windows/keep-secure/deny-log-on-as-a-batch-job.md index d3abeeb6d5..5edb8ca898 100644 --- a/windows/keep-secure/deny-log-on-as-a-batch-job.md +++ b/windows/keep-secure/deny-log-on-as-a-batch-job.md 
@@ -2,7 +2,7 @@ title: Deny log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting. ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-as-a-service.md b/windows/keep-secure/deny-log-on-as-a-service.md index 8fa66ee734..7acdea2a4c 100644 --- a/windows/keep-secure/deny-log-on-as-a-service.md +++ b/windows/keep-secure/deny-log-on-as-a-service.md @@ -2,7 +2,7 @@ title: Deny log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting. ms.assetid: f1114964-df86-4278-9b11-e35c66949794 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-locally.md b/windows/keep-secure/deny-log-on-locally.md index 916d358f89..cd84f05560 100644 --- a/windows/keep-secure/deny-log-on-locally.md +++ b/windows/keep-secure/deny-log-on-locally.md @@ -2,7 +2,7 @@ title: Deny log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting. ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md index 6877912bae..8e5065b443 100644 --- a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md 
@@ -2,7 +2,7 @@ title: Deny log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting. ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index b7056845e4..b5ecdf6702 100644 --- a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -2,7 +2,7 @@ title: Deploy AppLocker policies by using the enforce rules setting (Windows 10) description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md index 6893478523..7b23a44cf2 100644 --- a/windows/keep-secure/deploy-edp-policy-using-intune.md +++ b/windows/keep-secure/deploy-edp-policy-using-intune.md @@ -2,10 +2,11 @@ title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211 -keywords: ["EDP", "Enterprise Data Protection", "Intune"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, Intune +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- 
diff --git a/windows/keep-secure/deploy-the-applocker-policy-into-production.md b/windows/keep-secure/deploy-the-applocker-policy-into-production.md index 32e3cd0d65..e56061213f 100644 --- a/windows/keep-secure/deploy-the-applocker-policy-into-production.md +++ b/windows/keep-secure/deploy-the-applocker-policy-into-production.md @@ -2,7 +2,7 @@ title: Deploy the AppLocker policy into production (Windows 10) description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md index 5733fd532e..1544475c03 100644 --- a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md @@ -2,7 +2,7 @@ title: Determine the Group Policy structure and rule enforcement (Windows 10) description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules. ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index a02d55ecc7..ccf2483c4d 100644 --- a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md 
@@ -2,7 +2,7 @@ title: Determine which apps are digitally signed on a reference device (Windows 10) description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/determine-your-application-control-objectives.md b/windows/keep-secure/determine-your-application-control-objectives.md index 65098f5d72..a74a000710 100644 --- a/windows/keep-secure/determine-your-application-control-objectives.md +++ b/windows/keep-secure/determine-your-application-control-objectives.md @@ -2,7 +2,7 @@ title: Determine your application control objectives (Windows 10) description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 9edecd273d..6ac463047e 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md @@ -3,7 +3,7 @@ title: Device Guard certification and compliance (Windows 10) description: Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. ms.assetid: 94167ECA-AB08-431D-95E5-7A363F42C7E3 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft 
diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md index 3d9a53be0e..f98d7216ea 100644 --- a/windows/keep-secure/device-guard-deployment-guide.md +++ b/windows/keep-secure/device-guard-deployment-guide.md @@ -3,9 +3,9 @@ title: Device Guard deployment guide (Windows 10) description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 keywords: virtualization, security, malware -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy -ms.pagetype: devices +ms.pagetype: security, devices author: challum --- diff --git a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md index 0d237c5cd4..d8f1d31192 100644 --- a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md +++ b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md @@ -2,7 +2,7 @@ title: Devices Allow undock without having to log on (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting. ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md index 9c9a232738..bffc76a5e9 100644 --- a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md 
@@ -2,7 +2,7 @@ title: Devices Allowed to format and eject removable media (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting. ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md index c71b4b04d5..0bf0ba89a9 100644 --- a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md @@ -2,7 +2,7 @@ title: Devices Prevent users from installing printer drivers (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting. ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index e42ea9042c..5e399e075e 100644 --- a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md 
@@ -2,7 +2,7 @@ title: Devices Restrict CD-ROM access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting. ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index 3246e36da5..1716725907 100644 --- a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -2,7 +2,7 @@ title: Devices Restrict floppy access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting. ms.assetid: 92997910-da95-4c03-ae6f-832915423898 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 267ba483ac..85c56528b1 100644 --- a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md 
@@ -3,7 +3,7 @@ title: Display a custom URL message when users try to run a blocked app (Windows description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/dll-rules-in-applocker.md b/windows/keep-secure/dll-rules-in-applocker.md index 4f99109b04..b6e4cd9e93 100644 --- a/windows/keep-secure/dll-rules-in-applocker.md +++ b/windows/keep-secure/dll-rules-in-applocker.md @@ -2,7 +2,7 @@ title: DLL rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the DLL rule collection. ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md index f583b63513..72c1c10193 100644 --- a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -2,7 +2,7 @@ title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10) description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/document-your-application-control-management-processes.md b/windows/keep-secure/document-your-application-control-management-processes.md index e0ef522601..6e2a75390d 100644 
--- a/windows/keep-secure/document-your-application-control-management-processes.md +++ b/windows/keep-secure/document-your-application-control-management-processes.md @@ -2,7 +2,7 @@ title: Document your application control management processes (Windows 10) description: This planning topic describes the AppLocker policy maintenance information to record for your design document. ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/document-your-application-list.md b/windows/keep-secure/document-your-application-list.md index c20e6831ad..735dc55515 100644 --- a/windows/keep-secure/document-your-application-list.md +++ b/windows/keep-secure/document-your-application-list.md @@ -2,7 +2,7 @@ title: Document your app list (Windows 10) description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/document-your-applocker-rules.md b/windows/keep-secure/document-your-applocker-rules.md index 5603fcefdc..68d32d07d7 100644 --- a/windows/keep-secure/document-your-applocker-rules.md +++ b/windows/keep-secure/document-your-applocker-rules.md @@ -2,7 +2,7 @@ title: Document your AppLocker rules (Windows 10) description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
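Review bot: In windows/keep-secure/device-guard-deployment-guide.md the front matter goes from `ms.mktglfcycl: deploy` straight to `ms.pagetype`, with no `ms.sitesec: library` line, although the other files visible in this part of the patch all carry one. Since this hunk already edits the keys on either side, add `ms.sitesec: library` here as well, or note why this topic is excluded. It is also the only file here whose `ms.pagetype` holds two values (`security, devices`), so confirm that the comma-separated form is accepted for that key.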
diff --git a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md index 73dd753654..feafcec116 100644 --- a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -2,7 +2,7 @@ title: Domain controller Allow server operators to schedule tasks (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting. ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md index 8f75f7faa7..10001b50e6 100644 --- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md @@ -2,7 +2,7 @@ title: Domain controller LDAP server signing requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting. ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md index 3d0dc98ace..563e0956a9 100644 --- a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md 
@@ -2,7 +2,7 @@ title: Domain controller Refuse machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting. ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index dde52ba0d7..b748e75485 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -2,7 +2,7 @@ title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting. ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index 9412bf6ae7..241c83b30b 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md 
@@ -2,7 +2,7 @@ title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting. ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md index 6f0cdd5ea0..dfa36d1360 100644 --- a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -2,7 +2,7 @@ title: Domain member Digitally sign secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting. ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md index a7e862cea4..e933a14786 100644 --- a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md +++ b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md 
@@ -2,7 +2,7 @@ title: Domain member Disable machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting. ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md index b97cf3f485..841729d203 100644 --- a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md +++ b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md @@ -2,7 +2,7 @@ title: Domain member Maximum machine account password age (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting. ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md index 320d44e467..2d179f76d3 100644 --- a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md 
@@ -2,7 +2,7 @@ title: Domain member Require strong (Windows 2000 or later) session key (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting. ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/edit-an-applocker-policy.md b/windows/keep-secure/edit-an-applocker-policy.md index 2faffd200f..8bd9ebfcea 100644 --- a/windows/keep-secure/edit-an-applocker-policy.md +++ b/windows/keep-secure/edit-an-applocker-policy.md @@ -2,7 +2,7 @@ title: Edit an AppLocker policy (Windows 10) description: This topic for IT professionals describes the steps required to modify an AppLocker policy. ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/edit-applocker-rules.md b/windows/keep-secure/edit-applocker-rules.md index 2f47922cd0..3fcada9c5e 100644 --- a/windows/keep-secure/edit-applocker-rules.md +++ b/windows/keep-secure/edit-applocker-rules.md @@ -2,7 +2,7 @@ title: Edit AppLocker rules (Windows 10) description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index b3dcd0cd1a..6e5addb821 100644 --- a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md 
@@ -2,7 +2,7 @@ title: Enable computer and user accounts to be trusted for delegation (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enable computer and user accounts to be trusted for delegation security policy setting. ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enable-the-dll-rule-collection.md b/windows/keep-secure/enable-the-dll-rule-collection.md index 1dd233aee5..3a23c140a8 100644 --- a/windows/keep-secure/enable-the-dll-rule-collection.md +++ b/windows/keep-secure/enable-the-dll-rule-collection.md @@ -2,7 +2,7 @@ title: Enable the DLL rule collection (Windows 10) description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/encrypted-hard-drive.md b/windows/keep-secure/encrypted-hard-drive.md index 884275ee7e..7de2f367e0 100644 --- a/windows/keep-secure/encrypted-hard-drive.md +++ b/windows/keep-secure/encrypted-hard-drive.md @@ -2,7 +2,7 @@ title: Encrypted Hard Drive (Windows 10) description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enforce-applocker-rules.md b/windows/keep-secure/enforce-applocker-rules.md index 0f83a7ff57..31ab2aa2b8 100644 --- a/windows/keep-secure/enforce-applocker-rules.md +++ b/windows/keep-secure/enforce-applocker-rules.md 
@@ -2,7 +2,7 @@ title: Enforce AppLocker rules (Windows 10) description: This topic for IT professionals describes how to enforce application control rules by using AppLocker. ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enforce-password-history.md b/windows/keep-secure/enforce-password-history.md index b78ac67236..a52801d820 100644 --- a/windows/keep-secure/enforce-password-history.md +++ b/windows/keep-secure/enforce-password-history.md @@ -2,7 +2,7 @@ title: Enforce password history (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting. ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enforce-user-logon-restrictions.md b/windows/keep-secure/enforce-user-logon-restrictions.md index 40eef86d2b..39f83bb850 100644 --- a/windows/keep-secure/enforce-user-logon-restrictions.md +++ b/windows/keep-secure/enforce-user-logon-restrictions.md @@ -2,7 +2,7 @@ title: Enforce user logon restrictions (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting. ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md index c0cd2aac59..bf8d546f56 100644 --- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md +++ b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md 
@@ -2,10 +2,11 @@ title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md index f6244f66e0..6e239a2aea 100644 --- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Review events and errors on endpoints with Event Viewer description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service. keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/executable-rules-in-applocker.md b/windows/keep-secure/executable-rules-in-applocker.md index b74b7fe29a..ebad0e1645 100644 --- a/windows/keep-secure/executable-rules-in-applocker.md +++ b/windows/keep-secure/executable-rules-in-applocker.md 
@@ -2,7 +2,7 @@ title: Executable rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the executable rule collection. ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md index 90c10baeee..6476c88d16 100644 --- a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md +++ b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md @@ -2,7 +2,7 @@ title: Export an AppLocker policy from a GPO (Windows 10) description: This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md index a5ebd52102..f3f9d22190 100644 --- a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md @@ -2,7 +2,7 @@ title: Export an AppLocker policy to an XML file (Windows 10) description: This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/file-system-global-object-access-auditing.md b/windows/keep-secure/file-system-global-object-access-auditing.md index 5853de4758..13e7b15ca7 100644 --- a/windows/keep-secure/file-system-global-object-access-auditing.md +++ b/windows/keep-secure/file-system-global-object-access-auditing.md 
@@ -2,7 +2,7 @@ title: File System (Global Object Access Auditing) (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, File System (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the file system for an entire computer. ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/force-shutdown-from-a-remote-system.md b/windows/keep-secure/force-shutdown-from-a-remote-system.md index c9f51b7ed0..e635eb56d3 100644 --- a/windows/keep-secure/force-shutdown-from-a-remote-system.md +++ b/windows/keep-secure/force-shutdown-from-a-remote-system.md @@ -2,7 +2,7 @@ title: Force shutdown from a remote system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting. ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/generate-security-audits.md b/windows/keep-secure/generate-security-audits.md index 78b578d1e3..437bdc47d0 100644 --- a/windows/keep-secure/generate-security-audits.md +++ b/windows/keep-secure/generate-security-audits.md @@ -2,7 +2,7 @@ title: Generate security audits (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Generate security audits security policy setting. ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md index f7b4350a6f..9f8709dce5 100644 
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md +++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md @@ -2,7 +2,7 @@ title: Update and manage Windows Defender in Windows 10 (Windows 10) description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell. ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md index f9af00d1cd..42e7d1cff1 100644 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md @@ -3,7 +3,7 @@ title: Get apps to run on Device Guard-protected devices (Windows 10) description: Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. ms.assetid: E62B68C3-8B9F-4842-90FC-B4EE9FF8A67E keywords: Package Inspector, packageinspector.exe, sign catalog file -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md index cf4d35de03..805ac84dfc 100644 --- a/windows/keep-secure/guidance-and-best-practices-edp.md +++ b/windows/keep-secure/guidance-and-best-practices-edp.md 
@@ -2,10 +2,11 @@ title: General guidance and best practices for enterprise data protection (EDP) (Windows 10) description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/how-applocker-works-techref.md b/windows/keep-secure/how-applocker-works-techref.md index ad2bc595e0..f9bf8450f5 100644 --- a/windows/keep-secure/how-applocker-works-techref.md +++ b/windows/keep-secure/how-applocker-works-techref.md @@ -2,7 +2,7 @@ title: How AppLocker works (Windows 10) description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md index 275dfdaccb..6a307acac3 100644 --- a/windows/keep-secure/how-to-configure-security-policy-settings.md +++ b/windows/keep-secure/how-to-configure-security-policy-settings.md @@ -3,7 +3,7 @@ title: Configure security policy settings (Windows 10) description: Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
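Review bot: The `keywords` line in windows/keep-secure/guidance-and-best-practices-edp.md changes type, not only style: `["EDP", "Enterprise Data Protection"]` is a YAML sequence, while `EDP, Enterprise Data Protection` is a single plain string. The same rewrite is made in enlightened-microsoft-apps-and-edp.md. The new form matches other topics in this patch (for example `keywords: virtualization, security, malware`), but please confirm that whatever consumes this metadata splits the string on commas. This is a separate change from the `W10` to `w10` casing fix and from the added `ms.pagetype: security` line, so call it out in the change description.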
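Review bot: In windows/keep-secure/get-started-with-windows-defender-for-windows-10.md the `description` context line, two lines above the changed `ms.prod`, has its list items fused together: "Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell". This patch is already normalizing the front matter of that file, so fix the description in the same pass by separating the three items (Group Policy settings, Windows Management Instrumentation (WMI), PowerShell) with commas.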
diff --git a/windows/keep-secure/how-user-account-control-works.md b/windows/keep-secure/how-user-account-control-works.md index ca5e6eef25..90bba5477f 100644 --- a/windows/keep-secure/how-user-account-control-works.md +++ b/windows/keep-secure/how-user-account-control-works.md @@ -2,7 +2,7 @@ title: How User Account Control works (Windows 10) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/impersonate-a-client-after-authentication.md b/windows/keep-secure/impersonate-a-client-after-authentication.md index 6735e29692..9dc1b4f485 100644 --- a/windows/keep-secure/impersonate-a-client-after-authentication.md +++ b/windows/keep-secure/impersonate-a-client-after-authentication.md @@ -2,7 +2,7 @@ title: Impersonate a client after authentication (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Impersonate a client after authentication security policy setting. ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 95e304939b..1680e13ed9 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md 
@@ -3,7 +3,7 @@ title: Implement Microsoft Passport in your organization (Windows 10) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10. ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md index 199d82deae..0f0e11976b 100644 --- a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md +++ b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md @@ -2,7 +2,7 @@ title: Import an AppLocker policy from another computer (Windows 10) description: This topic for IT professionals describes how to import an AppLocker policy. ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md index a5dfd645ac..c03e2d5282 100644 --- a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md +++ b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md @@ -2,7 +2,7 @@ title: Import an AppLocker policy into a GPO (Windows 10) description: This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/increase-a-process-working-set.md b/windows/keep-secure/increase-a-process-working-set.md index da0458fb81..237be32d51 100644 --- a/windows/keep-secure/increase-a-process-working-set.md 
+++ b/windows/keep-secure/increase-a-process-working-set.md @@ -2,7 +2,7 @@ title: Increase a process working set (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Increase a process working set security policy setting. ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/increase-scheduling-priority.md b/windows/keep-secure/increase-scheduling-priority.md index a7d5d1646b..727d53c8e1 100644 --- a/windows/keep-secure/increase-scheduling-priority.md +++ b/windows/keep-secure/increase-scheduling-priority.md @@ -2,7 +2,7 @@ title: Increase scheduling priority (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting. ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 5b1c59fb81..b605acb372 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -2,7 +2,7 @@ title: Keep Windows 10 secure (Windows 10) description: Learn about keeping Windows 10 and Windows 10 Mobile secure. ms.assetid: EA559BA8-734F-41DB-A74A-D8DBF36BE920 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md index 2b407e7511..a1d2220641 100644 --- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md 
@@ -2,7 +2,7 @@ title: Initialize and configure ownership of the TPM (Windows 10) description: This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md index 99bab3e2fa..33f7e83a76 100644 --- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md @@ -3,7 +3,7 @@ title: Install digital certificates on Windows 10 Mobile (Windows 10) description: Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. ms.assetid: FF7B1BE9-41F4-44B0-A442-249B650CEE25 keywords: S/MIME, PFX, SCEP -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md index 998c7d3a6d..7c1d049314 100644 --- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md 
@@ -2,7 +2,7 @@ title: Interactive logon Display user information when the session is locked (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Display user information when the session is locked security policy setting. ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md index 945989b859..0177def043 100644 --- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md +++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md @@ -2,7 +2,7 @@ title: Interactive logon Do not display last user name (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md index 34a748af68..f2741165ce 100644 --- a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md @@ -2,7 +2,7 @@ title: Interactive logon Do not require CTRL+ALT+DEL (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not require CTRL+ALT+DEL security policy setting. ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md index 3e7824eedb..ee2f89dfe2 100644 --- a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md @@ -2,7 +2,7 @@ title: Interactive logon Machine account lockout threshold (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine account lockout threshold security policy setting. ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md index 9fb56662fb..5ecfd51a7e 100644 --- a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md +++ b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md @@ -2,7 +2,7 @@ title: Interactive logon Machine inactivity limit (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine inactivity limit security policy setting. ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md index 2277884c62..6ee93f3d7a 100644 --- a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md 
@@ -2,7 +2,7 @@ title: Interactive logon Message text for users attempting to log on (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Message text for users attempting to log on security policy setting. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md index 7e5719c49b..5fd221ea00 100644 --- a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive logon Message title for users attempting to log on (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Message title for users attempting to log on security policy setting. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 651f08183b..c57b5db6e3 100644 --- a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md 
@@ -2,7 +2,7 @@ title: Interactive logon Number of previous logons to cache (in case domain controller is not available) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Number of previous logons to cache (in case domain controller is not available) security policy setting. ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md index 6e08f688d8..3b6173cf5c 100644 --- a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -2,7 +2,7 @@ title: Interactive logon Prompt user to change password before expiration (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Prompt user to change password before expiration security policy setting. ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 9660b5770a..0faeff4378 100644 --- a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md 
@@ -2,7 +2,7 @@ title: Interactive logon Require Domain Controller authentication to unlock workstation (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Interactive logon Require Domain Controller authentication to unlock workstation security policy setting. ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-require-smart-card.md b/windows/keep-secure/interactive-logon-require-smart-card.md index faf1834204..2441b3c3e7 100644 --- a/windows/keep-secure/interactive-logon-require-smart-card.md +++ b/windows/keep-secure/interactive-logon-require-smart-card.md @@ -2,7 +2,7 @@ title: Interactive logon Require smart card (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting. ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md index 29eba6fd2b..a2ba648b93 100644 --- a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md +++ b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md @@ -2,7 +2,7 @@ title: Interactive logon Smart card removal behavior (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Smart card removal behavior security policy setting. ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md index 02e10c15b7..20a073c239 100644 --- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection alerts description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them. keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security --- # Investigate Windows Defender Advanced Threat Protection alerts diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md index f5864ee6f3..fd75059fff 100644 --- a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection domains description: Use the investigation options to see if machines and servers have been communicating with malicious domains. keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate a domain associated with a Windows Defender ATP alert 
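Review bot: in the investigate-alerts-windows-defender-advanced-threat-protection.md hunk above, ms.pagetype: security becomes the last front-matter line before the closing ---, so that topic still has no author: entry, while the investigate-domain hunk that follows it shows author: mjcaparas as trailing context. Add the author line in this same change so the investigate-* topics in this patch end up with identical metadata; as it stands the gap is only closed by patch 128/169 later in the series, which adds author: mjcaparas to this file on its own.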
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md index 3b0b76a04d..2f82d6927e 100644 --- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection files description: Use the investigation options to get details on files associated with alerts, behaviours, or events. keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate a file associated with a Windows Defender ATP alert diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md index 5e516f6425..e1427b0400 100644 --- a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection IP address description: Use the investigation options to examine possible communication between machines and external IP addresses. keywords: investigate, investigation, IP address, alert, windows defender atp, external IP search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate an IP address associated with a Windows Defender ATP alert 
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md index a248e46dd3..4778e194e5 100644 --- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate machines in the Windows Defender ATP Machines view description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view. keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active malware detections, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/kerberos-policy.md b/windows/keep-secure/kerberos-policy.md index fa68f49ac1..0cb40c4482 100644 --- a/windows/keep-secure/kerberos-policy.md +++ b/windows/keep-secure/kerberos-policy.md @@ -2,7 +2,7 @@ title: Kerberos Policy (Windows 10) description: Describes the Kerberos Policy settings and provides links to policy setting descriptions. ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security From 87875ceac0c7d83370747aefb68e924ac1e4ccfe Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 27 May 2016 08:41:59 -0700 Subject: [PATCH 126/169] changed from opting out of MAPS to disconnecting from MAPS --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index f8496916b0..d171860de7 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1083,7 +1083,7 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr ### 19. Windows Defender -You can opt out of the Microsoft Antimalware Protection Service. +You can disconnect from the Microsoft Antimalware Protection Service. - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** From 50c264bd5520b155cac03254995bce162ba5b460 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 27 May 2016 09:31:05 -0700 Subject: [PATCH 127/169] fixing typo --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d171860de7..616f93dc73 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -1209,7 +1209,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS | Policy | Description | |---------------------------|-----------------------------------------------------------------------------------------------------| | DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
      • 0. Turns off Delivery Optimization.

      • 1. Gets or sends updates and apps to PCs on the same NAT only.

      • 2. Gets or sends updates and apps to PCs on the same local network domain.

      • 3. Gets or sends updates and apps to PCs on the Internet.

      | -| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
      ** Note** This ID must be a GUID.| +| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
      **Note** This ID must be a GUID.| | DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
      The default value is 259200 seconds (3 days).| | DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
      The default value is 20, which represents 20% of the disk.| | DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
      The default value is 0, which means unlimited possible bandwidth.| From 8e6dba25e9dbe4f0c138a416b6de2fb4abc6f94e Mon Sep 17 00:00:00 2001 
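Review bot: in patch 126's hunk under "### 19. Windows Defender", the reworded sentence spells the service out as "Microsoft Antimalware Protection Service", but the step directly below it refers to the same thing only as MAPS in the policy path (**MAPS** > **Join Microsoft MAPS**). Put "(MAPS)" after the service name in the new sentence so a reader can tie the sentence to the policy, and check that the expanded name matches the one the Join Microsoft MAPS policy itself uses. Since the wording moved from "opt out" to "disconnect", one more sentence on what a device stops sending or receiving once the policy is disabled would let an administrator judge the protection trade-off before applying it.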
From: Jan Backstrom Date: Fri, 27 May 2016 13:46:06 -0700 Subject: [PATCH 128/169] update tagging change W10 to w10 (lower case); add ms.pagetype; added authors --- ...ge-privacy-windows-defender-advanced-threat-protection.md | 1 + ...ate-alerts-windows-defender-advanced-threat-protection.md | 1 + windows/keep-secure/load-and-unload-device-drivers.md | 2 +- windows/keep-secure/lock-pages-in-memory.md | 2 +- windows/keep-secure/log-on-as-a-batch-job.md | 2 +- windows/keep-secure/log-on-as-a-service.md | 2 +- windows/keep-secure/maintain-applocker-policies.md | 2 +- ...age-alerts-windows-defender-advanced-threat-protection.md | 4 +++- windows/keep-secure/manage-auditing-and-security-log.md | 2 +- .../manage-identity-verification-using-microsoft-passport.md | 2 +- windows/keep-secure/manage-packaged-apps-with-applocker.md | 2 +- windows/keep-secure/manage-tpm-commands.md | 2 +- windows/keep-secure/manage-tpm-lockout.md | 2 +- windows/keep-secure/maximum-lifetime-for-service-ticket.md | 2 +- .../keep-secure/maximum-lifetime-for-user-ticket-renewal.md | 2 +- windows/keep-secure/maximum-lifetime-for-user-ticket.md | 2 +- windows/keep-secure/maximum-password-age.md | 2 +- .../maximum-tolerance-for-computer-clock-synchronization.md | 2 +- .../merge-applocker-policies-by-using-set-applockerpolicy.md | 2 +- windows/keep-secure/merge-applocker-policies-manually.md | 2 +- ...ft-network-client-digitally-sign-communications-always.md | 2 +- ...-client-digitally-sign-communications-if-server-agrees.md | 2 +- ...t-send-unencrypted-password-to-third-party-smb-servers.md | 2 +- ...amount-of-idle-time-required-before-suspending-session.md | 2 +- ...rk-server-attempt-s4u2self-to-obtain-claim-information.md | 2 +- ...ft-network-server-digitally-sign-communications-always.md | 2 +- ...-server-digitally-sign-communications-if-client-agrees.md | 2 +- ...work-server-disconnect-clients-when-logon-hours-expire.md | 2 +- ...network-server-server-spn-target-name-validation-level.md | 2 +- 
.../keep-secure/microsoft-passport-and-password-changes.md | 2 +- .../microsoft-passport-errors-during-pin-creation.md | 2 +- windows/keep-secure/microsoft-passport-guide.md | 3 +-- windows/keep-secure/minimum-password-age.md | 2 +- windows/keep-secure/minimum-password-length.md | 2 +- ...quirements-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/modify-an-object-label.md | 2 +- windows/keep-secure/modify-firmware-environment-values.md | 2 +- .../keep-secure/monitor-application-usage-with-applocker.md | 2 +- .../monitor-central-access-policy-and-rule-definitions.md | 2 +- windows/keep-secure/monitor-claim-types.md | 2 +- ...onboarding-windows-defender-advanced-threat-protection.md | 3 ++- .../keep-secure/monitor-resource-attribute-definitions.md | 2 +- ...tral-access-policies-associated-with-files-and-folders.md | 2 +- ...he-central-access-policies-that-apply-on-a-file-server.md | 2 +- .../monitor-the-resource-attributes-on-files-and-folders.md | 2 +- .../monitor-the-use-of-removable-storage-devices.md | 2 +- .../monitor-user-and-device-claims-during-sign-in.md | 2 +- .../network-access-allow-anonymous-sidname-translation.md | 2 +- ...allow-anonymous-enumeration-of-sam-accounts-and-shares.md | 2 +- ...ess-do-not-allow-anonymous-enumeration-of-sam-accounts.md | 2 +- ...f-passwords-and-credentials-for-network-authentication.md | 2 +- ...cess-let-everyone-permissions-apply-to-anonymous-users.md | 2 +- ...rk-access-named-pipes-that-can-be-accessed-anonymously.md | 2 +- ...access-remotely-accessible-registry-paths-and-subpaths.md | 2 +- .../network-access-remotely-accessible-registry-paths.md | 2 +- ...ss-restrict-anonymous-access-to-named-pipes-and-shares.md | 2 +- ...network-access-shares-that-can-be-accessed-anonymously.md | 2 +- ...k-access-sharing-and-security-model-for-local-accounts.md | 2 +- windows/keep-secure/network-list-manager-policies.md | 2 +- ...y-allow-local-system-to-use-computer-identity-for-ntlm.md | 2 +- 
...twork-security-allow-localsystem-null-session-fallback.md | 2 +- ...ion-requests-to-this-computer-to-use-online-identities.md | 2 +- ...curity-configure-encryption-types-allowed-for-kerberos.md | 2 +- ...t-store-lan-manager-hash-value-on-next-password-change.md | 2 +- .../network-security-force-logoff-when-logon-hours-expire.md | 2 +- .../network-security-lan-manager-authentication-level.md | 2 +- .../network-security-ldap-client-signing-requirements.md | 2 +- ...curity-for-ntlm-ssp-based-including-secure-rpc-clients.md | 2 +- ...curity-for-ntlm-ssp-based-including-secure-rpc-servers.md | 2 +- ...m-add-remote-server-exceptions-for-ntlm-authentication.md | 2 +- ...ity-restrict-ntlm-add-server-exceptions-in-this-domain.md | 2 +- ...ork-security-restrict-ntlm-audit-incoming-ntlm-traffic.md | 2 +- ...restrict-ntlm-audit-ntlm-authentication-in-this-domain.md | 2 +- .../network-security-restrict-ntlm-incoming-ntlm-traffic.md | 2 +- ...urity-restrict-ntlm-ntlm-authentication-in-this-domain.md | 2 +- ...-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 2 +- ...-configure-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/optimize-applocker-performance.md | 2 +- windows/keep-secure/overview-create-edp-policy.md | 3 ++- ...ged-apps-and-packaged-app-installer-rules-in-applocker.md | 2 +- windows/keep-secure/passport-event-300.md | 4 ++-- .../password-must-meet-complexity-requirements.md | 2 +- windows/keep-secure/password-policy.md | 2 +- windows/keep-secure/perform-volume-maintenance-tasks.md | 2 +- windows/keep-secure/plan-for-applocker-policy-management.md | 2 +- ...lanning-and-deploying-advanced-security-audit-policies.md | 2 +- ...l-overview-windows-defender-advanced-threat-protection.md | 3 ++- .../keep-secure/prepare-people-to-use-microsoft-passport.md | 2 +- ...-your-organization-for-bitlocker-planning-and-policies.md | 2 +- windows/keep-secure/profile-single-process.md | 2 +- windows/keep-secure/profile-system-performance.md | 2 
+- .../keep-secure/protect-bitlocker-from-pre-boot-attacks.md | 2 +- windows/keep-secure/protect-enterprise-data-using-edp.md | 5 +++-- ...-by-controlling-the-health-of-windows-10-based-devices.md | 4 ++-- ...hared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- .../recovery-console-allow-automatic-administrative-logon.md | 2 +- ...allow-floppy-copy-and-access-to-all-drives-and-folders.md | 2 +- windows/keep-secure/refresh-an-applocker-policy.md | 2 +- .../keep-secure/registry-global-object-access-auditing.md | 2 +- windows/keep-secure/remove-computer-from-docking-station.md | 2 +- windows/keep-secure/replace-a-process-level-token.md | 2 +- .../requirements-for-deploying-applocker-policies.md | 2 +- windows/keep-secure/requirements-to-use-applocker.md | 2 +- windows/keep-secure/reset-account-lockout-counter-after.md | 2 +- windows/keep-secure/restore-files-and-directories.md | 2 +- .../run-cmd-scan-windows-defender-for-windows-10.md | 3 ++- .../run-the-automatically-generate-rules-wizard.md | 2 +- windows/keep-secure/script-rules-in-applocker.md | 2 +- .../secpol-advanced-security-audit-policy-settings.md | 2 +- windows/keep-secure/security-auditing-overview.md | 2 +- windows/keep-secure/security-considerations-for-applocker.md | 2 +- windows/keep-secure/security-options.md | 2 +- windows/keep-secure/security-policy-settings-reference.md | 2 +- windows/keep-secure/security-policy-settings.md | 2 +- windows/keep-secure/security-technologies.md | 2 +- windows/keep-secure/select-types-of-rules-to-create.md | 2 +- ...onboarding-windows-defender-advanced-threat-protection.md | 3 ++- .../settings-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/shut-down-the-system.md | 2 +- ...-allow-system-to-be-shut-down-without-having-to-log-on.md | 2 +- .../keep-secure/shutdown-clear-virtual-memory-pagefile.md | 2 +- .../store-passwords-using-reversible-encryption.md | 2 +- windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md | 2 +- 
windows/keep-secure/synchronize-directory-service-data.md | 2 +- ...ng-key-protection-for-user-keys-stored-on-the-computer.md | 2 +- ...ompliant-algorithms-for-encryption-hashing-and-signing.md | 2 +- ...-require-case-insensitivity-for-non-windows-subsystems.md | 2 +- ...engthen-default-permissions-of-internal-system-objects.md | 2 +- windows/keep-secure/system-settings-optional-subsystems.md | 2 +- ...-windows-executables-for-software-restriction-policies.md | 2 +- .../keep-secure/take-ownership-of-files-or-other-objects.md | 2 +- ...test-an-applocker-policy-by-using-test-applockerpolicy.md | 2 +- windows/keep-secure/test-and-update-an-applocker-policy.md | 2 +- windows/keep-secure/testing-scenarios-for-edp.md | 5 +++-- windows/keep-secure/tools-to-use-with-applocker.md | 2 +- windows/keep-secure/tpm-fundamentals.md | 2 +- windows/keep-secure/tpm-recommendations.md | 2 +- ...onboarding-windows-defender-advanced-threat-protection.md | 3 ++- ...oubleshoot-windows-defender-advanced-threat-protection.md | 3 ++- .../troubleshoot-windows-defender-in-windows-10.md | 2 +- windows/keep-secure/trusted-platform-module-overview.md | 2 +- ...trusted-platform-module-services-group-policy-settings.md | 2 +- .../types-of-attacks-for-volume-encryption-keys.md | 2 +- .../keep-secure/understand-applocker-enforcement-settings.md | 2 +- .../understand-applocker-policy-design-decisions.md | 2 +- ...es-and-enforcement-setting-inheritance-in-group-policy.md | 2 +- .../understand-the-applocker-policy-deployment-process.md | 2 +- ...nderstanding-applocker-allow-and-deny-actions-on-rules.md | 2 +- windows/keep-secure/understanding-applocker-default-rules.md | 2 +- windows/keep-secure/understanding-applocker-rule-behavior.md | 2 +- .../keep-secure/understanding-applocker-rule-collections.md | 2 +- .../understanding-applocker-rule-condition-types.md | 2 +- .../keep-secure/understanding-applocker-rule-exceptions.md | 2 +- ...nderstanding-the-file-hash-rule-condition-in-applocker.md | 2 +- 
.../understanding-the-path-rule-condition-in-applocker.md | 2 +- ...nderstanding-the-publisher-rule-condition-in-applocker.md | 2 +- ...nce-computer-to-create-and-maintain-applocker-policies.md | 2 +- ...r-and-software-restriction-policies-in-the-same-domain.md | 2 +- .../use-the-applocker-windows-powershell-cmdlets.md | 2 +- .../use-windows-defender-advanced-threat-protection.md | 3 ++- ...ows-event-forwarding-to-assist-in-instrusion-detection.md | 2 +- ...n-approval-mode-for-the-built-in-administrator-account.md | 2 +- ...-prompt-for-elevation-without-using-the-secure-desktop.md | 2 +- ...ation-prompt-for-administrators-in-admin-approval-mode.md | 2 +- ...ol-behavior-of-the-elevation-prompt-for-standard-users.md | 2 +- ...ect-application-installations-and-prompt-for-elevation.md | 2 +- ...account-control-group-policy-and-registry-key-settings.md | 4 +++- ...only-elevate-executables-that-are-signed-and-validated.md | 2 +- ...ss-applications-that-are-installed-in-secure-locations.md | 2 +- windows/keep-secure/user-account-control-overview.md | 2 +- ...-control-run-all-administrators-in-admin-approval-mode.md | 2 +- .../user-account-control-security-policy-settings.md | 4 ++-- ...tch-to-the-secure-desktop-when-prompting-for-elevation.md | 2 +- ...file-and-registry-write-failures-to-per-user-locations.md | 2 +- windows/keep-secure/user-rights-assignment.md | 2 +- ...ting-options-to-monitor-dynamic-access-control-objects.md | 2 +- windows/keep-secure/using-event-viewer-with-applocker.md | 2 +- ...g-software-restriction-policies-and-applocker-policies.md | 2 +- windows/keep-secure/view-the-security-event-log.md | 2 +- windows/keep-secure/vpn-profile-options.md | 4 ++-- windows/keep-secure/what-is-applocker.md | 2 +- ...of-windows-support-advanced-audit-policy-configuration.md | 2 +- windows/keep-secure/why-a-pin-is-better-than-a-password.md | 2 +- windows/keep-secure/windows-10-enterprise-security-guides.md | 4 ++-- 
windows/keep-secure/windows-10-mobile-security-guide.md | 4 ++-- windows/keep-secure/windows-10-security-guide.md | 2 +- .../windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/windows-defender-in-windows-10.md | 2 +- windows/keep-secure/windows-hello-in-enterprise.md | 5 +++-- windows/keep-secure/windows-installer-rules-in-applocker.md | 2 +- windows/keep-secure/working-with-applocker-policies.md | 2 +- windows/keep-secure/working-with-applocker-rules.md | 2 +- 192 files changed, 220 insertions(+), 200 deletions(-) diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md index 6db6f55321..a5d2bec8ce 100644 --- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +author: mjcaparas --- # Windows Defender ATP data storage and privacy diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md index 20a073c239..d724b1862d 100644 --- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +author: mjcaparas --- # Investigate Windows Defender Advanced Threat Protection alerts diff --git a/windows/keep-secure/load-and-unload-device-drivers.md b/windows/keep-secure/load-and-unload-device-drivers.md index 0ef993463c..a0500dbf3c 100644 --- a/windows/keep-secure/load-and-unload-device-drivers.md +++ b/windows/keep-secure/load-and-unload-device-drivers.md 
@@ -2,7 +2,7 @@ title: Load and unload device drivers (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting. ms.assetid: 66262532-c610-470c-9792-35ff4389430f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/lock-pages-in-memory.md b/windows/keep-secure/lock-pages-in-memory.md index c2d3f4a39d..c1da29a511 100644 --- a/windows/keep-secure/lock-pages-in-memory.md +++ b/windows/keep-secure/lock-pages-in-memory.md @@ -2,7 +2,7 @@ title: Lock pages in memory (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Lock pages in memory security policy setting. ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/log-on-as-a-batch-job.md b/windows/keep-secure/log-on-as-a-batch-job.md index 6ffcaa330e..e2be507be1 100644 --- a/windows/keep-secure/log-on-as-a-batch-job.md +++ b/windows/keep-secure/log-on-as-a-batch-job.md @@ -2,7 +2,7 @@ title: Log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a batch job security policy setting. ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/log-on-as-a-service.md b/windows/keep-secure/log-on-as-a-service.md index 04d7784d74..eff13752ec 100644 --- a/windows/keep-secure/log-on-as-a-service.md +++ b/windows/keep-secure/log-on-as-a-service.md 
@@ -2,7 +2,7 @@ title: Log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a service security policy setting. ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maintain-applocker-policies.md b/windows/keep-secure/maintain-applocker-policies.md index bc85d3af36..43bd39884e 100644 --- a/windows/keep-secure/maintain-applocker-policies.md +++ b/windows/keep-secure/maintain-applocker-policies.md @@ -2,7 +2,7 @@ title: Maintain AppLocker policies (Windows 10) description: This topic describes how to maintain rules within AppLocker policies. ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md index 12cc2527bd..718b2e22ce 100644 --- a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md @@ -3,9 +3,11 @@ title: Manage Windows Defender Advanced Threat Protection alerts description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu. keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # Manage Windows Defender Advanced Threat Protection alerts 
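Review bot: The `keywords:` context line in manage-alerts-windows-defender-advanced-threat-protection.md still contains the misspelling `supression`, right next to the `ms.prod` line this hunk rewrites. Since the hunk already edits this front matter block (lowercasing `ms.prod` and adding `ms.pagetype: security` and `author: mjcaparas`), correct the keyword to `suppression` in the same change. If the misspelling is kept on purpose to catch mistyped searches, add the correct spelling alongside it, because the list currently has only `suppress` and `supression`.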
diff --git a/windows/keep-secure/manage-auditing-and-security-log.md b/windows/keep-secure/manage-auditing-and-security-log.md index 48c840cc7b..7a6cfdc0ea 100644 --- a/windows/keep-secure/manage-auditing-and-security-log.md +++ b/windows/keep-secure/manage-auditing-and-security-log.md @@ -2,7 +2,7 @@ title: Manage auditing and security log (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Manage auditing and security log security policy setting. ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 7f4b06da3d..bb891d67c5 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md @@ -3,7 +3,7 @@ title: Manage identity verification using Microsoft Passport (Windows 10) description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-packaged-apps-with-applocker.md b/windows/keep-secure/manage-packaged-apps-with-applocker.md index dcad549bfa..e1a7639af3 100644 --- a/windows/keep-secure/manage-packaged-apps-with-applocker.md +++ b/windows/keep-secure/manage-packaged-apps-with-applocker.md 
@@ -2,7 +2,7 @@ title: Manage packaged apps with AppLocker (Windows 10) description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/keep-secure/manage-tpm-commands.md index 1aa0ca5061..0620207ec5 100644 --- a/windows/keep-secure/manage-tpm-commands.md +++ b/windows/keep-secure/manage-tpm-commands.md @@ -2,7 +2,7 @@ title: Manage TPM commands (Windows 10) description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md index 7c75700ed0..61c94cc77e 100644 --- a/windows/keep-secure/manage-tpm-lockout.md +++ b/windows/keep-secure/manage-tpm-lockout.md @@ -2,7 +2,7 @@ title: Manage TPM lockout (Windows 10) description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-lifetime-for-service-ticket.md b/windows/keep-secure/maximum-lifetime-for-service-ticket.md index 3a0a6fff86..fd43969eb0 100644 --- a/windows/keep-secure/maximum-lifetime-for-service-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-service-ticket.md 
@@ -2,7 +2,7 @@ title: Maximum lifetime for service ticket (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting. ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md index c1f175c55b..f807fae4e2 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md @@ -2,7 +2,7 @@ title: Maximum lifetime for user ticket renewal (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting. ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket.md b/windows/keep-secure/maximum-lifetime-for-user-ticket.md index e1a9089dd7..e37ae53435 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket.md @@ -2,7 +2,7 @@ title: Maximum lifetime for user ticket (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting. ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-password-age.md b/windows/keep-secure/maximum-password-age.md index 30fb8319a2..488f04f383 100644 --- a/windows/keep-secure/maximum-password-age.md 
+++ b/windows/keep-secure/maximum-password-age.md @@ -2,7 +2,7 @@ title: Maximum password age (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting. ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md index f5f976b55a..63ebd1f934 100644 --- a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md @@ -2,7 +2,7 @@ title: Maximum tolerance for computer clock synchronization (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting. ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md index 42b8495ede..2e095a1533 100644 --- a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -2,7 +2,7 @@ title: Merge AppLocker policies by using Set-ApplockerPolicy (Windows 10) description: This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/merge-applocker-policies-manually.md b/windows/keep-secure/merge-applocker-policies-manually.md index c511afb3cd..2747de84e0 100644 --- a/windows/keep-secure/merge-applocker-policies-manually.md +++ b/windows/keep-secure/merge-applocker-policies-manually.md @@ -2,7 +2,7 @@ title: Merge AppLocker policies manually (Windows 10) description: This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md index 597e001a91..1cb4c83e11 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md @@ -2,7 +2,7 @@ title: Microsoft network client Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 3f25ac2921..4594534751 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md 
@@ -2,7 +2,7 @@ title: Microsoft network client Digitally sign communications (if server agrees) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting. ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 56635e06cc..901baabc0f 100644 --- a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -2,7 +2,7 @@ title: Microsoft network client Send unencrypted password to third-party SMB servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Send unencrypted password to third-party SMB servers security policy setting. ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 76e38d84c1..f124f2216c 100644 --- a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md 
@@ -2,7 +2,7 @@ title: Microsoft network server Amount of idle time required before suspending session (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network server Amount of idle time required before suspending session security policy setting. ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index ea1b074c71..d979a1d65a 100644 --- a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -2,7 +2,7 @@ title: Microsoft network server Attempt S4U2Self to obtain claim information (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Microsoft network server Attempt S4U2Self to obtain claim information security policy setting. ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md index 23d423e6d9..e71590b3cf 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md 
@@ -2,7 +2,7 @@ title: Microsoft network server Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting. ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 2f327071cb..6ad33d8c8d 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -2,7 +2,7 @@ title: Microsoft network server Digitally sign communications (if client agrees) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting. ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index b2737896f1..529004e2f0 100644 --- a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md 
@@ -2,7 +2,7 @@ title: Microsoft network server Disconnect clients when logon hours expire (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network server Disconnect clients when logon hours expire security policy setting. ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md index b5d71aae14..6096400f68 100644 --- a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md @@ -2,7 +2,7 @@ title: Microsoft network server Server SPN target name validation level (Windows 10) description: Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server Server SPN target name validation level security policy setting. ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index 4325261928..ceebe00f0a 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md @@ -2,7 +2,7 @@ title: Microsoft Passport and password changes (Windows 10) description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index a9483a0b56..490c5c9e6e 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md @@ -3,7 +3,7 @@ title: Microsoft Passport errors during PIN creation (Windows 10) description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 keywords: PIN, error, create a work PIN -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index 70f6296988..b78b6f94f7 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -3,8 +3,7 @@ title: Microsoft Passport guide (Windows 10) description: This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84 keywords: security, credential, password, authentication -ms.prod: W10 -ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/minimum-password-age.md b/windows/keep-secure/minimum-password-age.md index a975b21ff4..d56c232478 100644 --- a/windows/keep-secure/minimum-password-age.md +++ b/windows/keep-secure/minimum-password-age.md @@ -2,7 +2,7 @@ title: Minimum password age (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting. ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/minimum-password-length.md b/windows/keep-secure/minimum-password-length.md index 79281f850c..39c8f9fa60 100644 --- a/windows/keep-secure/minimum-password-length.md +++ b/windows/keep-secure/minimum-password-length.md @@ -2,7 +2,7 @@ title: Minimum password length (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting. ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index fa17f2947f..91db7537e8 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Minimum requirements for Windows Defender Advanced Threat Protection description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP. keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/modify-an-object-label.md b/windows/keep-secure/modify-an-object-label.md index a984a42a33..fecfb339d8 100644 --- a/windows/keep-secure/modify-an-object-label.md +++ b/windows/keep-secure/modify-an-object-label.md 
@@ -2,7 +2,7 @@ title: Modify an object label (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Modify an object label security policy setting. ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/modify-firmware-environment-values.md b/windows/keep-secure/modify-firmware-environment-values.md index 2dcc1d8dfc..e4f6b85eb1 100644 --- a/windows/keep-secure/modify-firmware-environment-values.md +++ b/windows/keep-secure/modify-firmware-environment-values.md @@ -2,7 +2,7 @@ title: Modify firmware environment values (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Modify firmware environment values security policy setting. ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-application-usage-with-applocker.md b/windows/keep-secure/monitor-application-usage-with-applocker.md index 14b94f4745..87ead686b6 100644 --- a/windows/keep-secure/monitor-application-usage-with-applocker.md +++ b/windows/keep-secure/monitor-application-usage-with-applocker.md @@ -2,7 +2,7 @@ title: Monitor app usage with AppLocker (Windows 10) description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md index 11e4efc2be..6904612d1c 100644 --- a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md 
+++ b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md @@ -2,7 +2,7 @@ title: Monitor central access policy and rule definitions (Windows 10) description: This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-claim-types.md b/windows/keep-secure/monitor-claim-types.md index 9220126e6c..fcbaaa93b0 100644 --- a/windows/keep-secure/monitor-claim-types.md +++ b/windows/keep-secure/monitor-claim-types.md @@ -2,7 +2,7 @@ title: Monitor claim types (Windows 10) description: This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md index 67ff38e86d..8babe1f172 100644 --- a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Monitor Windows Defender ATP onboarding description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports. keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/monitor-resource-attribute-definitions.md b/windows/keep-secure/monitor-resource-attribute-definitions.md index 42bd9b783e..75bff821fe 100644 --- a/windows/keep-secure/monitor-resource-attribute-definitions.md +++ b/windows/keep-secure/monitor-resource-attribute-definitions.md @@ -2,7 +2,7 @@ title: Monitor resource attribute definitions (Windows 10) description: This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md index db6155e24b..74e926c90b 100644 --- a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md 
@@ -2,7 +2,7 @@ title: Monitor the central access policies associated with files and folders (Windows 10) description: This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md index aeee1c4b35..4e21c32c36 100644 --- a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -2,7 +2,7 @@ title: Monitor the central access policies that apply on a file server (Windows 10) description: This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md index fd2edb8b75..5849cc955c 100644 --- a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md 
@@ -2,7 +2,7 @@ title: Monitor the resource attributes on files and folders (Windows 10) description: This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md index c850719ed9..7665d0dddc 100644 --- a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md +++ b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md @@ -2,7 +2,7 @@ title: Monitor the use of removable storage devices (Windows 10) description: This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md index 8e767cf028..f95697b152 100644 --- a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md 
@@ -2,7 +2,7 @@ title: Monitor user and device claims during sign-in (Windows 10) description: This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md index 6c14b5a06f..206c76f7fc 100644 --- a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md +++ b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md @@ -2,7 +2,7 @@ title: Network access Allow anonymous SID/Name translation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Allow anonymous SID/Name translation security policy setting. ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index 52eb452b76..7de439ad10 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md 
@@ -2,7 +2,7 @@ title: Network access Do not allow anonymous enumeration of SAM accounts and shares (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts and shares security policy setting. ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 20f6455173..1a8d592782 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -2,7 +2,7 @@ title: Network access Do not allow anonymous enumeration of SAM accounts (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting. ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index ec12a8c647..a60b14af97 100644 --- a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md 
@@ -2,7 +2,7 @@ title: Network access Do not allow storage of passwords and credentials for network authentication (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Do not allow storage of passwords and credentials for network authentication security policy setting. ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md index eedd57751a..02f1530efb 100644 --- a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -2,7 +2,7 @@ title: Network access Let Everyone permissions apply to anonymous users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Let Everyone permissions apply to anonymous users security policy setting. ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md index ab8eff2298..68f545297d 100644 --- a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md 
@@ -2,7 +2,7 @@ title: Network access Named Pipes that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Named Pipes that can be accessed anonymously security policy setting. ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md index d7a01b9e6e..3dc22f67e2 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -2,7 +2,7 @@ title: Network access Remotely accessible registry paths and subpaths (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Remotely accessible registry paths and subpaths security policy setting. ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md index 86fd1783e9..88c2340130 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md 
@@ -2,7 +2,7 @@ title: Network access Remotely accessible registry paths (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Remotely accessible registry paths security policy setting. ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index 84be70c08b..75a2e71242 100644 --- a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -2,7 +2,7 @@ title: Network access Restrict anonymous access to Named Pipes and Shares (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Restrict anonymous access to Named Pipes and Shares security policy setting. ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md index b4505320e4..4f53f77bdc 100644 --- a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md 
@@ -2,7 +2,7 @@ title: Network access Shares that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Shares that can be accessed anonymously security policy setting. ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md index fee079071d..aab32aedb6 100644 --- a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md @@ -2,7 +2,7 @@ title: Network access Sharing and security model for local accounts (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Sharing and security model for local accounts security policy setting. ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-list-manager-policies.md b/windows/keep-secure/network-list-manager-policies.md index 11de5e4da7..1488ba7052 100644 --- a/windows/keep-secure/network-list-manager-policies.md +++ b/windows/keep-secure/network-list-manager-policies.md @@ -2,7 +2,7 @@ title: Network List Manager policies (Windows 10) description: Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 929606cb16..0c3458656e 100644 --- a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -2,7 +2,7 @@ title: Network security Allow Local System to use computer identity for NTLM (Windows 10) description: Describes the location, values, policy management, and security considerations for the Network security Allow Local System to use computer identity for NTLM security policy setting. ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md index 34b487bba3..405f149efa 100644 --- a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md @@ -2,7 +2,7 @@ title: Network security Allow LocalSystem NULL session fallback (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting. ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index a381d1388c..fe460ccefd 100644 
--- a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -2,7 +2,7 @@ title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10) description: Describes the best practices, location, and values for the Network Security Allow PKU2U authentication requests to this computer to use online identities security policy setting. ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md index 7ca22f98c0..bcbe56a0ef 100644 --- a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -2,7 +2,7 @@ title: Network security Configure encryption types allowed for Kerberos Win7 only (Windows 10) description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting. ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 95b335005c..11984a8b59 100644 --- a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md 
+++ b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -2,7 +2,7 @@ title: Network security Do not store LAN Manager hash value on next password change (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Do not store LAN Manager hash value on next password change security policy setting. ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md index f6dd03a829..a302a70695 100644 --- a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md @@ -2,7 +2,7 @@ title: Network security Force logoff when logon hours expire (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Force logoff when logon hours expire security policy setting. ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-lan-manager-authentication-level.md b/windows/keep-secure/network-security-lan-manager-authentication-level.md index 5d8a5343aa..3ae2b1240e 100644 --- a/windows/keep-secure/network-security-lan-manager-authentication-level.md +++ b/windows/keep-secure/network-security-lan-manager-authentication-level.md 
@@ -2,7 +2,7 @@ title: Network security LAN Manager authentication level (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security LAN Manager authentication level security policy setting. ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-ldap-client-signing-requirements.md b/windows/keep-secure/network-security-ldap-client-signing-requirements.md index 5207e6e65f..158b64ed3c 100644 --- a/windows/keep-secure/network-security-ldap-client-signing-requirements.md +++ b/windows/keep-secure/network-security-ldap-client-signing-requirements.md @@ -2,7 +2,7 @@ title: Network security LDAP client signing requirements (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index ba6527767f..b9a0e71329 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md 
@@ -2,7 +2,7 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting. ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index 6bd65a6591..752b9c97c1 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -2,7 +2,7 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting. ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index ca5c6d20da..74c9b41100 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md 
+++ b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add remote server exceptions for NTLM authentication security policy setting. ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 8a29a1cbad..e16e7c0ff3 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM Add server exceptions in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add server exceptions in this domain security policy setting. ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 30716f504d..f5b4bd4032 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md 
@@ -2,7 +2,7 @@ title: Network security Restrict NTLM Audit incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit incoming NTLM traffic security policy setting. ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 4bda1da37a..c4254e5036 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM Audit NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit NTLM authentication in this domain security policy setting. ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 270051f5d3..fba51b1a73 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md 
@@ -2,7 +2,7 @@ title: Network security Restrict NTLM Incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Incoming NTLM traffic security policy setting. ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 8389b3ad72..407c4b9976 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM NTLM authentication in this domain security policy setting. ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 439657d395..896cdbadc1 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md 
@@ -2,7 +2,7 @@ title: Network security Restrict NTLM Outgoing NTLM traffic to remote servers (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Outgoing NTLM traffic to remote servers security policy setting. ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md index baf6178433..eaaa736c69 100644 --- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Onboard endpoints and set up the Windows Defender ATP user access description: Set up user access in Azure Active Directory and use Group Policy, SCCM, or do manual registry changes to onboard endpoints to the service. keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/optimize-applocker-performance.md b/windows/keep-secure/optimize-applocker-performance.md index cdd61ef5e2..ff8f099f2d 100644 --- a/windows/keep-secure/optimize-applocker-performance.md +++ b/windows/keep-secure/optimize-applocker-performance.md @@ -2,7 +2,7 @@ title: Optimize AppLocker performance (Windows 10) description: This topic for IT professionals describes how to optimize AppLocker policy enforcement. ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
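Review bot: In the hunk for onboard-configure-windows-defender-advanced-threat-protection.md, the change is not only the `W10` to `w10` case fix: it also adds a new key, `ms.pagetype: security`, which the neighbouring policy-setting hunks do not need because they already carry it as a context line. The new key is placed after `ms.sitesec` and before `author`, which matches the order in the files that already have it. Please confirm that every other topic under windows/keep-secure that lacked `ms.pagetype` receives the same addition in this series, so the front matter ends up uniform rather than fixed only for the Windows Defender ATP and EDP pages.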
diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md index 24e6c6a647..0ca5b7cbd1 100644 --- a/windows/keep-secure/overview-create-edp-policy.md +++ b/windows/keep-secure/overview-create-edp-policy.md @@ -2,9 +2,10 @@ title: Create an enterprise data protection (EDP) policy (Windows 10) description: Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index db85e986ec..b17006c05a 100644 --- a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -2,7 +2,7 @@ title: Packaged apps and packaged app installer rules in AppLocker (Windows 10) description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps. ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index 1d055b34c7..9a7c694ae0 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md 
@@ -2,8 +2,8 @@ title: Event ID 300 - Passport successfully created (Windows 10) description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 -keywords: ["ngc"] -ms.prod: W10 +keywords: ngc +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/password-must-meet-complexity-requirements.md b/windows/keep-secure/password-must-meet-complexity-requirements.md index c8b513828e..d51142a117 100644 --- a/windows/keep-secure/password-must-meet-complexity-requirements.md +++ b/windows/keep-secure/password-must-meet-complexity-requirements.md @@ -2,7 +2,7 @@ title: Password must meet complexity requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting. ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/password-policy.md b/windows/keep-secure/password-policy.md index fd3d56e268..4198fac995 100644 --- a/windows/keep-secure/password-policy.md +++ b/windows/keep-secure/password-policy.md @@ -2,7 +2,7 @@ title: Password Policy (Windows 10) description: An overview of password policies for Windows and links to information for each policy setting. ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/perform-volume-maintenance-tasks.md b/windows/keep-secure/perform-volume-maintenance-tasks.md index 4a7f305290..dae56942a1 100644 --- a/windows/keep-secure/perform-volume-maintenance-tasks.md +++ b/windows/keep-secure/perform-volume-maintenance-tasks.md 
@@ -2,7 +2,7 @@ title: Perform volume maintenance tasks (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Perform volume maintenance tasks security policy setting. ms.assetid: b6990813-3898-43e2-8221-c9c06d893244 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/plan-for-applocker-policy-management.md b/windows/keep-secure/plan-for-applocker-policy-management.md index 0fa131561e..96d65e5c32 100644 --- a/windows/keep-secure/plan-for-applocker-policy-management.md +++ b/windows/keep-secure/plan-for-applocker-policy-management.md @@ -2,7 +2,7 @@ title: Plan for AppLocker policy management (Windows 10) description: This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md index c9a1917ba3..1fa912d181 100644 --- a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md @@ -2,7 +2,7 @@ title: Planning and deploying advanced security audit policies (Windows 10) description: This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md index b5dae385ac..4eaf0224ec 100644 --- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection portal overview description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: DulceMV --- diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 74cebb3914..d377aafd3e 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -3,7 +3,7 @@ title: Prepare people to use Microsoft Passport (Windows 10) description: When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization. ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md index 3c5e402383..c30af5a4c1 100644 
--- a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -2,7 +2,7 @@ title: Prepare your organization for BitLocker Planning and policies (Windows 10) description: This topic for the IT professional explains how can you plan your BitLocker deployment. ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/profile-single-process.md b/windows/keep-secure/profile-single-process.md index bcb68afa86..0dce3bdffe 100644 --- a/windows/keep-secure/profile-single-process.md +++ b/windows/keep-secure/profile-single-process.md @@ -2,7 +2,7 @@ title: Profile single process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Profile single process security policy setting. ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/profile-system-performance.md b/windows/keep-secure/profile-system-performance.md index 5166f4de6f..d7b5f3b8fc 100644 --- a/windows/keep-secure/profile-system-performance.md +++ b/windows/keep-secure/profile-system-performance.md @@ -2,7 +2,7 @@ title: Profile system performance (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the Profile system performance security policy setting. ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md index 1b1c4370f3..197d906dd6 100644 --- a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md +++ b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md @@ -2,7 +2,7 @@ title: Protect BitLocker from pre-boot attacks (Windows 10) description: This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. ms.assetid: 24d19988-fc79-4c45-b392-b39cba4ec86b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md index d647af4367..e3da331f91 100644 --- a/windows/keep-secure/protect-enterprise-data-using-edp.md +++ b/windows/keep-secure/protect-enterprise-data-using-edp.md @@ -2,10 +2,11 @@ title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10) description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 2550941ba3..61313be105 100644 
--- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -3,10 +3,10 @@ title: Control the health of Windows 10-based devices (Windows 10) description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873 keywords: security, BYOD, malware, device health attestation, mobile -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security; devices +ms.pagetype: security, devices author: arnaudjumelet --- diff --git a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index fc092b8a95..aaf71600b1 100644 --- a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -2,7 +2,7 @@ title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10) description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker. ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md index 394b4421db..4ef6ba5277 100644 --- a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md 
@@ -2,7 +2,7 @@ title: Recovery console Allow automatic administrative logon (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow automatic administrative logon security policy setting. ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 23aad36087..d8945335fa 100644 --- a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -2,7 +2,7 @@ title: Recovery console Allow floppy copy and access to all drives and folders (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow floppy copy and access to all drives and folders security policy setting. ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/refresh-an-applocker-policy.md b/windows/keep-secure/refresh-an-applocker-policy.md index fd227910c6..719bfb599b 100644 --- a/windows/keep-secure/refresh-an-applocker-policy.md +++ b/windows/keep-secure/refresh-an-applocker-policy.md @@ -2,7 +2,7 @@ title: Refresh an AppLocker policy (Windows 10) description: This topic for IT professionals describes the steps to force an update for an AppLocker policy. ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/registry-global-object-access-auditing.md b/windows/keep-secure/registry-global-object-access-auditing.md index 087c5f60fc..b734cec46b 100644 --- a/windows/keep-secure/registry-global-object-access-auditing.md +++ b/windows/keep-secure/registry-global-object-access-auditing.md @@ -2,7 +2,7 @@ title: Registry (Global Object Access Auditing) (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Registry (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the registry of a computer. ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/keep-secure/remove-computer-from-docking-station.md index 06949c5258..ee3b81a7d3 100644 --- a/windows/keep-secure/remove-computer-from-docking-station.md +++ b/windows/keep-secure/remove-computer-from-docking-station.md @@ -2,7 +2,7 @@ title: Remove computer from docking station (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting. ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/replace-a-process-level-token.md b/windows/keep-secure/replace-a-process-level-token.md index 0beaf15c90..5361f2a589 100644 --- a/windows/keep-secure/replace-a-process-level-token.md +++ b/windows/keep-secure/replace-a-process-level-token.md 
@@ -2,7 +2,7 @@ title: Replace a process level token (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Replace a process level token security policy setting. ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md index f1608ee829..e3b6c29aa7 100644 --- a/windows/keep-secure/requirements-for-deploying-applocker-policies.md +++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md @@ -2,7 +2,7 @@ title: Requirements for deploying AppLocker policies (Windows 10) description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/requirements-to-use-applocker.md b/windows/keep-secure/requirements-to-use-applocker.md index f9c5f24fae..6389eb2755 100644 --- a/windows/keep-secure/requirements-to-use-applocker.md +++ b/windows/keep-secure/requirements-to-use-applocker.md @@ -2,7 +2,7 @@ title: Requirements to use AppLocker (Windows 10) description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/reset-account-lockout-counter-after.md b/windows/keep-secure/reset-account-lockout-counter-after.md index ebefbb2d0c..d3e6f545ed 100644 --- a/windows/keep-secure/reset-account-lockout-counter-after.md 
+++ b/windows/keep-secure/reset-account-lockout-counter-after.md @@ -2,7 +2,7 @@ title: Reset account lockout counter after (Windows 10) description: Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting. ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/keep-secure/restore-files-and-directories.md index b428c37092..e8bb7e6f85 100644 --- a/windows/keep-secure/restore-files-and-directories.md +++ b/windows/keep-secure/restore-files-and-directories.md @@ -2,7 +2,7 @@ title: Restore files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting. ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md index 9eb59d5dc1..9e6debeb0f 100644 --- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md +++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md @@ -4,9 +4,10 @@ description: IT professionals can run a scan using the command line in Windows D keywords: scan, command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md index 12a5620d21..565f6331da 100644 
--- a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md +++ b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md @@ -2,7 +2,7 @@ title: Run the Automatically Generate Rules wizard (Windows 10) description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/script-rules-in-applocker.md b/windows/keep-secure/script-rules-in-applocker.md index 10efd57b91..6fd0ec9196 100644 --- a/windows/keep-secure/script-rules-in-applocker.md +++ b/windows/keep-secure/script-rules-in-applocker.md @@ -2,7 +2,7 @@ title: Script rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md index a4f7e13245..e3f6f2ce53 100644 --- a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md @@ -2,7 +2,7 @@ title: Advanced security audit policy settings (Windows 10) description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-auditing-overview.md b/windows/keep-secure/security-auditing-overview.md index 135ebc41e5..cde9b0865f 100644 --- a/windows/keep-secure/security-auditing-overview.md 
+++ b/windows/keep-secure/security-auditing-overview.md @@ -2,7 +2,7 @@ title: Security auditing (Windows 10) description: Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md index 560f73ba5a..f7c0df0eab 100644 --- a/windows/keep-secure/security-considerations-for-applocker.md +++ b/windows/keep-secure/security-considerations-for-applocker.md @@ -2,7 +2,7 @@ title: Security considerations for AppLocker (Windows 10) description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-options.md b/windows/keep-secure/security-options.md index b9ddcb4bf8..2d25a87621 100644 --- a/windows/keep-secure/security-options.md +++ b/windows/keep-secure/security-options.md @@ -2,7 +2,7 @@ title: Security Options (Windows 10) description: Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting. ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-policy-settings-reference.md b/windows/keep-secure/security-policy-settings-reference.md index 06c6b96d8d..4023dfc66f 100644 --- a/windows/keep-secure/security-policy-settings-reference.md 
+++ b/windows/keep-secure/security-policy-settings-reference.md @@ -2,7 +2,7 @@ title: Security policy settings reference (Windows 10) description: This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-policy-settings.md b/windows/keep-secure/security-policy-settings.md index 1551485d7e..f9ea234685 100644 --- a/windows/keep-secure/security-policy-settings.md +++ b/windows/keep-secure/security-policy-settings.md @@ -2,7 +2,7 @@ title: Security policy settings (Windows 10) description: This reference topic describes the common scenarios, architecture, and processes for security settings. ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md index 7d54d652f2..39c9eedbb3 100644 --- a/windows/keep-secure/security-technologies.md +++ b/windows/keep-secure/security-technologies.md @@ -2,7 +2,7 @@ title: Security technologies (Windows 10) description: Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. ms.assetid: BFE2DE22-B0CE-465B-8CF6-28F64464DF08 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/select-types-of-rules-to-create.md b/windows/keep-secure/select-types-of-rules-to-create.md index 6e92663943..00ae11caf5 100644 --- a/windows/keep-secure/select-types-of-rules-to-create.md +++ b/windows/keep-secure/select-types-of-rules-to-create.md 
@@ -2,7 +2,7 @@ title: Select the types of rules to create (Windows 10) description: This topic lists resources you can use when selecting your application control policy rules by using AppLocker. ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md index 1be3c1bfe6..fb5e5d5cbf 100644 --- a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender ATP service onboarding description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal. keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users, search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md index f976f74857..81d0358abb 100644 --- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection settings description: Use the menu to configure the time zone, suppression rules, and view license information. keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license, suppression rules search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: DulceMV --- diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/keep-secure/shut-down-the-system.md index e07bf9633a..0c4f6b24a7 100644 --- a/windows/keep-secure/shut-down-the-system.md +++ b/windows/keep-secure/shut-down-the-system.md @@ -2,7 +2,7 @@ title: Shut down the system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting. ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index a480adae03..bdd15d4040 100644 --- a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -2,7 +2,7 @@ title: Shutdown Allow system to be shut down without having to log on (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Allow system to be shut down without having to log on security policy setting. ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md index 1e23676be3..83e27c9e00 100644 --- a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md @@ -2,7 +2,7 @@ title: Shutdown Clear virtual memory pagefile (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting. ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/store-passwords-using-reversible-encryption.md b/windows/keep-secure/store-passwords-using-reversible-encryption.md index 386e132579..667eaec2fc 100644 --- a/windows/keep-secure/store-passwords-using-reversible-encryption.md +++ b/windows/keep-secure/store-passwords-using-reversible-encryption.md @@ -2,7 +2,7 @@ title: Store passwords using reversible encryption (Windows 10) description: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting. ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md index dddb84f0a2..b6b9fd71e5 100644 --- a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md 
@@ -2,7 +2,7 @@ title: Switch PCR banks on TPM 2.0 devices (Windows 10) description: A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/synchronize-directory-service-data.md b/windows/keep-secure/synchronize-directory-service-data.md index 853573d001..b562f8a178 100644 --- a/windows/keep-secure/synchronize-directory-service-data.md +++ b/windows/keep-secure/synchronize-directory-service-data.md @@ -2,7 +2,7 @@ title: Synchronize directory service data (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Synchronize directory service data security policy setting. ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index c72f3b1385..0862dc11d1 100644 --- a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -2,7 +2,7 @@ title: System cryptography Force strong key protection for user keys stored on the computer (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System cryptography Force strong key protection for user keys stored on the computer security policy setting. ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index f7137a0c09..a1a1738dad 100644 --- a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -2,7 +2,7 @@ title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index 6f9e3c9d43..1f3af1c21c 100644 --- a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -2,7 +2,7 @@ title: System objects Require case insensitivity for non-Windows subsystems (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System objects Require case insensitivity for non-Windows subsystems security policy setting. ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md index 708cba1b5a..5be5a462b1 100644 --- a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -2,7 +2,7 @@ title: System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting. ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/system-settings-optional-subsystems.md b/windows/keep-secure/system-settings-optional-subsystems.md index 4e096fea50..15ec7c1221 100644 --- a/windows/keep-secure/system-settings-optional-subsystems.md +++ b/windows/keep-secure/system-settings-optional-subsystems.md @@ -2,7 +2,7 @@ title: System settings Optional subsystems (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System settings Optional subsystems security policy setting. ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index 85e0a1c7bd..ae25abd015 100644 
--- a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -2,7 +2,7 @@ title: System settings Use certificate rules on Windows executables for Software Restriction Policies (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System settings Use certificate rules on Windows executables for Software Restriction Policies security policy setting. ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/take-ownership-of-files-or-other-objects.md b/windows/keep-secure/take-ownership-of-files-or-other-objects.md index 255f2d4ff3..24ab3257e2 100644 --- a/windows/keep-secure/take-ownership-of-files-or-other-objects.md +++ b/windows/keep-secure/take-ownership-of-files-or-other-objects.md @@ -2,7 +2,7 @@ title: Take ownership of files or other objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting. ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md index aa27d42260..fcc3bf2eac 100644 --- a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md 
@@ -2,7 +2,7 @@ title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows 10) description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/test-and-update-an-applocker-policy.md b/windows/keep-secure/test-and-update-an-applocker-policy.md index cf77664f65..99e46e3022 100644 --- a/windows/keep-secure/test-and-update-an-applocker-policy.md +++ b/windows/keep-secure/test-and-update-an-applocker-policy.md @@ -2,7 +2,7 @@ title: Test and update an AppLocker policy (Windows 10) description: This topic discusses the steps required to test an AppLocker policy prior to deployment. ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md index 810bb44663..e2187af349 100644 --- a/windows/keep-secure/testing-scenarios-for-edp.md +++ b/windows/keep-secure/testing-scenarios-for-edp.md @@ -2,10 +2,11 @@ title: Testing scenarios for enterprise data protection (EDP) (Windows 10) description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/tools-to-use-with-applocker.md b/windows/keep-secure/tools-to-use-with-applocker.md index d0ffd99ac7..5d2d69ff81 100644 --- a/windows/keep-secure/tools-to-use-with-applocker.md 
+++ b/windows/keep-secure/tools-to-use-with-applocker.md @@ -2,7 +2,7 @@ title: Tools to use with AppLocker (Windows 10) description: This topic for the IT professional describes the tools available to create and administer AppLocker policies. ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/keep-secure/tpm-fundamentals.md index c4fb6b2cc3..6969c89924 100644 --- a/windows/keep-secure/tpm-fundamentals.md +++ b/windows/keep-secure/tpm-fundamentals.md @@ -2,7 +2,7 @@ title: TPM fundamentals (Windows 10) description: This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index 9decdf047c..81b6385faf 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md @@ -2,7 +2,7 @@ title: TPM recommendations (Windows 10) description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 9199881438..7db942d7ba 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Troubleshoot Windows Defender ATP onboarding issues description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service. keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, telemetry and diagnostics search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md index 1d15cf5dd7..8340e9dcc0 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Troubleshoot Windows Defender Advanced Threat Protection description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Troubleshoot Windows Defender Advanced Threat Protection diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index f9c63208af..e60c0f663c 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md 
@@ -2,7 +2,7 @@ title: Troubleshoot Windows Defender in Windows 10 (Windows 10) description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/trusted-platform-module-overview.md b/windows/keep-secure/trusted-platform-module-overview.md index 03e37a250b..e7b6e784ff 100644 --- a/windows/keep-secure/trusted-platform-module-overview.md +++ b/windows/keep-secure/trusted-platform-module-overview.md @@ -2,7 +2,7 @@ title: Trusted Platform Module Technology Overview (Windows 10) description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. ms.assetid: face8932-b034-4319-86ac-db1163d46538 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md index 4ded5c4844..ff626bb1de 100644 --- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md +++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md @@ -2,7 +2,7 @@ title: TPM Group Policy settings (Windows 10) description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md index 4f38eca5a6..96a64490d0 100644 --- a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md +++ b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md @@ -2,7 +2,7 @@ title: Types of attacks for volume encryption keys (Windows 10) description: There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. ms.assetid: 405060a9-2009-44fc-9f84-66edad32c6bc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understand-applocker-enforcement-settings.md b/windows/keep-secure/understand-applocker-enforcement-settings.md index 6ac72fe3f1..a27cfdc9cb 100644 --- a/windows/keep-secure/understand-applocker-enforcement-settings.md +++ b/windows/keep-secure/understand-applocker-enforcement-settings.md @@ -2,7 +2,7 @@ title: Understand AppLocker enforcement settings (Windows 10) description: This topic describes the AppLocker enforcement settings for rule collections. ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understand-applocker-policy-design-decisions.md b/windows/keep-secure/understand-applocker-policy-design-decisions.md index 5687229616..4c7731bcfc 100644 --- a/windows/keep-secure/understand-applocker-policy-design-decisions.md +++ b/windows/keep-secure/understand-applocker-policy-design-decisions.md 
@@ -2,7 +2,7 @@ title: Understand AppLocker policy design decisions (Windows 10) description: This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 066f32d60e..fd1d01d9fb 100644 --- a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -2,7 +2,7 @@ title: Understand AppLocker rules and enforcement setting inheritance in Group Policy (Windows 10) description: This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md index 76bbb8d904..a2ec48ffe5 100644 --- a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md +++ b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md 
@@ -2,7 +2,7 @@ title: Understand the AppLocker policy deployment process (Windows 10) description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md index b6d8502af0..b383087281 100644 --- a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -2,7 +2,7 @@ title: Understanding AppLocker allow and deny actions on rules (Windows 10) description: This topic explains the differences between allow and deny actions on AppLocker rules. ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-default-rules.md b/windows/keep-secure/understanding-applocker-default-rules.md index 76aa56e251..b0aa99f22e 100644 --- a/windows/keep-secure/understanding-applocker-default-rules.md +++ b/windows/keep-secure/understanding-applocker-default-rules.md @@ -2,7 +2,7 @@ title: Understanding AppLocker default rules (Windows 10) description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-rule-behavior.md b/windows/keep-secure/understanding-applocker-rule-behavior.md index 2e1353c3ed..ac18934b5f 100644 
--- a/windows/keep-secure/understanding-applocker-rule-behavior.md +++ b/windows/keep-secure/understanding-applocker-rule-behavior.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule behavior (Windows 10) description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-rule-collections.md b/windows/keep-secure/understanding-applocker-rule-collections.md index 9c569f7f53..b8adef234c 100644 --- a/windows/keep-secure/understanding-applocker-rule-collections.md +++ b/windows/keep-secure/understanding-applocker-rule-collections.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule collections (Windows 10) description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-rule-condition-types.md b/windows/keep-secure/understanding-applocker-rule-condition-types.md index d4e6ceaf84..f00afa16e1 100644 --- a/windows/keep-secure/understanding-applocker-rule-condition-types.md +++ b/windows/keep-secure/understanding-applocker-rule-condition-types.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule condition types (Windows 10) description: This topic for the IT professional describes the three types of AppLocker rule conditions. ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-rule-exceptions.md b/windows/keep-secure/understanding-applocker-rule-exceptions.md index a99cb1f8cb..4cedcfd784 100644 
--- a/windows/keep-secure/understanding-applocker-rule-exceptions.md +++ b/windows/keep-secure/understanding-applocker-rule-exceptions.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule exceptions (Windows 10) description: This topic describes the result of applying AppLocker rule exceptions to rule collections. ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md index b778f3c76d..89a2b1a770 100644 --- a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md @@ -2,7 +2,7 @@ title: Understanding the file hash rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md index d62cf0c8b6..4d4e950a6c 100644 --- a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md @@ -2,7 +2,7 @@ title: Understanding the path rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md index 34ac6444f3..5e0bca2ee0 100644 --- a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md @@ -2,7 +2,7 @@ title: Understanding the publisher rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index e9c7b0645e..90336b381a 100644 --- a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -2,7 +2,7 @@ title: Use a reference device to create and maintain AppLocker policies (Windows 10) description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md index ef970cd8df..17fe40b6a1 100644 --- a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md 
@@ -2,7 +2,7 @@ title: Use AppLocker and Software Restriction Policies in the same domain (Windows 10) description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md index cf988054c1..d7cd5120c4 100644 --- a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md @@ -2,7 +2,7 @@ title: Use the AppLocker Windows PowerShell cmdlets (Windows 10) description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md index dd0fc24f67..717abdaec8 100644 --- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Use the Windows Defender Advanced Threat Protection portal description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md index 060d693df1..846f249f82 100644 --- a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md +++ b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md @@ -2,7 +2,7 @@ title: Use Windows Event Forwarding to help with intrusion detection (Windows 10) description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index a4fbc0126b..7b203c0bcd 100644 --- a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md 
@@ -2,7 +2,7 @@ title: User Account Control Admin Approval Mode for the Built-in Administrator account (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Admin Approval Mode for the Built-in Administrator account security policy setting. ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index cc8ebe93f3..e80369cae9 100644 --- a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -2,7 +2,7 @@ title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop (Windows 10) description: Describes the best practices, location, values, and security considerations for the User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting. ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 28718b33ae..97af8126a3 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md 
+++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -2,7 +2,7 @@ title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting. ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d -ms.prod: W10 +ms.prod: ws10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index e382611db9..7ca4ce4329 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -2,7 +2,7 @@ title: User Account Control Behavior of the elevation prompt for standard users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for standard users security policy setting. ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 178aa242b4..0c372cd6ee 100644 --- a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md 
+++ b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -2,7 +2,7 @@ title: User Account Control Detect application installations and prompt for elevation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Detect application installations and prompt for elevation security policy setting. ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md index 8da09ab38e..e2e57dd1bd 100644 --- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md @@ -1,9 +1,11 @@ --- title: User Account Control Group Policy and registry key settings (Windows 10) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: brianlic-msft --- # User Account Control Group Policy and registry key settings diff --git a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 19768449e0..76edee3e01 100644 --- a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md 
@@ -2,7 +2,7 @@ title: User Account Control Only elevate executables that are signed and validated (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate executables that are signed and validated security policy setting. ms.assetid: 64950a95-6985-4db6-9905-1db18557352d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index 890ec0f2ff..be21f041f5 100644 --- a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -2,7 +2,7 @@ title: User Account Control Only elevate UIAccess applications that are installed in secure locations (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate UIAccess applications that are installed in secure locations security policy setting. ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md index ccabf37ce1..32edfe0160 100644 --- a/windows/keep-secure/user-account-control-overview.md +++ b/windows/keep-secure/user-account-control-overview.md 
@@ -2,7 +2,7 @@ title: User Account Control (Windows 10) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md index 63ac1e4a65..61664f5a6e 100644 --- a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -2,7 +2,7 @@ title: User Account Control Run all administrators in Admin Approval Mode (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Run all administrators in Admin Approval Mode security policy setting. ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-security-policy-settings.md b/windows/keep-secure/user-account-control-security-policy-settings.md index 569bf9892e..45bf5fb129 100644 --- a/windows/keep-secure/user-account-control-security-policy-settings.md +++ b/windows/keep-secure/user-account-control-security-policy-settings.md 
@@ -2,8 +2,8 @@ title: User Account Control security policy settings (Windows 10) description: You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft diff --git a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index ee510bb52e..85c36101a5 100644 --- a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -2,7 +2,7 @@ title: User Account Control Switch to the secure desktop when prompting for elevation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Switch to the secure desktop when prompting for elevation security policy setting. ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index afc3766b73..8501495c6b 100644 --- a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md 
@@ -2,7 +2,7 @@ title: User Account Control Virtualize file and registry write failures to per-user locations (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Virtualize file and registry write failures to per-user locations security policy setting. ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-rights-assignment.md b/windows/keep-secure/user-rights-assignment.md index 401613dde1..59979d3158 100644 --- a/windows/keep-secure/user-rights-assignment.md +++ b/windows/keep-secure/user-rights-assignment.md @@ -2,7 +2,7 @@ title: User Rights Assignment (Windows 10) description: Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index 13d5fc93e5..a26cffe188 100644 --- a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md 
@@ -2,7 +2,7 @@ title: Using advanced security auditing options to monitor dynamic access control objects (Windows 10) description: This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/using-event-viewer-with-applocker.md b/windows/keep-secure/using-event-viewer-with-applocker.md index dcee6821bc..1b1b80e64f 100644 --- a/windows/keep-secure/using-event-viewer-with-applocker.md +++ b/windows/keep-secure/using-event-viewer-with-applocker.md @@ -2,7 +2,7 @@ title: Using Event Viewer with AppLocker (Windows 10) description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md index 54b12a4568..8a427064fb 100644 --- a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md @@ -2,7 +2,7 @@ title: Use Software Restriction Policies and AppLocker policies (Windows 10) description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/view-the-security-event-log.md b/windows/keep-secure/view-the-security-event-log.md index 745195b4f3..388d32ddc8 100644 --- a/windows/keep-secure/view-the-security-event-log.md +++ b/windows/keep-secure/view-the-security-event-log.md @@ -2,7 +2,7 @@ title: View the security event log (Windows 10) description: The security log records each event as defined by the audit policies you set on each object. ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md index 6f336cc6e6..77c548ec2a 100644 --- a/windows/keep-secure/vpn-profile-options.md +++ b/windows/keep-secure/vpn-profile-options.md @@ -2,10 +2,10 @@ title: VPN profile options (Windows 10) description: Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: networking +ms.pagetype: security, networking author: jdeckerMS --- diff --git a/windows/keep-secure/what-is-applocker.md b/windows/keep-secure/what-is-applocker.md index b4d758df7b..c3b47e88d5 100644 --- a/windows/keep-secure/what-is-applocker.md +++ b/windows/keep-secure/what-is-applocker.md @@ -2,7 +2,7 @@ title: What Is AppLocker (Windows 10) description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md index c60d303826..4428ed173d 100644 --- a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -2,7 +2,7 @@ title: Which editions of Windows support advanced audit policy configuration (Windows 10) description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 5afeb6f914..21d3ce97d3 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -3,7 +3,7 @@ title: Why a PIN is better than a password (Windows 10) description: Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 keywords: pin, security, password -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md index 510675e4ff..30f130d499 100644 --- a/windows/keep-secure/windows-10-enterprise-security-guides.md +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md 
@@ -2,10 +2,10 @@ title: Enterprise security guides (Windows 10) description: Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. ms.assetid: 57134f84-bd4b-4b1d-b663-4a2d36f5a7f8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security +ms.pagetype: security, devices author: challum --- diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md index 1008003440..16389caf95 100644 --- a/windows/keep-secure/windows-10-mobile-security-guide.md +++ b/windows/keep-secure/windows-10-mobile-security-guide.md @@ -3,10 +3,10 @@ title: Windows 10 Mobile security guide (Windows 10) description: This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security. ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205 keywords: data protection, encryption, malware resistance, smartphone, device, Windows Store -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security; mobile +ms.pagetype: security, mobile author: AMeeus --- diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index 2c0402513c..bb757267bb 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md 
@@ -3,7 +3,7 @@ title: Windows 10 security overview (Windows 10) description: This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. ms.assetid: 4561D80B-A914-403C-A17C-3BE6FC95B59B keywords: configure, feature, file encryption -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md index 9567620fcb..bae239bf1c 100644 --- a/windows/keep-secure/windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection - Windows Defender description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, analytics, threat intelligence search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md index 72d8554def..2dc00afede 100644 --- a/windows/keep-secure/windows-defender-in-windows-10.md +++ b/windows/keep-secure/windows-defender-in-windows-10.md 
@@ -2,7 +2,7 @@ title: Windows Defender in Windows 10 (Windows 10) description: This topic provides an overview of Windows Defender, including a list of system requirements and new features. ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index 7b9bed5681..40a4efa80a 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -2,10 +2,11 @@ title: Windows Hello biometrics in the enterprise (Windows 10) description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc -keywords: ["Windows Hello", "enterprise biometrics"] -ms.prod: W10 +keywords: Windows Hello, enterprise biometrics +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/windows-installer-rules-in-applocker.md b/windows/keep-secure/windows-installer-rules-in-applocker.md index b12d94b8ef..65a86eddfc 100644 --- a/windows/keep-secure/windows-installer-rules-in-applocker.md +++ b/windows/keep-secure/windows-installer-rules-in-applocker.md @@ -2,7 +2,7 @@ title: Windows Installer rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the Windows Installer rule collection. ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/working-with-applocker-policies.md b/windows/keep-secure/working-with-applocker-policies.md index 8963fa665b..219638880c 100644 
--- a/windows/keep-secure/working-with-applocker-policies.md +++ b/windows/keep-secure/working-with-applocker-policies.md @@ -2,7 +2,7 @@ title: Working with AppLocker policies (Windows 10) description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md index 762d21c78a..9c528133ef 100644 --- a/windows/keep-secure/working-with-applocker-rules.md +++ b/windows/keep-secure/working-with-applocker-rules.md @@ -2,7 +2,7 @@ title: Working with AppLocker rules (Windows 10) description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security From 85712ce348c0033c290031c1184a55eb9127ac6b Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 31 May 2016 07:34:12 -0700 Subject: [PATCH 129/169] changed IE to Edge --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 3 ++- .../installing-digital-certificates-on-windows-10-mobile.md | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 5f96e1fcb1..9d285fa19d 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -15,10 +15,11 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| +| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Changed Internet Explorer to Microsoft Edge | | [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. | | [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content | -| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | |[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.| +| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | ## April 2016 diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md index 99bab3e2fa..c399f5021b 100644 --- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md 
@@ -22,7 +22,7 @@ Certificates in Windows 10 Mobile are primarily used for the following purposes - To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email. - For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site). -## Install certificates using Internet Explorer +## Install certificates using Microsoft Edge A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device. @@ -42,7 +42,7 @@ Windows 10 Mobile supports root, CA, and client certificate to be configured vi 3. The trusted CA certificate is installed directly during MDM request. 4. The device accepts certificate enrollment request. 5. The device generates private/public key pair. -6. The device connects to Internet facing point exposed by MDM server. +6. The device connects to Internet-facing point exposed by MDM server. 7. MDM server creates a certificate that is signed with proper CA certificate and returns it to device. > **Note:**  The device supports the pending function to allow server side to do additional verification before issuing the cert. In this case, a pending status is sent back to the device. The device will periodically contact the server, based on preconfigured retry count and retry period parameters. Retrying ends when either: From 85c2327cc893865d28917fe1fe40b8a1391cec34 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 26 May 2016 14:45:35 -0700 Subject: [PATCH 130/169] renaming network exhaust doc --- windows/manage/TOC.md | 2 +- ...re-windows-10-devices-to-stop-data-flow-to-microsoft.md | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) 
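Review bot: In the "changed IE to Edge" patch, the change-history-for-keep-windows-10-secure.md hunk moves the existing User Account Control row below the enterprise data protection row in addition to adding the new "Install digital certificates on Windows 10 Mobile" row, and the commit subject does not mention the reorder. Either say so in the message or split the reorder out, so the history of this table stays easy to audit. The new row's description ("Changed Internet Explorer to Microsoft Edge") also has no trailing period while the Microsoft Passport errors row directly under it does; pick one style for the table.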
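Review bot: In the "changed IE to Edge" patch, step 6 of the installing-digital-certificates-on-windows-10-mobile.md hunk is touched only to hyphenate "Internet-facing" and still reads "The device connects to Internet-facing point exposed by MDM server." with its articles missing. Since the line is being changed anyway, suggest "The device connects to the Internet-facing point exposed by the MDM server." The same hunk renames the heading to "Install certificates using Microsoft Edge"; if any topic links to the anchor generated from the old "Install certificates using Internet Explorer" heading, that link needs updating in this commit too.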
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 621ce3f5ca..9a7fe85b18 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -18,7 +18,7 @@ #### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) #### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) -### [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) +### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) ### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) ### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) ### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index af80d923ca..66f10dbf1e 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md 
@@ -1,11 +1,6 @@ --- title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. -ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 -keywords: privacy, stop data flow to Microsoft -ms.prod: W10 -ms.mktglfcycl: manage -ms.sitesec: library +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services --- # Configure Windows 10 devices to stop data flow to Microsoft From 1907f1b642ffdb01e987fca565d84e21d0c6afb4 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 26 May 2016 14:46:07 -0700 Subject: [PATCH 131/169] renaming network exhaust doc --- ...system-components-to-microsoft-services.md | 1264 +++++++++++++++++ 1 file changed, 1264 insertions(+) create mode 100644 windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md new file mode 100644 index 0000000000..f8496916b0 --- /dev/null +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -0,0 +1,1264 @@ +--- +title: Manage connections from Windows operating system components to Microsoft services (Windows 10) +description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. +ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 +keywords: privacy, manage connections to Microsoft +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +--- + +# Manage connections from Windows operating system components to Microsoft services + +**Applies to** + +- Windows 10 + +If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). + +Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. + +If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. + +Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all. 
+ +In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. + +Here's what's covered in this article: + +- [Info management settings](#bkmk-othersettings) + + - [1. Cortana](#bkmk-cortana) + + - [1.1 Cortana Group Policies](#bkmk-cortana-gp) + + - [1.2 Cortana MDM policies](#bkmk-cortana-mdm) + + - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov) + + - [2. Date & Time](#bkmk-datetime) + + - [3. Device metadata retrieval](#bkmk-devinst) + + - [4. Font streaming](#font-streaming) + + - [5. Insider Preview builds](#bkmk-previewbuilds) + + - [6. Internet Explorer](#bkmk-ie) + + - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp) + + - [6.2 ActiveX control blocking](#bkmk-ie-activex) + + - [7. Live Tiles](#live-tiles) + + - [8. Mail synchronization](#bkmk-mailsync) + + - [9. Microsoft Edge](#bkmk-edge) + + - [9.1 Microsoft Edge Group Policies](#bkmk-edgegp) + + - [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) + + - [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) + + - [10. Network Connection Status Indicator](#bkmk-ncsi) + + - [11. Offline maps](#bkmk-offlinemaps) + + - [12. OneDrive](#bkmk-onedrive) + + - [13. Preinstalled apps](#bkmk-preinstalledapps) + + - [14. 
Settings > Privacy](#bkmk-settingssection) + + - [14.1 General](#bkmk-priv-general) + + - [14.2 Location](#bkmk-priv-location) + + - [14.3 Camera](#bkmk-priv-camera) + + - [14.4 Microphone](#bkmk-priv-microphone) + + - [14.5 Speech, inking, & typing](#bkmk-priv-speech) + + - [14.6 Account info](#bkmk-priv-accounts) + + - [14.7 Contacts](#bkmk-priv-contacts) + + - [14.8 Calendar](#bkmk-priv-calendar) + + - [14.9 Call history](#bkmk-priv-callhistory) + + - [14.10 Email](#bkmk-priv-email) + + - [14.11 Messaging](#bkmk-priv-messaging) + + - [14.12 Radios](#bkmk-priv-radios) + + - [14.13 Other devices](#bkmk-priv-other-devices) + + - [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + + - [14.15 Background apps](#bkmk-priv-background) + + - [15. Software Protection Platform](#bkmk-spp) + + - [16. Sync your settings](#bkmk-syncsettings) + + - [17. Teredo](#bkmk-teredo) + + - [18. Wi-Fi Sense](#bkmk-wifisense) + + - [19. Windows Defender](#bkmk-defender) + + - [20. Windows Media Player](#bkmk-wmp) + + - [21. Windows spotlight](#bkmk-spotlight) + + - [22. Windows Store](#bkmk-windowsstore) + + - [23. Windows Update Delivery Optimization](#bkmk-updates) + + - [23.1 Settings > Update & security](#bkmk-wudo-ui) + + - [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) + + - [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) + + - [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) + + - [24. 
Windows Update](#bkmk-wu) + +## What's new in Windows 10, version 1511 + + +Here's a list of changes that were made to this article for Windows 10, version 1511: + +- Added the following new sections: + + - [Mail synchronization](#bkmk-mailsync) + + - [Offline maps](#bkmk-offlinemaps) + + - [Windows spotlight](#bkmk-spotlight) + + - [Windows Store](#bkmk-windowsstore) + +- Added the following Group Policies: + + - Open a new tab with an empty tab + + - Configure corporate Home pages + + - Let Windows apps access location + + - Let Windows apps access the camera + + - Let Windows apps access the microphone + + - Let Windows apps access account information + + - Let Windows apps access contacts + + - Let Windows apps access the calendar + + - Let Windows apps access messaging + + - Let Windows apps control radios + + - Let Windows apps access trusted devices + + - Do not show feedback notifications + + - Turn off Automatic Download and Update of Map Data + + - Force a specific default lock screen image + +- Added the AllowLinguisticDataCollection MDM policy. + +- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall. + +- Changed the Windows Update section to apply system-wide settings, and not just per user. + +## Info management settings + + +This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). 
They will also be included in the next update for the Long Term Servicing Branch. + +- [1. Cortana](#bkmk-cortana) + +- [2. Date & Time](#bkmk-datetime) + +- [3. Device metadata retrieval](#bkmk-devinst) + +- [4. Font streaming](#font-streaming) + +- [5. Insider Preview builds](#bkmk-previewbuilds) + +- [6. Internet Explorer](#bkmk-ie) + +- [7. Live Tiles](#live-tiles) + +- [8. Mail synchronization](#bkmk-mailsync) + +- [9. Microsoft Edge](#bkmk-edge) + +- [10. Network Connection Status Indicator](#bkmk-ncsi) + +- [11. Offline maps](#bkmk-offlinemaps) + +- [12. OneDrive](#bkmk-onedrive) + +- [13. Preinstalled apps](#bkmk-preinstalledapps) + +- [14. Settings > Privacy](#bkmk-settingssection) + +- [15. Software Protection Platform](#bkmk-spp) + +- [16. Sync your settings](#bkmk-syncsettings) + +- [17. Teredo](#bkmk-teredo) + +- [18. Wi-Fi Sense](#bkmk-wifisense) + +- [19. Windows Defender](#bkmk-defender) + +- [20. Windows Media Player](#bkmk-wmp) + +- [21. Windows spotlight](#bkmk-spotlight) + +- [22. Windows Store](#bkmk-windowsstore) + +- [23. Windows Update Delivery Optimization](#bkmk-updates) + +- [24. Windows Update](#bkmk-wu) + + +See the following table for a summary of the management settings. For more info, see its corresponding section. + +![Management settings table](images/settings-table.png) + +### 1. Cortana + +Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683). + +### 1.1 Cortana Group Policies + +Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. + +| Policy | Description | +|------------------------------------------------------|---------------------------------------------------------------------------------------| +| Allow Cortana | Choose whether to let Cortana install and run on the device. 
| +| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. | +| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
      Default: Disabled| +| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | +| Set what information is shared in Search | Control what information is shared with Bing in Search. | + +When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. + +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. + +2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. + +3. On the **Rule Type** page, click **Program**, and then click **Next**. + +4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**. + +5. On the **Action** page, click **Block the connection**, and then click **Next**. + +6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**. + +7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.** + +8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**. + +9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. + + - For **Protocol type**, choose **TCP**. + + - For **Local port**, choose **All Ports**. 
+ + - For **Remote port**, choose **All ports**. + +> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. + +### 1.2 Cortana MDM policies + +The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | +| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
      Default: Allowed| + +### 1.3 Cortana Windows Provisioning + +To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. + +### 2. Date & Time + +You can prevent Windows from setting the time automatically. + +- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** + + -or- + +- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**. + +### 3. Device metadata retrieval + +To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. + +### 4. Font streaming + +Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. + +To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. + +> **Note:** This may change in future versions of Windows. + +### 5. Insider Preview builds + +To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. + +- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**. 
+ + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. + + -or- + +- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + + -or- + +- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + +### 6. Internet Explorer + +Use Group Policy to manage settings for Internet Explorer. + +### 6.1 Internet Explorer Group Policies + +Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
      Default: Enabled
      You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
      Default: Enabled| +| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
      Default: Disabled
      You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| +| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
      Default: Enabled | +| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
      Default: Disabled| + +### 6.2 ActiveX control blocking + +ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). + +For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). + +### 7. Live Tiles + +To turn off Live Tiles: + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** + +### 8. Mail synchronization + +To turn off mail synchronization for Microsoft Accounts that are configured on a device: + +- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. + + -or- + +- Remove any Microsoft Accounts from the Mail app. + + -or- + +- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. + +To turn off the Windows Mail app: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** + +### 9. Microsoft Edge + +Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682). + +### 9.1 Microsoft Edge Group Policies + +Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. + +> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. 
The table below reflects those changes. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn off autofill | Choose whether employees can use autofill on websites.
      Default: Enabled | +| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
      Default: Disabled | +| Turn off password manager | Choose whether employees can save passwords locally on their devices.
      Default: Enabled | +| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
      Default: Enabled | +| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
      Default: Enabled | +| Open a new tab with an empty tab | Choose whether a new tab page appears.
      Default: Enabled | +| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
      Set this to **about:blank** | + +### 9.2 Microsoft Edge MDM policies + +The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
      Default: Allowed | +| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
      Default: Not allowed | +| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
      Default: Allowed | +| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
      Default: Allowed | +| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
      Default: Allowed | + +### 9.3 Microsoft Edge Windows Provisioning + +Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. + +For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). + +### 10. Network Connection Status Indicator + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). + +You can turn off NCSI through Group Policy: + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** + +> **Note** After you apply this policy, you must restart the device for the policy setting to take effect. + +### 11. Offline maps + +You can turn off the ability to download and update offline maps. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** + +### 12. OneDrive + +To turn off OneDrive in your organization: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** + +### 13. Preinstalled apps + +Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. 
+ +To remove the News app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** + +To remove the Weather app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** + +To remove the Money app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** + +To remove the Sports app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** + +To remove the Twitter app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** + +To remove the XBOX app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** + +To remove the Sway app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** + +To remove the OneNote app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** + +To remove the Get Office app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** + +To remove the Get Skype app: + +- Right-click the Sports app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** + +### 14. Settings > Privacy + +Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. + +- [14.1 General](#bkmk-general) + +- [14.2 Location](#bkmk-priv-location) + +- [14.3 Camera](#bkmk-priv-camera) + +- [14.4 Microphone](#bkmk-priv-microphone) + +- [14.5 Speech, inking, & typing](#bkmk-priv-speech) + +- [14.6 Account info](#bkmk-priv-accounts) + +- [14.7 Contacts](#bkmk-priv-contacts) + +- [14.8 Calendar](#bkmk-priv-calendar) + +- [14.9 Call history](#bkmk-priv-callhistory) + +- [14.10 Email](#bkmk-priv-email) + +- [14.11 Messaging](#bkmk-priv-messaging) + +- [14.12 Radios](#bkmk-priv-radios) + +- [14.13 Other devices](#bkmk-priv-other-devices) + +- [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + +- [14.15 Background apps](#bkmk-priv-background) + +### 14.1 General + +**General** includes options that don't fall into other areas. + +To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: + +> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. 
+ + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + +To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**. + + Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + + -or- + +- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + + -or- + +- Create a provisioning package, using: + + - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** + + - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero). + +To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: + +> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. + + + +- Turn off the feature in the UI. + + -or- + +- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Not allowed + + - **1**. Allowed (default) + +To turn off **Let websites provide locally relevant content by accessing my language list**: + +- Turn off the feature in the UI. 
+ + -or- + +- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. + +### 14.2 Location + +In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. + +To turn off **Location for this device**: + +- Click the **Change** button in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. + + -or- + +- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Turned off and the employee can't turn it back on. + + - **1**. Turned on, but lets the employee choose whether to use it. (default) + + - **2**. Turned on and the employee can't turn it off. + + **Note** + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where + + - **No**. Turns off location service. + + - **Yes**. Turns on location service. (default) + +To turn off **Location**: + +- Turn off the feature in the UI. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +To turn off **Location history**: + +- Erase the history using the **Clear** button in the UI. + +To turn off **Choose apps that can use your location**: + +- Turn off each app using the UI. + +### 14.3 Camera + +In the **Camera** area, you can choose which apps can access a device's camera. 
+ +To turn off **Let apps use my camera**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + + **Note** + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + + -or- + +- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + +To turn off **Choose apps that can use your camera**: + +- Turn off the feature in the UI for each app. + +### 14.4 Microphone + +In the **Microphone** area, you can choose which apps can access a device's microphone. + +To turn off **Let apps use my microphone**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can use your microphone**: + +- Turn off the feature in the UI for each app. + +### 14.5 Speech, inking, & typing + +In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. 
+ +> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. + + + +To turn off the functionality: + +- Click the **Stop getting to know me** button, and then click **Turn off**. + + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** + + -or- + +- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). + + -and- + + Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). + +### 14.6 Account info + +In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. + +To turn off **Let apps access my name, picture, and other account info**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose the apps that can access your account info**: + +- Turn off the feature in the UI for each app. + +### 14.7 Contacts + +In the **Contacts** area, you can choose which apps can access an employee's contacts list. + +To turn off **Choose apps that can access contacts**: + +- Turn off the feature in the UI for each app. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** + + - Set the **Select a setting** box to **Force Deny**. 
+ +### 14.8 Calendar + +In the **Calendar** area, you can choose which apps have access to an employee's calendar. + +To turn off **Let apps access my calendar**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can access calendar**: + +- Turn off the feature in the UI for each app. + +### 14.9 Call history + +In the **Call history** area, you can choose which apps have access to an employee's call history. + +To turn off **Let apps access my call history**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.10 Email + +In the **Email** area, you can choose which apps have can access and send email. + +To turn off **Let apps access and send email**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.11 Messaging + +In the **Messaging** area, you can choose which apps can read or send messages. + +To turn off **Let apps read or send messages (text or MMS)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can read or send messages**: + +- Turn off the feature in the UI for each app. 
+ +### 14.12 Radios + +In the **Radios** area, you can choose which apps can turn a device's radio on or off. + +To turn off **Let apps control radios**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can control radios**: + +- Turn off the feature in the UI for each app. + +### 14.13 Other devices + +In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. + +To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: + +- Turn off the feature in the UI. + +To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** + + - Set the **Select a setting** box to **Force Deny**. + +### 14.14 Feedback & diagnostics + +In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. + +To change how frequently **Windows should ask for my feedback**: + +**Note** +Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. + + + +- To change from **Automatically (Recommended)**, use the drop-down list in the UI. 
+ + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** + + -or- + +- Create the registry keys (REG\_DWORD type): + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod + + Based on these settings: + + | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod | + |---------------|-----------------------------|-----------------------------| + | Automatically | Delete the registry setting | Delete the registry setting | + | Never | 0 | 0 | + | Always | 100000000 | Delete the registry setting | + | Once a day | 864000000000 | 1 | + | Once a week | 6048000000000 | 1 | + + + +To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: + +- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. + + > **Note:** You can't use the UI to change the telemetry level to **Security**. + + + + -or- + +- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** + + -or- + +- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Maps to the **Security** level. + + - **1**. Maps to the **Basic** level. + + - **2**. Maps to the **Enhanced** level. + + - **3**. Maps to the **Full** level. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: + + - **0**. Maps to the **Security** level. + + - **1**. Maps to the **Basic** level. + + - **2**. Maps to the **Enhanced** level. + + - **3**. Maps to the **Full** level. 
+ +### 14.15 Background apps + +In the **Background Apps** area, you can choose which apps can run in the background. + +To turn off **Let apps run in the background**: + +- Turn off the feature in the UI for each app. + +### 15. Software Protection Platform + +Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: + +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** + +The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. + +### 16. Sync your settings + +You can control if your settings are synchronized: + +- In the UI: **Settings** > **Accounts** > **Sync your settings** + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** + + -or- + +- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where + + - **No**. Settings are not synchronized. + + - **Yes**. Settings are synchronized. (default) + +To turn off Messaging cloud sync: + +- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). + +### 17. Teredo + +You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). 
+ +- From an elevated command prompt, run **netsh interface teredo set state disabled** + +### 18. Wi-Fi Sense + +Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. + +To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: + +- Turn off the feature in the UI. + + -or- + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. + + -or- + +- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). + + -or- + +- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). + + -or- + +- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910). + +When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. + +### 19. Windows Defender + +You can opt out of the Microsoft Antimalware Protection Service. + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** + + -or- + +- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). 
+ + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). + + -and- + + From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** + +You can stop sending file samples back to Microsoft. + +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. + + -or- + +- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Always prompt. + + - **1**. (default) Send safe samples automatically. + + - **2**. Never send. + + - **3**. Send all samples automatically. + + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. + +You can stop downloading definition updates: + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. + + -and- + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. + +You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. + +### 20. 
Windows Media Player + +To remove Windows Media Player: + +- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. + + -or- + +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** + +### 21. Windows spotlight + +Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. + +- Configure the following in **Settings**: + + - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. + + - **Personalization** > **Start** > **Occasionally show suggestions in Start**. + + - **System** > **Notifications & actions** > **Show me tips about Windows**. + + -or- + +- Apply the Group Policies: + + - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + - Add a location in the **Path to local lock screen image** box. + + - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. + + **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. + + + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. 
+ +For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). + +### 22. Windows Store + +You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. + +### 23. Windows Update Delivery Optimization + +Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. + +By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. + +Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. + +### 23.1 Settings > Update & security + +You can set up Delivery Optimization from the **Settings** UI. + +- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. + +### 23.2 Delivery Optimization Group Policies + +You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. 
+ +| Policy | Description | +|---------------------------|-----------------------------------------------------------------------------------------------------| +| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
      • None. Turns off Delivery Optimization.

      • Group. Gets or sends updates and apps to PCs on the same local network domain.

      • Internet. Gets or sends updates and apps to PCs on the Internet.

      • LAN. Gets or sends updates and apps to PCs on the same NAT only.

      | +| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
      ** Note** This ID must be a GUID.| +| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
      The default value is 259200 seconds (3 days).| +| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
      The default value is 20, which represents 20% of the disk.| +| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
      The default value is 0, which means unlimited possible bandwidth.| + +### 23.3 Delivery Optimization MDM policies + +The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + +| Policy | Description | +|---------------------------|-----------------------------------------------------------------------------------------------------| +| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
      • 0. Turns off Delivery Optimization.

      • 1. Gets or sends updates and apps to PCs on the same NAT only.

      • 2. Gets or sends updates and apps to PCs on the same local network domain.

      • 3. Gets or sends updates and apps to PCs on the Internet.

      | +| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
      ** Note** This ID must be a GUID.| +| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
      The default value is 259200 seconds (3 days).| +| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
      The default value is 20, which represents 20% of the disk.| +| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
      The default value is 0, which means unlimited possible bandwidth.| + + +### 23.4 Delivery Optimization Windows Provisioning + +If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies + +Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization. + +1. Open Windows ICD, and then click **New provisioning package**. + +2. In the **Name** box, type a name for the provisioning package, and then click **Next.** + +3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**. + +4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies. + +For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684). + +### 24. Windows Update + +You can turn off Windows Update by setting the following registry entries: + +- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + + -and- + +- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + +You can turn off automatic updates by doing one of the following. This is not recommended. + +- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. + + -or- + +- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Notify the user before downloading the update. + + - **1**. 
Auto install the update and then notify the user to schedule a device restart. + + - **2** (default). Auto install and restart. + + - **3**. Auto install and restart at a specified time. + + - **4**. Auto install and restart without end-user control. + + - **5**. Turn off automatic updates. + +To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). From 162303d42468cd978dba73a7e9562f77f9105b62 Mon Sep 17 00:00:00 2001 
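Review bot: The MDM policy name in section 19 (Windows Defender) is spelled Defender/AllowClouldProtection; "Clould" reads as a typo for Defender/AllowCloudProtection, and a name copied from this page into an MDM profile will not match the policy. The same bullet labels its link "Defender CSP" but targets the dn904962 URL that the "Policy CSP" links in sections 14.14, 16, 23.3 and 24 use, so either the label or the target should be corrected. Two smaller points: section 14.10 reads "which apps have can access and send email", and sections 15 through 24 sit at the same `###` level as their own subsections (for example 23 and 23.1), which flattens the outline.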
From: Jan Backstrom Date: Thu, 26 May 2016 14:55:45 -0700 Subject: [PATCH 132/169] fix tagging change W10 to w10 (lower case) and changed author of CFaw to greg-lindsay --- windows/deploy/activate-forest-by-proxy-vamt.md | 2 +- windows/deploy/activate-forest-vamt.md | 2 +- ...ctivate-using-active-directory-based-activation-client.md | 4 ++-- windows/deploy/activate-using-key-management-service-vamt.md | 2 +- windows/deploy/activate-windows-10-clients-vamt.md | 2 +- windows/deploy/active-directory-based-activation-overview.md | 4 ++-- ...-10-operating-system-image-using-configuration-manager.md | 4 ++-- ...deployment-with-windows-pe-using-configuration-manager.md | 4 ++-- windows/deploy/add-manage-products-vamt.md | 2 +- windows/deploy/add-remove-computers-vamt.md | 2 +- windows/deploy/add-remove-product-key-vamt.md | 2 +- ...information-sent-to-microsoft-during-activation-client.md | 2 +- .../deploy/assign-applications-using-roles-in-mdt-2013.md | 2 +- ...ld-a-distributed-environment-for-windows-10-deployment.md | 2 +- windows/deploy/change-history-for-deploy-windows-10.md | 4 ++-- windows/deploy/configure-client-computers-vamt.md | 2 +- windows/deploy/configure-mdt-2013-for-userexit-scripts.md | 2 +- windows/deploy/configure-mdt-2013-settings.md | 2 +- windows/deploy/configure-mdt-deployment-share-rules.md | 2 +- ...ustom-windows-pe-boot-image-with-configuration-manager.md | 4 ++-- ...ate-a-task-sequence-with-configuration-manager-and-mdt.md | 5 +++-- windows/deploy/create-a-windows-10-reference-image.md | 2 +- ...-to-deploy-with-windows-10-using-configuration-manager.md | 4 ++-- windows/deploy/deploy-a-windows-10-image-using-mdt.md | 4 ++-- .../deploy-windows-10-using-pxe-and-configuration-manager.md | 4 ++-- ...ws-10-with-system-center-2012-r2-configuration-manager.md | 4 ++-- ...eploy-windows-10-with-the-microsoft-deployment-toolkit.md | 2 +- windows/deploy/deploy-windows-to-go.md | 5 +++-- ...n-for-windows-10-deployment-with-configuration-manager.md | 4 ++-- 
.../get-started-with-the-microsoft-deployment-toolkit.md | 2 +- .../getting-started-with-the-user-state-migration-tool.md | 4 ++-- windows/deploy/import-export-vamt-data.md | 2 +- windows/deploy/index.md | 4 ++-- windows/deploy/install-configure-vamt.md | 2 +- windows/deploy/install-kms-client-key-vamt.md | 2 +- windows/deploy/install-product-key-vamt.md | 2 +- windows/deploy/install-vamt.md | 2 +- .../deploy/integrate-configuration-manager-with-mdt-2013.md | 2 +- windows/deploy/introduction-vamt.md | 2 +- windows/deploy/key-features-in-mdt-2013.md | 2 +- windows/deploy/kms-activation-vamt.md | 2 +- windows/deploy/local-reactivation-vamt.md | 2 +- windows/deploy/manage-activations-vamt.md | 2 +- windows/deploy/manage-product-keys-vamt.md | 2 +- windows/deploy/manage-vamt-data.md | 2 +- windows/deploy/mdt-2013-lite-touch-components.md | 2 +- windows/deploy/migrate-application-settings.md | 4 ++-- windows/deploy/migration-store-types-overview.md | 4 ++-- windows/deploy/monitor-activation-client.md | 4 ++-- ...nitor-windows-10-deployment-with-configuration-manager.md | 4 ++-- windows/deploy/offline-migration-reference.md | 4 ++-- windows/deploy/online-activation-vamt.md | 2 +- windows/deploy/plan-for-volume-activation-client.md | 2 +- .../deploy/prepare-for-windows-deployment-with-mdt-2013.md | 2 +- ...-installation-of-windows-10-with-configuration-manager.md | 4 ++-- windows/deploy/proxy-activation-vamt.md | 2 +- ...s-7-client-with-windows-10-using-configuration-manager.md | 4 ++-- .../deploy/refresh-a-windows-7-computer-with-windows-10.md | 2 +- windows/deploy/remove-products-vamt.md | 2 +- ...s-7-client-with-windows-10-using-configuration-manager.md | 4 ++-- ...eplace-a-windows-7-computer-with-a-windows-10-computer.md | 2 +- windows/deploy/scenario-kms-activation-vamt.md | 2 +- windows/deploy/scenario-online-activation-vamt.md | 2 +- windows/deploy/scenario-proxy-activation-vamt.md | 2 +- windows/deploy/set-up-mdt-2013-for-bitlocker.md | 2 +- 
windows/deploy/sideload-apps-in-windows-10.md | 4 ++-- ...simulate-a-windows-10-deployment-in-a-test-environment.md | 2 +- windows/deploy/understanding-migration-xml-files.md | 4 ++-- windows/deploy/update-product-status-vamt.md | 2 +- .../update-windows-10-images-with-provisioning-packages.md | 4 ++-- ...-to-windows-10-with-system-center-configuraton-manager.md | 4 ++-- ...de-to-windows-10-with-the-microsoft-deployment-toolkit.md | 2 +- windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md | 2 +- ...dt-database-to-stage-windows-10-deployment-information.md | 2 +- .../use-the-volume-activation-management-tool-client.md | 2 +- windows/deploy/use-vamt-in-windows-powershell.md | 2 +- windows/deploy/use-web-services-in-mdt-2013.md | 2 +- windows/deploy/usmt-best-practices.md | 4 ++-- windows/deploy/usmt-choose-migration-store-type.md | 4 ++-- windows/deploy/usmt-command-line-syntax.md | 4 ++-- windows/deploy/usmt-common-issues.md | 4 ++-- windows/deploy/usmt-common-migration-scenarios.md | 4 ++-- windows/deploy/usmt-configxml-file.md | 4 ++-- windows/deploy/usmt-conflicts-and-precedence.md | 4 ++-- windows/deploy/usmt-custom-xml-examples.md | 4 ++-- windows/deploy/usmt-customize-xml-files.md | 4 ++-- windows/deploy/usmt-determine-what-to-migrate.md | 4 ++-- windows/deploy/usmt-estimate-migration-store-size.md | 4 ++-- windows/deploy/usmt-exclude-files-and-settings.md | 4 ++-- .../usmt-extract-files-from-a-compressed-migration-store.md | 4 ++-- windows/deploy/usmt-faq.md | 4 ++-- windows/deploy/usmt-general-conventions.md | 4 ++-- windows/deploy/usmt-hard-link-migration-store.md | 4 ++-- windows/deploy/usmt-how-it-works.md | 4 ++-- windows/deploy/usmt-how-to.md | 4 ++-- windows/deploy/usmt-identify-application-settings.md | 4 ++-- windows/deploy/usmt-identify-file-types-files-and-folders.md | 4 ++-- windows/deploy/usmt-identify-operating-system-settings.md | 4 ++-- windows/deploy/usmt-identify-users.md | 4 ++-- windows/deploy/usmt-include-files-and-settings.md | 4 
++-- windows/deploy/usmt-loadstate-syntax.md | 4 ++-- windows/deploy/usmt-log-files.md | 4 ++-- windows/deploy/usmt-migrate-efs-files-and-certificates.md | 4 ++-- windows/deploy/usmt-migrate-user-accounts.md | 4 ++-- windows/deploy/usmt-migration-store-encryption.md | 4 ++-- windows/deploy/usmt-overview.md | 4 ++-- windows/deploy/usmt-plan-your-migration.md | 4 ++-- windows/deploy/usmt-recognized-environment-variables.md | 4 ++-- windows/deploy/usmt-reference.md | 4 ++-- windows/deploy/usmt-requirements.md | 4 ++-- windows/deploy/usmt-reroute-files-and-settings.md | 4 ++-- windows/deploy/usmt-resources.md | 4 ++-- windows/deploy/usmt-return-codes.md | 4 ++-- windows/deploy/usmt-scanstate-syntax.md | 4 ++-- windows/deploy/usmt-technical-reference.md | 4 ++-- windows/deploy/usmt-test-your-migration.md | 4 ++-- windows/deploy/usmt-topics.md | 4 ++-- windows/deploy/usmt-troubleshooting.md | 4 ++-- windows/deploy/usmt-utilities.md | 4 ++-- windows/deploy/usmt-what-does-usmt-migrate.md | 4 ++-- windows/deploy/usmt-xml-elements-library.md | 4 ++-- windows/deploy/usmt-xml-reference.md | 4 ++-- windows/deploy/vamt-known-issues.md | 2 +- windows/deploy/vamt-requirements.md | 2 +- windows/deploy/vamt-step-by-step.md | 2 +- .../verify-the-condition-of-a-compressed-migration-store.md | 4 ++-- windows/deploy/volume-activation-management-tool.md | 2 +- windows/deploy/volume-activation-windows-10.md | 2 +- windows/deploy/windows-10-deployment-scenarios.md | 4 ++-- windows/deploy/windows-10-deployment-tools-reference.md | 4 ++-- windows/deploy/windows-10-edition-upgrades.md | 4 ++-- windows/deploy/windows-adk-scenarios-for-it-pros.md | 4 ++-- windows/deploy/windows-deployment-scenarios-and-tools.md | 4 ++-- .../deploy/windows-upgrade-and-migration-considerations.md | 4 ++-- windows/deploy/xml-file-requirements.md | 4 ++-- 135 files changed, 217 insertions(+), 215 deletions(-) 
diff --git a/windows/deploy/activate-forest-by-proxy-vamt.md b/windows/deploy/activate-forest-by-proxy-vamt.md index f178e14406..1e852d5221 100644 --- a/windows/deploy/activate-forest-by-proxy-vamt.md +++ b/windows/deploy/activate-forest-by-proxy-vamt.md @@ -2,7 +2,7 @@ title: Activate by Proxy an Active Directory Forest (Windows 10) description: Activate by Proxy an Active Directory Forest ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/activate-forest-vamt.md b/windows/deploy/activate-forest-vamt.md index 267e03be9c..082bac639c 100644 --- a/windows/deploy/activate-forest-vamt.md +++ b/windows/deploy/activate-forest-vamt.md @@ -2,7 +2,7 @@ title: Activate an Active Directory Forest Online (Windows 10) description: Activate an Active Directory Forest Online ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md index 15ae96825a..dbf9a5a617 100644 --- a/windows/deploy/activate-using-active-directory-based-activation-client.md +++ b/windows/deploy/activate-using-active-directory-based-activation-client.md @@ -3,11 +3,11 @@ title: Activate using Active Directory-based activation (Windows 10) description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Activate using Active Directory-based activation 
diff --git a/windows/deploy/activate-using-key-management-service-vamt.md b/windows/deploy/activate-using-key-management-service-vamt.md index 4c5d735436..9681860156 100644 --- a/windows/deploy/activate-using-key-management-service-vamt.md +++ b/windows/deploy/activate-using-key-management-service-vamt.md @@ -3,7 +3,7 @@ title: Activate using Key Management Service (Windows 10) ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/activate-windows-10-clients-vamt.md b/windows/deploy/activate-windows-10-clients-vamt.md index 91b743947e..2d77f355dc 100644 --- a/windows/deploy/activate-windows-10-clients-vamt.md +++ b/windows/deploy/activate-windows-10-clients-vamt.md @@ -3,7 +3,7 @@ title: Activate clients running Windows 10 (Windows 10) description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/active-directory-based-activation-overview.md b/windows/deploy/active-directory-based-activation-overview.md index 7f47592aa7..9a64d7572a 100644 --- a/windows/deploy/active-directory-based-activation-overview.md +++ b/windows/deploy/active-directory-based-activation-overview.md @@ -2,11 +2,11 @@ title: Active Directory-Based Activation Overview (Windows 10) description: Active Directory-Based Activation Overview ms.assetid: c1dac3bd-6a86-4c45-83dd-421e63a398c0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Active Directory-Based Activation Overview 
diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md index 13a328ea77..5a3eadbc33 100644 --- a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Add a Windows 10 operating system image using Configuration Manager (Windows 10) description: Operating system images are typically the production image used for deployment throughout the organization. ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b -keywords: ["image, deploy, distribute"] -ms.prod: W10 +keywords: image, deploy, distribute +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 8e72718b82..de701986b4 100644 --- a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10) description: In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c -keywords: ["deploy, task sequence"] -ms.prod: W10 +keywords: deploy, task sequence +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus 
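Review bot: The commit subject covers only the W10 to w10 tag change and the CFaw to greg-lindsay author change, but the `keywords:` lines in the two Configuration Manager hunks above are also rewritten, from the bracketed, quoted form (`["image, deploy, distribute"]`, `["deploy, task sequence"]`) to a bare comma-separated string. Mention the keywords normalization in the commit message or move it to its own commit, so that a 135-file change described as a mechanical retag contains nothing else.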
diff --git a/windows/deploy/add-manage-products-vamt.md b/windows/deploy/add-manage-products-vamt.md index 6bbbfaf218..88d5145472 100644 --- a/windows/deploy/add-manage-products-vamt.md +++ b/windows/deploy/add-manage-products-vamt.md @@ -2,7 +2,7 @@ title: Add and Manage Products (Windows 10) description: Add and Manage Products ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/add-remove-computers-vamt.md b/windows/deploy/add-remove-computers-vamt.md index eae34332f2..2ad22c3d7f 100644 --- a/windows/deploy/add-remove-computers-vamt.md +++ b/windows/deploy/add-remove-computers-vamt.md @@ -2,7 +2,7 @@ title: Add and Remove Computers (Windows 10) description: Add and Remove Computers ms.assetid: cb6f3a78-ece0-4dc7-b086-cb003d82cd52 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS diff --git a/windows/deploy/add-remove-product-key-vamt.md b/windows/deploy/add-remove-product-key-vamt.md index 5776806c20..d659ae2507 100644 --- a/windows/deploy/add-remove-product-key-vamt.md +++ b/windows/deploy/add-remove-product-key-vamt.md @@ -2,7 +2,7 @@ title: Add and Remove a Product Key (Windows 10) description: Add and Remove a Product Key ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md index 8a21466ddb..39133a9d8c 100644 --- a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md 
@@ -3,7 +3,7 @@ title: Appendix Information sent to Microsoft during activation (Windows 10) ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md index dab995bb1e..1319888616 100644 --- a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md +++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md @@ -3,7 +3,7 @@ title: Assign applications using roles in MDT (Windows 10) description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 keywords: settings, database, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md index 32a354ad0e..f015c71c1f 100644 --- a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md @@ -3,7 +3,7 @@ title: Build a distributed environment for Windows 10 deployment (Windows 10) description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c keywords: replication, replicate, deploy, configure, remote -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index 3ca65edd17..00404f4def 100644 
--- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md @@ -2,10 +2,10 @@ title: Change history for Deploy Windows 10 (Windows 10) description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Change history for Deploy Windows 10 diff --git a/windows/deploy/configure-client-computers-vamt.md b/windows/deploy/configure-client-computers-vamt.md index b3618bac74..704c8d01f9 100644 --- a/windows/deploy/configure-client-computers-vamt.md +++ b/windows/deploy/configure-client-computers-vamt.md @@ -2,7 +2,7 @@ title: Configure Client Computers (Windows 10) description: Configure Client Computers ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md index 590f112414..a94bee6b7b 100644 --- a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md +++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md @@ -3,7 +3,7 @@ title: Configure MDT for UserExit scripts (Windows 10) description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 keywords: rules, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deploy/configure-mdt-2013-settings.md index af41a8a1bb..ba84efd5c1 100644 --- a/windows/deploy/configure-mdt-2013-settings.md +++ b/windows/deploy/configure-mdt-2013-settings.md 
@@ -3,7 +3,7 @@ title: Configure MDT settings (Windows 10) description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 keywords: customize, customization, deploy, features, tools -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md index 908f92144b..5eeadbbfd6 100644 --- a/windows/deploy/configure-mdt-deployment-share-rules.md +++ b/windows/deploy/configure-mdt-deployment-share-rules.md @@ -3,7 +3,7 @@ title: Configure MDT deployment share rules (Windows 10) description: In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b keywords: rules, configuration, automate, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 049c3e93c2..a5cbfb7886 100644 --- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md 
@@ -2,8 +2,8 @@ title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) description: In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 -keywords: ["tool, customize, deploy, boot image"] -ms.prod: W10 +keywords: tool, customize, deploy, boot image +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md index 03c856a7dc..0838ebde59 100644 --- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -2,9 +2,10 @@ title: Create a task sequence with Configuration Manager and MDT (Windows 10) description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98 -keywords: ["deploy, upgrade, task sequence, install"] -ms.prod: W10 +keywords: deploy, upgrade, task sequence, install +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: mdt ms.sitesec: library author: mtniehaus --- diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deploy/create-a-windows-10-reference-image.md index f81f4eac9a..50ec7f2fcf 100644 --- a/windows/deploy/create-a-windows-10-reference-image.md +++ b/windows/deploy/create-a-windows-10-reference-image.md 
@@ -3,7 +3,7 @@ title: Create a Windows 10 reference image (Windows 10) description: Creating a reference image is important because that image serves as the foundation for the devices in your organization. ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa keywords: deploy, deployment, configure, customize, install, installation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index c47ac7bc38..5dbd28f0c8 100644 --- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Create an application to deploy with Windows 10 using Configuration Manager (Windows 10) description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c -keywords: ["deployment, task sequence, custom, customize"] -ms.prod: W10 +keywords: deployment, task sequence, custom, customize +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deploy/deploy-a-windows-10-image-using-mdt.md index 23176dbd84..7f92cbc0d8 100644 --- a/windows/deploy/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deploy/deploy-a-windows-10-image-using-mdt.md 
@@ -2,8 +2,8 @@ title: Deploy a Windows 10 image using MDT 2013 Update 2 (Windows 10) description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c -keywords: [eployment, automate, tools, configure -ms.prod: W10 +keywords: deployment, automate, tools, configure +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md index 0cdf8e0509..2bc874cf8b 100644 --- a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -2,8 +2,8 @@ title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) description: In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa -keywords: ["deployment, image, UEFI, task sequence"] -ms.prod: W10 +keywords: deployment, image, UEFI, task sequence +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index 32ee03ca6c..e3e558c24b 100644 --- a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md 
@@ -2,8 +2,8 @@ title: Deploy Windows 10 with System Center 2012 R2 Configuration Manager (Windows 10) description: If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 -keywords: ["deployment, custom, boot"] -ms.prod: W10 +keywords: deployment, custom, boot +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index 765f29c16d..93028930c5 100644 --- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -3,7 +3,7 @@ title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10) description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb keywords: deploy, tools, configure, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/deploy-windows-to-go.md b/windows/deploy/deploy-windows-to-go.md index 609ae81687..b4e13c5b8c 100644 --- a/windows/deploy/deploy-windows-to-go.md +++ b/windows/deploy/deploy-windows-to-go.md @@ -2,10 +2,11 @@ title: Deploy Windows To Go in your organization (Windows 10) description: This topic helps you to deploy Windows To Go in your organization. ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f -keywords: ["deployment, USB, device, BitLocker, workspace, security, data"] -ms.prod: W10 +keywords: deployment, USB, device, BitLocker, workspace, security, data +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: mobility author: mtniehaus --- 
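Review bot: In the deploy-windows-to-go.md hunk, the new `ms.pagetype: mobility` line is placed after `ms.sitesec`, but the create-a-task-sequence-with-configuration-manager-and-mdt.md hunk in this same patch inserts `ms.pagetype: mdt` between `ms.mktglfcycl` and `ms.sitesec`. Key order does not change how the YAML parses, so this is a style point: pick one position for `ms.pagetype` and use it in both files, so the front matter stays uniform and later bulk metadata edits produce clean, comparable diffs.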
diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 67136031be..2ed9de7378 100644 --- a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Finalize the operating system configuration for Windows 10 deployment with Configuration Manager (Windows 10) description: This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence. ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e -keywords: ["configure, deploy, upgrade"] -ms.prod: W10 +keywords: configure, deploy, upgrade +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md index 57d9153cb2..85ad95c548 100644 --- a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md 
@@ -3,7 +3,7 @@ title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee keywords: deploy, image, feature, install, tools -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/getting-started-with-the-user-state-migration-tool.md b/windows/deploy/getting-started-with-the-user-state-migration-tool.md index d83c01ec2d..8dae688326 100644 --- a/windows/deploy/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deploy/getting-started-with-the-user-state-migration-tool.md @@ -2,10 +2,10 @@ title: Getting Started with the User State Migration Tool (USMT) (Windows 10) description: Getting Started with the User State Migration Tool (USMT) ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Getting Started with the User State Migration Tool (USMT) diff --git a/windows/deploy/import-export-vamt-data.md b/windows/deploy/import-export-vamt-data.md index aff3d6376f..d33f27e139 100644 --- a/windows/deploy/import-export-vamt-data.md +++ b/windows/deploy/import-export-vamt-data.md @@ -2,7 +2,7 @@ title: Import and Export VAMT Data (Windows 10) description: Import and Export VAMT Data ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/index.md b/windows/deploy/index.md index a3b28ded45..0e5d1a0f8b 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md 
@@ -2,10 +2,10 @@ title: Deploy Windows 10 (Windows 10) description: Learn about deploying Windows 10 for IT professionals. ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Deploy Windows 10 diff --git a/windows/deploy/install-configure-vamt.md b/windows/deploy/install-configure-vamt.md index a660854f6f..49b3f8ec44 100644 --- a/windows/deploy/install-configure-vamt.md +++ b/windows/deploy/install-configure-vamt.md @@ -2,7 +2,7 @@ title: Install and Configure VAMT (Windows 10) description: Install and Configure VAMT ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-kms-client-key-vamt.md b/windows/deploy/install-kms-client-key-vamt.md index f1e5cd2769..9605053d6a 100644 --- a/windows/deploy/install-kms-client-key-vamt.md +++ b/windows/deploy/install-kms-client-key-vamt.md @@ -2,7 +2,7 @@ title: Install a KMS Client Key (Windows 10) description: Install a KMS Client Key ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-product-key-vamt.md b/windows/deploy/install-product-key-vamt.md index a3f4a3760e..71817b7b80 100644 --- a/windows/deploy/install-product-key-vamt.md +++ b/windows/deploy/install-product-key-vamt.md @@ -2,7 +2,7 @@ title: Install a Product Key (Windows 10) description: Install a Product Key ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/install-vamt.md b/windows/deploy/install-vamt.md index 02275fb993..07a9a72b5b 100644 --- a/windows/deploy/install-vamt.md +++ b/windows/deploy/install-vamt.md 
@@ -2,7 +2,7 @@ title: Install VAMT (Windows 10) description: Install VAMT ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md index 1ad2dbc2bd..4a30f0f74c 100644 --- a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md +++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md @@ -4,7 +4,7 @@ description: This topic will help you understand the benefits of integrating the ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5 ms.pagetype: mdt keywords: deploy, image, customize, task sequence -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/introduction-vamt.md b/windows/deploy/introduction-vamt.md index ee0060ad4e..3d51c0dd02 100644 --- a/windows/deploy/introduction-vamt.md +++ b/windows/deploy/introduction-vamt.md @@ -2,7 +2,7 @@ title: Introduction to VAMT (Windows 10) description: Introduction to VAMT ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deploy/key-features-in-mdt-2013.md index 7982bb6d03..03f562ac8e 100644 --- a/windows/deploy/key-features-in-mdt-2013.md +++ b/windows/deploy/key-features-in-mdt-2013.md @@ -3,7 +3,7 @@ title: Key features in MDT 2013 Update 2 (Windows 10) description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 keywords: deploy, feature, tools, upgrade, migrate, provisioning -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt 
diff --git a/windows/deploy/kms-activation-vamt.md b/windows/deploy/kms-activation-vamt.md index 4cd554a80b..beed3fb86f 100644 --- a/windows/deploy/kms-activation-vamt.md +++ b/windows/deploy/kms-activation-vamt.md @@ -2,7 +2,7 @@ title: Perform KMS Activation (Windows 10) description: Perform KMS Activation ms.assetid: 5a3ae8e6-083e-4153-837e-ab0a225c1d10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/local-reactivation-vamt.md b/windows/deploy/local-reactivation-vamt.md index 2cd36eb80b..72b132e799 100644 --- a/windows/deploy/local-reactivation-vamt.md +++ b/windows/deploy/local-reactivation-vamt.md @@ -2,7 +2,7 @@ title: Perform Local Reactivation (Windows 10) description: Perform Local Reactivation ms.assetid: aacd5ded-da11-4d27-a866-3f57332f5dec -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-activations-vamt.md b/windows/deploy/manage-activations-vamt.md index 1f15048dea..effac81fd1 100644 --- a/windows/deploy/manage-activations-vamt.md +++ b/windows/deploy/manage-activations-vamt.md @@ -2,7 +2,7 @@ title: Manage Activations (Windows 10) description: Manage Activations ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-product-keys-vamt.md b/windows/deploy/manage-product-keys-vamt.md index fffe5de77e..a495718fe7 100644 --- a/windows/deploy/manage-product-keys-vamt.md +++ b/windows/deploy/manage-product-keys-vamt.md @@ -2,7 +2,7 @@ title: Manage Product Keys (Windows 10) description: Manage Product Keys ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/manage-vamt-data.md b/windows/deploy/manage-vamt-data.md index adbd4c4ec6..00bbd3982f 100644 
--- a/windows/deploy/manage-vamt-data.md +++ b/windows/deploy/manage-vamt-data.md @@ -2,7 +2,7 @@ title: Manage VAMT Data (Windows 10) description: Manage VAMT Data ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md index 6766bdc104..48f1a250ad 100644 --- a/windows/deploy/mdt-2013-lite-touch-components.md +++ b/windows/deploy/mdt-2013-lite-touch-components.md @@ -3,7 +3,7 @@ title: MDT 2013 Update 2 Lite Touch components (Windows 10) description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 keywords: deploy, install, deployment, boot, log, monitor -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/migrate-application-settings.md b/windows/deploy/migrate-application-settings.md index af79e440f7..6a8ffdc612 100644 --- a/windows/deploy/migrate-application-settings.md +++ b/windows/deploy/migrate-application-settings.md @@ -2,10 +2,10 @@ title: Migrate Application Settings (Windows 10) description: Migrate Application Settings ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate Application Settings diff --git a/windows/deploy/migration-store-types-overview.md b/windows/deploy/migration-store-types-overview.md index cf0c52812e..9ee233402b 100644 --- a/windows/deploy/migration-store-types-overview.md +++ b/windows/deploy/migration-store-types-overview.md 
@@ -2,10 +2,10 @@ title: Migration Store Types Overview (Windows 10) description: Migration Store Types Overview ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migration Store Types Overview diff --git a/windows/deploy/monitor-activation-client.md b/windows/deploy/monitor-activation-client.md index 5a3050cb0b..26c8257cc3 100644 --- a/windows/deploy/monitor-activation-client.md +++ b/windows/deploy/monitor-activation-client.md @@ -3,11 +3,11 @@ title: Monitor activation (Windows 10) ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 description: keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: CFaw +author: greg-lindsay --- # Monitor activation diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md index 7802d20b05..12aae5a28c 100644 --- a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Monitor the Windows 10 deployment with Configuration Manager (Windows 10) description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce -keywords: ["deploy, upgrade"] -ms.prod: W10 +keywords: deploy, upgrade +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/offline-migration-reference.md b/windows/deploy/offline-migration-reference.md index 6ad60f1704..f54d3b4c7b 100644 --- a/windows/deploy/offline-migration-reference.md 
+++ b/windows/deploy/offline-migration-reference.md @@ -2,10 +2,10 @@ title: Offline Migration Reference (Windows 10) description: Offline Migration Reference ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Offline Migration Reference diff --git a/windows/deploy/online-activation-vamt.md b/windows/deploy/online-activation-vamt.md index 5f537d3e20..65311aa3e8 100644 --- a/windows/deploy/online-activation-vamt.md +++ b/windows/deploy/online-activation-vamt.md @@ -2,7 +2,7 @@ title: Perform Online Activation (Windows 10) description: Perform Online Activation ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/plan-for-volume-activation-client.md b/windows/deploy/plan-for-volume-activation-client.md index 3247677c72..d5ed360f3e 100644 --- a/windows/deploy/plan-for-volume-activation-client.md +++ b/windows/deploy/plan-for-volume-activation-client.md @@ -3,7 +3,7 @@ title: Plan for volume activation (Windows 10) description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md index a7b98b2ab3..8f2bbad1b9 100644 --- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md +++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md 
@@ -3,7 +3,7 @@ title: Prepare for deployment with MDT 2013 Update 2 (Windows 10) description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 keywords: deploy, system requirements -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index d9735f4ee1..88a8cac968 100644 --- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -2,8 +2,8 @@ title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10) description: This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08 -keywords: ["install, configure, deploy, deployment"] -ms.prod: W10 +keywords: install, configure, deploy, deployment +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/proxy-activation-vamt.md b/windows/deploy/proxy-activation-vamt.md index c848bcd8ab..ab273007b8 100644 --- a/windows/deploy/proxy-activation-vamt.md +++ b/windows/deploy/proxy-activation-vamt.md 
@@ -2,7 +2,7 @@ title: Perform Proxy Activation (Windows 10) description: Perform Proxy Activation ms.assetid: 35a919ed-f1cc-4d10-9c88-9bd634549dc3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 7d5143cf31..68b0a74563 100644 --- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 -keywords: ["upgrade, install, installation, computer refresh"] -ms.prod: W10 +keywords: upgrade, install, installation, computer refresh +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md index 70dadf1711..f6ea4a2125 100644 --- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md 
@@ -3,7 +3,7 @@ title: Refresh a Windows 7 computer with Windows 10 (Windows 10) description: This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f keywords: reinstallation, customize, template, script, restore -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/remove-products-vamt.md b/windows/deploy/remove-products-vamt.md index 8dca272b68..da875ea27e 100644 --- a/windows/deploy/remove-products-vamt.md +++ b/windows/deploy/remove-products-vamt.md @@ -2,7 +2,7 @@ title: Remove Products (Windows 10) description: Remove Products ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 44bc003fca..b9f521531f 100644 --- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -2,8 +2,8 @@ title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 -keywords: ["upgrade, install, installation, replace computer, setup"] -ms.prod: W10 +keywords: upgrade, install, installation, replace computer, setup +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus 
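Review bot: The unchanged `description:` line in the replace-a-windows-7-client-with-windows-10-using-configuration-manager.md hunk still reads "you will learn how to replacing a Windows 7 SP1 computer", and since this hunk already edits the two front-matter lines just below it, the grammar should be fixed in the same pass. Suggested wording: "In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager."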
diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md index bc78de5970..a862edf501 100644 --- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -3,7 +3,7 @@ title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) description: A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a keywords: deploy, deployment, replace -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/scenario-kms-activation-vamt.md b/windows/deploy/scenario-kms-activation-vamt.md index a43796b90b..385af084f9 100644 --- a/windows/deploy/scenario-kms-activation-vamt.md +++ b/windows/deploy/scenario-kms-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 3 KMS Client Activation (Windows 10) description: Scenario 3 KMS Client Activation ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/scenario-online-activation-vamt.md b/windows/deploy/scenario-online-activation-vamt.md index 69d308ee9c..41dda833ac 100644 --- a/windows/deploy/scenario-online-activation-vamt.md +++ b/windows/deploy/scenario-online-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 1 Online Activation (Windows 10) description: Scenario 1 Online Activation ms.assetid: 94dba40e-383a-41e4-b74b-9e884facdfd3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation 
diff --git a/windows/deploy/scenario-proxy-activation-vamt.md b/windows/deploy/scenario-proxy-activation-vamt.md index 8666ae35c6..2e475d02b4 100644 --- a/windows/deploy/scenario-proxy-activation-vamt.md +++ b/windows/deploy/scenario-proxy-activation-vamt.md @@ -2,7 +2,7 @@ title: Scenario 2 Proxy Activation (Windows 10) description: Scenario 2 Proxy Activation ms.assetid: ed5a8a56-d9aa-4895-918f-dd1898cb2c1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md index 5af8715c60..7a76f8cdf7 100644 --- a/windows/deploy/set-up-mdt-2013-for-bitlocker.md +++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md @@ -3,7 +3,7 @@ title: Set up MDT for BitLocker (Windows 10) ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 description: keywords: disk, encryption, TPM, configure, secure, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/sideload-apps-in-windows-10.md b/windows/deploy/sideload-apps-in-windows-10.md index 63f3fe6fef..9af7d4e4bc 100644 --- a/windows/deploy/sideload-apps-in-windows-10.md +++ b/windows/deploy/sideload-apps-in-windows-10.md @@ -2,10 +2,10 @@ title: Sideload LOB apps in Windows 10 (Windows 10) description: Sideload line-of-business apps in Windows 10. ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Sideload LOB apps in Windows 10 diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md index a8391582fa..a6c8789efb 100644 --- a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md 
@@ -3,7 +3,7 @@ title: Simulate a Windows 10 deployment in a test environment (Windows 10) description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c keywords: deploy, script -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/understanding-migration-xml-files.md b/windows/deploy/understanding-migration-xml-files.md index 528c77f8d3..c03bc14e24 100644 --- a/windows/deploy/understanding-migration-xml-files.md +++ b/windows/deploy/understanding-migration-xml-files.md @@ -2,10 +2,10 @@ title: Understanding Migration XML Files (Windows 10) description: Understanding Migration XML Files ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Understanding Migration XML Files diff --git a/windows/deploy/update-product-status-vamt.md b/windows/deploy/update-product-status-vamt.md index deca904c0c..0e7af45fec 100644 --- a/windows/deploy/update-product-status-vamt.md +++ b/windows/deploy/update-product-status-vamt.md @@ -2,7 +2,7 @@ title: Update Product Status (Windows 10) description: Update Product Status ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/update-windows-10-images-with-provisioning-packages.md b/windows/deploy/update-windows-10-images-with-provisioning-packages.md index 4a553d8b90..e9415d414b 100644 --- a/windows/deploy/update-windows-10-images-with-provisioning-packages.md +++ b/windows/deploy/update-windows-10-images-with-provisioning-packages.md 
@@ -2,8 +2,8 @@ title: Update Windows 10 images with provisioning packages (Windows 10) description: Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. ms.assetid: 3CA345D2-B60A-4860-A3BF-174713C3D3A6 -keywords: ["provisioning", "bulk deployment", "image"] -ms.prod: W10 +keywords: provisioning, bulk deployment, image +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 030ab711f2..0f66363610 100644 --- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -2,8 +2,8 @@ title: Upgrade to Windows 10 with System Center Configuration Manager (Windows 10) description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 -keywords: ["upgrade, update, task sequence, deploy"] -ms.prod: W10 +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 ms.mktglfcycl: deploy author: mtniehaus --- diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 35b90474ab..18dfaf7fdf 100644 --- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md 
@@ -3,7 +3,7 @@ title: Upgrade to Windows 10 with the Microsoft Deployment Toolkit (Windows 10) description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 keywords: upgrade, update, task sequence, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md index 229fb16df0..64e70ced04 100644 --- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md +++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md @@ -3,7 +3,7 @@ title: Use Orchestrator runbooks with MDT (Windows 10) description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f keywords: web services, database -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md index 14749270e7..32208d3e25 100644 --- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -4,7 +4,7 @@ description: This topic is designed to teach you how to use the MDT database to ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46 ms.pagetype: mdt keywords: database, permissions, settings, configure, deploy -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus 
diff --git a/windows/deploy/use-the-volume-activation-management-tool-client.md b/windows/deploy/use-the-volume-activation-management-tool-client.md index 4303bd18a1..1e4f5c32b2 100644 --- a/windows/deploy/use-the-volume-activation-management-tool-client.md +++ b/windows/deploy/use-the-volume-activation-management-tool-client.md @@ -3,7 +3,7 @@ title: Use the Volume Activation Management Tool (Windows 10) description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/use-vamt-in-windows-powershell.md b/windows/deploy/use-vamt-in-windows-powershell.md index 1247d95759..01de72d0a6 100644 --- a/windows/deploy/use-vamt-in-windows-powershell.md +++ b/windows/deploy/use-vamt-in-windows-powershell.md @@ -2,7 +2,7 @@ title: Use VAMT in Windows PowerShell (Windows 10) description: Use VAMT in Windows PowerShell ms.assetid: 13e0ceec-d827-4681-a5c3-8704349e3ba9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md index 6fbe628335..1d8755df14 100644 --- a/windows/deploy/use-web-services-in-mdt-2013.md +++ b/windows/deploy/use-web-services-in-mdt-2013.md @@ -3,7 +3,7 @@ title: Use web services in MDT (Windows 10) description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522 keywords: deploy, web apps -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: mdt ms.sitesec: library 
diff --git a/windows/deploy/usmt-best-practices.md b/windows/deploy/usmt-best-practices.md index b8772fe9f4..8da6b08353 100644 --- a/windows/deploy/usmt-best-practices.md +++ b/windows/deploy/usmt-best-practices.md @@ -2,10 +2,10 @@ title: USMT Best Practices (Windows 10) description: USMT Best Practices ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Best Practices diff --git a/windows/deploy/usmt-choose-migration-store-type.md b/windows/deploy/usmt-choose-migration-store-type.md index 3e3f520ceb..5938b48748 100644 --- a/windows/deploy/usmt-choose-migration-store-type.md +++ b/windows/deploy/usmt-choose-migration-store-type.md @@ -2,10 +2,10 @@ title: Choose a Migration Store Type (Windows 10) description: Choose a Migration Store Type ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Choose a Migration Store Type diff --git a/windows/deploy/usmt-command-line-syntax.md b/windows/deploy/usmt-command-line-syntax.md index 8e62c88e30..22cf9c33aa 100644 --- a/windows/deploy/usmt-command-line-syntax.md +++ b/windows/deploy/usmt-command-line-syntax.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) description: User State Migration Tool (USMT) Command-line Syntax ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Command-line Syntax diff --git a/windows/deploy/usmt-common-issues.md b/windows/deploy/usmt-common-issues.md index d1865b8873..88980d6d7b 100644 --- a/windows/deploy/usmt-common-issues.md +++ b/windows/deploy/usmt-common-issues.md 
@@ -2,10 +2,10 @@ title: Common Issues (Windows 10) description: Common Issues ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Common Issues diff --git a/windows/deploy/usmt-common-migration-scenarios.md b/windows/deploy/usmt-common-migration-scenarios.md index dd61667933..9262ef9b0f 100644 --- a/windows/deploy/usmt-common-migration-scenarios.md +++ b/windows/deploy/usmt-common-migration-scenarios.md @@ -2,10 +2,10 @@ title: Common Migration Scenarios (Windows 10) description: Common Migration Scenarios ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Common Migration Scenarios diff --git a/windows/deploy/usmt-configxml-file.md b/windows/deploy/usmt-configxml-file.md index dea99cd9e0..4484c03e2d 100644 --- a/windows/deploy/usmt-configxml-file.md +++ b/windows/deploy/usmt-configxml-file.md @@ -2,10 +2,10 @@ title: Config.xml File (Windows 10) description: Config.xml File ms.assetid: 9dc98e76-5155-4641-bcb3-81915db538e8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Config.xml File diff --git a/windows/deploy/usmt-conflicts-and-precedence.md b/windows/deploy/usmt-conflicts-and-precedence.md index 9de02f7dca..3b570d51e5 100644 --- a/windows/deploy/usmt-conflicts-and-precedence.md +++ b/windows/deploy/usmt-conflicts-and-precedence.md @@ -2,10 +2,10 @@ title: Conflicts and Precedence (Windows 10) description: Conflicts and Precedence ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Conflicts and Precedence diff --git a/windows/deploy/usmt-custom-xml-examples.md b/windows/deploy/usmt-custom-xml-examples.md index c1fa2bd582..4d60c4903c 100644 
--- a/windows/deploy/usmt-custom-xml-examples.md +++ b/windows/deploy/usmt-custom-xml-examples.md @@ -2,10 +2,10 @@ title: Custom XML Examples (Windows 10) description: Custom XML Examples ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Custom XML Examples diff --git a/windows/deploy/usmt-customize-xml-files.md b/windows/deploy/usmt-customize-xml-files.md index 94619ce485..30930f05ad 100644 --- a/windows/deploy/usmt-customize-xml-files.md +++ b/windows/deploy/usmt-customize-xml-files.md @@ -2,10 +2,10 @@ title: Customize USMT XML Files (Windows 10) description: Customize USMT XML Files ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Customize USMT XML Files diff --git a/windows/deploy/usmt-determine-what-to-migrate.md b/windows/deploy/usmt-determine-what-to-migrate.md index 24c81b0742..27ad2ea86d 100644 --- a/windows/deploy/usmt-determine-what-to-migrate.md +++ b/windows/deploy/usmt-determine-what-to-migrate.md @@ -2,10 +2,10 @@ title: Determine What to Migrate (Windows 10) description: Determine What to Migrate ms.assetid: 01ae1d13-c3eb-4618-b39d-ee5d18d55761 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Determine What to Migrate diff --git a/windows/deploy/usmt-estimate-migration-store-size.md b/windows/deploy/usmt-estimate-migration-store-size.md index 1dbd440416..a331a99c09 100644 --- a/windows/deploy/usmt-estimate-migration-store-size.md +++ b/windows/deploy/usmt-estimate-migration-store-size.md 
@@ -2,10 +2,10 @@ title: Estimate Migration Store Size (Windows 10) description: Estimate Migration Store Size ms.assetid: cfb9062b-7a2a-467a-a24e-0b31ce830093 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Estimate Migration Store Size diff --git a/windows/deploy/usmt-exclude-files-and-settings.md b/windows/deploy/usmt-exclude-files-and-settings.md index 99918b8c5c..e856679334 100644 --- a/windows/deploy/usmt-exclude-files-and-settings.md +++ b/windows/deploy/usmt-exclude-files-and-settings.md @@ -2,10 +2,10 @@ title: Exclude Files and Settings (Windows 10) description: Exclude Files and Settings ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Exclude Files and Settings diff --git a/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md index 8bd8e87680..c679d58b27 100644 --- a/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md @@ -2,10 +2,10 @@ title: Extract Files from a Compressed USMT Migration Store (Windows 10) description: Extract Files from a Compressed USMT Migration Store ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Extract Files from a Compressed USMT Migration Store diff --git a/windows/deploy/usmt-faq.md b/windows/deploy/usmt-faq.md index e69272bc26..715340a82d 100644 --- a/windows/deploy/usmt-faq.md +++ b/windows/deploy/usmt-faq.md 
@@ -2,10 +2,10 @@ title: Frequently Asked Questions (Windows 10) description: Frequently Asked Questions ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Frequently Asked Questions diff --git a/windows/deploy/usmt-general-conventions.md b/windows/deploy/usmt-general-conventions.md index ab6c9ad6b3..020557c402 100644 --- a/windows/deploy/usmt-general-conventions.md +++ b/windows/deploy/usmt-general-conventions.md @@ -2,10 +2,10 @@ title: General Conventions (Windows 10) description: General Conventions ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # General Conventions diff --git a/windows/deploy/usmt-hard-link-migration-store.md b/windows/deploy/usmt-hard-link-migration-store.md index afddeaf45d..e65487a0bd 100644 --- a/windows/deploy/usmt-hard-link-migration-store.md +++ b/windows/deploy/usmt-hard-link-migration-store.md @@ -2,10 +2,10 @@ title: Hard-Link Migration Store (Windows 10) description: Hard-Link Migration Store ms.assetid: b0598418-4607-4952-bfa3-b6e4aaa2c574 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Hard-Link Migration Store diff --git a/windows/deploy/usmt-how-it-works.md b/windows/deploy/usmt-how-it-works.md index 8e6b12231e..0c274924a6 100644 --- a/windows/deploy/usmt-how-it-works.md +++ b/windows/deploy/usmt-how-it-works.md @@ -2,10 +2,10 @@ title: How USMT Works (Windows 10) description: How USMT Works ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # How USMT Works diff --git a/windows/deploy/usmt-how-to.md b/windows/deploy/usmt-how-to.md index 4baa318509..1a22d71262 100644 --- a/windows/deploy/usmt-how-to.md +++ b/windows/deploy/usmt-how-to.md 
@@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) How-to topics (Windows 10) description: User State Migration Tool (USMT) How-to topics ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) How-to topics diff --git a/windows/deploy/usmt-identify-application-settings.md b/windows/deploy/usmt-identify-application-settings.md index ca14712f31..5fa216f2b3 100644 --- a/windows/deploy/usmt-identify-application-settings.md +++ b/windows/deploy/usmt-identify-application-settings.md @@ -2,10 +2,10 @@ title: Identify Applications Settings (Windows 10) description: Identify Applications Settings ms.assetid: eda68031-9b02-4a5b-a893-3786a6505381 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Applications Settings diff --git a/windows/deploy/usmt-identify-file-types-files-and-folders.md b/windows/deploy/usmt-identify-file-types-files-and-folders.md index 3ab8ded02b..49766ca745 100644 --- a/windows/deploy/usmt-identify-file-types-files-and-folders.md +++ b/windows/deploy/usmt-identify-file-types-files-and-folders.md @@ -2,10 +2,10 @@ title: Identify File Types, Files, and Folders (Windows 10) description: Identify File Types, Files, and Folders ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify File Types, Files, and Folders diff --git a/windows/deploy/usmt-identify-operating-system-settings.md b/windows/deploy/usmt-identify-operating-system-settings.md index 232fabdc33..27fd8c0c25 100644 --- a/windows/deploy/usmt-identify-operating-system-settings.md +++ b/windows/deploy/usmt-identify-operating-system-settings.md 
@@ -2,10 +2,10 @@ title: Identify Operating System Settings (Windows 10) description: Identify Operating System Settings ms.assetid: 1704ab18-1765-41fb-a27c-3aa3128fa242 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Operating System Settings diff --git a/windows/deploy/usmt-identify-users.md b/windows/deploy/usmt-identify-users.md index 1f23cb942d..6d081727c3 100644 --- a/windows/deploy/usmt-identify-users.md +++ b/windows/deploy/usmt-identify-users.md @@ -2,10 +2,10 @@ title: Identify Users (Windows 10) description: Identify Users ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Identify Users diff --git a/windows/deploy/usmt-include-files-and-settings.md b/windows/deploy/usmt-include-files-and-settings.md index 6142749d13..411525684e 100644 --- a/windows/deploy/usmt-include-files-and-settings.md +++ b/windows/deploy/usmt-include-files-and-settings.md @@ -2,10 +2,10 @@ title: Include Files and Settings (Windows 10) description: Include Files and Settings ms.assetid: 9009c6a5-0612-4478-8742-abe5eb6cbac8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Include Files and Settings diff --git a/windows/deploy/usmt-loadstate-syntax.md b/windows/deploy/usmt-loadstate-syntax.md index a82a0b4357..36c3dfb311 100644 --- a/windows/deploy/usmt-loadstate-syntax.md +++ b/windows/deploy/usmt-loadstate-syntax.md @@ -2,10 +2,10 @@ title: LoadState Syntax (Windows 10) description: LoadState Syntax ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # LoadState Syntax diff --git a/windows/deploy/usmt-log-files.md b/windows/deploy/usmt-log-files.md index 89fc388cf9..9796591745 100644 --- a/windows/deploy/usmt-log-files.md 
+++ b/windows/deploy/usmt-log-files.md @@ -2,10 +2,10 @@ title: Log Files (Windows 10) description: Log Files ms.assetid: 28185ebd-630a-4bbd-94f4-8c48aad05649 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Log Files diff --git a/windows/deploy/usmt-migrate-efs-files-and-certificates.md b/windows/deploy/usmt-migrate-efs-files-and-certificates.md index 43a57ddc5d..d4e2db536f 100644 --- a/windows/deploy/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deploy/usmt-migrate-efs-files-and-certificates.md @@ -2,10 +2,10 @@ title: Migrate EFS Files and Certificates (Windows 10) description: Migrate EFS Files and Certificates ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate EFS Files and Certificates diff --git a/windows/deploy/usmt-migrate-user-accounts.md b/windows/deploy/usmt-migrate-user-accounts.md index 25c9490cbc..6c87c9b043 100644 --- a/windows/deploy/usmt-migrate-user-accounts.md +++ b/windows/deploy/usmt-migrate-user-accounts.md @@ -2,10 +2,10 @@ title: Migrate User Accounts (Windows 10) description: Migrate User Accounts ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migrate User Accounts diff --git a/windows/deploy/usmt-migration-store-encryption.md b/windows/deploy/usmt-migration-store-encryption.md index bb6343401f..1e8ea1a8e0 100644 --- a/windows/deploy/usmt-migration-store-encryption.md +++ b/windows/deploy/usmt-migration-store-encryption.md @@ -2,10 +2,10 @@ title: Migration Store Encryption (Windows 10) description: Migration Store Encryption ms.assetid: b28c2657-b986-4487-bd38-cb81500b831d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Migration Store Encryption 
diff --git a/windows/deploy/usmt-overview.md b/windows/deploy/usmt-overview.md index f3d7f0b860..928044a3cf 100644 --- a/windows/deploy/usmt-overview.md +++ b/windows/deploy/usmt-overview.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Overview (Windows 10) description: User State Migration Tool (USMT) Overview ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Overview diff --git a/windows/deploy/usmt-plan-your-migration.md b/windows/deploy/usmt-plan-your-migration.md index eaed479359..2b6ce76d7f 100644 --- a/windows/deploy/usmt-plan-your-migration.md +++ b/windows/deploy/usmt-plan-your-migration.md @@ -2,10 +2,10 @@ title: Plan Your Migration (Windows 10) description: Plan Your Migration ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Plan Your Migration diff --git a/windows/deploy/usmt-recognized-environment-variables.md b/windows/deploy/usmt-recognized-environment-variables.md index 8246122fd9..edebf602f1 100644 --- a/windows/deploy/usmt-recognized-environment-variables.md +++ b/windows/deploy/usmt-recognized-environment-variables.md @@ -2,10 +2,10 @@ title: Recognized Environment Variables (Windows 10) description: Recognized Environment Variables ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Recognized Environment Variables diff --git a/windows/deploy/usmt-reference.md b/windows/deploy/usmt-reference.md index ffe3b71ef8..753146d6b9 100644 --- a/windows/deploy/usmt-reference.md +++ b/windows/deploy/usmt-reference.md 
@@ -2,10 +2,10 @@ title: User State Migration Toolkit (USMT) Reference (Windows 10) description: User State Migration Toolkit (USMT) Reference ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Toolkit (USMT) Reference diff --git a/windows/deploy/usmt-requirements.md b/windows/deploy/usmt-requirements.md index ace2abc84a..c8632b0b4a 100644 --- a/windows/deploy/usmt-requirements.md +++ b/windows/deploy/usmt-requirements.md @@ -2,10 +2,10 @@ title: USMT Requirements (Windows 10) description: USMT Requirements ms.assetid: 2b0cf3a3-9032-433f-9622-1f9df59d6806 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Requirements diff --git a/windows/deploy/usmt-reroute-files-and-settings.md b/windows/deploy/usmt-reroute-files-and-settings.md index a948ee7c8c..99dd2eb09c 100644 --- a/windows/deploy/usmt-reroute-files-and-settings.md +++ b/windows/deploy/usmt-reroute-files-and-settings.md @@ -2,10 +2,10 @@ title: Reroute Files and Settings (Windows 10) description: Reroute Files and Settings ms.assetid: 905e6a24-922c-4549-9732-60fa11862a6c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Reroute Files and Settings diff --git a/windows/deploy/usmt-resources.md b/windows/deploy/usmt-resources.md index 0cb115c915..cc268ff816 100644 --- a/windows/deploy/usmt-resources.md +++ b/windows/deploy/usmt-resources.md @@ -2,10 +2,10 @@ title: USMT Resources (Windows 10) description: USMT Resources ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT Resources diff --git a/windows/deploy/usmt-return-codes.md b/windows/deploy/usmt-return-codes.md index 4354a11ca8..365b49b5c7 100644 --- a/windows/deploy/usmt-return-codes.md 
+++ b/windows/deploy/usmt-return-codes.md @@ -2,10 +2,10 @@ title: Return Codes (Windows 10) description: Return Codes ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Return Codes diff --git a/windows/deploy/usmt-scanstate-syntax.md b/windows/deploy/usmt-scanstate-syntax.md index ff2636ee8c..5083385534 100644 --- a/windows/deploy/usmt-scanstate-syntax.md +++ b/windows/deploy/usmt-scanstate-syntax.md @@ -2,10 +2,10 @@ title: ScanState Syntax (Windows 10) description: ScanState Syntax ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # ScanState Syntax diff --git a/windows/deploy/usmt-technical-reference.md b/windows/deploy/usmt-technical-reference.md index 232f27f2fa..5bdf666976 100644 --- a/windows/deploy/usmt-technical-reference.md +++ b/windows/deploy/usmt-technical-reference.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Technical Reference (Windows 10) description: The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Technical Reference diff --git a/windows/deploy/usmt-test-your-migration.md b/windows/deploy/usmt-test-your-migration.md index 05e999a34d..e460f17de8 100644 --- a/windows/deploy/usmt-test-your-migration.md +++ b/windows/deploy/usmt-test-your-migration.md 
@@ -2,10 +2,10 @@ title: Test Your Migration (Windows 10) description: Test Your Migration ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Test Your Migration diff --git a/windows/deploy/usmt-topics.md b/windows/deploy/usmt-topics.md index a58a88b007..4fe5cace86 100644 --- a/windows/deploy/usmt-topics.md +++ b/windows/deploy/usmt-topics.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Overview Topics (Windows 10) description: User State Migration Tool (USMT) Overview Topics ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Overview Topics diff --git a/windows/deploy/usmt-troubleshooting.md b/windows/deploy/usmt-troubleshooting.md index 576f9801c9..33296077f4 100644 --- a/windows/deploy/usmt-troubleshooting.md +++ b/windows/deploy/usmt-troubleshooting.md @@ -2,10 +2,10 @@ title: User State Migration Tool (USMT) Troubleshooting (Windows 10) description: User State Migration Tool (USMT) Troubleshooting ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # User State Migration Tool (USMT) Troubleshooting diff --git a/windows/deploy/usmt-utilities.md b/windows/deploy/usmt-utilities.md index eb9081b082..08df5661f2 100644 --- a/windows/deploy/usmt-utilities.md +++ b/windows/deploy/usmt-utilities.md @@ -2,10 +2,10 @@ title: UsmtUtils Syntax (Windows 10) description: UsmtUtils Syntax ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # UsmtUtils Syntax diff --git a/windows/deploy/usmt-what-does-usmt-migrate.md b/windows/deploy/usmt-what-does-usmt-migrate.md index 83b3851c29..89ba8aa60b 100644 
--- a/windows/deploy/usmt-what-does-usmt-migrate.md +++ b/windows/deploy/usmt-what-does-usmt-migrate.md @@ -2,10 +2,10 @@ title: What Does USMT Migrate (Windows 10) description: What Does USMT Migrate ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # What Does USMT Migrate? diff --git a/windows/deploy/usmt-xml-elements-library.md b/windows/deploy/usmt-xml-elements-library.md index 87ffc8c9c3..f4f412fc2a 100644 --- a/windows/deploy/usmt-xml-elements-library.md +++ b/windows/deploy/usmt-xml-elements-library.md @@ -2,10 +2,10 @@ title: XML Elements Library (Windows 10) description: XML Elements Library ms.assetid: f5af0f6d-c3bf-4a4c-a0ca-9db7985f954f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # XML Elements Library diff --git a/windows/deploy/usmt-xml-reference.md b/windows/deploy/usmt-xml-reference.md index 49d7403f8f..4023b52759 100644 --- a/windows/deploy/usmt-xml-reference.md +++ b/windows/deploy/usmt-xml-reference.md @@ -2,10 +2,10 @@ title: USMT XML Reference (Windows 10) description: USMT XML Reference ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # USMT XML Reference diff --git a/windows/deploy/vamt-known-issues.md b/windows/deploy/vamt-known-issues.md index 1e014a3e46..4aa2185e8f 100644 --- a/windows/deploy/vamt-known-issues.md +++ b/windows/deploy/vamt-known-issues.md @@ -2,7 +2,7 @@ title: VAMT Known Issues (Windows 10) description: VAMT Known Issues ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/vamt-requirements.md b/windows/deploy/vamt-requirements.md index 9da49547b0..06a8615669 100644 --- a/windows/deploy/vamt-requirements.md 
+++ b/windows/deploy/vamt-requirements.md @@ -2,7 +2,7 @@ title: VAMT Requirements (Windows 10) description: VAMT Requirements ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/vamt-step-by-step.md b/windows/deploy/vamt-step-by-step.md index e886684243..5582bd3417 100644 --- a/windows/deploy/vamt-step-by-step.md +++ b/windows/deploy/vamt-step-by-step.md @@ -2,7 +2,7 @@ title: VAMT Step-by-Step Scenarios (Windows 10) description: VAMT Step-by-Step Scenarios ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md index 233beb97f0..ee16be2715 100644 --- a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md @@ -2,10 +2,10 @@ title: Verify the Condition of a Compressed Migration Store (Windows 10) description: Verify the Condition of a Compressed Migration Store ms.assetid: 4a3fda96-5f7d-494a-955f-6b865ec9fcae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Verify the Condition of a Compressed Migration Store diff --git a/windows/deploy/volume-activation-management-tool.md b/windows/deploy/volume-activation-management-tool.md index 04af72f880..887c116352 100644 --- a/windows/deploy/volume-activation-management-tool.md +++ b/windows/deploy/volume-activation-management-tool.md 
@@ -2,7 +2,7 @@ title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/volume-activation-windows-10.md b/windows/deploy/volume-activation-windows-10.md index e57043d4ca..eda56e2651 100644 --- a/windows/deploy/volume-activation-windows-10.md +++ b/windows/deploy/volume-activation-windows-10.md @@ -3,7 +3,7 @@ title: Volume Activation for Windows 10 (Windows 10) description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2 keywords: vamt, volume activation, activation, windows activation -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation diff --git a/windows/deploy/windows-10-deployment-scenarios.md b/windows/deploy/windows-10-deployment-scenarios.md index 54221f9de3..e76d648bb0 100644 --- a/windows/deploy/windows-10-deployment-scenarios.md +++ b/windows/deploy/windows-10-deployment-scenarios.md 
@@ -2,8 +2,8 @@ title: Windows 10 deployment scenarios (Windows 10) description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 -keywords: ["upgrade, in-place, configuration, deploy"] -ms.prod: W10 +keywords: upgrade, in-place, configuration, deploy +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/windows-10-deployment-tools-reference.md b/windows/deploy/windows-10-deployment-tools-reference.md index e71eedae97..597900fb82 100644 --- a/windows/deploy/windows-10-deployment-tools-reference.md +++ b/windows/deploy/windows-10-deployment-tools-reference.md @@ -2,10 +2,10 @@ title: Windows 10 deployment tools reference (Windows 10) description: Learn about the tools available to deploy Windows 10. ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows 10 deployment tools reference diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md index 72baf3a243..21981254a9 100644 --- a/windows/deploy/windows-10-edition-upgrades.md +++ b/windows/deploy/windows-10-edition-upgrades.md @@ -2,10 +2,10 @@ title: Windows 10 edition upgrade (Windows 10) description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows 10 edition upgrade diff --git a/windows/deploy/windows-adk-scenarios-for-it-pros.md b/windows/deploy/windows-adk-scenarios-for-it-pros.md index 3fb2944f22..8821ada189 100644 
--- a/windows/deploy/windows-adk-scenarios-for-it-pros.md +++ b/windows/deploy/windows-adk-scenarios-for-it-pros.md @@ -2,10 +2,10 @@ title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows ADK for Windows 10 scenarios for IT Pros diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md index a66deb1389..ba4f22b7c5 100644 --- a/windows/deploy/windows-deployment-scenarios-and-tools.md +++ b/windows/deploy/windows-deployment-scenarios-and-tools.md @@ -2,8 +2,8 @@ title: Windows 10 deployment tools (Windows 10) description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877 -keywords: ["deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS"] -ms.prod: W10 +keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/windows-upgrade-and-migration-considerations.md b/windows/deploy/windows-upgrade-and-migration-considerations.md index 2b5ee05766..7763b0502d 100644 --- a/windows/deploy/windows-upgrade-and-migration-considerations.md +++ b/windows/deploy/windows-upgrade-and-migration-considerations.md 
@@ -2,10 +2,10 @@ title: Windows Upgrade and Migration Considerations (Windows 10) description: Windows Upgrade and Migration Considerations ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # Windows Upgrade and Migration Considerations diff --git a/windows/deploy/xml-file-requirements.md b/windows/deploy/xml-file-requirements.md index 50c5e1b161..100306e84d 100644 --- a/windows/deploy/xml-file-requirements.md +++ b/windows/deploy/xml-file-requirements.md @@ -2,10 +2,10 @@ title: XML File Requirements (Windows 10) description: XML File Requirements ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: greg-lindsay --- # XML File Requirements From 85211a040e7e671de764ed8c8ddef65178e05cae Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 26 May 2016 15:28:33 -0700 Subject: [PATCH 133/169] updating link --- windows/manage/lock-down-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index 142d9f3824..61004d8822 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -47,7 +47,7 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p

      Use this article to make informed decisions about how you can configure Windows telemetry in your organization.

      -

      [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)

      +

      [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)

      Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
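
Review bot: the new link target on the `+` line, manage-connections-from-windows-operating-system-components-to-microsoft-services.md, is not added or renamed by this patch, since the diffstat lists only windows/manage/lock-down-windows-10.md with 1 insertion and 1 deletion. Please confirm that the target file already exists in windows/manage/ on this branch, and check whether any other page still links to configure-windows-10-devices-to-stop-data-flow-to-microsoft.md, because those links would need the same change. The subject line "updating link" would also be easier to trace later if it named the old and new topic.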

      From 14d357adbc221d0901af97f14a42711d4fed3fbc Mon Sep 17 00:00:00 2001 
From: Jan Backstrom Date: Thu, 26 May 2016 17:07:01 -0700 Subject: [PATCH 134/169] tagging update change W10 to w10 (lower case), add security pagetype to various --- .../access-credential-manager-as-a-trusted-caller.md | 2 +- windows/keep-secure/access-this-computer-from-the-network.md | 2 +- windows/keep-secure/account-lockout-duration.md | 2 +- windows/keep-secure/account-lockout-policy.md | 2 +- windows/keep-secure/account-lockout-threshold.md | 2 +- windows/keep-secure/account-policies.md | 2 +- windows/keep-secure/accounts-administrator-account-status.md | 2 +- windows/keep-secure/accounts-block-microsoft-accounts.md | 2 +- windows/keep-secure/accounts-guest-account-status.md | 2 +- ...l-account-use-of-blank-passwords-to-console-logon-only.md | 2 +- windows/keep-secure/accounts-rename-administrator-account.md | 2 +- windows/keep-secure/accounts-rename-guest-account.md | 2 +- windows/keep-secure/act-as-part-of-the-operating-system.md | 2 +- .../ad-ds-schema-extensions-to-support-tpm-backup.md | 2 +- .../add-apps-to-protected-list-using-custom-uri.md | 5 +++-- ...rules-for-packaged-apps-to-existing-applocker-rule-set.md | 2 +- windows/keep-secure/add-workstations-to-domain.md | 2 +- ...figuration-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/adjust-memory-quotas-for-a-process.md | 2 +- windows/keep-secure/administer-applocker.md | 2 +- windows/keep-secure/administer-security-policy-settings.md | 2 +- .../keep-secure/advanced-security-audit-policy-settings.md | 2 +- windows/keep-secure/advanced-security-auditing-faq.md | 2 +- windows/keep-secure/advanced-security-auditing.md | 2 +- ...erts-queue-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/allow-log-on-locally.md | 2 +- .../allow-log-on-through-remote-desktop-services.md | 2 +- windows/keep-secure/applocker-architecture-and-components.md | 2 +- windows/keep-secure/applocker-functions.md | 2 +- windows/keep-secure/applocker-overview.md | 2 +- 
windows/keep-secure/applocker-policies-deployment-guide.md | 2 +- windows/keep-secure/applocker-policies-design-guide.md | 2 +- windows/keep-secure/applocker-policy-use-scenarios.md | 2 +- windows/keep-secure/applocker-processes-and-interactions.md | 2 +- windows/keep-secure/applocker-settings.md | 2 +- windows/keep-secure/applocker-technical-reference.md | 2 +- .../apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- windows/keep-secure/audit-account-lockout.md | 2 +- windows/keep-secure/audit-application-generated.md | 2 +- windows/keep-secure/audit-application-group-management.md | 2 +- windows/keep-secure/audit-audit-policy-change.md | 2 +- .../audit-audit-the-access-of-global-system-objects.md | 2 +- .../audit-audit-the-use-of-backup-and-restore-privilege.md | 2 +- windows/keep-secure/audit-authentication-policy-change.md | 2 +- windows/keep-secure/audit-authorization-policy-change.md | 2 +- windows/keep-secure/audit-central-access-policy-staging.md | 2 +- windows/keep-secure/audit-certification-services.md | 2 +- windows/keep-secure/audit-computer-account-management.md | 2 +- windows/keep-secure/audit-credential-validation.md | 2 +- .../audit-detailed-directory-service-replication.md | 2 +- windows/keep-secure/audit-detailed-file-share.md | 2 +- windows/keep-secure/audit-directory-service-access.md | 2 +- windows/keep-secure/audit-directory-service-changes.md | 2 +- windows/keep-secure/audit-directory-service-replication.md | 2 +- windows/keep-secure/audit-distribution-group-management.md | 2 +- windows/keep-secure/audit-dpapi-activity.md | 2 +- windows/keep-secure/audit-file-share.md | 2 +- windows/keep-secure/audit-file-system.md | 2 +- windows/keep-secure/audit-filtering-platform-connection.md | 2 +- windows/keep-secure/audit-filtering-platform-packet-drop.md | 2 +- .../keep-secure/audit-filtering-platform-policy-change.md | 2 +- ...it-force-audit-policy-subcategory-settings-to-override.md | 2 +- windows/keep-secure/audit-group-membership.md | 2 +- 
windows/keep-secure/audit-handle-manipulation.md | 2 +- windows/keep-secure/audit-ipsec-driver.md | 2 +- windows/keep-secure/audit-ipsec-extended-mode.md | 2 +- windows/keep-secure/audit-ipsec-main-mode.md | 2 +- windows/keep-secure/audit-ipsec-quick-mode.md | 2 +- windows/keep-secure/audit-kerberos-authentication-service.md | 2 +- .../keep-secure/audit-kerberos-service-ticket-operations.md | 2 +- windows/keep-secure/audit-kernel-object.md | 2 +- windows/keep-secure/audit-logoff.md | 2 +- windows/keep-secure/audit-logon.md | 2 +- windows/keep-secure/audit-mpssvc-rule-level-policy-change.md | 2 +- windows/keep-secure/audit-network-policy-server.md | 2 +- windows/keep-secure/audit-non-sensitive-privilege-use.md | 2 +- windows/keep-secure/audit-other-account-logon-events.md | 2 +- windows/keep-secure/audit-other-account-management-events.md | 2 +- windows/keep-secure/audit-other-logonlogoff-events.md | 2 +- windows/keep-secure/audit-other-object-access-events.md | 2 +- windows/keep-secure/audit-other-policy-change-events.md | 2 +- windows/keep-secure/audit-other-privilege-use-events.md | 2 +- windows/keep-secure/audit-other-system-events.md | 2 +- windows/keep-secure/audit-pnp-activity.md | 2 +- windows/keep-secure/audit-policy.md | 2 +- windows/keep-secure/audit-process-creation.md | 2 +- windows/keep-secure/audit-process-termination.md | 2 +- windows/keep-secure/audit-registry.md | 2 +- windows/keep-secure/audit-removable-storage.md | 2 +- windows/keep-secure/audit-rpc-events.md | 2 +- windows/keep-secure/audit-sam.md | 2 +- windows/keep-secure/audit-security-group-management.md | 2 +- windows/keep-secure/audit-security-state-change.md | 2 +- windows/keep-secure/audit-security-system-extension.md | 2 +- windows/keep-secure/audit-sensitive-privilege-use.md | 2 +- ...wn-system-immediately-if-unable-to-log-security-audits.md | 2 +- windows/keep-secure/audit-special-logon.md | 2 +- windows/keep-secure/audit-system-integrity.md | 2 +- 
windows/keep-secure/audit-user-account-management.md | 2 +- windows/keep-secure/audit-user-device-claims.md | 2 +- windows/keep-secure/back-up-files-and-directories.md | 2 +- .../keep-secure/backup-tpm-recovery-information-to-ad-ds.md | 2 +- windows/keep-secure/basic-audit-account-logon-events.md | 2 +- windows/keep-secure/basic-audit-account-management.md | 2 +- windows/keep-secure/basic-audit-directory-service-access.md | 2 +- windows/keep-secure/basic-audit-logon-events.md | 2 +- windows/keep-secure/basic-audit-object-access.md | 2 +- windows/keep-secure/basic-audit-policy-change.md | 2 +- windows/keep-secure/basic-audit-privilege-use.md | 2 +- windows/keep-secure/basic-audit-process-tracking.md | 2 +- windows/keep-secure/basic-audit-system-events.md | 2 +- windows/keep-secure/basic-security-audit-policies.md | 2 +- windows/keep-secure/basic-security-audit-policy-settings.md | 2 +- windows/keep-secure/bcd-settings-and-bitlocker.md | 2 +- windows/keep-secure/bitlocker-basic-deployment.md | 2 +- windows/keep-secure/bitlocker-countermeasures.md | 2 +- windows/keep-secure/bitlocker-frequently-asked-questions.md | 2 +- windows/keep-secure/bitlocker-group-policy-settings.md | 2 +- .../keep-secure/bitlocker-how-to-deploy-on-windows-server.md | 2 +- .../keep-secure/bitlocker-how-to-enable-network-unlock.md | 2 +- windows/keep-secure/bitlocker-overview.md | 2 +- windows/keep-secure/bitlocker-recovery-guide-plan.md | 2 +- ...e-bitlocker-drive-encryption-tools-to-manage-bitlocker.md | 2 +- .../bitlocker-use-bitlocker-recovery-password-viewer.md | 2 +- windows/keep-secure/block-untrusted-fonts-in-enterprise.md | 5 +++-- windows/keep-secure/bypass-traverse-checking.md | 2 +- .../keep-secure/change-history-for-keep-windows-10-secure.md | 3 ++- windows/keep-secure/change-the-system-time.md | 2 +- windows/keep-secure/change-the-time-zone.md | 2 +- windows/keep-secure/change-the-tpm-owner-password.md | 2 +- .../keep-secure/choose-the-right-bitlocker-countermeasure.md | 2 +- 
.../configure-an-applocker-policy-for-audit-only.md | 2 +- .../configure-an-applocker-policy-for-enforce-rules.md | 2 +- ...-endpoints-windows-defender-advanced-threat-protection.md | 3 ++- .../configure-exceptions-for-an-applocker-rule.md | 2 +- ...y-internet-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/configure-s-mime.md | 2 +- .../keep-secure/configure-the-appLocker-reference-device.md | 2 +- .../configure-the-application-identity-service.md | 2 +- .../keep-secure/configure-windows-defender-in-windows-10.md | 2 +- ...te-a-basic-audit-policy-settings-for-an-event-category.md | 2 +- windows/keep-secure/create-a-pagefile.md | 2 +- windows/keep-secure/create-a-rule-for-packaged-apps.md | 2 +- .../create-a-rule-that-uses-a-file-hash-condition.md | 2 +- .../keep-secure/create-a-rule-that-uses-a-path-condition.md | 2 +- .../create-a-rule-that-uses-a-publisher-condition.md | 2 +- windows/keep-secure/create-a-token-object.md | 2 +- windows/keep-secure/create-applocker-default-rules.md | 2 +- windows/keep-secure/create-edp-policy-using-intune.md | 3 ++- windows/keep-secure/create-edp-policy-using-sccm.md | 5 +++-- windows/keep-secure/create-global-objects.md | 2 +- ...e-list-of-applications-deployed-to-each-business-group.md | 2 +- windows/keep-secure/create-permanent-shared-objects.md | 2 +- windows/keep-secure/create-symbolic-links.md | 2 +- .../keep-secure/create-vpn-and-edp-policy-using-intune.md | 5 +++-- .../keep-secure/create-your-applocker-planning-document.md | 2 +- windows/keep-secure/create-your-applocker-policies.md | 2 +- windows/keep-secure/create-your-applocker-rules.md | 2 +- .../creating-a-device-guard-policy-for-signed-apps.md | 2 +- windows/keep-secure/credential-guard.md | 2 +- .../dashboard-windows-defender-advanced-threat-protection.md | 4 +++- ...ge-privacy-windows-defender-advanced-threat-protection.md | 3 ++- ...in-security-descriptor-definition-language-sddl-syntax.md | 2 +- 
...in-security-descriptor-definition-language-sddl-syntax.md | 2 +- windows/keep-secure/debug-programs.md | 2 +- windows/keep-secure/delete-an-applocker-rule.md | 2 +- .../deny-access-to-this-computer-from-the-network.md | 2 +- windows/keep-secure/deny-log-on-as-a-batch-job.md | 2 +- windows/keep-secure/deny-log-on-as-a-service.md | 2 +- windows/keep-secure/deny-log-on-locally.md | 2 +- .../deny-log-on-through-remote-desktop-services.md | 2 +- ...-applocker-policies-by-using-the-enforce-rules-setting.md | 2 +- windows/keep-secure/deploy-edp-policy-using-intune.md | 5 +++-- .../deploy-the-applocker-policy-into-production.md | 2 +- .../determine-group-policy-structure-and-rule-enforcement.md | 2 +- ...lications-are-digitally-signed-on-a-reference-computer.md | 2 +- .../determine-your-application-control-objectives.md | 2 +- .../keep-secure/device-guard-certification-and-compliance.md | 2 +- windows/keep-secure/device-guard-deployment-guide.md | 4 ++-- .../devices-allow-undock-without-having-to-log-on.md | 2 +- .../devices-allowed-to-format-and-eject-removable-media.md | 2 +- .../devices-prevent-users-from-installing-printer-drivers.md | 2 +- ...-restrict-cd-rom-access-to-locally-logged-on-user-only.md | 2 +- ...-restrict-floppy-access-to-locally-logged-on-user-only.md | 2 +- ...rl-message-when-users-try-to-run-a-blocked-application.md | 2 +- windows/keep-secure/dll-rules-in-applocker.md | 2 +- ...-group-policy-structure-and-applocker-rule-enforcement.md | 2 +- ...document-your-application-control-management-processes.md | 2 +- windows/keep-secure/document-your-application-list.md | 2 +- windows/keep-secure/document-your-applocker-rules.md | 2 +- ...in-controller-allow-server-operators-to-schedule-tasks.md | 2 +- .../domain-controller-ldap-server-signing-requirements.md | 2 +- ...ain-controller-refuse-machine-account-password-changes.md | 2 +- ...r-digitally-encrypt-or-sign-secure-channel-data-always.md | 2 +- 
...er-digitally-encrypt-secure-channel-data-when-possible.md | 2 +- ...ember-digitally-sign-secure-channel-data-when-possible.md | 2 +- ...domain-member-disable-machine-account-password-changes.md | 2 +- .../domain-member-maximum-machine-account-password-age.md | 2 +- ...ember-require-strong-windows-2000-or-later-session-key.md | 2 +- windows/keep-secure/edit-an-applocker-policy.md | 2 +- windows/keep-secure/edit-applocker-rules.md | 2 +- ...omputer-and-user-accounts-to-be-trusted-for-delegation.md | 2 +- windows/keep-secure/enable-the-dll-rule-collection.md | 2 +- windows/keep-secure/encrypted-hard-drive.md | 2 +- windows/keep-secure/enforce-applocker-rules.md | 2 +- windows/keep-secure/enforce-password-history.md | 2 +- windows/keep-secure/enforce-user-logon-restrictions.md | 2 +- windows/keep-secure/enlightened-microsoft-apps-and-edp.md | 5 +++-- ...rror-codes-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/executable-rules-in-applocker.md | 2 +- windows/keep-secure/export-an-applocker-policy-from-a-gpo.md | 2 +- .../keep-secure/export-an-applocker-policy-to-an-xml-file.md | 2 +- .../keep-secure/file-system-global-object-access-auditing.md | 2 +- windows/keep-secure/force-shutdown-from-a-remote-system.md | 2 +- windows/keep-secure/generate-security-audits.md | 2 +- .../get-started-with-windows-defender-for-windows-10.md | 2 +- .../getting-apps-to-run-on-device-guard-protected-devices.md | 2 +- windows/keep-secure/guidance-and-best-practices-edp.md | 5 +++-- windows/keep-secure/how-applocker-works-techref.md | 2 +- .../keep-secure/how-to-configure-security-policy-settings.md | 2 +- windows/keep-secure/how-user-account-control-works.md | 2 +- .../keep-secure/impersonate-a-client-after-authentication.md | 2 +- .../implement-microsoft-passport-in-your-organization.md | 2 +- .../import-an-applocker-policy-from-another-computer.md | 2 +- windows/keep-secure/import-an-applocker-policy-into-a-gpo.md | 2 +- 
windows/keep-secure/increase-a-process-working-set.md | 2 +- windows/keep-secure/increase-scheduling-priority.md | 2 +- windows/keep-secure/index.md | 2 +- .../initialize-and-configure-ownership-of-the-tpm.md | 2 +- .../installing-digital-certificates-on-windows-10-mobile.md | 2 +- ...on-display-user-information-when-the-session-is-locked.md | 2 +- .../interactive-logon-do-not-display-last-user-name.md | 2 +- .../interactive-logon-do-not-require-ctrl-alt-del.md | 2 +- .../interactive-logon-machine-account-lockout-threshold.md | 2 +- .../interactive-logon-machine-inactivity-limit.md | 2 +- ...tive-logon-message-text-for-users-attempting-to-log-on.md | 2 +- ...ive-logon-message-title-for-users-attempting-to-log-on.md | 2 +- ...ns-to-cache-in-case-domain-controller-is-not-available.md | 2 +- ...logon-prompt-user-to-change-password-before-expiration.md | 2 +- ...domain-controller-authentication-to-unlock-workstation.md | 2 +- windows/keep-secure/interactive-logon-require-smart-card.md | 2 +- .../interactive-logon-smart-card-removal-behavior.md | 2 +- ...ate-alerts-windows-defender-advanced-threat-protection.md | 3 ++- ...ate-domain-windows-defender-advanced-threat-protection.md | 3 ++- ...gate-files-windows-defender-advanced-threat-protection.md | 3 ++- ...stigate-ip-windows-defender-advanced-threat-protection.md | 3 ++- ...e-machines-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/kerberos-policy.md | 2 +- 248 files changed, 278 insertions(+), 256 deletions(-) diff --git a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md index f6f7140989..ff24a84d8c 100644 --- a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md +++ b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md 
@@ -2,7 +2,7 @@ title: Access Credential Manager as a trusted caller (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Access Credential Manager as a trusted caller security policy setting. ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/access-this-computer-from-the-network.md b/windows/keep-secure/access-this-computer-from-the-network.md index 00a88b6ba8..1cb598fcfd 100644 --- a/windows/keep-secure/access-this-computer-from-the-network.md +++ b/windows/keep-secure/access-this-computer-from-the-network.md @@ -2,7 +2,7 @@ title: Access this computer from the network (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting. ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-duration.md b/windows/keep-secure/account-lockout-duration.md index 9b8fd5a9f4..1d438057a4 100644 --- a/windows/keep-secure/account-lockout-duration.md +++ b/windows/keep-secure/account-lockout-duration.md @@ -2,7 +2,7 @@ title: Account lockout duration (Windows 10) description: Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting. ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-policy.md b/windows/keep-secure/account-lockout-policy.md index edf3c1a723..6a13c989d3 100644 --- a/windows/keep-secure/account-lockout-policy.md +++ b/windows/keep-secure/account-lockout-policy.md 
@@ -2,7 +2,7 @@ title: Account Lockout Policy (Windows 10) description: Describes the Account Lockout Policy settings and links to information about each policy setting. ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-lockout-threshold.md b/windows/keep-secure/account-lockout-threshold.md index 56fedf53b7..828a524fe0 100644 --- a/windows/keep-secure/account-lockout-threshold.md +++ b/windows/keep-secure/account-lockout-threshold.md @@ -2,7 +2,7 @@ title: Account lockout threshold (Windows 10) description: Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting. ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/account-policies.md b/windows/keep-secure/account-policies.md index 487d575c7f..ca8fb5a3b4 100644 --- a/windows/keep-secure/account-policies.md +++ b/windows/keep-secure/account-policies.md @@ -2,7 +2,7 @@ title: Account Policies (Windows 10) description: An overview of account policies in Windows and provides links to policy descriptions. ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-administrator-account-status.md b/windows/keep-secure/accounts-administrator-account-status.md index 6c992c3bcb..5a3cde966e 100644 --- a/windows/keep-secure/accounts-administrator-account-status.md +++ b/windows/keep-secure/accounts-administrator-account-status.md 
@@ -2,7 +2,7 @@ title: Accounts Administrator account status (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Administrator account status security policy setting. ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-block-microsoft-accounts.md b/windows/keep-secure/accounts-block-microsoft-accounts.md index a482a7a88c..cc479c5bc2 100644 --- a/windows/keep-secure/accounts-block-microsoft-accounts.md +++ b/windows/keep-secure/accounts-block-microsoft-accounts.md @@ -2,7 +2,7 @@ title: Accounts Block Microsoft accounts (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Accounts Block Microsoft accounts security policy setting. ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-guest-account-status.md b/windows/keep-secure/accounts-guest-account-status.md index 2e66ee3ae1..f9054008ac 100644 --- a/windows/keep-secure/accounts-guest-account-status.md +++ b/windows/keep-secure/accounts-guest-account-status.md @@ -2,7 +2,7 @@ title: Accounts Guest account status (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting. ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index 9d8ddd27c9..eb700fe6ec 100644 
--- a/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -2,7 +2,7 @@ title: Accounts Limit local account use of blank passwords to console logon only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Limit local account use of blank passwords to console logon only security policy setting. ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-rename-administrator-account.md b/windows/keep-secure/accounts-rename-administrator-account.md index 8873990424..5c79c1d38b 100644 --- a/windows/keep-secure/accounts-rename-administrator-account.md +++ b/windows/keep-secure/accounts-rename-administrator-account.md @@ -2,7 +2,7 @@ title: Accounts Rename administrator account (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting. ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/accounts-rename-guest-account.md b/windows/keep-secure/accounts-rename-guest-account.md index f82b907968..aa06c480c3 100644 --- a/windows/keep-secure/accounts-rename-guest-account.md +++ b/windows/keep-secure/accounts-rename-guest-account.md @@ -2,7 +2,7 @@ title: Accounts Rename guest account (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting. ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/act-as-part-of-the-operating-system.md b/windows/keep-secure/act-as-part-of-the-operating-system.md index 5d4a39d466..a35393e223 100644 --- a/windows/keep-secure/act-as-part-of-the-operating-system.md +++ b/windows/keep-secure/act-as-part-of-the-operating-system.md @@ -2,7 +2,7 @@ title: Act as part of the operating system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Act as part of the operating system security policy setting. ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md index 214bc1763d..8e62ff36b5 100644 --- a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md +++ b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md @@ -2,7 +2,7 @@ title: AD DS schema extensions to support TPM backup (Windows 10) description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 3f9700cfb4..eb028e5f03 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md 
@@ -2,9 +2,10 @@ title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10) description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker. ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880 -keywords: ["EDP", "Enterprise Data Protection", "protected apps", "protected app list"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, protected apps, protected app list +ms.prod: w10 ms.mktglfcycl: explore +ms.pagetype: security ms.sitesec: library author: eross-msft --- diff --git a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index c05eb4ebd2..d99dda899b 100644 --- a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -2,7 +2,7 @@ title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10) description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/add-workstations-to-domain.md b/windows/keep-secure/add-workstations-to-domain.md index 7cdeb90a8b..fac531b419 100644 --- a/windows/keep-secure/add-workstations-to-domain.md +++ b/windows/keep-secure/add-workstations-to-domain.md 
@@ -2,7 +2,7 @@ title: Add workstations to domain (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting. ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md index 604d4ba268..93d466aa32 100644 --- a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md @@ -3,8 +3,9 @@ title: Additional Windows Defender ATP configuration settings description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature. keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates, search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: security ms.sitesec: library author: mjcaparas --- diff --git a/windows/keep-secure/adjust-memory-quotas-for-a-process.md b/windows/keep-secure/adjust-memory-quotas-for-a-process.md index 4568ef9fe0..44fe866134 100644 --- a/windows/keep-secure/adjust-memory-quotas-for-a-process.md +++ b/windows/keep-secure/adjust-memory-quotas-for-a-process.md 
@@ -2,7 +2,7 @@ title: Adjust memory quotas for a process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting. ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/administer-applocker.md b/windows/keep-secure/administer-applocker.md index 232b69b1ef..0940acac92 100644 --- a/windows/keep-secure/administer-applocker.md +++ b/windows/keep-secure/administer-applocker.md @@ -2,7 +2,7 @@ title: Administer AppLocker (Windows 10) description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/administer-security-policy-settings.md b/windows/keep-secure/administer-security-policy-settings.md index 59bc1ce37f..de0baa4b22 100644 --- a/windows/keep-secure/administer-security-policy-settings.md +++ b/windows/keep-secure/administer-security-policy-settings.md @@ -2,7 +2,7 @@ title: Administer security policy settings (Windows 10) description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. ms.assetid: 7617d885-9d28-437a-9371-171197407599 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md index 5b5faf0b14..14ecaca52f 100644 --- a/windows/keep-secure/advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/advanced-security-audit-policy-settings.md 
@@ -2,7 +2,7 @@ title: Advanced security audit policy settings (Windows 10) description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-auditing-faq.md b/windows/keep-secure/advanced-security-auditing-faq.md index eef52f8d63..3bfa640035 100644 --- a/windows/keep-secure/advanced-security-auditing-faq.md +++ b/windows/keep-secure/advanced-security-auditing-faq.md @@ -2,7 +2,7 @@ title: Advanced security auditing FAQ (Windows 10) description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/advanced-security-auditing.md b/windows/keep-secure/advanced-security-auditing.md index 5ed85a625d..bdec74db1c 100644 --- a/windows/keep-secure/advanced-security-auditing.md +++ b/windows/keep-secure/advanced-security-auditing.md @@ -2,7 +2,7 @@ title: Advanced security audit policies (Windows 10) description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently. ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md index ee4ce0a4a9..46dddb36a1 100644 
--- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: View and organize the Windows Defender ATP Alerts queue description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts. keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md index fdfa7ab402..3cbeacb088 100644 --- a/windows/keep-secure/allow-log-on-locally.md +++ b/windows/keep-secure/allow-log-on-locally.md @@ -2,7 +2,7 @@ title: Allow log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting. ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md index cc51c9cbea..d409837c30 100644 --- a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md 
@@ -2,7 +2,7 @@ title: Allow log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-architecture-and-components.md b/windows/keep-secure/applocker-architecture-and-components.md index 39e8bbf34c..98760516ec 100644 --- a/windows/keep-secure/applocker-architecture-and-components.md +++ b/windows/keep-secure/applocker-architecture-and-components.md @@ -2,7 +2,7 @@ title: AppLocker architecture and components (Windows 10) description: This topic for IT professional describes AppLocker’s basic architecture and its major components. ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-functions.md b/windows/keep-secure/applocker-functions.md index d3ab5362dd..eaad056c7a 100644 --- a/windows/keep-secure/applocker-functions.md +++ b/windows/keep-secure/applocker-functions.md @@ -2,7 +2,7 @@ title: AppLocker functions (Windows 10) description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-overview.md b/windows/keep-secure/applocker-overview.md index 6918af6f1e..954c093d80 100644 --- a/windows/keep-secure/applocker-overview.md +++ b/windows/keep-secure/applocker-overview.md 
@@ -2,7 +2,7 @@ title: AppLocker (Windows 10) description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policies-deployment-guide.md b/windows/keep-secure/applocker-policies-deployment-guide.md index f0bce74c2a..2adc3ff79b 100644 --- a/windows/keep-secure/applocker-policies-deployment-guide.md +++ b/windows/keep-secure/applocker-policies-deployment-guide.md @@ -2,7 +2,7 @@ title: AppLocker deployment guide (Windows 10) description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policies-design-guide.md b/windows/keep-secure/applocker-policies-design-guide.md index 7954db3edb..2e331c4fb8 100644 --- a/windows/keep-secure/applocker-policies-design-guide.md +++ b/windows/keep-secure/applocker-policies-design-guide.md @@ -2,7 +2,7 @@ title: AppLocker design guide (Windows 10) description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-policy-use-scenarios.md b/windows/keep-secure/applocker-policy-use-scenarios.md index ce30809f52..64a8fd4db0 100644 --- a/windows/keep-secure/applocker-policy-use-scenarios.md +++ b/windows/keep-secure/applocker-policy-use-scenarios.md 
@@ -2,7 +2,7 @@ title: AppLocker policy use scenarios (Windows 10) description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-processes-and-interactions.md b/windows/keep-secure/applocker-processes-and-interactions.md index 0243055da8..5f07c7d07f 100644 --- a/windows/keep-secure/applocker-processes-and-interactions.md +++ b/windows/keep-secure/applocker-processes-and-interactions.md @@ -2,7 +2,7 @@ title: AppLocker processes and interactions (Windows 10) description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-settings.md b/windows/keep-secure/applocker-settings.md index 77509f8e43..7af2350b9d 100644 --- a/windows/keep-secure/applocker-settings.md +++ b/windows/keep-secure/applocker-settings.md @@ -2,7 +2,7 @@ title: AppLocker settings (Windows 10) description: This topic for the IT professional lists the settings used by AppLocker. ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/applocker-technical-reference.md b/windows/keep-secure/applocker-technical-reference.md index 164a159782..1c797a1679 100644 --- a/windows/keep-secure/applocker-technical-reference.md +++ b/windows/keep-secure/applocker-technical-reference.md 
@@ -2,7 +2,7 @@ title: AppLocker technical reference (Windows 10) description: This overview topic for IT professionals provides links to the topics in the technical reference. ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md index 5828778660..fd5dcf7155 100644 --- a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -2,7 +2,7 @@ title: Apply a basic audit policy on a file or folder (Windows 10) description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-account-lockout.md b/windows/keep-secure/audit-account-lockout.md index 6c7ebbb0e2..be3326efee 100644 --- a/windows/keep-secure/audit-account-lockout.md +++ b/windows/keep-secure/audit-account-lockout.md @@ -2,7 +2,7 @@ title: Audit Account Lockout (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-application-generated.md b/windows/keep-secure/audit-application-generated.md index f7c31ca13a..3aa2716aa8 100644 --- a/windows/keep-secure/audit-application-generated.md 
+++ b/windows/keep-secure/audit-application-generated.md @@ -2,7 +2,7 @@ title: Audit Application Generated (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-application-group-management.md b/windows/keep-secure/audit-application-group-management.md index 3055b72f6d..76cdabda54 100644 --- a/windows/keep-secure/audit-application-group-management.md +++ b/windows/keep-secure/audit-application-group-management.md @@ -2,7 +2,7 @@ title: Audit Application Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed. ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-audit-policy-change.md b/windows/keep-secure/audit-audit-policy-change.md index 65b7d6261e..de2aca1b0a 100644 --- a/windows/keep-secure/audit-audit-policy-change.md +++ b/windows/keep-secure/audit-audit-policy-change.md 
@@ -2,7 +2,7 @@ title: Audit Audit Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy. ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md index 767ec7c30a..9fcecc87b1 100644 --- a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md +++ b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md @@ -2,7 +2,7 @@ title: Audit Audit the access of global system objects (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting. ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md index 49b518da5a..3bd9ddd1b8 100644 --- a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -2,7 +2,7 @@ title: Audit Audit the use of Backup and Restore privilege (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting. ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/audit-authentication-policy-change.md b/windows/keep-secure/audit-authentication-policy-change.md index e26a96a284..712e480800 100644 --- a/windows/keep-secure/audit-authentication-policy-change.md +++ b/windows/keep-secure/audit-authentication-policy-change.md @@ -2,7 +2,7 @@ title: Audit Authentication Policy Change (Windows 10) description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md index 3bff0a5dd9..7e426a2044 100644 --- a/windows/keep-secure/audit-authorization-policy-change.md +++ b/windows/keep-secure/audit-authorization-policy-change.md @@ -2,7 +2,7 @@ title: Audit Authorization Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-central-access-policy-staging.md b/windows/keep-secure/audit-central-access-policy-staging.md index e53abd2a09..28539eb491 100644 --- a/windows/keep-secure/audit-central-access-policy-staging.md +++ b/windows/keep-secure/audit-central-access-policy-staging.md 
@@ -2,7 +2,7 @@ title: Audit Central Access Policy Staging (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy. ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-certification-services.md b/windows/keep-secure/audit-certification-services.md index f23bdde027..f5aa0959d7 100644 --- a/windows/keep-secure/audit-certification-services.md +++ b/windows/keep-secure/audit-certification-services.md @@ -2,7 +2,7 @@ title: Audit Certification Services (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-computer-account-management.md b/windows/keep-secure/audit-computer-account-management.md index 5211936625..f336c85c74 100644 --- a/windows/keep-secure/audit-computer-account-management.md +++ b/windows/keep-secure/audit-computer-account-management.md @@ -2,7 +2,7 @@ title: Audit Computer Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index 7f4232806f..fdacd0aa43 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md @@ -2,7 +2,7 @@ title: Audit Credential Validation (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-detailed-directory-service-replication.md b/windows/keep-secure/audit-detailed-directory-service-replication.md index ae2e46a570..295527e35e 100644 --- a/windows/keep-secure/audit-detailed-directory-service-replication.md +++ b/windows/keep-secure/audit-detailed-directory-service-replication.md @@ -3,7 +3,7 @@ title: Audit Detailed Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Detailed Directory Service Replication, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md index f60e4dd5f2..4d0294c79c 100644 --- a/windows/keep-secure/audit-detailed-file-share.md +++ b/windows/keep-secure/audit-detailed-file-share.md 
@@ -2,7 +2,7 @@ title: Audit Detailed File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder. ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md index 230dce9a69..2c88e66d93 100644 --- a/windows/keep-secure/audit-directory-service-access.md +++ b/windows/keep-secure/audit-directory-service-access.md @@ -2,7 +2,7 @@ title: Audit Directory Service Access (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md index 361827a614..18b22defe5 100644 --- a/windows/keep-secure/audit-directory-service-changes.md +++ b/windows/keep-secure/audit-directory-service-changes.md @@ -2,7 +2,7 @@ title: Audit Directory Service Changes (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/audit-directory-service-replication.md b/windows/keep-secure/audit-directory-service-replication.md index 9f09abada9..8dde61d22d 100644 --- a/windows/keep-secure/audit-directory-service-replication.md +++ b/windows/keep-secure/audit-directory-service-replication.md @@ -2,7 +2,7 @@ title: Audit Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-distribution-group-management.md b/windows/keep-secure/audit-distribution-group-management.md index 1e259424ed..80cfcea450 100644 --- a/windows/keep-secure/audit-distribution-group-management.md +++ b/windows/keep-secure/audit-distribution-group-management.md @@ -2,7 +2,7 @@ title: Audit Distribution Group Management (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-dpapi-activity.md b/windows/keep-secure/audit-dpapi-activity.md index 1e7c77ac71..30db4c39a8 100644 --- a/windows/keep-secure/audit-dpapi-activity.md +++ b/windows/keep-secure/audit-dpapi-activity.md 
@@ -2,7 +2,7 @@ title: Audit DPAPI Activity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-file-share.md b/windows/keep-secure/audit-file-share.md index 8040bc118a..af74a0b2a8 100644 --- a/windows/keep-secure/audit-file-share.md +++ b/windows/keep-secure/audit-file-share.md @@ -2,7 +2,7 @@ title: Audit File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed. ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md index 53faccfac6..1ddb1c3d49 100644 --- a/windows/keep-secure/audit-file-system.md +++ b/windows/keep-secure/audit-file-system.md @@ -2,7 +2,7 @@ title: Audit File System (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects. ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library diff --git a/windows/keep-secure/audit-filtering-platform-connection.md b/windows/keep-secure/audit-filtering-platform-connection.md index a23961c6d9..4b8c95c652 100644 
--- a/windows/keep-secure/audit-filtering-platform-connection.md +++ b/windows/keep-secure/audit-filtering-platform-connection.md @@ -2,7 +2,7 @@ title: Audit Filtering Platform Connection (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-filtering-platform-packet-drop.md b/windows/keep-secure/audit-filtering-platform-packet-drop.md index fda5bc89e7..96935fa8b7 100644 --- a/windows/keep-secure/audit-filtering-platform-packet-drop.md +++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md @@ -2,7 +2,7 @@ title: Audit Filtering Platform Packet Drop (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. ms.assetid: 95457601-68d1-4385-af20-87916ddab906 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-filtering-platform-policy-change.md b/windows/keep-secure/audit-filtering-platform-policy-change.md index 97f04007ea..10c8a9459b 100644 --- a/windows/keep-secure/audit-filtering-platform-policy-change.md +++ b/windows/keep-secure/audit-filtering-platform-policy-change.md 
@@ -2,7 +2,7 @@ title: Audit Filtering Platform Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md index 2ceff2fa34..50880766f6 100644 --- a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md @@ -2,7 +2,7 @@ title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting. ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-group-membership.md b/windows/keep-secure/audit-group-membership.md index bfbd5e7887..d738bb1582 100644 --- a/windows/keep-secure/audit-group-membership.md +++ b/windows/keep-secure/audit-group-membership.md 
@@ -2,7 +2,7 @@ title: Audit Group Membership (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC. ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md index da8a48ee26..6b9fb9ab21 100644 --- a/windows/keep-secure/audit-handle-manipulation.md +++ b/windows/keep-secure/audit-handle-manipulation.md @@ -2,7 +2,7 @@ title: Audit Handle Manipulation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-driver.md b/windows/keep-secure/audit-ipsec-driver.md index 7394906faa..dbe0ede32c 100644 --- a/windows/keep-secure/audit-ipsec-driver.md +++ b/windows/keep-secure/audit-ipsec-driver.md @@ -2,7 +2,7 @@ title: Audit IPsec Driver (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver. ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-extended-mode.md b/windows/keep-secure/audit-ipsec-extended-mode.md index 89f0857940..5030fc74a2 100644 --- a/windows/keep-secure/audit-ipsec-extended-mode.md 
+++ b/windows/keep-secure/audit-ipsec-extended-mode.md @@ -2,7 +2,7 @@ title: Audit IPsec Extended Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-main-mode.md b/windows/keep-secure/audit-ipsec-main-mode.md index 203307a841..872af92c04 100644 --- a/windows/keep-secure/audit-ipsec-main-mode.md +++ b/windows/keep-secure/audit-ipsec-main-mode.md @@ -2,7 +2,7 @@ title: Audit IPsec Main Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-ipsec-quick-mode.md b/windows/keep-secure/audit-ipsec-quick-mode.md index 79de06ad17..8a3446cb65 100644 --- a/windows/keep-secure/audit-ipsec-quick-mode.md +++ b/windows/keep-secure/audit-ipsec-quick-mode.md 
@@ -2,7 +2,7 @@ title: Audit IPsec Quick Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-kerberos-authentication-service.md b/windows/keep-secure/audit-kerberos-authentication-service.md index 85498b7404..f8665de37e 100644 --- a/windows/keep-secure/audit-kerberos-authentication-service.md +++ b/windows/keep-secure/audit-kerberos-authentication-service.md @@ -2,7 +2,7 @@ title: Audit Kerberos Authentication Service (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-kerberos-service-ticket-operations.md b/windows/keep-secure/audit-kerberos-service-ticket-operations.md index 5f00cf260a..4e3a1976d6 100644 --- a/windows/keep-secure/audit-kerberos-service-ticket-operations.md +++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md 
@@ -2,7 +2,7 @@ title: Audit Kerberos Service Ticket Operations (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests. ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-kernel-object.md b/windows/keep-secure/audit-kernel-object.md index 783f4c3e18..6600a97c21 100644 --- a/windows/keep-secure/audit-kernel-object.md +++ b/windows/keep-secure/audit-kernel-object.md @@ -2,7 +2,7 @@ title: Audit Kernel Object (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md index 05aee8928a..56970b2562 100644 --- a/windows/keep-secure/audit-logoff.md +++ b/windows/keep-secure/audit-logoff.md @@ -2,7 +2,7 @@ title: Audit Logoff (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated. ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-logon.md b/windows/keep-secure/audit-logon.md index fb98f6691c..bd363a9eb0 100644 --- a/windows/keep-secure/audit-logon.md 
+++ b/windows/keep-secure/audit-logon.md @@ -2,7 +2,7 @@ title: Audit Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer. ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md index 67760b944f..ab8412a168 100644 --- a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md +++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md @@ -2,7 +2,7 @@ title: Audit MPSSVC Rule-Level Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-network-policy-server.md b/windows/keep-secure/audit-network-policy-server.md index 5f060ff57e..f98d7f0579 100644 --- a/windows/keep-secure/audit-network-policy-server.md +++ b/windows/keep-secure/audit-network-policy-server.md 
@@ -2,7 +2,7 @@ title: Audit Network Policy Server (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md index e1321ebc6a..45dd5b1a2c 100644 --- a/windows/keep-secure/audit-non-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md @@ -2,7 +2,7 @@ title: Audit Non-Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-account-logon-events.md b/windows/keep-secure/audit-other-account-logon-events.md index 57eaa771fa..4511233562 100644 --- a/windows/keep-secure/audit-other-account-logon-events.md +++ b/windows/keep-secure/audit-other-account-logon-events.md 
@@ -2,7 +2,7 @@ title: Audit Other Account Logon Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-account-management-events.md b/windows/keep-secure/audit-other-account-management-events.md index 737c91e478..48fecc4788 100644 --- a/windows/keep-secure/audit-other-account-management-events.md +++ b/windows/keep-secure/audit-other-account-management-events.md @@ -2,7 +2,7 @@ title: Audit Other Account Management Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events. ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-logonlogoff-events.md b/windows/keep-secure/audit-other-logonlogoff-events.md index 14b371601d..5b9c517af5 100644 --- a/windows/keep-secure/audit-other-logonlogoff-events.md +++ b/windows/keep-secure/audit-other-logonlogoff-events.md @@ -2,7 +2,7 @@ title: Audit Other Logon/Logoff Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events. ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/audit-other-object-access-events.md b/windows/keep-secure/audit-other-object-access-events.md index 71b1ee1965..3d453c1927 100644 --- a/windows/keep-secure/audit-other-object-access-events.md +++ b/windows/keep-secure/audit-other-object-access-events.md @@ -2,7 +2,7 @@ title: Audit Other Object Access Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-policy-change-events.md b/windows/keep-secure/audit-other-policy-change-events.md index 7e2c53404a..5ef649bca4 100644 --- a/windows/keep-secure/audit-other-policy-change-events.md +++ b/windows/keep-secure/audit-other-policy-change-events.md @@ -2,7 +2,7 @@ title: Audit Other Policy Change Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-privilege-use-events.md b/windows/keep-secure/audit-other-privilege-use-events.md index 839251f763..5babb23a8a 100644 --- a/windows/keep-secure/audit-other-privilege-use-events.md +++ b/windows/keep-secure/audit-other-privilege-use-events.md 
@@ -2,7 +2,7 @@ title: Audit Other Privilege Use Events (Windows 10) description: This security policy setting is not used. ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-other-system-events.md b/windows/keep-secure/audit-other-system-events.md index 2b28658209..3bb668bd64 100644 --- a/windows/keep-secure/audit-other-system-events.md +++ b/windows/keep-secure/audit-other-system-events.md @@ -2,7 +2,7 @@ title: Audit Other System Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events. ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-pnp-activity.md b/windows/keep-secure/audit-pnp-activity.md index aef1c0ae47..c80884e78c 100644 --- a/windows/keep-secure/audit-pnp-activity.md +++ b/windows/keep-secure/audit-pnp-activity.md @@ -2,7 +2,7 @@ title: Audit PNP Activity (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device. ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-policy.md b/windows/keep-secure/audit-policy.md index 87cf555f43..2cd2c8cd95 100644 --- a/windows/keep-secure/audit-policy.md +++ b/windows/keep-secure/audit-policy.md 
@@ -2,7 +2,7 @@ title: Audit Policy (Windows 10) description: Provides information about basic audit policies that are available in Windows and links to information about each setting. ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-process-creation.md b/windows/keep-secure/audit-process-creation.md index dbe4b6bc69..c9c6d41c57 100644 --- a/windows/keep-secure/audit-process-creation.md +++ b/windows/keep-secure/audit-process-creation.md @@ -2,7 +2,7 @@ title: Audit Process Creation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-process-termination.md b/windows/keep-secure/audit-process-termination.md index 4208a938c3..9f4fde6d86 100644 --- a/windows/keep-secure/audit-process-termination.md +++ b/windows/keep-secure/audit-process-termination.md @@ -2,7 +2,7 @@ title: Audit Process Termination (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process. ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-registry.md b/windows/keep-secure/audit-registry.md index 40ea22bf27..2f58eb5560 100644 --- a/windows/keep-secure/audit-registry.md +++ b/windows/keep-secure/audit-registry.md 
@@ -2,7 +2,7 @@ title: Audit Registry (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects. ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md index 1892857f3e..cdfc2b415e 100644 --- a/windows/keep-secure/audit-removable-storage.md +++ b/windows/keep-secure/audit-removable-storage.md @@ -2,7 +2,7 @@ title: Audit Removable Storage (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-rpc-events.md b/windows/keep-secure/audit-rpc-events.md index dfb512694b..8bd9607c04 100644 --- a/windows/keep-secure/audit-rpc-events.md +++ b/windows/keep-secure/audit-rpc-events.md @@ -2,7 +2,7 @@ title: Audit RPC Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-sam.md b/windows/keep-secure/audit-sam.md index c682e87a89..734ac0681a 100644 --- a/windows/keep-secure/audit-sam.md +++ b/windows/keep-secure/audit-sam.md 
@@ -2,7 +2,7 @@ title: Audit SAM (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-security-group-management.md b/windows/keep-secure/audit-security-group-management.md index 65d91ba967..7ff17d66f3 100644 --- a/windows/keep-secure/audit-security-group-management.md +++ b/windows/keep-secure/audit-security-group-management.md @@ -2,7 +2,7 @@ title: Audit Security Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed. ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-security-state-change.md b/windows/keep-secure/audit-security-state-change.md index efda133f49..e8c184b3e0 100644 --- a/windows/keep-secure/audit-security-state-change.md +++ b/windows/keep-secure/audit-security-state-change.md @@ -2,7 +2,7 @@ title: Audit Security State Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/audit-security-system-extension.md b/windows/keep-secure/audit-security-system-extension.md index e605195736..428a0d685c 100644 --- a/windows/keep-secure/audit-security-system-extension.md +++ b/windows/keep-secure/audit-security-system-extension.md @@ -2,7 +2,7 @@ title: Audit Security System Extension (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions. ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-sensitive-privilege-use.md b/windows/keep-secure/audit-sensitive-privilege-use.md index 2c7cd5a902..718aa00bd9 100644 --- a/windows/keep-secure/audit-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-sensitive-privilege-use.md @@ -2,7 +2,7 @@ title: Audit Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 5ce9aeecf7..0cd45cc597 100644 --- a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md 
@@ -2,7 +2,7 @@ title: Audit Shut down system immediately if unable to log security audits (Windows 10) description: Describes the best practices, location, values, management practices, and security considerations for the Audit Shut down system immediately if unable to log security audits security policy setting. ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-special-logon.md b/windows/keep-secure/audit-special-logon.md index 439cf91d3d..f4bad313c7 100644 --- a/windows/keep-secure/audit-special-logon.md +++ b/windows/keep-secure/audit-special-logon.md @@ -2,7 +2,7 @@ title: Audit Special Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-system-integrity.md b/windows/keep-secure/audit-system-integrity.md index dfc2666ebf..38fd5a5ce5 100644 --- a/windows/keep-secure/audit-system-integrity.md +++ b/windows/keep-secure/audit-system-integrity.md @@ -2,7 +2,7 @@ title: Audit System Integrity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem. ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-user-account-management.md b/windows/keep-secure/audit-user-account-management.md index 1f05f3085b..a763d8ea76 100644 
--- a/windows/keep-secure/audit-user-account-management.md +++ b/windows/keep-secure/audit-user-account-management.md @@ -2,7 +2,7 @@ title: Audit User Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed. ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/audit-user-device-claims.md b/windows/keep-secure/audit-user-device-claims.md index 254bfb2c7d..e5576c4bdf 100644 --- a/windows/keep-secure/audit-user-device-claims.md +++ b/windows/keep-secure/audit-user-device-claims.md @@ -2,7 +2,7 @@ title: Audit User/Device Claims (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md index 2cddb14842..6f6a7b8805 100644 --- a/windows/keep-secure/back-up-files-and-directories.md +++ b/windows/keep-secure/back-up-files-and-directories.md @@ -2,7 +2,7 @@ title: Back up files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md index 5f46d91a0d..aee1050952 100644 --- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md @@ -2,7 +2,7 @@ title: Backup the TPM recovery Information to AD DS (Windows 10) description: This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer. ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-account-logon-events.md b/windows/keep-secure/basic-audit-account-logon-events.md index 4bfa89fd5b..392a87e381 100644 --- a/windows/keep-secure/basic-audit-account-logon-events.md +++ b/windows/keep-secure/basic-audit-account-logon-events.md @@ -2,7 +2,7 @@ title: Audit account logon events (Windows 10) description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-account-management.md b/windows/keep-secure/basic-audit-account-management.md index ee0cf33722..364a455ec2 100644 --- a/windows/keep-secure/basic-audit-account-management.md +++ b/windows/keep-secure/basic-audit-account-management.md 
@@ -2,7 +2,7 @@ title: Audit account management (Windows 10) description: Determines whether to audit each event of account management on a device. ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-directory-service-access.md b/windows/keep-secure/basic-audit-directory-service-access.md index 0d48b78b27..b377adcecc 100644 --- a/windows/keep-secure/basic-audit-directory-service-access.md +++ b/windows/keep-secure/basic-audit-directory-service-access.md @@ -2,7 +2,7 @@ title: Audit directory service access (Windows 10) description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-logon-events.md b/windows/keep-secure/basic-audit-logon-events.md index d83d80357e..143c150317 100644 --- a/windows/keep-secure/basic-audit-logon-events.md +++ b/windows/keep-secure/basic-audit-logon-events.md @@ -2,7 +2,7 @@ title: Audit logon events (Windows 10) description: Determines whether to audit each instance of a user logging on to or logging off from a device. ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-object-access.md b/windows/keep-secure/basic-audit-object-access.md index 6ae03e3c93..05d9500660 100644 --- a/windows/keep-secure/basic-audit-object-access.md +++ b/windows/keep-secure/basic-audit-object-access.md 
@@ -2,7 +2,7 @@ title: Audit object access (Windows 10) description: Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-policy-change.md b/windows/keep-secure/basic-audit-policy-change.md index 0590d832ee..9aee64c9c8 100644 --- a/windows/keep-secure/basic-audit-policy-change.md +++ b/windows/keep-secure/basic-audit-policy-change.md @@ -2,7 +2,7 @@ title: Audit policy change (Windows 10) description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-privilege-use.md b/windows/keep-secure/basic-audit-privilege-use.md index 38a2117169..62d38eec12 100644 --- a/windows/keep-secure/basic-audit-privilege-use.md +++ b/windows/keep-secure/basic-audit-privilege-use.md @@ -2,7 +2,7 @@ title: Audit privilege use (Windows 10) description: Determines whether to audit each instance of a user exercising a user right. ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-process-tracking.md b/windows/keep-secure/basic-audit-process-tracking.md index 9fd272a03c..acfe7b0fb1 100644 --- a/windows/keep-secure/basic-audit-process-tracking.md +++ b/windows/keep-secure/basic-audit-process-tracking.md 
@@ -2,7 +2,7 @@ title: Audit process tracking (Windows 10) description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-audit-system-events.md b/windows/keep-secure/basic-audit-system-events.md index 7724e17654..70674dbb21 100644 --- a/windows/keep-secure/basic-audit-system-events.md +++ b/windows/keep-secure/basic-audit-system-events.md @@ -2,7 +2,7 @@ title: Audit system events (Windows 10) description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-security-audit-policies.md b/windows/keep-secure/basic-security-audit-policies.md index 0ad34f0790..1de3ff5747 100644 --- a/windows/keep-secure/basic-security-audit-policies.md +++ b/windows/keep-secure/basic-security-audit-policies.md @@ -2,7 +2,7 @@ title: Basic security audit policies (Windows 10) description: Before you implement auditing, you must decide on an auditing policy. ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/basic-security-audit-policy-settings.md b/windows/keep-secure/basic-security-audit-policy-settings.md index eeade033ce..82989b0eee 100644 --- a/windows/keep-secure/basic-security-audit-policy-settings.md +++ b/windows/keep-secure/basic-security-audit-policy-settings.md 
@@ -2,7 +2,7 @@ title: Basic security audit policy settings (Windows 10) description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bcd-settings-and-bitlocker.md b/windows/keep-secure/bcd-settings-and-bitlocker.md index bee0c9e8f3..ccd9afd831 100644 --- a/windows/keep-secure/bcd-settings-and-bitlocker.md +++ b/windows/keep-secure/bcd-settings-and-bitlocker.md @@ -2,7 +2,7 @@ title: BCD settings and BitLocker (Windows 10) description: This topic for IT professionals describes the BCD settings that are used by BitLocker. ms.assetid: c4ab7ac9-16dc-4c7e-b061-c0b0deb2c4fa -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-basic-deployment.md b/windows/keep-secure/bitlocker-basic-deployment.md index e63322f296..b83692c713 100644 --- a/windows/keep-secure/bitlocker-basic-deployment.md +++ b/windows/keep-secure/bitlocker-basic-deployment.md @@ -2,7 +2,7 @@ title: BitLocker basic deployment (Windows 10) description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 687bf6047b..7e1f6c7414 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md 
@@ -2,7 +2,7 @@ title: BitLocker Countermeasures (Windows 10) description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index 4d179869fb..23dc64932f 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md @@ -2,7 +2,7 @@ title: BitLocker frequently asked questions (FAQ) (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 77412bda71..8d3864a681 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -2,7 +2,7 @@ title: BitLocker Group Policy settings (Windows 10) description: This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md index e7035aa4e8..e57e269aff 100644 
--- a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md @@ -2,7 +2,7 @@ title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10) description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 37e9e8b02d..16e0aa12b2 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -2,7 +2,7 @@ title: BitLocker How to enable Network Unlock (Windows 10) description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 897f3dd747..58f3047141 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md @@ -2,7 +2,7 @@ title: BitLocker (Windows 10) description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-recovery-guide-plan.md b/windows/keep-secure/bitlocker-recovery-guide-plan.md index 80df5a2c52..61d362d1a3 100644 --- a/windows/keep-secure/bitlocker-recovery-guide-plan.md +++ b/windows/keep-secure/bitlocker-recovery-guide-plan.md 
@@ -2,7 +2,7 @@ title: BitLocker recovery guide (Windows 10) description: This topic for IT professionals describes how to recover BitLocker keys from AD DS. ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index a20d25ff66..8d48b8aff4 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -2,7 +2,7 @@ title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) description: This topic for the IT professional describes how to use tools to manage BitLocker. ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md index 61521699b2..850c7507b0 100644 --- a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -2,7 +2,7 @@ title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md index 032ef98517..83a3f113a9 100644 --- a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md 
+++ b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md @@ -2,9 +2,10 @@ title: Block untrusted fonts in an enterprise (Windows 10) description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4 -keywords: ["font blocking", "untrusted font blocking", "block fonts", "untrusted fonts"] -ms.prod: W10 +keywords: font blocking, untrusted font blocking, block fonts, untrusted fonts +ms.prod: w10 ms.mktglfcycl: deploy +ms.pagetype: security ms.sitesec: library author: eross-msft --- diff --git a/windows/keep-secure/bypass-traverse-checking.md b/windows/keep-secure/bypass-traverse-checking.md index d07fea0ff5..60df8885da 100644 --- a/windows/keep-secure/bypass-traverse-checking.md +++ b/windows/keep-secure/bypass-traverse-checking.md @@ -2,7 +2,7 @@ title: Bypass traverse checking (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting. ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 5f96e1fcb1..3c7d6abdfe 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -2,9 +2,10 @@ title: Change history for Keep Windows 10 secure (Windows 10) description: This topic lists new and updated topics in the Keep Windows 10 secure documentation for Windows 10 and Windows 10 Mobile. ms.assetid: E50EC5E6-71AA-4FF1-8356-574CFDB8079B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- 
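Review bot: in the block-untrusted-fonts-in-enterprise.md hunk, the new `ms.pagetype: security` line is inserted between `ms.mktglfcycl: deploy` and `ms.sitesec: library`, while the change-history-for-keep-windows-10-secure.md hunk right after it adds the same key after `ms.sitesec: library`, which is also where the unchanged context of the neighbouring files has it. Since this commit is normalizing front matter, move the added line below `ms.sitesec: library` so the key order is the same across the folder. The same hunk also rewrites `keywords` from a bracketed, quoted list to a plain comma-separated value. That changes the YAML type from a sequence to a single string, so it is worth confirming that whatever consumes this metadata expects the string form, and saying so in the commit message, because the `W10` to `w10` casing change is otherwise the only thing a reader would expect from this series of hunks.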
diff --git a/windows/keep-secure/change-the-system-time.md b/windows/keep-secure/change-the-system-time.md index 4ac7356093..e6f43e3f88 100644 --- a/windows/keep-secure/change-the-system-time.md +++ b/windows/keep-secure/change-the-system-time.md @@ -2,7 +2,7 @@ title: Change the system time (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting. ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/change-the-time-zone.md b/windows/keep-secure/change-the-time-zone.md index 1b27d5afe9..3eb72473a5 100644 --- a/windows/keep-secure/change-the-time-zone.md +++ b/windows/keep-secure/change-the-time-zone.md @@ -2,7 +2,7 @@ title: Change the time zone (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting. ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index 7241d40deb..ba11bc7a8c 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md @@ -2,7 +2,7 @@ title: Change the TPM owner password (Windows 10) description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. ms.assetid: e43dcff3-acb4-4a92-8816-d6b64b7f2f45 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md index 3e84e8f209..0293f672ae 100644 --- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md +++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md @@ -2,7 +2,7 @@ title: Choose the right BitLocker countermeasure (Windows 10) description: This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. ms.assetid: b0b09508-7885-4030-8c61-d91458afdb14 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md index 58ba26536b..206c0415fe 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md @@ -2,7 +2,7 @@ title: Configure an AppLocker policy for audit only (Windows 10) description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker. ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md index 3d6aa8a2c7..55e87ba39a 100644 --- a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md 
@@ -2,7 +2,7 @@ title: Configure an AppLocker policy for enforce rules (Windows 10) description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 79f9ff560f..aede6f38ed 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Configure Windows Defender ATP endpoints description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service. keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md index 0d4e3eefd6..be96e323ed 100644 --- a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md +++ b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md @@ -2,7 +2,7 @@ title: Add exceptions for an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index aef3743b8f..e0564e8606 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Configure Windows Defender ATP endpoint proxy and Internet connection set description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, web proxy auto detect, wpad, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/configure-s-mime.md b/windows/keep-secure/configure-s-mime.md index 1d5a83822d..7b9906f26d 100644 --- a/windows/keep-secure/configure-s-mime.md +++ b/windows/keep-secure/configure-s-mime.md @@ -3,7 +3,7 @@ title: Configure S/MIME for Windows 10 and Windows 10 Mobile (Windows 10) description: In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 keywords: encrypt, digital signature -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-the-appLocker-reference-device.md b/windows/keep-secure/configure-the-appLocker-reference-device.md index 59e6e81b2d..97d6fd1361 100644 --- a/windows/keep-secure/configure-the-appLocker-reference-device.md +++ b/windows/keep-secure/configure-the-appLocker-reference-device.md 
@@ -2,7 +2,7 @@ title: Configure the AppLocker reference device (Windows 10) description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/configure-the-application-identity-service.md b/windows/keep-secure/configure-the-application-identity-service.md index 0714a613da..84a1d64b98 100644 --- a/windows/keep-secure/configure-the-application-identity-service.md +++ b/windows/keep-secure/configure-the-application-identity-service.md @@ -3,7 +3,7 @@ title: Configure the Application Identity service (Windows 10) description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md index 72c2a16a9b..b52b5f6c57 100644 --- a/windows/keep-secure/configure-windows-defender-in-windows-10.md +++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md @@ -2,7 +2,7 @@ title: Configure Windows Defender in Windows 10 (Windows 10) description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md index cdd372d271..69742a74b0 100644 --- a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -2,7 +2,7 @@ title: Create a basic audit policy for an event category (Windows 10) description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/keep-secure/create-a-pagefile.md index c914d790aa..a8c65abbab 100644 --- a/windows/keep-secure/create-a-pagefile.md +++ b/windows/keep-secure/create-a-pagefile.md @@ -2,7 +2,7 @@ title: Create a pagefile (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting. ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-rule-for-packaged-apps.md b/windows/keep-secure/create-a-rule-for-packaged-apps.md index 3909260775..f0ed699e79 100644 --- a/windows/keep-secure/create-a-rule-for-packaged-apps.md +++ b/windows/keep-secure/create-a-rule-for-packaged-apps.md @@ -2,7 +2,7 @@ title: Create a rule for packaged apps (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md index 261eea052b..4a1038f165 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md @@ -2,7 +2,7 @@ title: Create a rule that uses a file hash condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md index 8553577fac..89a34500cd 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md @@ -2,7 +2,7 @@ title: Create a rule that uses a path condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a path condition. ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md index 11ceca1e52..214dca0f70 100644 --- a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md @@ -2,7 +2,7 @@ title: Create a rule that uses a publisher condition (Windows 10) description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/create-a-token-object.md b/windows/keep-secure/create-a-token-object.md index 99055b694f..8decf358bf 100644 --- a/windows/keep-secure/create-a-token-object.md +++ b/windows/keep-secure/create-a-token-object.md @@ -2,7 +2,7 @@ title: Create a token object (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a token object security policy setting. ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md index eb37fb2112..930d2bc4d7 100644 --- a/windows/keep-secure/create-applocker-default-rules.md +++ b/windows/keep-secure/create-applocker-default-rules.md @@ -2,7 +2,7 @@ title: Create AppLocker default rules (Windows 10) description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index e2dab16028..c5d390ea1c 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md 
@@ -2,9 +2,10 @@ title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index 9e4288873e..fa412028a7 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md @@ -2,10 +2,11 @@ title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10) description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 -keywords: ["EDP", "Enterprise Data Protection", "SCCM", "System Center Configuration Manager", Configuration Manager"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-global-objects.md b/windows/keep-secure/create-global-objects.md index 1f047ee451..c131685bec 100644 --- a/windows/keep-secure/create-global-objects.md +++ b/windows/keep-secure/create-global-objects.md 
@@ -2,7 +2,7 @@ title: Create global objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create global objects security policy setting. ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md index 074fababfc..c623dd725f 100644 --- a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md @@ -2,7 +2,7 @@ title: Create a list of apps deployed to each business group (Windows 10) description: This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-permanent-shared-objects.md b/windows/keep-secure/create-permanent-shared-objects.md index 33ab226516..bcc0896951 100644 --- a/windows/keep-secure/create-permanent-shared-objects.md +++ b/windows/keep-secure/create-permanent-shared-objects.md @@ -2,7 +2,7 @@ title: Create permanent shared objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create permanent shared objects security policy setting. ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-symbolic-links.md b/windows/keep-secure/create-symbolic-links.md index 857a5a7ca9..994d8de789 100644 
--- a/windows/keep-secure/create-symbolic-links.md +++ b/windows/keep-secure/create-symbolic-links.md @@ -2,7 +2,7 @@ title: Create symbolic links (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting. ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md index 16034ac23d..760968b092 100644 --- a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md +++ b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md @@ -2,10 +2,11 @@ title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10) description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/create-your-applocker-planning-document.md b/windows/keep-secure/create-your-applocker-planning-document.md index 263be36d5e..f2b23f5937 100644 --- a/windows/keep-secure/create-your-applocker-planning-document.md +++ b/windows/keep-secure/create-your-applocker-planning-document.md 
@@ -2,7 +2,7 @@ title: Create your AppLocker planning document (Windows 10) description: This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-your-applocker-policies.md b/windows/keep-secure/create-your-applocker-policies.md index b7a23cc02d..e4ecc44cee 100644 --- a/windows/keep-secure/create-your-applocker-policies.md +++ b/windows/keep-secure/create-your-applocker-policies.md @@ -2,7 +2,7 @@ title: Create Your AppLocker policies (Windows 10) description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/create-your-applocker-rules.md b/windows/keep-secure/create-your-applocker-rules.md index ee0590e89b..8bcb7daf24 100644 --- a/windows/keep-secure/create-your-applocker-rules.md +++ b/windows/keep-secure/create-your-applocker-rules.md @@ -2,7 +2,7 @@ title: Create Your AppLocker rules (Windows 10) description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. ms.assetid: b684a3a5-929c-4f70-8742-04088022f232 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md index ee2f72275b..a1b2db57b3 100644 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md 
@@ -2,7 +2,7 @@ title: Create a Device Guard code integrity policy based on a reference device (Windows 10) description: To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device. ms.assetid: 6C94B14E-E2CE-4F6C-8939-4B375406E825 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 870a49c024..1202cb6ae3 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -2,7 +2,7 @@ title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md index aa142cc631..07afd4227c 100644 --- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,11 @@ title: View the Windows Defender Advanced Threat Protection Dashboard description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # View the Windows Defender Advanced Threat Protection Dashboard diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md index 1286313495..6db6f55321 100644 --- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender ATP data storage and privacy description: Learn about how Windows Defender ATP handles privacy and data that it collects. keywords: Windows Defender ATP data storage and privacy, storage, privacy search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security --- # Windows Defender ATP data storage and privacy diff --git a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 6fe17f05af..99fd9c7f66 100644 --- a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
+++ b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -2,7 +2,7 @@ title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index d4c42764a5..6b5d3ee2c2 100644 --- a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -2,7 +2,7 @@ title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) description: Describes the best practices, location, values, and security considerations for the DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting. ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/debug-programs.md b/windows/keep-secure/debug-programs.md index 4b133fd251..810c6a21b5 100644 --- a/windows/keep-secure/debug-programs.md +++ b/windows/keep-secure/debug-programs.md 
@@ -2,7 +2,7 @@ title: Debug programs (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting. ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/delete-an-applocker-rule.md b/windows/keep-secure/delete-an-applocker-rule.md index ad342ee6cf..3d4888fb73 100644 --- a/windows/keep-secure/delete-an-applocker-rule.md +++ b/windows/keep-secure/delete-an-applocker-rule.md @@ -2,7 +2,7 @@ title: Delete an AppLocker rule (Windows 10) description: This topic for IT professionals describes the steps to delete an AppLocker rule. ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md index df4e48dc46..fbad5a0ca8 100644 --- a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md +++ b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md @@ -2,7 +2,7 @@ title: Deny access to this computer from the network (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting. ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-as-a-batch-job.md b/windows/keep-secure/deny-log-on-as-a-batch-job.md index d3abeeb6d5..5edb8ca898 100644 --- a/windows/keep-secure/deny-log-on-as-a-batch-job.md +++ b/windows/keep-secure/deny-log-on-as-a-batch-job.md 
@@ -2,7 +2,7 @@ title: Deny log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting. ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-as-a-service.md b/windows/keep-secure/deny-log-on-as-a-service.md index 8fa66ee734..7acdea2a4c 100644 --- a/windows/keep-secure/deny-log-on-as-a-service.md +++ b/windows/keep-secure/deny-log-on-as-a-service.md @@ -2,7 +2,7 @@ title: Deny log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting. ms.assetid: f1114964-df86-4278-9b11-e35c66949794 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-locally.md b/windows/keep-secure/deny-log-on-locally.md index 916d358f89..cd84f05560 100644 --- a/windows/keep-secure/deny-log-on-locally.md +++ b/windows/keep-secure/deny-log-on-locally.md @@ -2,7 +2,7 @@ title: Deny log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting. ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md index 6877912bae..8e5065b443 100644 --- a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md 
@@ -2,7 +2,7 @@ title: Deny log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting. ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index b7056845e4..b5ecdf6702 100644 --- a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -2,7 +2,7 @@ title: Deploy AppLocker policies by using the enforce rules setting (Windows 10) description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md index 6893478523..7b23a44cf2 100644 --- a/windows/keep-secure/deploy-edp-policy-using-intune.md +++ b/windows/keep-secure/deploy-edp-policy-using-intune.md @@ -2,10 +2,11 @@ title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211 -keywords: ["EDP", "Enterprise Data Protection", "Intune"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection, Intune +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- 
diff --git a/windows/keep-secure/deploy-the-applocker-policy-into-production.md b/windows/keep-secure/deploy-the-applocker-policy-into-production.md index 32e3cd0d65..e56061213f 100644 --- a/windows/keep-secure/deploy-the-applocker-policy-into-production.md +++ b/windows/keep-secure/deploy-the-applocker-policy-into-production.md @@ -2,7 +2,7 @@ title: Deploy the AppLocker policy into production (Windows 10) description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md index 5733fd532e..1544475c03 100644 --- a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md @@ -2,7 +2,7 @@ title: Determine the Group Policy structure and rule enforcement (Windows 10) description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules. ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index a02d55ecc7..ccf2483c4d 100644 --- a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md 
@@ -2,7 +2,7 @@ title: Determine which apps are digitally signed on a reference device (Windows 10) description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/determine-your-application-control-objectives.md b/windows/keep-secure/determine-your-application-control-objectives.md index 65098f5d72..a74a000710 100644 --- a/windows/keep-secure/determine-your-application-control-objectives.md +++ b/windows/keep-secure/determine-your-application-control-objectives.md @@ -2,7 +2,7 @@ title: Determine your application control objectives (Windows 10) description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 9edecd273d..6ac463047e 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md @@ -3,7 +3,7 @@ title: Device Guard certification and compliance (Windows 10) description: Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. ms.assetid: 94167ECA-AB08-431D-95E5-7A363F42C7E3 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft 
diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md index 3d9a53be0e..f98d7216ea 100644 --- a/windows/keep-secure/device-guard-deployment-guide.md +++ b/windows/keep-secure/device-guard-deployment-guide.md @@ -3,9 +3,9 @@ title: Device Guard deployment guide (Windows 10) description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 keywords: virtualization, security, malware -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy -ms.pagetype: devices +ms.pagetype: security, devices author: challum --- diff --git a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md index 0d237c5cd4..d8f1d31192 100644 --- a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md +++ b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md @@ -2,7 +2,7 @@ title: Devices Allow undock without having to log on (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting. ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md index 9c9a232738..bffc76a5e9 100644 --- a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md 
@@ -2,7 +2,7 @@ title: Devices Allowed to format and eject removable media (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting. ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md index c71b4b04d5..0bf0ba89a9 100644 --- a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md @@ -2,7 +2,7 @@ title: Devices Prevent users from installing printer drivers (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting. ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index e42ea9042c..5e399e075e 100644 --- a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md 
@@ -2,7 +2,7 @@ title: Devices Restrict CD-ROM access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting. ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index 3246e36da5..1716725907 100644 --- a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -2,7 +2,7 @@ title: Devices Restrict floppy access to locally logged-on user only (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting. ms.assetid: 92997910-da95-4c03-ae6f-832915423898 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 267ba483ac..85c56528b1 100644 --- a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md 
@@ -3,7 +3,7 @@ title: Display a custom URL message when users try to run a blocked app (Windows description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/dll-rules-in-applocker.md b/windows/keep-secure/dll-rules-in-applocker.md index 4f99109b04..b6e4cd9e93 100644 --- a/windows/keep-secure/dll-rules-in-applocker.md +++ b/windows/keep-secure/dll-rules-in-applocker.md @@ -2,7 +2,7 @@ title: DLL rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the DLL rule collection. ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md index f583b63513..72c1c10193 100644 --- a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -2,7 +2,7 @@ title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10) description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft diff --git a/windows/keep-secure/document-your-application-control-management-processes.md b/windows/keep-secure/document-your-application-control-management-processes.md index e0ef522601..6e2a75390d 100644 
--- a/windows/keep-secure/document-your-application-control-management-processes.md +++ b/windows/keep-secure/document-your-application-control-management-processes.md @@ -2,7 +2,7 @@ title: Document your application control management processes (Windows 10) description: This planning topic describes the AppLocker policy maintenance information to record for your design document. ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/document-your-application-list.md b/windows/keep-secure/document-your-application-list.md index c20e6831ad..735dc55515 100644 --- a/windows/keep-secure/document-your-application-list.md +++ b/windows/keep-secure/document-your-application-list.md @@ -2,7 +2,7 @@ title: Document your app list (Windows 10) description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/document-your-applocker-rules.md b/windows/keep-secure/document-your-applocker-rules.md index 5603fcefdc..68d32d07d7 100644 --- a/windows/keep-secure/document-your-applocker-rules.md +++ b/windows/keep-secure/document-your-applocker-rules.md @@ -2,7 +2,7 @@ title: Document your AppLocker rules (Windows 10) description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md index 73dd753654..feafcec116 100644 --- a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -2,7 +2,7 @@ title: Domain controller Allow server operators to schedule tasks (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting. ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md index 8f75f7faa7..10001b50e6 100644 --- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md @@ -2,7 +2,7 @@ title: Domain controller LDAP server signing requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting. ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md index 3d0dc98ace..563e0956a9 100644 --- a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md 
@@ -2,7 +2,7 @@ title: Domain controller Refuse machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting. ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index dde52ba0d7..b748e75485 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -2,7 +2,7 @@ title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting. ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index 9412bf6ae7..241c83b30b 100644 --- a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md 
@@ -2,7 +2,7 @@ title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting. ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md index 6f0cdd5ea0..dfa36d1360 100644 --- a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -2,7 +2,7 @@ title: Domain member Digitally sign secure channel data (when possible) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting. ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md index a7e862cea4..e933a14786 100644 --- a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md +++ b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md 
@@ -2,7 +2,7 @@ title: Domain member Disable machine account password changes (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting. ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md index b97cf3f485..841729d203 100644 --- a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md +++ b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md @@ -2,7 +2,7 @@ title: Domain member Maximum machine account password age (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting. ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md index 320d44e467..2d179f76d3 100644 --- a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md 
@@ -2,7 +2,7 @@ title: Domain member Require strong (Windows 2000 or later) session key (Windows 10) description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting. ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/edit-an-applocker-policy.md b/windows/keep-secure/edit-an-applocker-policy.md index 2faffd200f..8bd9ebfcea 100644 --- a/windows/keep-secure/edit-an-applocker-policy.md +++ b/windows/keep-secure/edit-an-applocker-policy.md @@ -2,7 +2,7 @@ title: Edit an AppLocker policy (Windows 10) description: This topic for IT professionals describes the steps required to modify an AppLocker policy. ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/edit-applocker-rules.md b/windows/keep-secure/edit-applocker-rules.md index 2f47922cd0..3fcada9c5e 100644 --- a/windows/keep-secure/edit-applocker-rules.md +++ b/windows/keep-secure/edit-applocker-rules.md @@ -2,7 +2,7 @@ title: Edit AppLocker rules (Windows 10) description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index b3dcd0cd1a..6e5addb821 100644 --- a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md 
@@ -2,7 +2,7 @@ title: Enable computer and user accounts to be trusted for delegation (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enable computer and user accounts to be trusted for delegation security policy setting. ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enable-the-dll-rule-collection.md b/windows/keep-secure/enable-the-dll-rule-collection.md index 1dd233aee5..3a23c140a8 100644 --- a/windows/keep-secure/enable-the-dll-rule-collection.md +++ b/windows/keep-secure/enable-the-dll-rule-collection.md @@ -2,7 +2,7 @@ title: Enable the DLL rule collection (Windows 10) description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/encrypted-hard-drive.md b/windows/keep-secure/encrypted-hard-drive.md index 884275ee7e..7de2f367e0 100644 --- a/windows/keep-secure/encrypted-hard-drive.md +++ b/windows/keep-secure/encrypted-hard-drive.md @@ -2,7 +2,7 @@ title: Encrypted Hard Drive (Windows 10) description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enforce-applocker-rules.md b/windows/keep-secure/enforce-applocker-rules.md index 0f83a7ff57..31ab2aa2b8 100644 --- a/windows/keep-secure/enforce-applocker-rules.md +++ b/windows/keep-secure/enforce-applocker-rules.md 
@@ -2,7 +2,7 @@ title: Enforce AppLocker rules (Windows 10) description: This topic for IT professionals describes how to enforce application control rules by using AppLocker. ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enforce-password-history.md b/windows/keep-secure/enforce-password-history.md index b78ac67236..a52801d820 100644 --- a/windows/keep-secure/enforce-password-history.md +++ b/windows/keep-secure/enforce-password-history.md @@ -2,7 +2,7 @@ title: Enforce password history (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting. ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enforce-user-logon-restrictions.md b/windows/keep-secure/enforce-user-logon-restrictions.md index 40eef86d2b..39f83bb850 100644 --- a/windows/keep-secure/enforce-user-logon-restrictions.md +++ b/windows/keep-secure/enforce-user-logon-restrictions.md @@ -2,7 +2,7 @@ title: Enforce user logon restrictions (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting. ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md index c0cd2aac59..bf8d546f56 100644 --- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md +++ b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md 
@@ -2,10 +2,11 @@ title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md index f6244f66e0..6e239a2aea 100644 --- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Review events and errors on endpoints with Event Viewer description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service. keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/executable-rules-in-applocker.md b/windows/keep-secure/executable-rules-in-applocker.md index b74b7fe29a..ebad0e1645 100644 --- a/windows/keep-secure/executable-rules-in-applocker.md +++ b/windows/keep-secure/executable-rules-in-applocker.md 
@@ -2,7 +2,7 @@ title: Executable rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the executable rule collection. ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md index 90c10baeee..6476c88d16 100644 --- a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md +++ b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md @@ -2,7 +2,7 @@ title: Export an AppLocker policy from a GPO (Windows 10) description: This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md index a5ebd52102..f3f9d22190 100644 --- a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md @@ -2,7 +2,7 @@ title: Export an AppLocker policy to an XML file (Windows 10) description: This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/file-system-global-object-access-auditing.md b/windows/keep-secure/file-system-global-object-access-auditing.md index 5853de4758..13e7b15ca7 100644 --- a/windows/keep-secure/file-system-global-object-access-auditing.md +++ b/windows/keep-secure/file-system-global-object-access-auditing.md 
@@ -2,7 +2,7 @@ title: File System (Global Object Access Auditing) (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, File System (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the file system for an entire computer. ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/force-shutdown-from-a-remote-system.md b/windows/keep-secure/force-shutdown-from-a-remote-system.md index c9f51b7ed0..e635eb56d3 100644 --- a/windows/keep-secure/force-shutdown-from-a-remote-system.md +++ b/windows/keep-secure/force-shutdown-from-a-remote-system.md @@ -2,7 +2,7 @@ title: Force shutdown from a remote system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting. ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/generate-security-audits.md b/windows/keep-secure/generate-security-audits.md index 78b578d1e3..437bdc47d0 100644 --- a/windows/keep-secure/generate-security-audits.md +++ b/windows/keep-secure/generate-security-audits.md @@ -2,7 +2,7 @@ title: Generate security audits (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Generate security audits security policy setting. ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md index f7b4350a6f..9f8709dce5 100644 
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md +++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md @@ -2,7 +2,7 @@ title: Update and manage Windows Defender in Windows 10 (Windows 10) description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell. ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md index f9af00d1cd..42e7d1cff1 100644 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md @@ -3,7 +3,7 @@ title: Get apps to run on Device Guard-protected devices (Windows 10) description: Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. ms.assetid: E62B68C3-8B9F-4842-90FC-B4EE9FF8A67E keywords: Package Inspector, packageinspector.exe, sign catalog file -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md index cf4d35de03..805ac84dfc 100644 --- a/windows/keep-secure/guidance-and-best-practices-edp.md +++ b/windows/keep-secure/guidance-and-best-practices-edp.md 
@@ -2,10 +2,11 @@ title: General guidance and best practices for enterprise data protection (EDP) (Windows 10) description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/how-applocker-works-techref.md b/windows/keep-secure/how-applocker-works-techref.md index ad2bc595e0..f9bf8450f5 100644 --- a/windows/keep-secure/how-applocker-works-techref.md +++ b/windows/keep-secure/how-applocker-works-techref.md @@ -2,7 +2,7 @@ title: How AppLocker works (Windows 10) description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md index 275dfdaccb..6a307acac3 100644 --- a/windows/keep-secure/how-to-configure-security-policy-settings.md +++ b/windows/keep-secure/how-to-configure-security-policy-settings.md @@ -3,7 +3,7 @@ title: Configure security policy settings (Windows 10) description: Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/how-user-account-control-works.md b/windows/keep-secure/how-user-account-control-works.md index ca5e6eef25..90bba5477f 100644 --- a/windows/keep-secure/how-user-account-control-works.md +++ b/windows/keep-secure/how-user-account-control-works.md @@ -2,7 +2,7 @@ title: How User Account Control works (Windows 10) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/impersonate-a-client-after-authentication.md b/windows/keep-secure/impersonate-a-client-after-authentication.md index 6735e29692..9dc1b4f485 100644 --- a/windows/keep-secure/impersonate-a-client-after-authentication.md +++ b/windows/keep-secure/impersonate-a-client-after-authentication.md @@ -2,7 +2,7 @@ title: Impersonate a client after authentication (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Impersonate a client after authentication security policy setting. ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 95e304939b..1680e13ed9 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md 
@@ -3,7 +3,7 @@ title: Implement Microsoft Passport in your organization (Windows 10) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10. ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md index 199d82deae..0f0e11976b 100644 --- a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md +++ b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md @@ -2,7 +2,7 @@ title: Import an AppLocker policy from another computer (Windows 10) description: This topic for IT professionals describes how to import an AppLocker policy. ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md index a5dfd645ac..c03e2d5282 100644 --- a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md +++ b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md @@ -2,7 +2,7 @@ title: Import an AppLocker policy into a GPO (Windows 10) description: This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/increase-a-process-working-set.md b/windows/keep-secure/increase-a-process-working-set.md index da0458fb81..237be32d51 100644 --- a/windows/keep-secure/increase-a-process-working-set.md 
+++ b/windows/keep-secure/increase-a-process-working-set.md @@ -2,7 +2,7 @@ title: Increase a process working set (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Increase a process working set security policy setting. ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/increase-scheduling-priority.md b/windows/keep-secure/increase-scheduling-priority.md index a7d5d1646b..727d53c8e1 100644 --- a/windows/keep-secure/increase-scheduling-priority.md +++ b/windows/keep-secure/increase-scheduling-priority.md @@ -2,7 +2,7 @@ title: Increase scheduling priority (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting. ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 5b1c59fb81..b605acb372 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -2,7 +2,7 @@ title: Keep Windows 10 secure (Windows 10) description: Learn about keeping Windows 10 and Windows 10 Mobile secure. ms.assetid: EA559BA8-734F-41DB-A74A-D8DBF36BE920 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md index 2b407e7511..a1d2220641 100644 --- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md 
@@ -2,7 +2,7 @@ title: Initialize and configure ownership of the TPM (Windows 10) description: This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md index 99bab3e2fa..33f7e83a76 100644 --- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md @@ -3,7 +3,7 @@ title: Install digital certificates on Windows 10 Mobile (Windows 10) description: Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. ms.assetid: FF7B1BE9-41F4-44B0-A442-249B650CEE25 keywords: S/MIME, PFX, SCEP -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md index 998c7d3a6d..7c1d049314 100644 --- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md 
@@ -2,7 +2,7 @@ title: Interactive logon Display user information when the session is locked (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Display user information when the session is locked security policy setting. ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md index 945989b859..0177def043 100644 --- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md +++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md @@ -2,7 +2,7 @@ title: Interactive logon Do not display last user name (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md index 34a748af68..f2741165ce 100644 --- a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md @@ -2,7 +2,7 @@ title: Interactive logon Do not require CTRL+ALT+DEL (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not require CTRL+ALT+DEL security policy setting. ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md index 3e7824eedb..ee2f89dfe2 100644 --- a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md @@ -2,7 +2,7 @@ title: Interactive logon Machine account lockout threshold (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine account lockout threshold security policy setting. ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md index 9fb56662fb..5ecfd51a7e 100644 --- a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md +++ b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md @@ -2,7 +2,7 @@ title: Interactive logon Machine inactivity limit (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine inactivity limit security policy setting. ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md index 2277884c62..6ee93f3d7a 100644 --- a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md 
@@ -2,7 +2,7 @@ title: Interactive logon Message text for users attempting to log on (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Message text for users attempting to log on security policy setting. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md index 7e5719c49b..5fd221ea00 100644 --- a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive logon Message title for users attempting to log on (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Message title for users attempting to log on security policy setting. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 651f08183b..c57b5db6e3 100644 --- a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md 
@@ -2,7 +2,7 @@ title: Interactive logon Number of previous logons to cache (in case domain controller is not available) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Number of previous logons to cache (in case domain controller is not available) security policy setting. ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md index 6e08f688d8..3b6173cf5c 100644 --- a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -2,7 +2,7 @@ title: Interactive logon Prompt user to change password before expiration (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Prompt user to change password before expiration security policy setting. ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 9660b5770a..0faeff4378 100644 --- a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md 
@@ -2,7 +2,7 @@ title: Interactive logon Require Domain Controller authentication to unlock workstation (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Interactive logon Require Domain Controller authentication to unlock workstation security policy setting. ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-require-smart-card.md b/windows/keep-secure/interactive-logon-require-smart-card.md index faf1834204..2441b3c3e7 100644 --- a/windows/keep-secure/interactive-logon-require-smart-card.md +++ b/windows/keep-secure/interactive-logon-require-smart-card.md @@ -2,7 +2,7 @@ title: Interactive logon Require smart card (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting. ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md index 29eba6fd2b..a2ba648b93 100644 --- a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md +++ b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md @@ -2,7 +2,7 @@ title: Interactive logon Smart card removal behavior (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Smart card removal behavior security policy setting. ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md index 02e10c15b7..20a073c239 100644 --- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection alerts description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them. keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security --- # Investigate Windows Defender Advanced Threat Protection alerts diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md index f5864ee6f3..fd75059fff 100644 --- a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection domains description: Use the investigation options to see if machines and servers have been communicating with malicious domains. keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate a domain associated with a Windows Defender ATP alert 
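Review bot: in the investigate-alerts-windows-defender-advanced-threat-protection.md hunk, the front matter closes with `---` immediately after the new `ms.pagetype: security` line and has no `author:` field, while the investigate-domain hunk in this same patch shows `author: mjcaparas` as context right after the added line. If the author tag is part of this tagging pass, add it here as well so the ATP investigation topics carry the same metadata.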
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md index 3b0b76a04d..2f82d6927e 100644 --- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection files description: Use the investigation options to get details on files associated with alerts, behaviours, or events. keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate a file associated with a Windows Defender ATP alert diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md index 5e516f6425..e1427b0400 100644 --- a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate Windows Defender Advanced Threat Protection IP address description: Use the investigation options to examine possible communication between machines and external IP addresses. keywords: investigate, investigation, IP address, alert, windows defender atp, external IP search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Investigate an IP address associated with a Windows Defender ATP alert 
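Review bot: the description context line in the investigate-files-windows-defender-advanced-threat-protection.md hunk spells "behaviours", while other front matter in this patch uses the US form (for example the title "Interactive logon Smart card removal behavior"). Since this metadata block is being edited anyway, consider changing it to "behaviors" so the description matches the rest of the library.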
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md index a248e46dd3..4778e194e5 100644 --- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Investigate machines in the Windows Defender ATP Machines view description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view. keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active malware detections, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/kerberos-policy.md b/windows/keep-secure/kerberos-policy.md index fa68f49ac1..0cb40c4482 100644 --- a/windows/keep-secure/kerberos-policy.md +++ b/windows/keep-secure/kerberos-policy.md @@ -2,7 +2,7 @@ title: Kerberos Policy (Windows 10) description: Describes the Kerberos Policy settings and provides links to policy setting descriptions. ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security From db30384d73f7cc0700b2901e9b9b45c9aa3e0b1d Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 27 May 2016 08:41:59 -0700 Subject: [PATCH 135/169] changed from opting out of MAPS to disconnecting from MAPS --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index f8496916b0..d171860de7 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1083,7 +1083,7 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr ### 19. Windows Defender -You can opt out of the Microsoft Antimalware Protection Service. +You can disconnect from the Microsoft Antimalware Protection Service. - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** From 0af0033ee2f20594c457faed7546bae26549d5da Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 27 May 2016 09:31:05 -0700 Subject: [PATCH 136/169] fixing typo --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d171860de7..616f93dc73 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -1209,7 +1209,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS | Policy | Description | |---------------------------|-----------------------------------------------------------------------------------------------------| | DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
      • 0. Turns off Delivery Optimization.

      • 1. Gets or sends updates and apps to PCs on the same NAT only.

      • 2. Gets or sends updates and apps to PCs on the same local network domain.

      • 3. Gets or sends updates and apps to PCs on the Internet.

      | -| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
      ** Note** This ID must be a GUID.| +| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
      **Note** This ID must be a GUID.| | DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
      The default value is 259200 seconds (3 days).| | DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
      The default value is 20, which represents 20% of the disk.| | DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
      The default value is 0, which means unlimited possible bandwidth.| From 3a345736a7a39de21f6e073e68c646f83e409528 Mon Sep 17 00:00:00 2001 
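Review bot: in the "### 19. Windows Defender" hunk of manage-connections-from-windows-operating-system-components-to-microsoft-services.md, the reworded sentence spells out "Microsoft Antimalware Protection Service" but the Group Policy path on the following line refers only to **MAPS** and **Join Microsoft MAPS**, and nothing in the hunk ties the two names together. Suggest "You can disconnect from the Microsoft Antimalware Protection Service (MAPS)." so an administrator looking for the policy can match it to the service being described.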
From: Jan Backstrom Date: Fri, 27 May 2016 13:46:06 -0700 Subject: [PATCH 137/169] update tagging change W10 to w10 (lower case); add ms.pagetype; added authors --- ...ge-privacy-windows-defender-advanced-threat-protection.md | 1 + ...ate-alerts-windows-defender-advanced-threat-protection.md | 1 + windows/keep-secure/load-and-unload-device-drivers.md | 2 +- windows/keep-secure/lock-pages-in-memory.md | 2 +- windows/keep-secure/log-on-as-a-batch-job.md | 2 +- windows/keep-secure/log-on-as-a-service.md | 2 +- windows/keep-secure/maintain-applocker-policies.md | 2 +- ...age-alerts-windows-defender-advanced-threat-protection.md | 4 +++- windows/keep-secure/manage-auditing-and-security-log.md | 2 +- .../manage-identity-verification-using-microsoft-passport.md | 2 +- windows/keep-secure/manage-packaged-apps-with-applocker.md | 2 +- windows/keep-secure/manage-tpm-commands.md | 2 +- windows/keep-secure/manage-tpm-lockout.md | 2 +- windows/keep-secure/maximum-lifetime-for-service-ticket.md | 2 +- .../keep-secure/maximum-lifetime-for-user-ticket-renewal.md | 2 +- windows/keep-secure/maximum-lifetime-for-user-ticket.md | 2 +- windows/keep-secure/maximum-password-age.md | 2 +- .../maximum-tolerance-for-computer-clock-synchronization.md | 2 +- .../merge-applocker-policies-by-using-set-applockerpolicy.md | 2 +- windows/keep-secure/merge-applocker-policies-manually.md | 2 +- ...ft-network-client-digitally-sign-communications-always.md | 2 +- ...-client-digitally-sign-communications-if-server-agrees.md | 2 +- ...t-send-unencrypted-password-to-third-party-smb-servers.md | 2 +- ...amount-of-idle-time-required-before-suspending-session.md | 2 +- ...rk-server-attempt-s4u2self-to-obtain-claim-information.md | 2 +- ...ft-network-server-digitally-sign-communications-always.md | 2 +- ...-server-digitally-sign-communications-if-client-agrees.md | 2 +- ...work-server-disconnect-clients-when-logon-hours-expire.md | 2 +- ...network-server-server-spn-target-name-validation-level.md | 2 +- 
.../keep-secure/microsoft-passport-and-password-changes.md | 2 +- .../microsoft-passport-errors-during-pin-creation.md | 2 +- windows/keep-secure/microsoft-passport-guide.md | 3 +-- windows/keep-secure/minimum-password-age.md | 2 +- windows/keep-secure/minimum-password-length.md | 2 +- ...quirements-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/modify-an-object-label.md | 2 +- windows/keep-secure/modify-firmware-environment-values.md | 2 +- .../keep-secure/monitor-application-usage-with-applocker.md | 2 +- .../monitor-central-access-policy-and-rule-definitions.md | 2 +- windows/keep-secure/monitor-claim-types.md | 2 +- ...onboarding-windows-defender-advanced-threat-protection.md | 3 ++- .../keep-secure/monitor-resource-attribute-definitions.md | 2 +- ...tral-access-policies-associated-with-files-and-folders.md | 2 +- ...he-central-access-policies-that-apply-on-a-file-server.md | 2 +- .../monitor-the-resource-attributes-on-files-and-folders.md | 2 +- .../monitor-the-use-of-removable-storage-devices.md | 2 +- .../monitor-user-and-device-claims-during-sign-in.md | 2 +- .../network-access-allow-anonymous-sidname-translation.md | 2 +- ...allow-anonymous-enumeration-of-sam-accounts-and-shares.md | 2 +- ...ess-do-not-allow-anonymous-enumeration-of-sam-accounts.md | 2 +- ...f-passwords-and-credentials-for-network-authentication.md | 2 +- ...cess-let-everyone-permissions-apply-to-anonymous-users.md | 2 +- ...rk-access-named-pipes-that-can-be-accessed-anonymously.md | 2 +- ...access-remotely-accessible-registry-paths-and-subpaths.md | 2 +- .../network-access-remotely-accessible-registry-paths.md | 2 +- ...ss-restrict-anonymous-access-to-named-pipes-and-shares.md | 2 +- ...network-access-shares-that-can-be-accessed-anonymously.md | 2 +- ...k-access-sharing-and-security-model-for-local-accounts.md | 2 +- windows/keep-secure/network-list-manager-policies.md | 2 +- ...y-allow-local-system-to-use-computer-identity-for-ntlm.md | 2 +- 
...twork-security-allow-localsystem-null-session-fallback.md | 2 +- ...ion-requests-to-this-computer-to-use-online-identities.md | 2 +- ...curity-configure-encryption-types-allowed-for-kerberos.md | 2 +- ...t-store-lan-manager-hash-value-on-next-password-change.md | 2 +- .../network-security-force-logoff-when-logon-hours-expire.md | 2 +- .../network-security-lan-manager-authentication-level.md | 2 +- .../network-security-ldap-client-signing-requirements.md | 2 +- ...curity-for-ntlm-ssp-based-including-secure-rpc-clients.md | 2 +- ...curity-for-ntlm-ssp-based-including-secure-rpc-servers.md | 2 +- ...m-add-remote-server-exceptions-for-ntlm-authentication.md | 2 +- ...ity-restrict-ntlm-add-server-exceptions-in-this-domain.md | 2 +- ...ork-security-restrict-ntlm-audit-incoming-ntlm-traffic.md | 2 +- ...restrict-ntlm-audit-ntlm-authentication-in-this-domain.md | 2 +- .../network-security-restrict-ntlm-incoming-ntlm-traffic.md | 2 +- ...urity-restrict-ntlm-ntlm-authentication-in-this-domain.md | 2 +- ...-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 2 +- ...-configure-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/optimize-applocker-performance.md | 2 +- windows/keep-secure/overview-create-edp-policy.md | 3 ++- ...ged-apps-and-packaged-app-installer-rules-in-applocker.md | 2 +- windows/keep-secure/passport-event-300.md | 4 ++-- .../password-must-meet-complexity-requirements.md | 2 +- windows/keep-secure/password-policy.md | 2 +- windows/keep-secure/perform-volume-maintenance-tasks.md | 2 +- windows/keep-secure/plan-for-applocker-policy-management.md | 2 +- ...lanning-and-deploying-advanced-security-audit-policies.md | 2 +- ...l-overview-windows-defender-advanced-threat-protection.md | 3 ++- .../keep-secure/prepare-people-to-use-microsoft-passport.md | 2 +- ...-your-organization-for-bitlocker-planning-and-policies.md | 2 +- windows/keep-secure/profile-single-process.md | 2 +- windows/keep-secure/profile-system-performance.md | 2 
+- .../keep-secure/protect-bitlocker-from-pre-boot-attacks.md | 2 +- windows/keep-secure/protect-enterprise-data-using-edp.md | 5 +++-- ...-by-controlling-the-health-of-windows-10-based-devices.md | 4 ++-- ...hared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- .../recovery-console-allow-automatic-administrative-logon.md | 2 +- ...allow-floppy-copy-and-access-to-all-drives-and-folders.md | 2 +- windows/keep-secure/refresh-an-applocker-policy.md | 2 +- .../keep-secure/registry-global-object-access-auditing.md | 2 +- windows/keep-secure/remove-computer-from-docking-station.md | 2 +- windows/keep-secure/replace-a-process-level-token.md | 2 +- .../requirements-for-deploying-applocker-policies.md | 2 +- windows/keep-secure/requirements-to-use-applocker.md | 2 +- windows/keep-secure/reset-account-lockout-counter-after.md | 2 +- windows/keep-secure/restore-files-and-directories.md | 2 +- .../run-cmd-scan-windows-defender-for-windows-10.md | 3 ++- .../run-the-automatically-generate-rules-wizard.md | 2 +- windows/keep-secure/script-rules-in-applocker.md | 2 +- .../secpol-advanced-security-audit-policy-settings.md | 2 +- windows/keep-secure/security-auditing-overview.md | 2 +- windows/keep-secure/security-considerations-for-applocker.md | 2 +- windows/keep-secure/security-options.md | 2 +- windows/keep-secure/security-policy-settings-reference.md | 2 +- windows/keep-secure/security-policy-settings.md | 2 +- windows/keep-secure/security-technologies.md | 2 +- windows/keep-secure/select-types-of-rules-to-create.md | 2 +- ...onboarding-windows-defender-advanced-threat-protection.md | 3 ++- .../settings-windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/shut-down-the-system.md | 2 +- ...-allow-system-to-be-shut-down-without-having-to-log-on.md | 2 +- .../keep-secure/shutdown-clear-virtual-memory-pagefile.md | 2 +- .../store-passwords-using-reversible-encryption.md | 2 +- windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md | 2 +- 
windows/keep-secure/synchronize-directory-service-data.md | 2 +- ...ng-key-protection-for-user-keys-stored-on-the-computer.md | 2 +- ...ompliant-algorithms-for-encryption-hashing-and-signing.md | 2 +- ...-require-case-insensitivity-for-non-windows-subsystems.md | 2 +- ...engthen-default-permissions-of-internal-system-objects.md | 2 +- windows/keep-secure/system-settings-optional-subsystems.md | 2 +- ...-windows-executables-for-software-restriction-policies.md | 2 +- .../keep-secure/take-ownership-of-files-or-other-objects.md | 2 +- ...test-an-applocker-policy-by-using-test-applockerpolicy.md | 2 +- windows/keep-secure/test-and-update-an-applocker-policy.md | 2 +- windows/keep-secure/testing-scenarios-for-edp.md | 5 +++-- windows/keep-secure/tools-to-use-with-applocker.md | 2 +- windows/keep-secure/tpm-fundamentals.md | 2 +- windows/keep-secure/tpm-recommendations.md | 2 +- ...onboarding-windows-defender-advanced-threat-protection.md | 3 ++- ...oubleshoot-windows-defender-advanced-threat-protection.md | 3 ++- .../troubleshoot-windows-defender-in-windows-10.md | 2 +- windows/keep-secure/trusted-platform-module-overview.md | 2 +- ...trusted-platform-module-services-group-policy-settings.md | 2 +- .../types-of-attacks-for-volume-encryption-keys.md | 2 +- .../keep-secure/understand-applocker-enforcement-settings.md | 2 +- .../understand-applocker-policy-design-decisions.md | 2 +- ...es-and-enforcement-setting-inheritance-in-group-policy.md | 2 +- .../understand-the-applocker-policy-deployment-process.md | 2 +- ...nderstanding-applocker-allow-and-deny-actions-on-rules.md | 2 +- windows/keep-secure/understanding-applocker-default-rules.md | 2 +- windows/keep-secure/understanding-applocker-rule-behavior.md | 2 +- .../keep-secure/understanding-applocker-rule-collections.md | 2 +- .../understanding-applocker-rule-condition-types.md | 2 +- .../keep-secure/understanding-applocker-rule-exceptions.md | 2 +- ...nderstanding-the-file-hash-rule-condition-in-applocker.md | 2 +- 
.../understanding-the-path-rule-condition-in-applocker.md | 2 +- ...nderstanding-the-publisher-rule-condition-in-applocker.md | 2 +- ...nce-computer-to-create-and-maintain-applocker-policies.md | 2 +- ...r-and-software-restriction-policies-in-the-same-domain.md | 2 +- .../use-the-applocker-windows-powershell-cmdlets.md | 2 +- .../use-windows-defender-advanced-threat-protection.md | 3 ++- ...ows-event-forwarding-to-assist-in-instrusion-detection.md | 2 +- ...n-approval-mode-for-the-built-in-administrator-account.md | 2 +- ...-prompt-for-elevation-without-using-the-secure-desktop.md | 2 +- ...ation-prompt-for-administrators-in-admin-approval-mode.md | 2 +- ...ol-behavior-of-the-elevation-prompt-for-standard-users.md | 2 +- ...ect-application-installations-and-prompt-for-elevation.md | 2 +- ...account-control-group-policy-and-registry-key-settings.md | 4 +++- ...only-elevate-executables-that-are-signed-and-validated.md | 2 +- ...ss-applications-that-are-installed-in-secure-locations.md | 2 +- windows/keep-secure/user-account-control-overview.md | 2 +- ...-control-run-all-administrators-in-admin-approval-mode.md | 2 +- .../user-account-control-security-policy-settings.md | 4 ++-- ...tch-to-the-secure-desktop-when-prompting-for-elevation.md | 2 +- ...file-and-registry-write-failures-to-per-user-locations.md | 2 +- windows/keep-secure/user-rights-assignment.md | 2 +- ...ting-options-to-monitor-dynamic-access-control-objects.md | 2 +- windows/keep-secure/using-event-viewer-with-applocker.md | 2 +- ...g-software-restriction-policies-and-applocker-policies.md | 2 +- windows/keep-secure/view-the-security-event-log.md | 2 +- windows/keep-secure/vpn-profile-options.md | 4 ++-- windows/keep-secure/what-is-applocker.md | 2 +- ...of-windows-support-advanced-audit-policy-configuration.md | 2 +- windows/keep-secure/why-a-pin-is-better-than-a-password.md | 2 +- windows/keep-secure/windows-10-enterprise-security-guides.md | 4 ++-- 
windows/keep-secure/windows-10-mobile-security-guide.md | 4 ++-- windows/keep-secure/windows-10-security-guide.md | 2 +- .../windows-defender-advanced-threat-protection.md | 3 ++- windows/keep-secure/windows-defender-in-windows-10.md | 2 +- windows/keep-secure/windows-hello-in-enterprise.md | 5 +++-- windows/keep-secure/windows-installer-rules-in-applocker.md | 2 +- windows/keep-secure/working-with-applocker-policies.md | 2 +- windows/keep-secure/working-with-applocker-rules.md | 2 +- 192 files changed, 220 insertions(+), 200 deletions(-) diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md index 6db6f55321..a5d2bec8ce 100644 --- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +author: mjcaparas --- # Windows Defender ATP data storage and privacy diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md index 20a073c239..d724b1862d 100644 --- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +author: mjcaparas --- # Investigate Windows Defender Advanced Threat Protection alerts diff --git a/windows/keep-secure/load-and-unload-device-drivers.md b/windows/keep-secure/load-and-unload-device-drivers.md index 0ef993463c..a0500dbf3c 100644 --- a/windows/keep-secure/load-and-unload-device-drivers.md +++ b/windows/keep-secure/load-and-unload-device-drivers.md 
@@ -2,7 +2,7 @@ title: Load and unload device drivers (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting. ms.assetid: 66262532-c610-470c-9792-35ff4389430f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/lock-pages-in-memory.md b/windows/keep-secure/lock-pages-in-memory.md index c2d3f4a39d..c1da29a511 100644 --- a/windows/keep-secure/lock-pages-in-memory.md +++ b/windows/keep-secure/lock-pages-in-memory.md @@ -2,7 +2,7 @@ title: Lock pages in memory (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Lock pages in memory security policy setting. ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/log-on-as-a-batch-job.md b/windows/keep-secure/log-on-as-a-batch-job.md index 6ffcaa330e..e2be507be1 100644 --- a/windows/keep-secure/log-on-as-a-batch-job.md +++ b/windows/keep-secure/log-on-as-a-batch-job.md @@ -2,7 +2,7 @@ title: Log on as a batch job (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a batch job security policy setting. ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/log-on-as-a-service.md b/windows/keep-secure/log-on-as-a-service.md index 04d7784d74..eff13752ec 100644 --- a/windows/keep-secure/log-on-as-a-service.md +++ b/windows/keep-secure/log-on-as-a-service.md 
@@ -2,7 +2,7 @@ title: Log on as a service (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a service security policy setting. ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maintain-applocker-policies.md b/windows/keep-secure/maintain-applocker-policies.md index bc85d3af36..43bd39884e 100644 --- a/windows/keep-secure/maintain-applocker-policies.md +++ b/windows/keep-secure/maintain-applocker-policies.md @@ -2,7 +2,7 @@ title: Maintain AppLocker policies (Windows 10) description: This topic describes how to maintain rules within AppLocker policies. ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md index 12cc2527bd..718b2e22ce 100644 --- a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md @@ -3,9 +3,11 @@ title: Manage Windows Defender Advanced Threat Protection alerts description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu. keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: mjcaparas --- # Manage Windows Defender Advanced Threat Protection alerts 
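Review bot: the keywords context line in the manage-alerts-windows-defender-advanced-threat-protection.md hunk lists "supression" next to "suppress". If that is not a deliberate misspelling kept for search matching, correct it to "suppression" while the front matter is being touched.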
diff --git a/windows/keep-secure/manage-auditing-and-security-log.md b/windows/keep-secure/manage-auditing-and-security-log.md index 48c840cc7b..7a6cfdc0ea 100644 --- a/windows/keep-secure/manage-auditing-and-security-log.md +++ b/windows/keep-secure/manage-auditing-and-security-log.md @@ -2,7 +2,7 @@ title: Manage auditing and security log (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Manage auditing and security log security policy setting. ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 7f4b06da3d..bb891d67c5 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md @@ -3,7 +3,7 @@ title: Manage identity verification using Microsoft Passport (Windows 10) description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-packaged-apps-with-applocker.md b/windows/keep-secure/manage-packaged-apps-with-applocker.md index dcad549bfa..e1a7639af3 100644 --- a/windows/keep-secure/manage-packaged-apps-with-applocker.md +++ b/windows/keep-secure/manage-packaged-apps-with-applocker.md 
@@ -2,7 +2,7 @@ title: Manage packaged apps with AppLocker (Windows 10) description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/keep-secure/manage-tpm-commands.md index 1aa0ca5061..0620207ec5 100644 --- a/windows/keep-secure/manage-tpm-commands.md +++ b/windows/keep-secure/manage-tpm-commands.md @@ -2,7 +2,7 @@ title: Manage TPM commands (Windows 10) description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md index 7c75700ed0..61c94cc77e 100644 --- a/windows/keep-secure/manage-tpm-lockout.md +++ b/windows/keep-secure/manage-tpm-lockout.md @@ -2,7 +2,7 @@ title: Manage TPM lockout (Windows 10) description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-lifetime-for-service-ticket.md b/windows/keep-secure/maximum-lifetime-for-service-ticket.md index 3a0a6fff86..fd43969eb0 100644 --- a/windows/keep-secure/maximum-lifetime-for-service-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-service-ticket.md 
@@ -2,7 +2,7 @@ title: Maximum lifetime for service ticket (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting. ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md index c1f175c55b..f807fae4e2 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md @@ -2,7 +2,7 @@ title: Maximum lifetime for user ticket renewal (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting. ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket.md b/windows/keep-secure/maximum-lifetime-for-user-ticket.md index e1a9089dd7..e37ae53435 100644 --- a/windows/keep-secure/maximum-lifetime-for-user-ticket.md +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket.md @@ -2,7 +2,7 @@ title: Maximum lifetime for user ticket (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting. ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-password-age.md b/windows/keep-secure/maximum-password-age.md index 30fb8319a2..488f04f383 100644 --- a/windows/keep-secure/maximum-password-age.md 
+++ b/windows/keep-secure/maximum-password-age.md @@ -2,7 +2,7 @@ title: Maximum password age (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting. ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md index f5f976b55a..63ebd1f934 100644 --- a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md @@ -2,7 +2,7 @@ title: Maximum tolerance for computer clock synchronization (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting. ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md index 42b8495ede..2e095a1533 100644 --- a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -2,7 +2,7 @@ title: Merge AppLocker policies by using Set-ApplockerPolicy (Windows 10) description: This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/merge-applocker-policies-manually.md b/windows/keep-secure/merge-applocker-policies-manually.md index c511afb3cd..2747de84e0 100644 --- a/windows/keep-secure/merge-applocker-policies-manually.md +++ b/windows/keep-secure/merge-applocker-policies-manually.md @@ -2,7 +2,7 @@ title: Merge AppLocker policies manually (Windows 10) description: This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md index 597e001a91..1cb4c83e11 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md @@ -2,7 +2,7 @@ title: Microsoft network client Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 3f25ac2921..4594534751 100644 --- a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md 
@@ -2,7 +2,7 @@ title: Microsoft network client Digitally sign communications (if server agrees) (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting. ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 56635e06cc..901baabc0f 100644 --- a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -2,7 +2,7 @@ title: Microsoft network client Send unencrypted password to third-party SMB servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Send unencrypted password to third-party SMB servers security policy setting. ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 76e38d84c1..f124f2216c 100644 --- a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md 
@@ -2,7 +2,7 @@ title: Microsoft network server Amount of idle time required before suspending session (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network server Amount of idle time required before suspending session security policy setting. ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index ea1b074c71..d979a1d65a 100644 --- a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -2,7 +2,7 @@ title: Microsoft network server Attempt S4U2Self to obtain claim information (Windows 10) description: Describes the best practices, location, values, management, and security considerations for the Microsoft network server Attempt S4U2Self to obtain claim information security policy setting. ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md index 23d423e6d9..e71590b3cf 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md 
@@ -2,7 +2,7 @@ title: Microsoft network server Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting. ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 2f327071cb..6ad33d8c8d 100644 --- a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -2,7 +2,7 @@ title: Microsoft network server Digitally sign communications (if client agrees) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting. ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index b2737896f1..529004e2f0 100644 --- a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md 
@@ -2,7 +2,7 @@ title: Microsoft network server Disconnect clients when logon hours expire (Windows 10) description: Describes the best practices, location, values, and security considerations for the Microsoft network server Disconnect clients when logon hours expire security policy setting. ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md index b5d71aae14..6096400f68 100644 --- a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md @@ -2,7 +2,7 @@ title: Microsoft network server Server SPN target name validation level (Windows 10) description: Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server Server SPN target name validation level security policy setting. ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index 4325261928..ceebe00f0a 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md @@ -2,7 +2,7 @@ title: Microsoft Passport and password changes (Windows 10) description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index a9483a0b56..490c5c9e6e 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md @@ -3,7 +3,7 @@ title: Microsoft Passport errors during PIN creation (Windows 10) description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 keywords: PIN, error, create a work PIN -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index 70f6296988..b78b6f94f7 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -3,8 +3,7 @@ title: Microsoft Passport guide (Windows 10) description: This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84 keywords: security, credential, password, authentication -ms.prod: W10 -ms.pagetype: security +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/minimum-password-age.md b/windows/keep-secure/minimum-password-age.md index a975b21ff4..d56c232478 100644 --- a/windows/keep-secure/minimum-password-age.md +++ b/windows/keep-secure/minimum-password-age.md @@ -2,7 +2,7 @@ title: Minimum password age (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting. ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/minimum-password-length.md b/windows/keep-secure/minimum-password-length.md index 79281f850c..39c8f9fa60 100644 --- a/windows/keep-secure/minimum-password-length.md +++ b/windows/keep-secure/minimum-password-length.md @@ -2,7 +2,7 @@ title: Minimum password length (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting. ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index fa17f2947f..91db7537e8 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Minimum requirements for Windows Defender Advanced Threat Protection description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP. keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/modify-an-object-label.md b/windows/keep-secure/modify-an-object-label.md index a984a42a33..fecfb339d8 100644 --- a/windows/keep-secure/modify-an-object-label.md +++ b/windows/keep-secure/modify-an-object-label.md 
@@ -2,7 +2,7 @@ title: Modify an object label (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Modify an object label security policy setting. ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/modify-firmware-environment-values.md b/windows/keep-secure/modify-firmware-environment-values.md index 2dcc1d8dfc..e4f6b85eb1 100644 --- a/windows/keep-secure/modify-firmware-environment-values.md +++ b/windows/keep-secure/modify-firmware-environment-values.md @@ -2,7 +2,7 @@ title: Modify firmware environment values (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Modify firmware environment values security policy setting. ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-application-usage-with-applocker.md b/windows/keep-secure/monitor-application-usage-with-applocker.md index 14b94f4745..87ead686b6 100644 --- a/windows/keep-secure/monitor-application-usage-with-applocker.md +++ b/windows/keep-secure/monitor-application-usage-with-applocker.md @@ -2,7 +2,7 @@ title: Monitor app usage with AppLocker (Windows 10) description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md index 11e4efc2be..6904612d1c 100644 --- a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md 
+++ b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md @@ -2,7 +2,7 @@ title: Monitor central access policy and rule definitions (Windows 10) description: This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-claim-types.md b/windows/keep-secure/monitor-claim-types.md index 9220126e6c..fcbaaa93b0 100644 --- a/windows/keep-secure/monitor-claim-types.md +++ b/windows/keep-secure/monitor-claim-types.md @@ -2,7 +2,7 @@ title: Monitor claim types (Windows 10) description: This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md index 67ff38e86d..8babe1f172 100644 --- a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Monitor Windows Defender ATP onboarding description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports. keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/monitor-resource-attribute-definitions.md b/windows/keep-secure/monitor-resource-attribute-definitions.md index 42bd9b783e..75bff821fe 100644 --- a/windows/keep-secure/monitor-resource-attribute-definitions.md +++ b/windows/keep-secure/monitor-resource-attribute-definitions.md @@ -2,7 +2,7 @@ title: Monitor resource attribute definitions (Windows 10) description: This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md index db6155e24b..74e926c90b 100644 --- a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md 
@@ -2,7 +2,7 @@ title: Monitor the central access policies associated with files and folders (Windows 10) description: This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md index aeee1c4b35..4e21c32c36 100644 --- a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -2,7 +2,7 @@ title: Monitor the central access policies that apply on a file server (Windows 10) description: This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md index fd2edb8b75..5849cc955c 100644 --- a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md 
@@ -2,7 +2,7 @@ title: Monitor the resource attributes on files and folders (Windows 10) description: This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md index c850719ed9..7665d0dddc 100644 --- a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md +++ b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md @@ -2,7 +2,7 @@ title: Monitor the use of removable storage devices (Windows 10) description: This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md index 8e767cf028..f95697b152 100644 --- a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md 
@@ -2,7 +2,7 @@ title: Monitor user and device claims during sign-in (Windows 10) description: This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md index 6c14b5a06f..206c76f7fc 100644 --- a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md +++ b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md @@ -2,7 +2,7 @@ title: Network access Allow anonymous SID/Name translation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Allow anonymous SID/Name translation security policy setting. ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index 52eb452b76..7de439ad10 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md 
@@ -2,7 +2,7 @@ title: Network access Do not allow anonymous enumeration of SAM accounts and shares (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts and shares security policy setting. ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 20f6455173..1a8d592782 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -2,7 +2,7 @@ title: Network access Do not allow anonymous enumeration of SAM accounts (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting. ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index ec12a8c647..a60b14af97 100644 --- a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md 
@@ -2,7 +2,7 @@ title: Network access Do not allow storage of passwords and credentials for network authentication (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Do not allow storage of passwords and credentials for network authentication security policy setting. ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md index eedd57751a..02f1530efb 100644 --- a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -2,7 +2,7 @@ title: Network access Let Everyone permissions apply to anonymous users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Let Everyone permissions apply to anonymous users security policy setting. ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md index ab8eff2298..68f545297d 100644 --- a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md 
@@ -2,7 +2,7 @@ title: Network access Named Pipes that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Named Pipes that can be accessed anonymously security policy setting. ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md index d7a01b9e6e..3dc22f67e2 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -2,7 +2,7 @@ title: Network access Remotely accessible registry paths and subpaths (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Remotely accessible registry paths and subpaths security policy setting. ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md index 86fd1783e9..88c2340130 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md 
@@ -2,7 +2,7 @@ title: Network access Remotely accessible registry paths (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Remotely accessible registry paths security policy setting. ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index 84be70c08b..75a2e71242 100644 --- a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -2,7 +2,7 @@ title: Network access Restrict anonymous access to Named Pipes and Shares (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Restrict anonymous access to Named Pipes and Shares security policy setting. ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md index b4505320e4..4f53f77bdc 100644 --- a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md 
@@ -2,7 +2,7 @@ title: Network access Shares that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Shares that can be accessed anonymously security policy setting. ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md index fee079071d..aab32aedb6 100644 --- a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md @@ -2,7 +2,7 @@ title: Network access Sharing and security model for local accounts (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Sharing and security model for local accounts security policy setting. ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-list-manager-policies.md b/windows/keep-secure/network-list-manager-policies.md index 11de5e4da7..1488ba7052 100644 --- a/windows/keep-secure/network-list-manager-policies.md +++ b/windows/keep-secure/network-list-manager-policies.md @@ -2,7 +2,7 @@ title: Network List Manager policies (Windows 10) description: Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 929606cb16..0c3458656e 100644 --- a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -2,7 +2,7 @@ title: Network security Allow Local System to use computer identity for NTLM (Windows 10) description: Describes the location, values, policy management, and security considerations for the Network security Allow Local System to use computer identity for NTLM security policy setting. ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md index 34b487bba3..405f149efa 100644 --- a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md @@ -2,7 +2,7 @@ title: Network security Allow LocalSystem NULL session fallback (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting. ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index a381d1388c..fe460ccefd 100644 
--- a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -2,7 +2,7 @@ title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10) description: Describes the best practices, location, and values for the Network Security Allow PKU2U authentication requests to this computer to use online identities security policy setting. ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md index 7ca22f98c0..bcbe56a0ef 100644 --- a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -2,7 +2,7 @@ title: Network security Configure encryption types allowed for Kerberos Win7 only (Windows 10) description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting. ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 95b335005c..11984a8b59 100644 --- a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md 
+++ b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -2,7 +2,7 @@ title: Network security Do not store LAN Manager hash value on next password change (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Do not store LAN Manager hash value on next password change security policy setting. ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md index f6dd03a829..a302a70695 100644 --- a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md @@ -2,7 +2,7 @@ title: Network security Force logoff when logon hours expire (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Force logoff when logon hours expire security policy setting. ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-lan-manager-authentication-level.md b/windows/keep-secure/network-security-lan-manager-authentication-level.md index 5d8a5343aa..3ae2b1240e 100644 --- a/windows/keep-secure/network-security-lan-manager-authentication-level.md +++ b/windows/keep-secure/network-security-lan-manager-authentication-level.md 
@@ -2,7 +2,7 @@ title: Network security LAN Manager authentication level (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security LAN Manager authentication level security policy setting. ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-ldap-client-signing-requirements.md b/windows/keep-secure/network-security-ldap-client-signing-requirements.md index 5207e6e65f..158b64ed3c 100644 --- a/windows/keep-secure/network-security-ldap-client-signing-requirements.md +++ b/windows/keep-secure/network-security-ldap-client-signing-requirements.md @@ -2,7 +2,7 @@ title: Network security LDAP client signing requirements (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index ba6527767f..b9a0e71329 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md 
@@ -2,7 +2,7 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting. ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index 6bd65a6591..752b9c97c1 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -2,7 +2,7 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting. ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index ca5c6d20da..74c9b41100 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md 
+++ b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add remote server exceptions for NTLM authentication security policy setting. ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 8a29a1cbad..e16e7c0ff3 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM Add server exceptions in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add server exceptions in this domain security policy setting. ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 30716f504d..f5b4bd4032 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md 
@@ -2,7 +2,7 @@ title: Network security Restrict NTLM Audit incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit incoming NTLM traffic security policy setting. ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 4bda1da37a..c4254e5036 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM Audit NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit NTLM authentication in this domain security policy setting. ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 270051f5d3..fba51b1a73 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md 
@@ -2,7 +2,7 @@ title: Network security Restrict NTLM Incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Incoming NTLM traffic security policy setting. ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 8389b3ad72..407c4b9976 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -2,7 +2,7 @@ title: Network security Restrict NTLM NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM NTLM authentication in this domain security policy setting. ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 439657d395..896cdbadc1 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md 
@@ -2,7 +2,7 @@ title: Network security Restrict NTLM Outgoing NTLM traffic to remote servers (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Outgoing NTLM traffic to remote servers security policy setting. ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md index baf6178433..eaaa736c69 100644 --- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Onboard endpoints and set up the Windows Defender ATP user access description: Set up user access in Azure Active Directory and use Group Policy, SCCM, or do manual registry changes to onboard endpoints to the service. keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/optimize-applocker-performance.md b/windows/keep-secure/optimize-applocker-performance.md index cdd61ef5e2..ff8f099f2d 100644 --- a/windows/keep-secure/optimize-applocker-performance.md +++ b/windows/keep-secure/optimize-applocker-performance.md @@ -2,7 +2,7 @@ title: Optimize AppLocker performance (Windows 10) description: This topic for IT professionals describes how to optimize AppLocker policy enforcement. ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md index 24e6c6a647..0ca5b7cbd1 100644 --- a/windows/keep-secure/overview-create-edp-policy.md +++ b/windows/keep-secure/overview-create-edp-policy.md @@ -2,9 +2,10 @@ title: Create an enterprise data protection (EDP) policy (Windows 10) description: Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index db85e986ec..b17006c05a 100644 --- a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -2,7 +2,7 @@ title: Packaged apps and packaged app installer rules in AppLocker (Windows 10) description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps. ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index 1d055b34c7..9a7c694ae0 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md 
@@ -2,8 +2,8 @@ title: Event ID 300 - Passport successfully created (Windows 10) description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 -keywords: ["ngc"] -ms.prod: W10 +keywords: ngc +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/password-must-meet-complexity-requirements.md b/windows/keep-secure/password-must-meet-complexity-requirements.md index c8b513828e..d51142a117 100644 --- a/windows/keep-secure/password-must-meet-complexity-requirements.md +++ b/windows/keep-secure/password-must-meet-complexity-requirements.md @@ -2,7 +2,7 @@ title: Password must meet complexity requirements (Windows 10) description: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting. ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/password-policy.md b/windows/keep-secure/password-policy.md index fd3d56e268..4198fac995 100644 --- a/windows/keep-secure/password-policy.md +++ b/windows/keep-secure/password-policy.md @@ -2,7 +2,7 @@ title: Password Policy (Windows 10) description: An overview of password policies for Windows and links to information for each policy setting. ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/perform-volume-maintenance-tasks.md b/windows/keep-secure/perform-volume-maintenance-tasks.md index 4a7f305290..dae56942a1 100644 --- a/windows/keep-secure/perform-volume-maintenance-tasks.md +++ b/windows/keep-secure/perform-volume-maintenance-tasks.md 
@@ -2,7 +2,7 @@ title: Perform volume maintenance tasks (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Perform volume maintenance tasks security policy setting. ms.assetid: b6990813-3898-43e2-8221-c9c06d893244 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/plan-for-applocker-policy-management.md b/windows/keep-secure/plan-for-applocker-policy-management.md index 0fa131561e..96d65e5c32 100644 --- a/windows/keep-secure/plan-for-applocker-policy-management.md +++ b/windows/keep-secure/plan-for-applocker-policy-management.md @@ -2,7 +2,7 @@ title: Plan for AppLocker policy management (Windows 10) description: This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md index c9a1917ba3..1fa912d181 100644 --- a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md @@ -2,7 +2,7 @@ title: Planning and deploying advanced security audit policies (Windows 10) description: This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md index b5dae385ac..4eaf0224ec 100644 --- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection portal overview description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: DulceMV --- diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index 74cebb3914..d377aafd3e 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -3,7 +3,7 @@ title: Prepare people to use Microsoft Passport (Windows 10) description: When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization. ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B keywords: identity, PIN, biometric, Hello -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md index 3c5e402383..c30af5a4c1 100644 
--- a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -2,7 +2,7 @@ title: Prepare your organization for BitLocker Planning and policies (Windows 10) description: This topic for the IT professional explains how can you plan your BitLocker deployment. ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/profile-single-process.md b/windows/keep-secure/profile-single-process.md index bcb68afa86..0dce3bdffe 100644 --- a/windows/keep-secure/profile-single-process.md +++ b/windows/keep-secure/profile-single-process.md @@ -2,7 +2,7 @@ title: Profile single process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Profile single process security policy setting. ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/profile-system-performance.md b/windows/keep-secure/profile-system-performance.md index 5166f4de6f..d7b5f3b8fc 100644 --- a/windows/keep-secure/profile-system-performance.md +++ b/windows/keep-secure/profile-system-performance.md @@ -2,7 +2,7 @@ title: Profile system performance (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the Profile system performance security policy setting. ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md index 1b1c4370f3..197d906dd6 100644 --- a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md +++ b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md @@ -2,7 +2,7 @@ title: Protect BitLocker from pre-boot attacks (Windows 10) description: This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. ms.assetid: 24d19988-fc79-4c45-b392-b39cba4ec86b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md index d647af4367..e3da331f91 100644 --- a/windows/keep-secure/protect-enterprise-data-using-edp.md +++ b/windows/keep-secure/protect-enterprise-data-using-edp.md @@ -2,10 +2,11 @@ title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10) description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 2550941ba3..61313be105 100644 
--- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -3,10 +3,10 @@ title: Control the health of Windows 10-based devices (Windows 10) description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873 keywords: security, BYOD, malware, device health attestation, mobile -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security; devices +ms.pagetype: security, devices author: arnaudjumelet --- diff --git a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index fc092b8a95..aaf71600b1 100644 --- a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -2,7 +2,7 @@ title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10) description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker. ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md index 394b4421db..4ef6ba5277 100644 --- a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md 
@@ -2,7 +2,7 @@ title: Recovery console Allow automatic administrative logon (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow automatic administrative logon security policy setting. ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 23aad36087..d8945335fa 100644 --- a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -2,7 +2,7 @@ title: Recovery console Allow floppy copy and access to all drives and folders (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow floppy copy and access to all drives and folders security policy setting. ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/refresh-an-applocker-policy.md b/windows/keep-secure/refresh-an-applocker-policy.md index fd227910c6..719bfb599b 100644 --- a/windows/keep-secure/refresh-an-applocker-policy.md +++ b/windows/keep-secure/refresh-an-applocker-policy.md @@ -2,7 +2,7 @@ title: Refresh an AppLocker policy (Windows 10) description: This topic for IT professionals describes the steps to force an update for an AppLocker policy. ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
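Review bot: in protect-enterprise-data-using-edp.md the `keywords` line changes type as well as format. The removed value `["EDP", "Enterprise Data Protection"]` is a YAML sequence, and the added value `EDP, Enterprise Data Protection` is a single plain string. The string form matches the comma-separated `keywords` line visible as context in protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md, so it looks like the intended convention, but it is a different kind of change from the `ms.prod: W10` to `ms.prod: w10` case normalization in the same hunk. Confirm that whatever reads this front matter expects a string here, and say so in the commit message. The same conversion is made in testing-scenarios-for-edp.md.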
diff --git a/windows/keep-secure/registry-global-object-access-auditing.md b/windows/keep-secure/registry-global-object-access-auditing.md index 087c5f60fc..b734cec46b 100644 --- a/windows/keep-secure/registry-global-object-access-auditing.md +++ b/windows/keep-secure/registry-global-object-access-auditing.md @@ -2,7 +2,7 @@ title: Registry (Global Object Access Auditing) (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Registry (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the registry of a computer. ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/keep-secure/remove-computer-from-docking-station.md index 06949c5258..ee3b81a7d3 100644 --- a/windows/keep-secure/remove-computer-from-docking-station.md +++ b/windows/keep-secure/remove-computer-from-docking-station.md @@ -2,7 +2,7 @@ title: Remove computer from docking station (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting. ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/replace-a-process-level-token.md b/windows/keep-secure/replace-a-process-level-token.md index 0beaf15c90..5361f2a589 100644 --- a/windows/keep-secure/replace-a-process-level-token.md +++ b/windows/keep-secure/replace-a-process-level-token.md 
@@ -2,7 +2,7 @@ title: Replace a process level token (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Replace a process level token security policy setting. ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md index f1608ee829..e3b6c29aa7 100644 --- a/windows/keep-secure/requirements-for-deploying-applocker-policies.md +++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md @@ -2,7 +2,7 @@ title: Requirements for deploying AppLocker policies (Windows 10) description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/requirements-to-use-applocker.md b/windows/keep-secure/requirements-to-use-applocker.md index f9c5f24fae..6389eb2755 100644 --- a/windows/keep-secure/requirements-to-use-applocker.md +++ b/windows/keep-secure/requirements-to-use-applocker.md @@ -2,7 +2,7 @@ title: Requirements to use AppLocker (Windows 10) description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/reset-account-lockout-counter-after.md b/windows/keep-secure/reset-account-lockout-counter-after.md index ebefbb2d0c..d3e6f545ed 100644 --- a/windows/keep-secure/reset-account-lockout-counter-after.md 
+++ b/windows/keep-secure/reset-account-lockout-counter-after.md @@ -2,7 +2,7 @@ title: Reset account lockout counter after (Windows 10) description: Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting. ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/keep-secure/restore-files-and-directories.md index b428c37092..e8bb7e6f85 100644 --- a/windows/keep-secure/restore-files-and-directories.md +++ b/windows/keep-secure/restore-files-and-directories.md @@ -2,7 +2,7 @@ title: Restore files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting. ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md index 9eb59d5dc1..9e6debeb0f 100644 --- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md +++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md @@ -4,9 +4,10 @@ description: IT professionals can run a scan using the command line in Windows D keywords: scan, command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md index 12a5620d21..565f6331da 100644 
--- a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md +++ b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md @@ -2,7 +2,7 @@ title: Run the Automatically Generate Rules wizard (Windows 10) description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/script-rules-in-applocker.md b/windows/keep-secure/script-rules-in-applocker.md index 10efd57b91..6fd0ec9196 100644 --- a/windows/keep-secure/script-rules-in-applocker.md +++ b/windows/keep-secure/script-rules-in-applocker.md @@ -2,7 +2,7 @@ title: Script rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md index a4f7e13245..e3f6f2ce53 100644 --- a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md @@ -2,7 +2,7 @@ title: Advanced security audit policy settings (Windows 10) description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-auditing-overview.md b/windows/keep-secure/security-auditing-overview.md index 135ebc41e5..cde9b0865f 100644 --- a/windows/keep-secure/security-auditing-overview.md 
+++ b/windows/keep-secure/security-auditing-overview.md @@ -2,7 +2,7 @@ title: Security auditing (Windows 10) description: Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md index 560f73ba5a..f7c0df0eab 100644 --- a/windows/keep-secure/security-considerations-for-applocker.md +++ b/windows/keep-secure/security-considerations-for-applocker.md @@ -2,7 +2,7 @@ title: Security considerations for AppLocker (Windows 10) description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-options.md b/windows/keep-secure/security-options.md index b9ddcb4bf8..2d25a87621 100644 --- a/windows/keep-secure/security-options.md +++ b/windows/keep-secure/security-options.md @@ -2,7 +2,7 @@ title: Security Options (Windows 10) description: Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting. ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-policy-settings-reference.md b/windows/keep-secure/security-policy-settings-reference.md index 06c6b96d8d..4023dfc66f 100644 --- a/windows/keep-secure/security-policy-settings-reference.md 
+++ b/windows/keep-secure/security-policy-settings-reference.md @@ -2,7 +2,7 @@ title: Security policy settings reference (Windows 10) description: This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-policy-settings.md b/windows/keep-secure/security-policy-settings.md index 1551485d7e..f9ea234685 100644 --- a/windows/keep-secure/security-policy-settings.md +++ b/windows/keep-secure/security-policy-settings.md @@ -2,7 +2,7 @@ title: Security policy settings (Windows 10) description: This reference topic describes the common scenarios, architecture, and processes for security settings. ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md index 7d54d652f2..39c9eedbb3 100644 --- a/windows/keep-secure/security-technologies.md +++ b/windows/keep-secure/security-technologies.md @@ -2,7 +2,7 @@ title: Security technologies (Windows 10) description: Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. ms.assetid: BFE2DE22-B0CE-465B-8CF6-28F64464DF08 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/select-types-of-rules-to-create.md b/windows/keep-secure/select-types-of-rules-to-create.md index 6e92663943..00ae11caf5 100644 --- a/windows/keep-secure/select-types-of-rules-to-create.md +++ b/windows/keep-secure/select-types-of-rules-to-create.md 
@@ -2,7 +2,7 @@ title: Select the types of rules to create (Windows 10) description: This topic lists resources you can use when selecting your application control policy rules by using AppLocker. ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md index 1be3c1bfe6..fb5e5d5cbf 100644 --- a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender ATP service onboarding description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal. keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users, search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md index f976f74857..81d0358abb 100644 --- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection settings description: Use the menu to configure the time zone, suppression rules, and view license information. keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license, suppression rules search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: DulceMV --- diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/keep-secure/shut-down-the-system.md index e07bf9633a..0c4f6b24a7 100644 --- a/windows/keep-secure/shut-down-the-system.md +++ b/windows/keep-secure/shut-down-the-system.md @@ -2,7 +2,7 @@ title: Shut down the system (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting. ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index a480adae03..bdd15d4040 100644 --- a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -2,7 +2,7 @@ title: Shutdown Allow system to be shut down without having to log on (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Allow system to be shut down without having to log on security policy setting. ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
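Review bot: in run-cmd-scan-windows-defender-for-windows-10.md the added line `+ms.pagetype: security` after `ms.sitesec: library` duplicates a key the front matter already has. The unchanged context line directly above `ms.prod` is `ms.pagetype: security`, so after this hunk the block carries the key twice. YAML requires mapping keys to be unique; strict parsers reject the duplicate and lenient ones keep only one of the two values, so the result depends on the tooling. Drop the added line here. The other Windows Defender files in this patch (service-onboarding, settings) have no existing `ms.pagetype` in their context, so the addition is correct there.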
diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md index 1e23676be3..83e27c9e00 100644 --- a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md @@ -2,7 +2,7 @@ title: Shutdown Clear virtual memory pagefile (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting. ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/store-passwords-using-reversible-encryption.md b/windows/keep-secure/store-passwords-using-reversible-encryption.md index 386e132579..667eaec2fc 100644 --- a/windows/keep-secure/store-passwords-using-reversible-encryption.md +++ b/windows/keep-secure/store-passwords-using-reversible-encryption.md @@ -2,7 +2,7 @@ title: Store passwords using reversible encryption (Windows 10) description: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting. ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md index dddb84f0a2..b6b9fd71e5 100644 --- a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md 
@@ -2,7 +2,7 @@ title: Switch PCR banks on TPM 2.0 devices (Windows 10) description: A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/synchronize-directory-service-data.md b/windows/keep-secure/synchronize-directory-service-data.md index 853573d001..b562f8a178 100644 --- a/windows/keep-secure/synchronize-directory-service-data.md +++ b/windows/keep-secure/synchronize-directory-service-data.md @@ -2,7 +2,7 @@ title: Synchronize directory service data (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Synchronize directory service data security policy setting. ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index c72f3b1385..0862dc11d1 100644 --- a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -2,7 +2,7 @@ title: System cryptography Force strong key protection for user keys stored on the computer (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System cryptography Force strong key protection for user keys stored on the computer security policy setting. ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index f7137a0c09..a1a1738dad 100644 --- a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -2,7 +2,7 @@ title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index 6f9e3c9d43..1f3af1c21c 100644 --- a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -2,7 +2,7 @@ title: System objects Require case insensitivity for non-Windows subsystems (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System objects Require case insensitivity for non-Windows subsystems security policy setting. ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md index 708cba1b5a..5be5a462b1 100644 --- a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -2,7 +2,7 @@ title: System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting. ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/system-settings-optional-subsystems.md b/windows/keep-secure/system-settings-optional-subsystems.md index 4e096fea50..15ec7c1221 100644 --- a/windows/keep-secure/system-settings-optional-subsystems.md +++ b/windows/keep-secure/system-settings-optional-subsystems.md @@ -2,7 +2,7 @@ title: System settings Optional subsystems (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System settings Optional subsystems security policy setting. ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index 85e0a1c7bd..ae25abd015 100644 
--- a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -2,7 +2,7 @@ title: System settings Use certificate rules on Windows executables for Software Restriction Policies (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the System settings Use certificate rules on Windows executables for Software Restriction Policies security policy setting. ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/take-ownership-of-files-or-other-objects.md b/windows/keep-secure/take-ownership-of-files-or-other-objects.md index 255f2d4ff3..24ab3257e2 100644 --- a/windows/keep-secure/take-ownership-of-files-or-other-objects.md +++ b/windows/keep-secure/take-ownership-of-files-or-other-objects.md @@ -2,7 +2,7 @@ title: Take ownership of files or other objects (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting. ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md index aa27d42260..fcc3bf2eac 100644 --- a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md 
@@ -2,7 +2,7 @@ title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows 10) description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/test-and-update-an-applocker-policy.md b/windows/keep-secure/test-and-update-an-applocker-policy.md index cf77664f65..99e46e3022 100644 --- a/windows/keep-secure/test-and-update-an-applocker-policy.md +++ b/windows/keep-secure/test-and-update-an-applocker-policy.md @@ -2,7 +2,7 @@ title: Test and update an AppLocker policy (Windows 10) description: This topic discusses the steps required to test an AppLocker policy prior to deployment. ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md index 810bb44663..e2187af349 100644 --- a/windows/keep-secure/testing-scenarios-for-edp.md +++ b/windows/keep-secure/testing-scenarios-for-edp.md @@ -2,10 +2,11 @@ title: Testing scenarios for enterprise data protection (EDP) (Windows 10) description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 -keywords: ["EDP", "Enterprise Data Protection"] -ms.prod: W10 +keywords: EDP, Enterprise Data Protection +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/tools-to-use-with-applocker.md b/windows/keep-secure/tools-to-use-with-applocker.md index d0ffd99ac7..5d2d69ff81 100644 --- a/windows/keep-secure/tools-to-use-with-applocker.md 
+++ b/windows/keep-secure/tools-to-use-with-applocker.md @@ -2,7 +2,7 @@ title: Tools to use with AppLocker (Windows 10) description: This topic for the IT professional describes the tools available to create and administer AppLocker policies. ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/keep-secure/tpm-fundamentals.md index c4fb6b2cc3..6969c89924 100644 --- a/windows/keep-secure/tpm-fundamentals.md +++ b/windows/keep-secure/tpm-fundamentals.md @@ -2,7 +2,7 @@ title: TPM fundamentals (Windows 10) description: This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index 9decdf047c..81b6385faf 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md @@ -2,7 +2,7 @@ title: TPM recommendations (Windows 10) description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 9199881438..7db942d7ba 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Troubleshoot Windows Defender ATP onboarding issues description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service. keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, telemetry and diagnostics search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: iaanw --- diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md index 1d15cf5dd7..8340e9dcc0 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Troubleshoot Windows Defender Advanced Threat Protection description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- # Troubleshoot Windows Defender Advanced Threat Protection diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index f9c63208af..e60c0f663c 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md 
@@ -2,7 +2,7 @@ title: Troubleshoot Windows Defender in Windows 10 (Windows 10) description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/trusted-platform-module-overview.md b/windows/keep-secure/trusted-platform-module-overview.md index 03e37a250b..e7b6e784ff 100644 --- a/windows/keep-secure/trusted-platform-module-overview.md +++ b/windows/keep-secure/trusted-platform-module-overview.md @@ -2,7 +2,7 @@ title: Trusted Platform Module Technology Overview (Windows 10) description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. ms.assetid: face8932-b034-4319-86ac-db1163d46538 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md index 4ded5c4844..ff626bb1de 100644 --- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md +++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md @@ -2,7 +2,7 @@ title: TPM Group Policy settings (Windows 10) description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md index 4f38eca5a6..96a64490d0 100644 --- a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md +++ b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md @@ -2,7 +2,7 @@ title: Types of attacks for volume encryption keys (Windows 10) description: There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. ms.assetid: 405060a9-2009-44fc-9f84-66edad32c6bc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understand-applocker-enforcement-settings.md b/windows/keep-secure/understand-applocker-enforcement-settings.md index 6ac72fe3f1..a27cfdc9cb 100644 --- a/windows/keep-secure/understand-applocker-enforcement-settings.md +++ b/windows/keep-secure/understand-applocker-enforcement-settings.md @@ -2,7 +2,7 @@ title: Understand AppLocker enforcement settings (Windows 10) description: This topic describes the AppLocker enforcement settings for rule collections. ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understand-applocker-policy-design-decisions.md b/windows/keep-secure/understand-applocker-policy-design-decisions.md index 5687229616..4c7731bcfc 100644 --- a/windows/keep-secure/understand-applocker-policy-design-decisions.md +++ b/windows/keep-secure/understand-applocker-policy-design-decisions.md 
@@ -2,7 +2,7 @@ title: Understand AppLocker policy design decisions (Windows 10) description: This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 066f32d60e..fd1d01d9fb 100644 --- a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -2,7 +2,7 @@ title: Understand AppLocker rules and enforcement setting inheritance in Group Policy (Windows 10) description: This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md index 76bbb8d904..a2ec48ffe5 100644 --- a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md +++ b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md 
@@ -2,7 +2,7 @@ title: Understand the AppLocker policy deployment process (Windows 10) description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md index b6d8502af0..b383087281 100644 --- a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -2,7 +2,7 @@ title: Understanding AppLocker allow and deny actions on rules (Windows 10) description: This topic explains the differences between allow and deny actions on AppLocker rules. ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-default-rules.md b/windows/keep-secure/understanding-applocker-default-rules.md index 76aa56e251..b0aa99f22e 100644 --- a/windows/keep-secure/understanding-applocker-default-rules.md +++ b/windows/keep-secure/understanding-applocker-default-rules.md @@ -2,7 +2,7 @@ title: Understanding AppLocker default rules (Windows 10) description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-rule-behavior.md b/windows/keep-secure/understanding-applocker-rule-behavior.md index 2e1353c3ed..ac18934b5f 100644 
--- a/windows/keep-secure/understanding-applocker-rule-behavior.md +++ b/windows/keep-secure/understanding-applocker-rule-behavior.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule behavior (Windows 10) description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-rule-collections.md b/windows/keep-secure/understanding-applocker-rule-collections.md index 9c569f7f53..b8adef234c 100644 --- a/windows/keep-secure/understanding-applocker-rule-collections.md +++ b/windows/keep-secure/understanding-applocker-rule-collections.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule collections (Windows 10) description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-rule-condition-types.md b/windows/keep-secure/understanding-applocker-rule-condition-types.md index d4e6ceaf84..f00afa16e1 100644 --- a/windows/keep-secure/understanding-applocker-rule-condition-types.md +++ b/windows/keep-secure/understanding-applocker-rule-condition-types.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule condition types (Windows 10) description: This topic for the IT professional describes the three types of AppLocker rule conditions. ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-applocker-rule-exceptions.md b/windows/keep-secure/understanding-applocker-rule-exceptions.md index a99cb1f8cb..4cedcfd784 100644 
--- a/windows/keep-secure/understanding-applocker-rule-exceptions.md +++ b/windows/keep-secure/understanding-applocker-rule-exceptions.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule exceptions (Windows 10) description: This topic describes the result of applying AppLocker rule exceptions to rule collections. ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md index b778f3c76d..89a2b1a770 100644 --- a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md @@ -2,7 +2,7 @@ title: Understanding the file hash rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md index d62cf0c8b6..4d4e950a6c 100644 --- a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md @@ -2,7 +2,7 @@ title: Understanding the path rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md index 34ac6444f3..5e0bca2ee0 100644 --- a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md @@ -2,7 +2,7 @@ title: Understanding the publisher rule condition in AppLocker (Windows 10) description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index e9c7b0645e..90336b381a 100644 --- a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -2,7 +2,7 @@ title: Use a reference device to create and maintain AppLocker policies (Windows 10) description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md index ef970cd8df..17fe40b6a1 100644 --- a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md 
@@ -2,7 +2,7 @@ title: Use AppLocker and Software Restriction Policies in the same domain (Windows 10) description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md index cf988054c1..d7cd5120c4 100644 --- a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md @@ -2,7 +2,7 @@ title: Use the AppLocker Windows PowerShell cmdlets (Windows 10) description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md index dd0fc24f67..717abdaec8 100644 --- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md 
@@ -3,9 +3,10 @@ title: Use the Windows Defender Advanced Threat Protection portal description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md index 060d693df1..846f249f82 100644 --- a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md +++ b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md @@ -2,7 +2,7 @@ title: Use Windows Event Forwarding to help with intrusion detection (Windows 10) description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index a4fbc0126b..7b203c0bcd 100644 --- a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md 
@@ -2,7 +2,7 @@ title: User Account Control Admin Approval Mode for the Built-in Administrator account (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Admin Approval Mode for the Built-in Administrator account security policy setting. ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index cc8ebe93f3..e80369cae9 100644 --- a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -2,7 +2,7 @@ title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop (Windows 10) description: Describes the best practices, location, values, and security considerations for the User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting. ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 28718b33ae..97af8126a3 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md 
+++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -2,7 +2,7 @@ title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting. ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d -ms.prod: W10 +ms.prod: ws10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index e382611db9..7ca4ce4329 100644 --- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -2,7 +2,7 @@ title: User Account Control Behavior of the elevation prompt for standard users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for standard users security policy setting. ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 178aa242b4..0c372cd6ee 100644 --- a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md 
+++ b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -2,7 +2,7 @@ title: User Account Control Detect application installations and prompt for elevation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Detect application installations and prompt for elevation security policy setting. ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md index 8da09ab38e..e2e57dd1bd 100644 --- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md @@ -1,9 +1,11 @@ --- title: User Account Control Group Policy and registry key settings (Windows 10) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security +author: brianlic-msft --- # User Account Control Group Policy and registry key settings diff --git a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 19768449e0..76edee3e01 100644 --- a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md 
@@ -2,7 +2,7 @@ title: User Account Control Only elevate executables that are signed and validated (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate executables that are signed and validated security policy setting. ms.assetid: 64950a95-6985-4db6-9905-1db18557352d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index 890ec0f2ff..be21f041f5 100644 --- a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -2,7 +2,7 @@ title: User Account Control Only elevate UIAccess applications that are installed in secure locations (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate UIAccess applications that are installed in secure locations security policy setting. ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md index ccabf37ce1..32edfe0160 100644 --- a/windows/keep-secure/user-account-control-overview.md +++ b/windows/keep-secure/user-account-control-overview.md 
@@ -2,7 +2,7 @@ title: User Account Control (Windows 10) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md index 63ac1e4a65..61664f5a6e 100644 --- a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -2,7 +2,7 @@ title: User Account Control Run all administrators in Admin Approval Mode (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Run all administrators in Admin Approval Mode security policy setting. ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-security-policy-settings.md b/windows/keep-secure/user-account-control-security-policy-settings.md index 569bf9892e..45bf5fb129 100644 --- a/windows/keep-secure/user-account-control-security-policy-settings.md +++ b/windows/keep-secure/user-account-control-security-policy-settings.md 
@@ -2,8 +2,8 @@ title: User Account Control security policy settings (Windows 10) description: You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 -ms.prod: W10 -ms.mktglfcycl: operate +ms.prod: w10 +ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft diff --git a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index ee510bb52e..85c36101a5 100644 --- a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -2,7 +2,7 @@ title: User Account Control Switch to the secure desktop when prompting for elevation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Switch to the secure desktop when prompting for elevation security policy setting. ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index afc3766b73..8501495c6b 100644 --- a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md 
@@ -2,7 +2,7 @@ title: User Account Control Virtualize file and registry write failures to per-user locations (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Virtualize file and registry write failures to per-user locations security policy setting. ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/user-rights-assignment.md b/windows/keep-secure/user-rights-assignment.md index 401613dde1..59979d3158 100644 --- a/windows/keep-secure/user-rights-assignment.md +++ b/windows/keep-secure/user-rights-assignment.md @@ -2,7 +2,7 @@ title: User Rights Assignment (Windows 10) description: Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index 13d5fc93e5..a26cffe188 100644 --- a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md 
@@ -2,7 +2,7 @@ title: Using advanced security auditing options to monitor dynamic access control objects (Windows 10) description: This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/using-event-viewer-with-applocker.md b/windows/keep-secure/using-event-viewer-with-applocker.md index dcee6821bc..1b1b80e64f 100644 --- a/windows/keep-secure/using-event-viewer-with-applocker.md +++ b/windows/keep-secure/using-event-viewer-with-applocker.md @@ -2,7 +2,7 @@ title: Using Event Viewer with AppLocker (Windows 10) description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md index 54b12a4568..8a427064fb 100644 --- a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md @@ -2,7 +2,7 @@ title: Use Software Restriction Policies and AppLocker policies (Windows 10) description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
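Review bot: In the hunk for user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md, the added line reads `ms.prod: ws10`, while every other hunk shown here sets `ms.prod: w10`. This looks like a typo. Change it to `ms.prod: w10` so the topic carries the same product value as its sibling UAC policy topics and is not dropped from anything that filters on that field.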
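Review bot: The hunk for user-account-control-security-policy-settings.md changes `ms.mktglfcycl: operate` to `ms.mktglfcycl: deploy` alongside the `ms.prod` casing fix, which no other hunk shown here does, and the context lines for user-account-control-overview.md still read `ms.mktglfcycl: operate`. If the lifecycle change is intended, call it out in the commit message. Otherwise restore `operate` and limit this hunk to the `ms.prod` change.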
diff --git a/windows/keep-secure/view-the-security-event-log.md b/windows/keep-secure/view-the-security-event-log.md index 745195b4f3..388d32ddc8 100644 --- a/windows/keep-secure/view-the-security-event-log.md +++ b/windows/keep-secure/view-the-security-event-log.md @@ -2,7 +2,7 @@ title: View the security event log (Windows 10) description: The security log records each event as defined by the audit policies you set on each object. ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md index 6f336cc6e6..77c548ec2a 100644 --- a/windows/keep-secure/vpn-profile-options.md +++ b/windows/keep-secure/vpn-profile-options.md @@ -2,10 +2,10 @@ title: VPN profile options (Windows 10) description: Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: networking +ms.pagetype: security, networking author: jdeckerMS --- diff --git a/windows/keep-secure/what-is-applocker.md b/windows/keep-secure/what-is-applocker.md index b4d758df7b..c3b47e88d5 100644 --- a/windows/keep-secure/what-is-applocker.md +++ b/windows/keep-secure/what-is-applocker.md @@ -2,7 +2,7 @@ title: What Is AppLocker (Windows 10) description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security 
diff --git a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md index c60d303826..4428ed173d 100644 --- a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -2,7 +2,7 @@ title: Which editions of Windows support advanced audit policy configuration (Windows 10) description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md index 5afeb6f914..21d3ce97d3 100644 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md @@ -3,7 +3,7 @@ title: Why a PIN is better than a password (Windows 10) description: Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 keywords: pin, security, password -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md index 510675e4ff..30f130d499 100644 --- a/windows/keep-secure/windows-10-enterprise-security-guides.md +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md 
@@ -2,10 +2,10 @@ title: Enterprise security guides (Windows 10) description: Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. ms.assetid: 57134f84-bd4b-4b1d-b663-4a2d36f5a7f8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security +ms.pagetype: security, devices author: challum --- diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md index 1008003440..16389caf95 100644 --- a/windows/keep-secure/windows-10-mobile-security-guide.md +++ b/windows/keep-secure/windows-10-mobile-security-guide.md @@ -3,10 +3,10 @@ title: Windows 10 Mobile security guide (Windows 10) description: This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security. ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205 keywords: data protection, encryption, malware resistance, smartphone, device, Windows Store -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security; mobile +ms.pagetype: security, mobile author: AMeeus --- diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index 2c0402513c..bb757267bb 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md 
@@ -3,7 +3,7 @@ title: Windows 10 security overview (Windows 10) description: This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. ms.assetid: 4561D80B-A914-403C-A17C-3BE6FC95B59B keywords: configure, feature, file encryption -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md index 9567620fcb..bae239bf1c 100644 --- a/windows/keep-secure/windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md @@ -3,9 +3,10 @@ title: Windows Defender Advanced Threat Protection - Windows Defender description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, analytics, threat intelligence search.product: eADQiWindows 10XVcnh -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: mjcaparas --- diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md index 72d8554def..2dc00afede 100644 --- a/windows/keep-secure/windows-defender-in-windows-10.md +++ b/windows/keep-secure/windows-defender-in-windows-10.md 
@@ -2,7 +2,7 @@ title: Windows Defender in Windows 10 (Windows 10) description: This topic provides an overview of Windows Defender, including a list of system requirements and new features. ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md index 7b9bed5681..40a4efa80a 100644 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ b/windows/keep-secure/windows-hello-in-enterprise.md @@ -2,10 +2,11 @@ title: Windows Hello biometrics in the enterprise (Windows 10) description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc -keywords: ["Windows Hello", "enterprise biometrics"] -ms.prod: W10 +keywords: Windows Hello, enterprise biometrics +ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library +ms.pagetype: security author: eross-msft --- diff --git a/windows/keep-secure/windows-installer-rules-in-applocker.md b/windows/keep-secure/windows-installer-rules-in-applocker.md index b12d94b8ef..65a86eddfc 100644 --- a/windows/keep-secure/windows-installer-rules-in-applocker.md +++ b/windows/keep-secure/windows-installer-rules-in-applocker.md @@ -2,7 +2,7 @@ title: Windows Installer rules in AppLocker (Windows 10) description: This topic describes the file formats and available default rules for the Windows Installer rule collection. ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/working-with-applocker-policies.md b/windows/keep-secure/working-with-applocker-policies.md index 8963fa665b..219638880c 100644 
--- a/windows/keep-secure/working-with-applocker-policies.md +++ b/windows/keep-secure/working-with-applocker-policies.md @@ -2,7 +2,7 @@ title: Working with AppLocker policies (Windows 10) description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md index 762d21c78a..9c528133ef 100644 --- a/windows/keep-secure/working-with-applocker-rules.md +++ b/windows/keep-secure/working-with-applocker-rules.md @@ -2,7 +2,7 @@ title: Working with AppLocker rules (Windows 10) description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security From dc32c183742565f7544bf2aec63893ce376e89ca Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 31 May 2016 07:34:12 -0700 Subject: [PATCH 138/169] changed IE to Edge --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 3 ++- .../installing-digital-certificates-on-windows-10-mobile.md | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 3c7d6abdfe..53fc6a0ef7 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -16,10 +16,11 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| +| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Changed Internet Explorer to Microsoft Edge | | [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. | | [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content | -| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | |[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.| +| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | ## April 2016 diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md index 33f7e83a76..6bd8e60c5d 100644 --- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md 
@@ -22,7 +22,7 @@ Certificates in Windows 10 Mobile are primarily used for the following purposes - To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email. - For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site). -## Install certificates using Internet Explorer +## Install certificates using Microsoft Edge A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device. @@ -42,7 +42,7 @@ Windows 10 Mobile supports root, CA, and client certificate to be configured vi 3. The trusted CA certificate is installed directly during MDM request. 4. The device accepts certificate enrollment request. 5. The device generates private/public key pair. -6. The device connects to Internet facing point exposed by MDM server. +6. The device connects to Internet-facing point exposed by MDM server. 7. MDM server creates a certificate that is signed with proper CA certificate and returns it to device. > **Note:**  The device supports the pending function to allow server side to do additional verification before issuing the cert. In this case, a pending status is sent back to the device. The device will periodically contact the server, based on preconfigured retry count and retry period parameters. Retrying ends when either: From ef69c25c81194eb00e39b8b4216ebf6b5605bc78 Mon Sep 17 00:00:00 2001 
From: Greg Lindsay Date: Tue, 31 May 2016 12:07:59 -0700 Subject: [PATCH 139/169] checking in 7707381 --- ...rade-a-windows-phone-8-1-to-10-with-mdm.md | 112 ++++++++++++++++++ ...rade-a-windows-phone-8-1-to-10-with-mdm.md | Bin 0 -> 162 bytes 2 files changed, 112 insertions(+) create mode 100644 windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md create mode 100644 windows/deploy/~$grade-a-windows-phone-8-1-to-10-with-mdm.md diff --git a/windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md b/windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md new file mode 100644 index 0000000000..bbf295e678 --- /dev/null +++ b/windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md 
@@ -0,0 +1,112 @@ +**How to enable a Windows Phone 8.1 upgrade to Windows 10 Mobile in an MDM environment ** + +Summary +======= + +This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. See the section to determine whether your device is eligible for the update. +The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must "opt-in" to be offered the upgrade. +For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. +For Enterprises, Microsoft is offering a centralized management solution through Mobile Device Management (MDM) that can push a management policy to each eligible device to perform the opt-in. +If you use a list of allowed apps (whitelisting) through MDM, see the documentation [here](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056(v=vs.85).aspx#whitelist) to make sure system apps are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are known issues listed in the documentation that could adversely affect the device after you upgrade. See this documentation for rules to avoid. +Some enterprises may want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the  section. Enterprises that have blacklisted the Upgrade Advisor app can use the solution that's described in this article to select the upgrade timing on a per-device basis. + +More information +================ + +To provide enterprises with a solution that's independent of the Upgrade Advisor, a new registry key in the registry configuration service provider (CSP) is available. A special GUID key value is defined. 
When Microsoft Update (MU) detects the presence of the registry key value on a device, any available upgrade will be made available to the device. + +Prerequisites +------------- + +- Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. + +- Device connected to Wi-Fi or cellular network to perform scan for upgrade. + +- Device is already enrolled with a MDM session. + +- Device is able to receive the management policy. + +- MDM is capable of pushing the management policy to devices. (The minimum version for popular MDM providers that support the solution in this article are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0.) + +**Instructions for the MDM server** + +The registry CSP is used to push the GUID value to the following registry key for which the Open Mobile Alliance (OMA) Device Management (DM) client has Read/Write access and for which the Device Update service has Read access. + +| \[HKLM\\Software\\Microsoft\\Provisioning\\OMADM\] + "EnterpriseUpgrade"="d369c9b6-2379-466d-9162-afc53361e3c2” | +|------------------------------------------------------------| + +The complete SyncML command for the solution is as follows. +**Note**: The SyncML may vary, depending on your MDM solution. 
+ +SyncML xmlns="SYNCML:SYNCML1.1"> + +<SyncBody> + +<Add> + +<CmdID>250</CmdID> + +<Item> + +<Target> + +<LocURI>./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/ EnterpriseUpgrade</LocURI> + +</Target> + +<Meta> + +<Format xmlns=”syncml:metinf”>chr</Format> + +</Meta> + +<Data>d369c9b6-2379-466d-9162-afc53361e3c2</Data> + +</Item> + +</Add> + +<Final/> + +</SyncBody> + +</SyncML> + +The OMA DM server policy description is provided in the following table: + +| OMA-URI | ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | +|-----------|-------------------------------------------------------------------------------------| +| Data Type | String | +| Value | d369c9b6-2379-466d-9162-afc53361e3c2 | + +After the device consumes the policy, it will be able to receive an available upgrade. +To disable the policy, either delete the OMADM registry key or set the EnterpriseUpgrade string value to anything other than the GUID. + +How to determine whether an upgrade is available for a device +------------------------------------------------------------- + +The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. +However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). +We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. 
+Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 mobile](https://www.microsoft.com/en/mobile/windows10) page. + +How to blacklist the Upgrade Advisor app +---------------------------------------- + +Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows Phone Upgrade Adviser is listed in the following location: + + + +For more information about how to do this, see the [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/en-us/windows/dn771706.aspx) topic on TechNet + +Applies to +=========== + +- Windows 10 Mobile Enterprise, released in November 2015 + +- Windows 10 Mobile, released in November 2015 + +- Windows Phone 8.1 + +- Windows Phone 8 for Business diff --git a/windows/deploy/~$grade-a-windows-phone-8-1-to-10-with-mdm.md b/windows/deploy/~$grade-a-windows-phone-8-1-to-10-with-mdm.md new file mode 100644 index 0000000000000000000000000000000000000000..29df01d4b1acd246110856092acada5dcdb58c42 GIT binary patch literal 162 zcmd;aFG@{U@X5?eDNd|pAQtd2xHA+nq%x#4C@}aiWHRJ2q%agSBr?EExY52vkwKH8 o=f&2W{ER?DK^Pe@>NB!}_*dIEDl%v>^n?P<30U+USqYpC0E-_J^8f$< literal 0 HcmV?d00001 From 04380fad158098617954dca734cf9f78534e73a0 Mon Sep 17 00:00:00 2001 
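Review bot: The SyncML sample in the new upgrade-a-windows-phone-8-1-to-10-with-mdm.md will not parse as pasted. The root element is written `SyncML xmlns="SYNCML:SYNCML1.1">` without its opening `<`, the `<Format xmlns=”syncml:metinf”>` attribute and the end of the `"EnterpriseUpgrade"=` registry value use curly quotes, and the `<LocURI>` contains a space in `OMADM/ EnterpriseUpgrade` that the OMA-URI in the table below it does not have. Admins will copy these values into an MDM console, so please restore the `<`, use straight quotes, and remove the space so the sample matches the table. The summary also has cross-references with no target ("See the section to determine", "see the  section"), the GUID location after "listed in the following location:" is blank, and the file has no title/description metadata block like the other topics touched in this series.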
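Review bot: `windows/deploy/~$grade-a-windows-phone-8-1-to-10-with-mdm.md` (new file, 162-byte binary) looks like an editor lock/temp file created while the article was open, not content, and it should not be part of this commit. Drop it from the change and consider adding a `~$*` pattern to the repository's ignore rules so it cannot be checked in again.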
From: Greg Lindsay Date: Tue, 31 May 2016 12:26:50 -0700 Subject: [PATCH 140/169] checking in 7707381 again --- windows/deploy/TOC.md | 1 + .../upgrade-a-windows-phone-8-1-to-10-with-mdm.md | 2 +- .../~$grade-a-windows-phone-8-1-to-10-with-mdm.md | Bin 162 -> 0 bytes 3 files changed, 2 insertions(+), 1 deletion(-) delete mode 100644 windows/deploy/~$grade-a-windows-phone-8-1-to-10-with-mdm.md diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index af7eb425d9..0ac0d202d8 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -11,6 +11,7 @@ ### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) ### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) ### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +### [Enable a Windows Phone 8.1 upgrade to Windows 10 Mobile in an MDM environment](upgrade-a-windows-phone-8-1-to-10-with-mdm.md) ### [Configure MDT settings](configure-mdt-2013-settings.md) #### [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) #### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) diff --git a/windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md b/windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md index bbf295e678..1833cb22c9 100644 --- a/windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md +++ b/windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md @@ -1,4 +1,4 @@ -**How to enable a Windows Phone 8.1 upgrade to Windows 10 Mobile in an MDM environment ** +**Enable a Windows Phone 8.1 upgrade to Windows 10 Mobile in an MDM environment ** Summary ======= 
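Review bot: The retitled first line of upgrade-a-windows-phone-8-1-to-10-with-mdm.md still ends with a space before the closing `**` (`in an MDM environment **`), so CommonMark-style renderers will show the asterisks literally instead of bold text. Since TOC.md now links to this file, make the line a real `#` heading and add the title/description metadata block that the other topics carry.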
diff --git a/windows/deploy/~$grade-a-windows-phone-8-1-to-10-with-mdm.md b/windows/deploy/~$grade-a-windows-phone-8-1-to-10-with-mdm.md deleted file mode 100644 index 29df01d4b1acd246110856092acada5dcdb58c42..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 162 zcmd;aFG@{U@X5?eDNd|pAQtd2xHA+nq%x#4C@}aiWHRJ2q%agSBr?EExY52vkwKH8 o=f&2W{ER?DK^Pe@>NB!}_*dIEDl%v>^n?P<30U+USqYpC0E-_J^8f$< From fb0f31b3d89b1ed523fd77b7be5ce36819e8b066 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 31 May 2016 13:14:07 -0700 Subject: [PATCH 141/169] formatting fixes --- windows/deploy/TOC.md | 1 - .../deploy/upgrade-windows-phone-8-1-to-10.md | 27 +++++++++++++------ 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 0ac0d202d8..f21c7050b3 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -21,7 +21,6 @@ #### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) #### [Use web services in MDT](use-web-services-in-mdt-2013.md) #### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) -### [Upgrade Windows Phone 8.1 to Windows 10](upgrade-windows-phone-8-1-to-10.md) ## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) ### [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) ### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index 659792f6e8..0094c456c4 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md 
@@ -1,6 +1,6 @@ --- -title: Deploy Windows 10 using PXE (Windows 10) -description: PXE-initiated operating system deployments in System Center Configuration Manager let client computers request and deploy operating systems over the network. In this operating system deployment scenario, the operating system image and both the x86 and x64 Windows PE boot images are sent to a distribution point that is configured to accept PXE boot requests. +title: Upgrade Windows Phone 8.1 to Windows 10 Mobile in an MDM environment (Windows 10) +description: This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. keywords: upgrade, update, windows, phone, windows 10, mdm, mobile ms.prod: W10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ author: greg-lindsay ## Summary This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. See the How to determine whether an upgrade is available for a device section to determine whether your device is eligible for the update. -The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must "opt-in" to be offered the upgrade. +The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. 
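Review bot: The front-matter hunk replaces the copied PXE title and description but leaves `ms.prod: W10` untouched, while the earlier hunks in this series lowercase that value to `w10`; change it here as well so the metadata stays consistent. In the second hunk, "must opt-in" uses the hyphenated form as a verb; "must opt in" is the correct form now that the quotes are gone.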
@@ -30,23 +30,27 @@ To provide enterprises with a solution that's independent of the Upgrade Advisor ### Prerequisites -•Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. -•Device connected to Wi-Fi or cellular network to perform scan for upgrade. -•Device is already enrolled with a MDM session. -•Device is able to receive the management policy. -•MDM is capable of pushing the management policy to devices. (The minimum version for popular MDM providers that support the solution in this article are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0.) +- Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. +- Device connected to Wi-Fi or cellular network to perform scan for upgrade. +- Device is already enrolled with a MDM session. +- Device is able to receive the management policy. +- MDM is capable of pushing the management policy to devices. (The minimum version for popular MDM providers that support the solution in this article are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0.) ### Instructions for the MDM server The registry CSP is used to push the GUID value to the following registry key for which the Open Mobile Alliance (OMA) Device Management (DM) client has Read/Write access and for which the Device Update service has Read access. +``` [HKLM\Software\Microsoft\Provisioning\OMADM] "EnterpriseUpgrade"="d369c9b6-2379-466d-9162-afc53361e3c2” +``` + The complete SyncML command for the solution is as follows. Note The SyncML may vary, depending on your MDM solution. +``` SyncML xmlns="SYNCML:SYNCML1.1"> 
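Review bot: The new code fences make the registry and SyncML snippets copyable, but the text inside them is still malformed: the registry value ends with a curly quote (`afc53361e3c2”`) and the SyncML block opens with `SyncML xmlns="SYNCML:SYNCML1.1">`, missing the leading `<`. Fix both inside the fences, because readers will paste fenced text verbatim. In the converted prerequisites list, "enrolled with a MDM session" should read "an MDM session".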
@@ -64,12 +68,19 @@ SyncML xmlns="SYNCML:SYNCML1.1"> +``` The OMA DM server policy description is provided in the following table: +``` OMA-URI ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade +``` + Data Type String +``` Value d369c9b6-2379-466d-9162-afc53361e3c2 +``` + After the device consumes the policy, it will be able to receive an available upgrade. To disable the policy, either delete the OMADM registry key or set the EnterpriseUpgrade string value to anything other than the GUID. From 2cd38272b96304074967f3f01e81e9b8e3aecb6e Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Tue, 31 May 2016 13:14:56 -0700 Subject: [PATCH 142/169] article updates Per Brandon's Sharepoint drafts --- devices/surface/TOC.md | 2 +- .../advanced-uefi-security-features-for-surface.md | 8 +++++--- devices/surface/manage-surface-pro-3-firmware-updates.md | 2 +- devices/surface/surface-diagnostic-toolkit.md | 4 +++- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index f7e3191aa7..77680e7199 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,5 +1,5 @@ # [Surface](index.md) -## [Advanced UEFI security features for Surface](advanced-uefi-security-features-for-surface.md) +## [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) ## [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) ## [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) ## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) diff --git a/devices/surface/advanced-uefi-security-features-for-surface.md b/devices/surface/advanced-uefi-security-features-for-surface.md index ca850266d6..a122041eec 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface.md 
+++ b/devices/surface/advanced-uefi-security-features-for-surface.md @@ -1,5 +1,5 @@ --- -title: Advanced UEFI security features for Surface (Surface) +title: Advanced UEFI security features for Surface Pro 3 (Surface) description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93 keywords: security, features, configure, hardware, device, custom, script, update @@ -10,7 +10,7 @@ ms.sitesec: library author: miladCA --- -# Advanced UEFI security features for Surface +# Advanced UEFI security features for Surface Pro 3 This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. 
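Review bot: TOC.md now links to `advanced-uefi-security-features-for-surface-pro-3.md`, but this patch edits `devices/surface/advanced-uefi-security-features-for-surface.md` in place and the diffstat lists no rename, so the TOC entry will not resolve. Either rename the file in the same commit or keep the existing file name in the TOC link and change only the link text to match the new title and H1.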
@@ -20,7 +20,9 @@ To address more granular control over the security of Surface devices, the v3.11 ## Manually install the UEFI update -Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically using Windows Update, see [How to configure and use Automatic Updates in Windows]( http://go.microsoft.com/fwlink/p/?LinkID=618030). Otherwise, you can download the UEFI update from the Microsoft Download Center; see [SurfacePro3\_ 150326.msi (105 MB)](http://go.microsoft.com/fwlink/p/?LinkID=618033) or [SurfacePro3\_ 150326.zip (156 MB)](http://go.microsoft.com/fwlink/p/?LinkID=618035). +Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically by using Windows Update, see [How to configure and use Automatic Updates in Windows]( http://go.microsoft.com/fwlink/p/?LinkID=618030). + +To update the UEFI on Surface Pro 3, you can download and install the Surface UEFI updates as part of the Surface Pro 3 Firmware and Driver Pack. These firmware and driver packs are available from the [Surface Pro 3 page](https://www.microsoft.com/en-us/download/details.aspx?id=38826) on the Microsoft Download Center. You can find out more about the firmware and driver packs at [Download Surface Firmware and Drivers Updates](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). The firmware and driver packs are available as both self-contained Windows Installer (.msi) and archive (.zip) formats. 
You can find out more about these two formats and how you can use them to update your drivers at [Manage Surface Firmware and Driver Updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates). ## Manually configure additional security settings diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md index 8e757fdaca..3bc069e706 100644 --- a/devices/surface/manage-surface-pro-3-firmware-updates.md +++ b/devices/surface/manage-surface-pro-3-firmware-updates.md 
@@ -34,7 +34,7 @@ For details about Group Policy for client configuration of WSUS or Windows Updat **Windows Installer Package** -The firmware and driver downloads for Surface devices now include MSI installation files for firmware and driver updates. These MSI packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the MSI package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the MSI package, see the [Surface Pro 3 MSI Now Available](http://go.microsoft.com/fwlink/p/?LinkId=618173) blog post. +The firmware and driver downloads for Surface devices now include Windows Installer files for firmware and driver updates. These Windows Installer packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the Windows Installer package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the Windows Installer package, see the [Surface Pro 3 MSI Now Available](http://go.microsoft.com/fwlink/p/?LinkId=618173) blog post. For instructions on how to deploy with System Center Configuration Manager, refer to [How to Deploy Applications in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618175). 
For deployment of applications with MDT, see [Step 4: Add an application in the Deploy a Windows 8.1 Image Using MDT 2013](http://go.microsoft.com/fwlink/p/?LinkId=618176). Note that you can deploy applications separately from an operating system deployment through MDT by using a Post OS Installation task sequence. diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md index 4fa7514559..bcea29785f 100644 --- a/devices/surface/surface-diagnostic-toolkit.md +++ b/devices/surface/surface-diagnostic-toolkit.md 
@@ -125,7 +125,9 @@ If a Surface Type Cover is not detected, the test prompts you to connect the Typ >**Note:**  This test is only applicable to Surface Book and requires that the Surface Book be docked to the keyboard. -This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. Move the cursor and use the Windows key to bring up the Start menu to confirm that the touchpad and keyboard are operating successfully. This test will display the status of cursor movement and keyboard input for you to verify. Press **ESC** to complete the test. +This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. During the first stage of this test a diagram of the keyboard is displayed. When you press a key, the corresponding key will be marked on the diagram. The test will proceed when every key in the diagram is marked. In the second stage of this test, you are prompted to make several gestures on the keypad. As you perform each gesture (for example, a three finger tap), the gesture will be marked on the screen. When you have performed all gestures, the test will automatically complete. + +>**Note:**  The F-keys on the diagram require that you press the Function (FN) key simultaneously to activate them. By default, these keys perform other actions. For the Home and End keys, you must press the same keys as F8 and F9, but without the Function (FN) key pressed. #### Canvas mode battery test From 5c95b50cd114fb996a6d48d9c6b520a9e045c69a Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 31 May 2016 13:27:18 -0700 Subject: [PATCH 143/169] checking in 7707381 --- windows/deploy/TOC.md | 2 +- ...rade-a-windows-phone-8-1-to-10-with-mdm.md | 112 ------------------ 2 files changed, 1 insertion(+), 113 deletions(-) delete mode 100644 windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md 
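Review bot: In the surface-diagnostic-toolkit.md hunk (@@ -125,7 +125,9), the added second-stage sentence says gestures are made "on the keypad", but the sentence it replaces described this test as confirming the touchpad and keyboard. The example given, a three finger tap, is a touchpad gesture, so "keypad" should read "touchpad". While there, hyphenate it as "three-finger tap".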
diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index f21c7050b3..194b7c44f9 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -11,7 +11,7 @@ ### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) ### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) ### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -### [Enable a Windows Phone 8.1 upgrade to Windows 10 Mobile in an MDM environment](upgrade-a-windows-phone-8-1-to-10-with-mdm.md) +### [Upgrade a Windows Phone 8.1 to Windows 10 Mobile using MDM](upgrade-a-windows-phone-8-1-to-10.md) ### [Configure MDT settings](configure-mdt-2013-settings.md) #### [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) #### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) diff --git a/windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md b/windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md deleted file mode 100644 index 1833cb22c9..0000000000 --- a/windows/deploy/upgrade-a-windows-phone-8-1-to-10-with-mdm.md +++ /dev/null 
@@ -1,112 +0,0 @@ -**Enable a Windows Phone 8.1 upgrade to Windows 10 Mobile in an MDM environment ** - -Summary -======= - -This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. See the section to determine whether your device is eligible for the update. -The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must "opt-in" to be offered the upgrade. -For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. -For Enterprises, Microsoft is offering a centralized management solution through Mobile Device Management (MDM) that can push a management policy to each eligible device to perform the opt-in. -If you use a list of allowed apps (whitelisting) through MDM, see the documentation [here](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056(v=vs.85).aspx#whitelist) to make sure system apps are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are known issues listed in the documentation that could adversely affect the device after you upgrade. See this documentation for rules to avoid. -Some enterprises may want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the  section. Enterprises that have blacklisted the Upgrade Advisor app can use the solution that's described in this article to select the upgrade timing on a per-device basis. - -More information -================ - -To provide enterprises with a solution that's independent of the Upgrade Advisor, a new registry key in the registry configuration service provider (CSP) is available. A special GUID key value is defined. 
When Microsoft Update (MU) detects the presence of the registry key value on a device, any available upgrade will be made available to the device. - -Prerequisites -------------- - -- Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. - -- Device connected to Wi-Fi or cellular network to perform scan for upgrade. - -- Device is already enrolled with a MDM session. - -- Device is able to receive the management policy. - -- MDM is capable of pushing the management policy to devices. (The minimum version for popular MDM providers that support the solution in this article are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0.) - -**Instructions for the MDM server** - -The registry CSP is used to push the GUID value to the following registry key for which the Open Mobile Alliance (OMA) Device Management (DM) client has Read/Write access and for which the Device Update service has Read access. - -| \[HKLM\\Software\\Microsoft\\Provisioning\\OMADM\] - "EnterpriseUpgrade"="d369c9b6-2379-466d-9162-afc53361e3c2” | -|------------------------------------------------------------| - -The complete SyncML command for the solution is as follows. -**Note**: The SyncML may vary, depending on your MDM solution. 
- -SyncML xmlns="SYNCML:SYNCML1.1"> - -<SyncBody> - -<Add> - -<CmdID>250</CmdID> - -<Item> - -<Target> - -<LocURI>./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/ EnterpriseUpgrade</LocURI> - -</Target> - -<Meta> - -<Format xmlns=”syncml:metinf”>chr</Format> - -</Meta> - -<Data>d369c9b6-2379-466d-9162-afc53361e3c2</Data> - -</Item> - -</Add> - -<Final/> - -</SyncBody> - -</SyncML> - -The OMA DM server policy description is provided in the following table: - -| OMA-URI | ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | -|-----------|-------------------------------------------------------------------------------------| -| Data Type | String | -| Value | d369c9b6-2379-466d-9162-afc53361e3c2 | - -After the device consumes the policy, it will be able to receive an available upgrade. -To disable the policy, either delete the OMADM registry key or set the EnterpriseUpgrade string value to anything other than the GUID. - -How to determine whether an upgrade is available for a device -------------------------------------------------------------- - -The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. -However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). -We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. 
-Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 mobile](https://www.microsoft.com/en/mobile/windows10) page. - -How to blacklist the Upgrade Advisor app ----------------------------------------- - -Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows Phone Upgrade Adviser is listed in the following location: - - - -For more information about how to do this, see the [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/en-us/windows/dn771706.aspx) topic on TechNet - -Applies to -=========== - -- Windows 10 Mobile Enterprise, released in November 2015 - -- Windows 10 Mobile, released in November 2015 - -- Windows Phone 8.1 - -- Windows Phone 8 for Business From 61d50538ddc63a8f2e055db516db249b5509392d Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 31 May 2016 13:27:27 -0700 Subject: [PATCH 144/169] fixed typos --- ...-windows-telemetry-in-your-organization.md | 25 ++++++++----------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index 58de9307b7..5cc81e98f4 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md 
@@ -14,8 +14,7 @@ keywords: privacy Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. -**Note**   -This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server. +>**Note:**  This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server. It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers. 
@@ -29,7 +28,7 @@ Microsoft is committed to improving customer experiences in a mobile-first and c Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers. -For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for youcr organization. +For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. ## How is telemetry data handled by Microsoft? 
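Review bot: The Windows Insider Program link on the changed line still uses http://insider.windows.com. Since this line is already being edited for the "youcr" typo, change the scheme to https:// so the documentation does not send readers over a plaintext request first.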
@@ -91,8 +90,7 @@ The levels are cumulative and are illustrated in the following diagram. These le The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions. -**Note**   -If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. +> **Note:**  If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered. 
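Review bot: The blockquote marker on the added Security-level note is `> **Note:**`, with a space after `>`, while the other notes converted in this commit use `>**Note:**` with no space. Pick one form and apply it to every converted note so they render and diff consistently.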
@@ -104,8 +102,7 @@ The data gathered at this level includes: - **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - **Note**   - You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + >**Note:**  You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).   @@ -128,7 +125,7 @@ The Basic level gathers a limited set of data that’s critical for understandin The data gathered at this level includes: -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including: +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview instances in the ecosystem, including: - Device attributes, such as camera resolution and display type 
@@ -152,7 +149,7 @@ The data gathered at this level includes: - **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. - - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. + - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. - **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started 
@@ -168,7 +165,7 @@ The data gathered at this level includes: ### Enhanced level -The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experiencewith the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. +The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. 
@@ -204,8 +201,7 @@ However, before more data is gathered, Microsoft’s privacy governance team, in We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. -**Important**   -These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). +>**Important:**  These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on. 
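Review bot: The rewritten Important note still carries the typo "how you can to opt in or opt out" from the removed line. This commit is titled "fixed typos", so drop the stray "to" here: "how you can opt in or opt out".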
@@ -213,7 +209,7 @@ The lowest telemetry setting level supported through management policies is **Se ### Configure the operating system telemetry level -You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any devicelevel settings. +You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device level settings. Use the appropriate value in the table below when you configure the management policy. 
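Review bot: On the changed line, "devicelevel settings" became "device level settings", but as a compound modifier it should be hyphenated: "device-level settings". The sentence states which configuration wins when a management policy and a local setting disagree, so the wording should be unambiguous.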
@@ -274,8 +270,7 @@ There are a few more settings that you can turn off that may send telemetry info - Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. - **Note**   - Microsoft do not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. + >**Note:**  Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.   From 3c16f5bca1ac8b90e3b345bb0cf369a6955e6154 Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Tue, 31 May 2016 13:28:04 -0700 Subject: [PATCH 145/169] changed title --- ...ce.md => advanced-uefi-security-features-for-surface-pro-3.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename devices/surface/{advanced-uefi-security-features-for-surface.md => advanced-uefi-security-features-for-surface-pro-3.md} (100%) 
diff --git a/devices/surface/advanced-uefi-security-features-for-surface.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md similarity index 100% rename from devices/surface/advanced-uefi-security-features-for-surface.md rename to devices/surface/advanced-uefi-security-features-for-surface-pro-3.md From b6494a061c05f6a5a3041fad6bca6ddfd3d12f40 Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Tue, 31 May 2016 13:42:46 -0700 Subject: [PATCH 146/169] fixed title in index --- devices/surface/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/index.md b/devices/surface/index.md index d0bb077b72..447cdeea27 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -35,7 +35,7 @@ For more information on planning for, deploying, and managing Surface devices in -

      [Advanced UEFI security features for Surface](advanced-uefi-security-features-for-surface.md)

      +

      [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

      Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.

      From 7258705cce0b1159a41e98d33edd1bc834262174 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 31 May 2016 13:48:03 -0700 Subject: [PATCH 147/169] fixing TOC --- windows/deploy/TOC.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 194b7c44f9..86ea7532e1 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -11,7 +11,6 @@ ### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) ### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) ### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -### [Upgrade a Windows Phone 8.1 to Windows 10 Mobile using MDM](upgrade-a-windows-phone-8-1-to-10.md) ### [Configure MDT settings](configure-mdt-2013-settings.md) #### [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) #### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) From 84a283998387179ee7f8e170b694006a51362280 Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Tue, 31 May 2016 14:06:23 -0700 Subject: [PATCH 148/169] fixed linking text to match articles --- .../advanced-uefi-security-features-for-surface-pro-3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index a122041eec..c90f8d9b3a 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md 
@@ -22,7 +22,7 @@ To address more granular control over the security of Surface devices, the v3.11 Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically by using Windows Update, see [How to configure and use Automatic Updates in Windows]( http://go.microsoft.com/fwlink/p/?LinkID=618030). -To update the UEFI on Surface Pro 3, you can download and install the Surface UEFI updates as part of the Surface Pro 3 Firmware and Driver Pack. These firmware and driver packs are available from the [Surface Pro 3 page](https://www.microsoft.com/en-us/download/details.aspx?id=38826) on the Microsoft Download Center. You can find out more about the firmware and driver packs at [Download Surface Firmware and Drivers Updates](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). The firmware and driver packs are available as both self-contained Windows Installer (.msi) and archive (.zip) formats. You can find out more about these two formats and how you can use them to update your drivers at [Manage Surface Firmware and Driver Updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates). +To update the UEFI on Surface Pro 3, you can download and install the Surface UEFI updates as part of the Surface Pro 3 Firmware and Driver Pack. These firmware and driver packs are available from the [Surface Pro 3 page](https://www.microsoft.com/en-us/download/details.aspx?id=38826) on the Microsoft Download Center. You can find out more about the firmware and driver packs at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). 
The firmware and driver packs are available as both self-contained Windows Installer (.msi) and archive (.zip) formats. You can find out more about these two formats and how you can use them to update your drivers at [Manage Surface driver and firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates). ## Manually configure additional security settings From e7c787afb0fff61daedfddd50930117d6c5a49db Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 31 May 2016 14:13:39 -0700 Subject: [PATCH 149/169] changed index.md and updated 7707381 --- windows/deploy/TOC.md | 4 ++-- windows/deploy/index.md | 4 ++-- windows/deploy/upgrade-windows-phone-8-1-to-10.md | 12 ++++-------- 3 files changed, 8 insertions(+), 12 deletions(-) diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 86ea7532e1..d0819639d7 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -1,5 +1,4 @@ # [Deploy Windows 10](index.md) -## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) ### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) @@ -38,6 +37,7 @@ ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md) ## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) +## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md) ## [Volume Activation [client]](volume-activation-windows-10.md) ### [Plan for volume activation [client]](plan-for-volume-activation-client.md) 
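Review bot: The TOC entry added in the @@ -38,6 +37,7 hunk is titled "Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management", but the H1 this same commit sets in upgrade-windows-phone-8-1-to-10.md ends with "Mobile Device Management (MDM)". Make the TOC and index.md link text match the article title exactly, as the preceding commit did for the Surface links.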
@@ -133,4 +133,4 @@ ###### [Recognized Environment Variables](usmt-recognized-environment-variables.md) ###### [XML Elements Library](usmt-xml-elements-library.md) ##### [Offline Migration Reference](offline-migration-reference.md) - +## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) diff --git a/windows/deploy/index.md b/windows/deploy/index.md index 0e5d1a0f8b..defe5b7387 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md 
@@ -15,7 +15,6 @@ Learn about deploying Windows 10 for IT professionals. |Topic |Description | |------|------------| -|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. | |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. | 
@@ -24,10 +23,11 @@ Learn about deploying Windows 10 for IT professionals. |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | |[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. | +|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. | |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. | |[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. | |[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. | - +|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). 
| ## Related topics - [Windows 10 and Windows 10 Mobile](../index.md) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index 0094c456c4..2a752e928a 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md 
@@ -9,18 +9,14 @@ ms.pagetype: mdt author: greg-lindsay --- -# How to enable a Windows Phone 8.1 upgrade to Windows 10 Mobile in an MDM environment +# Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) ## Summary -This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. See the How to determine whether an upgrade is available for a device section to determine whether your device is eligible for the update. +This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. To determine if the device is eligible for an upgrade, see How to determine whether an upgrade is available for a device. -The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. +The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through Mobile Device Management (MDM) that can push a management policy to each eligible device to perform the opt-in. -For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. - -For Enterprises, Microsoft is offering a centralized management solution through Mobile Device Management (MDM) that can push a management policy to each eligible device to perform the opt-in. - -If you use a list of allowed apps (whitelisting) through MDM, see the documentation here to make sure system apps are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are known issues listed in the documentation that could adversely affect the device after you upgrade. See this documentation for rules to avoid. 
+If you use a list of allowed applications (known as whitelisting) through MDM, see the documentation here to make sure system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are known issues listed in the documentation that could adversely affect the device after you upgrade. See this documentation for rules to avoid. Some enterprises may want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the How to blacklist the Upgrade Advisor app section. Enterprises that have blacklisted the Upgrade Advisor app can use the solution that's described in this article to select the upgrade timing on a per-device basis. From 1f76df0bb54d25065cb9661a3414585984db9491 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 31 May 2016 14:28:02 -0700 Subject: [PATCH 150/169] added in page link --- windows/deploy/upgrade-windows-phone-8-1-to-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index 2a752e928a..dd86596b93 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md 
@@ -12,7 +12,7 @@ author: greg-lindsay # Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) ## Summary -This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. To determine if the device is eligible for an upgrade, see How to determine whether an upgrade is available for a device. +This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. To determine if the device is eligible for an upgrade, see [How to determine whether an upgrade is available for a device](#Howto). The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through Mobile Device Management (MDM) that can push a management policy to each eligible device to perform the opt-in. @@ -81,7 +81,7 @@ After the device consumes the policy, it will be able to receive an available up To disable the policy, either delete the OMADM registry key or set the EnterpriseUpgrade string value to anything other than the GUID. -### How to determine whether an upgrade is available for a device +### How to determine whether an upgrade is available for a device The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. From a4a7a2464876a4cbda6a62d12376d7de03d5a3c4 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 31 May 2016 14:46:32 -0700 Subject: [PATCH 151/169] fixing anchor --- windows/deploy/upgrade-windows-phone-8-1-to-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index dd86596b93..c0cad00ee1 100644 
--- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -12,7 +12,7 @@ author: greg-lindsay # Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) ## Summary -This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. To determine if the device is eligible for an upgrade, see [How to determine whether an upgrade is available for a device](#Howto). +This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. To determine if the device is eligible for an upgrade, see [How to determine whether an upgrade is available for a device](#howto). The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through Mobile Device Management (MDM) that can push a management policy to each eligible device to perform the opt-in. @@ -81,7 +81,7 @@ After the device consumes the policy, it will be able to receive an available up To disable the policy, either delete the OMADM registry key or set the EnterpriseUpgrade string value to anything other than the GUID. -### How to determine whether an upgrade is available for a device +### How to determine whether an upgrade is available for a device The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. From 0cf233e358c15b8a6014d5790bc9a1a80f60709f Mon Sep 17 00:00:00 2001 
From: Trudy Hakala Date: Tue, 31 May 2016 14:54:44 -0700 Subject: [PATCH 152/169] updates for 7746292 --- .../images/room-control-wiring-diagram.png | Bin 0 -> 10489 bytes ...se-room-control-system-with-surface-hub.md | 271 ++++++------------ 2 files changed, 90 insertions(+), 181 deletions(-) create mode 100644 devices/surface-hub/images/room-control-wiring-diagram.png 
diff --git a/devices/surface-hub/images/room-control-wiring-diagram.png b/devices/surface-hub/images/room-control-wiring-diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..5a2ecf613edea2a9108d9107e923a03312f400af GIT binary patch literal 10489
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 70f4344966..b467970fef 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md 
@@ -13,14 +13,9 @@ Room control systems can be used with your Microsoft Surface Hub. Using a room control system with your Surface Hub involves connecting room control hardware to the Surface Hub, usually through the RJ11 serial port on the bottom of the Surface Hub. -## Debugging +## Terminal settings - -You can use the info in this section for debugging scenarios. You shouldn't need it for a typical installation. - -### Terminal settings - -To connect to a room control system control panel, you don't need to connect to the Surface Hub, or to configure any terminal settings. For debugging purposes, if you want to connect a PC or laptop to your Surface Hub and send commands from the Surface Hub, you can use a terminal emulator program like Tera Term or PuTTY. These are the terminal settings you'll need: +To connect to a room control system control panel, you don't need to configure any terminal settings on the Surface Hub. If you want to connect a PC or laptop to your Surface Hub and send serial commands from the Surface Hub, you can use a terminal emulator program like Tera Term or PuTTY. @@ -54,20 +49,24 @@ To connect to a room control system control panel, you don't need to connect to + + + +

      Flow control

      none

      Line feed

      every carriage return

        -### Wiring diagram +## Wiring diagram -You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial port to a room control system. This is the recommended method. +You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial port to a room control system. This is the recommended method. You can also use an RJ-11 4-conductor cable, but we do not recommend this method. -You can also use an RJ-11 4-conductor cable, but we do not recommend this method. You'll need to convert pin numbers to make sure it's wired correctly. The following diagram shows how to convert the pin numbers. +This diagram shows the correct pinout usedfor an RJ-11 (6P6C) to DB9 cable. -![image showing the wiring diagram. ](images/roomcontrolwiring.png) +![image showing the wiring diagram. ](images/room-control-wiring-diagram.png) -### Command sets +## Command sets Room control systems use common meeting-room scenarios for commands. Commands originate from the room control system, and are communicated over a serial connection to a Surface Hub. Commands are ASCII based, and the Surface Hub will acknowledge when state changes occur. @@ -106,7 +105,7 @@ The following command modifiers are available. Commands terminate with a new lin   -### Power +## Power Surface Hub can be in one of these power states. @@ -157,9 +156,76 @@ Surface Hub can be in one of these power states. -  +In Replacement PC mode, the power states are only Ready and Off and only change the display. The management port can't be used to power on the replacement PC. -### Brightness + +++++ + + + + + + + + + + + + + + + + + + + +
      StateEnergy Star stateDescription

      0

      S5

      Off

      5

      50

      Ready

      + +For a control device, anything other than 5 / Ready should be considered off. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      CommandState changeResponse

      PowerOn

      Device turns on (display + PC).

      Power=0

      PowerOn

      PC service notifies SMC that the PC is ready.

      Power=5

      PowerOff

      Device transitions to ambient state (PC on, display dim).

      Power=0

      Power?

      SMC reports the last-known power state.

      Power=<#>

      + + +## Brightness The current brightness level is a range from 0 to 100. @@ -191,18 +257,10 @@ Changes to brightness levels can be sent by a room control system, or other syst

      PC service notifies SMC of new brightness level.

      Brightness = 50

      - -

      Brightness?

      -

      SMC sends a message over the control channel to request brightness.

      -

      PC service notifies SMC of new brightness level.

      -

      Brightness = 50

      - - +  -  - -### Volume +## Volume The current volume level is a range from 0 to 100. @@ -234,47 +292,14 @@ Changes to volume levels can be sent by a room control system, or other system.

      PC service notifies SMC of new volume level.

      Volume = 50

      - -

      Volume?

      -

      SMC sends a message over the control channel to request volume.

      -

      PC service notifies SMC of new volume level.

      -

      Volume = 50

      -   -### Mute for audio and microphone +## Mute for audio -Audio and microphone can be muted. - - ---- - - - - - - - - - - - - - - - - -
      StateDescription

      0

      Source is not muted.

      1

      Source is muted.

      - -  - -Changes to microphone or audio can be sent by a room control system, or other system. +Audio can be muted. @@ -294,32 +319,14 @@ Changes to microphone or audio can be sent by a room control system, or other sy - - - - - - - - - - - - - - - - +

      AudioMute+

      SMC sends the audio mute command.

      PC service notifies SMC that audio is muted.

      AudioMute=<#>

      MicMute+

      SMC sends the microphone mute command.

      -

      PC service notifies SMC that microphone is muted.

      MicMute=<#>

      AudioMute?

      SMC queries PC service for the current audio state.

      -

      PC service notifies SMC that audio is muted.

      AudioMute=<#>

      MicMute?

      SMC queries PC service for the current microphone state.

      -

      PC service notifies SMC that the microphone is muted.

      MicMute=<#>

      none

        -### Video source +## Video source Several display sources can be used. @@ -351,10 +358,6 @@ Several display sources can be used.

      3

      VGA

      - -

      4

      -

      Wireless

      - @@ -377,7 +380,7 @@ Changes to display source can be sent by a room control system, or other system. -

      Source=<#>

      +

      Source=#

      SMC changes to the desired source.

      PC service notifies SMC that the display source has switched.

      Source=<#>

      @@ -389,7 +392,7 @@ Changes to display source can be sent by a room control system, or other system.

      Source=<#>

      -

      Source+

      +

      Source-

      SMC cycles to the previous active input source.

      PC service notifies SMC of the current input source.

      Source=<#>

      @@ -403,101 +406,7 @@ Changes to display source can be sent by a room control system, or other system. -  - -### Starting apps - -Surface Hub keyboard supports starting apps with special keys. Room control systems can invoke those keys through the management port. There is no expected response for these commands. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
      StateDescription

      0

      Start large-screen experience (LSX)

      1

      Start LSX custom app 1

      2

      Start LSX custom app 2

      3

      Start LSX custom app 3

      - -  - -Changes to display source can be sent by a room control system, or other system. - - ----- - - - - - - - - - - - - - - -
      CommandState changeResponse

      AppKey=<#>

      Send a command to

      -

      PC service notifies SMC that the display source has switched.

      Source=<#>

      - -  - -### I'm done - -People will be able to start the I'm done feature on a Surface Hub from a room control system. I'm done removes any work that was displayed on the Surface Hub before ending the meeting. No information or files are saved on Surface Hub. - - ----- - - - - - - - - - - - - - - -
      CommandState changeResponse

      I'm done

      Start I'm done activity on Surface Hub.

      none

      - -  - -### Errors +## Errors Errors are returned following the format in this table. From b812ae8e3e395e807947afb10e24aece16092aca Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 31 May 2016 15:02:49 -0700 Subject: [PATCH 153/169] typos --- .../manage/configure-windows-telemetry-in-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index 5cc81e98f4..0c28495bbb 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md 
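Review bot: typo in the sentence added under "## Wiring diagram" in use-room-control-system-with-surface-hub.md: "pinout usedfor an RJ-11" should read "pinout used for an RJ-11". The same hunk deletes the warning that a 4-conductor cable needs its pin numbers converted but still offers that cable as an option, so either drop the 4-conductor mention or keep the conversion warning next to it.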
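Review bot: the tables added under "## Power" in use-room-control-system-with-surface-hub.md disagree with each other. The state table maps 0 to S5 / Off and the new text says anything other than 5 / Ready should be considered off, yet the PowerOff row describes an "ambient state (PC on, display dim)" and the first PowerOn row answers Power=0 for a device that "turns on". Say which response a controller should wait for after PowerOn, and reword the PowerOff row so it matches the Off definition. The Energy Star state for state 5 reads "50" directly below "S5"; confirm the intended value.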
@@ -279,7 +279,7 @@ There are a few more settings that you can turn off that may send telemetry info ### Drive higher application and driver quality in the ecosystem -Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications +Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications. 
### Reduce your total cost of ownership and downtime From 757fe6defde63707078085147923177f7a71ae02 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 31 May 2016 15:09:53 -0700 Subject: [PATCH 154/169] fixing image issue --- devices/surface-hub/use-room-control-system-with-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index b467970fef..1158773d5f 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -64,7 +64,7 @@ You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial This diagram shows the correct pinout usedfor an RJ-11 (6P6C) to DB9 cable. -![image showing the wiring diagram. ](images/room-control-wiring-diagram.png) +![image showing the wiring diagram.](images/room-control-wiring-diagram.png) ## Command sets From f51ead17f4b5c350ce85408800a7b85461bcebbb Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 31 May 2016 15:42:52 -0700 Subject: [PATCH 155/169] some edits --- .../deploy/upgrade-windows-phone-8-1-to-10.md | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index c0cad00ee1..526351a3e1 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -2,7 +2,7 @@ title: Upgrade Windows Phone 8.1 to Windows 10 Mobile in an MDM environment (Windows 10) description: This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. keywords: upgrade, update, windows, phone, windows 10, mdm, mobile -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt 
@@ -11,14 +11,18 @@ author: greg-lindsay # Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) +**Applies to** + +- Windows 10 Mobile + ## Summary -This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using MDM. To determine if the device is eligible for an upgrade, see [How to determine whether an upgrade is available for a device](#howto). +This article describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile using Mobile Device Management (MDM). To determine if the device is eligible for an upgrade, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. -The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through Mobile Device Management (MDM) that can push a management policy to each eligible device to perform the opt-in. +The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. -If you use a list of allowed applications (known as whitelisting) through MDM, see the documentation here to make sure system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are known issues listed in the documentation that could adversely affect the device after you upgrade. See this documentation for rules to avoid. 
+If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade. -Some enterprises may want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the How to blacklist the Upgrade Advisor app section. Enterprises that have blacklisted the Upgrade Advisor app can use the solution that's described in this article to select the upgrade timing on a per-device basis. +Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the [How to blacklist the Upgrade Advisor app](#howto-blacklist) section in this article. Enterprises that have blacklisted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. ## More information 
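Review bot: the two in-page links added in this Summary hunk target #howto-upgrade-available and #howto-blacklist, while the matching heading lines in the last hunk of this patch show no visible id, so check that both anchors are defined with exactly these lowercase names (the previous two commits were spent on #Howto and #howto). The first link also calls its target a "topic in this article" and the second a "section in this article"; use "section" for both.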
@@ -28,9 +32,9 @@ To provide enterprises with a solution that's independent of the Upgrade Advisor - Windows Phone 8.1 device with an available upgrade to Windows 10 Mobile. - Device connected to Wi-Fi or cellular network to perform scan for upgrade. -- Device is already enrolled with a MDM session. +- Device is already enrolled with an MDM session. - Device is able to receive the management policy. -- MDM is capable of pushing the management policy to devices. (The minimum version for popular MDM providers that support the solution in this article are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0.) +- MDM is capable of pushing the management policy to devices. Minimum version numbers for some popular MDM providers that support this solution are: InTune: 5.0.5565, AirWatch: 8.2, Mobile Iron: 9.0. ### Instructions for the MDM server @@ -44,7 +48,7 @@ The registry CSP is used to push the GUID value to the following registry key fo The complete SyncML command for the solution is as follows. -Note The SyncML may vary, depending on your MDM solution. +Note: The SyncML may vary, depending on your MDM solution. ``` SyncML xmlns="SYNCML:SYNCML1.1"> 
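Review bot: in the prerequisites list (the @@ -28,9 +32,9 @@ hunk above), the rewritten MDM bullet still spells the products "InTune" and "Mobile Iron"; the vendor spellings are "Intune" and "MobileIron". Since the line is being rewritten anyway, fix both in the same change.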
@@ -79,25 +83,23 @@ Value d369c9b6-2379-466d-9162-afc53361e3c2 After the device consumes the policy, it will be able to receive an available upgrade. -To disable the policy, either delete the OMADM registry key or set the EnterpriseUpgrade string value to anything other than the GUID. +To disable the policy, delete the OMADM registry key or set the EnterpriseUpgrade string value to anything other than the GUID. -### How to determine whether an upgrade is available for a device +### How to determine whether an upgrade is available for a device -The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. - -However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). +The Windows 10 Mobile Upgrade Advisor app is not designed or intended for Enterprise customers who want to automate the upgrade process. However, the Windows 10 Mobile Upgrade Advisor app is the best mechanism to determine when an upgrade is available. The app dynamically queries whether the upgrade is released for this device model and associated mobile operator (MO). We recommend that enterprises use a pilot device with the Windows 10 Mobile Upgrade Advisor app installed. The pilot device provides the device model and MO used by the enterprise. When you run the app on the pilot device, it will tell you that either an upgrade is available, that the device is eligible for upgrade, or that an upgrade is not available for this device. -Note The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. 
To check for compatibility and other important installation information, see the Windows 10 mobile page. +Note: The availability of Windows 10 Mobile as an update for existing Windows Phone 8.1 devices varies by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. To check for compatibility and other important installation information, see the [Windows 10 mobile](https://www.microsoft.com/en/mobile/windows10) page. -### How to blacklist the Upgrade Advisor app +### How to blacklist the Upgrade Advisor app -Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows Phone Upgrade Adviser is listed in the following location: +Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows Phone Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL: http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07 -For more information about how to do this, see the Try it out: restrict Windows Phone 8.1 apps topic on TechNet. +For more information about how to do this, see [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/en-us/windows/dn771706.aspx). ## Related topics 
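Review bot: In the hunk at @@ -28,9 +32,9 @@, the rewritten MDM requirements bullet keeps the vendor names as "InTune" and "Mobile Iron"; the product names are "Intune" and "MobileIron". The new sentence also runs two colons together ("... are: InTune: 5.0.5565, ..."); "Intune 5.0.5565, AirWatch 8.2, MobileIron 9.0" reads more cleanly.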
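Review bot: In the hunk at @@ -79,25 +83,23 @@, the reworded line "To disable the policy, delete the OMADM registry key or set the EnterpriseUpgrade string value to anything other than the GUID" still treats removing a whole key and changing one value as interchangeable. The policy is a single string value, so the narrower instruction is to delete or change EnterpriseUpgrade itself; if deleting the key really is intended, say what else under OMADM is affected. In the same hunk, the added blacklist paragraph has "Window Phone Store" (should be "Windows Phone Store") and "Upgrade Adviser" where the rest of the text uses "Upgrade Advisor", and the example Store link is plain http.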
From 1e3e04982a25eb0674540b82b66c84938fe9af4f Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 31 May 2016 15:55:37 -0700 Subject: [PATCH 156/169] fixed table --- windows/deploy/upgrade-windows-phone-8-1-to-10.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index 526351a3e1..06736b9eaa 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -46,9 +46,7 @@ The registry CSP is used to push the GUID value to the following registry key fo ``` -The complete SyncML command for the solution is as follows. - -Note: The SyncML may vary, depending on your MDM solution. +The complete SyncML command for the solution is as follows. Note: The SyncML may vary, depending on your MDM solution. ``` SyncML xmlns="SYNCML:SYNCML1.1"> @@ -72,14 +70,11 @@ SyncML xmlns="SYNCML:SYNCML1.1"> The OMA DM server policy description is provided in the following table: -``` -OMA-URI ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade -``` -Data Type String -``` -Value d369c9b6-2379-466d-9162-afc53361e3c2 -``` +| OMA-URI ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | +| Data Type String | +| Value d369c9b6-2379-466d-9162-afc53361e3c2 | + After the device consumes the policy, it will be able to receive an available upgrade. From 9f32206a1a0e97ee7636fae925002e5fc0003c36 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 31 May 2016 16:14:27 -0700 Subject: [PATCH 157/169] table again --- windows/deploy/upgrade-windows-phone-8-1-to-10.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index 06736b9eaa..fcd5564915 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md 
+++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -70,10 +70,11 @@ SyncML xmlns="SYNCML:SYNCML1.1"> The OMA DM server policy description is provided in the following table: - -| OMA-URI ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | -| Data Type String | -| Value d369c9b6-2379-466d-9162-afc53361e3c2 | +|Item |Setting | +|------|------------| +| OMA-URI |./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade | +| Data Type |String | +| Value |d369c9b6-2379-466d-9162-afc53361e3c2 | After the device consumes the policy, it will be able to receive an available upgrade. From 3a831739a0439566f7d3a4f3e010c81d7d299983 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 31 May 2016 16:51:54 -0700 Subject: [PATCH 158/169] again --- windows/deploy/upgrade-windows-phone-8-1-to-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index fcd5564915..4a59de5fa9 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -79,7 +79,7 @@ The OMA DM server policy description is provided in the following table: After the device consumes the policy, it will be able to receive an available upgrade. -To disable the policy, delete the OMADM registry key or set the EnterpriseUpgrade string value to anything other than the GUID. +To disable the policy, delete the **OMADM** registry key or set the **EnterpriseUpgrade** string value to anything other than the GUID. ### How to determine whether an upgrade is available for a device From e37cd8e0eabdf4dc2ee140e0a1ed896ef31b6bd2 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 1 Jun 2016 09:33:19 -0700 Subject: [PATCH 159/169] tweak link text --- education/windows/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/education/windows/index.md b/education/windows/index.md index 26974a5cdc..55697f65f9 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -25,4 +25,4 @@ author: jdeckerMS ## Related topics - [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index) -- [Try it out: virtual labs for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356) +- [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356) From e14cf5684a37c610d4b2080604fffdda104a6bdd Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 1 Jun 2016 09:35:18 -0700 Subject: [PATCH 160/169] updates from tech review --- .../use-room-control-system-with-surface-hub.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 1158773d5f..e3971aa2c6 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -185,7 +185,7 @@ In Replacement PC mode, the power states are only Ready and Off and only change -For a control device, anything other than 5 / Ready should be considered off. +For a control device, anything other than 5 / Ready should be considered off. Each PowerOn command results in two state changes and reponses. @@ -203,14 +203,10 @@ For a control device, anything other than 5 / Ready should be considered off. - - - - - - - + + + From a60787240326ce3167979755b65de681db40bb07 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 1 Jun 2016 11:02:07 -0700 Subject: [PATCH 161/169] editing change history --- .../manage/change-history-for-manage-and-update-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index df398cfd27..3035b4bb6c 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -17,7 +17,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | ---|---| | [Group Policies that apply only to Windows 10 Enterprise and Education Editions](group-policies-for-enterprise-and-education-editions.md) | New | -| [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) | Added section on how to turn off Live Tiles | +| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added section on how to turn off Live Tiles | | [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. | | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher | From e0e1891fdde9bb3324d29d8f14b0739402ccfb37 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 1 Jun 2016 12:51:18 -0700 Subject: [PATCH 162/169] space error --- devices/surface-hub/use-room-control-system-with-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index e3971aa2c6..447edd18aa 100644 
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -62,7 +62,7 @@ To connect to a room control system control panel, you don't need to configure a You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial port to a room control system. This is the recommended method. You can also use an RJ-11 4-conductor cable, but we do not recommend this method. -This diagram shows the correct pinout usedfor an RJ-11 (6P6C) to DB9 cable. +This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable. ![image showing the wiring diagram.](images/room-control-wiring-diagram.png) From 0d7d697908da8a424fccd21a958def0662b41342 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 1 Jun 2016 13:56:33 -0700 Subject: [PATCH 163/169] minor edits --- windows/deploy/upgrade-windows-phone-8-1-to-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index 4a59de5fa9..c2e678923a 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -55,7 +55,7 @@ SyncML xmlns="SYNCML:SYNCML1.1"> 250 - ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/ EnterpriseUpgrade + ./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade chr 
@@ -91,7 +91,7 @@ Note: The availability of Windows 10 Mobile as an update for existing Windows Ph ### How to blacklist the Upgrade Advisor app -Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows Phone Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL: +Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows 10 Mobile Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL: http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07 From 60ad78e71f336e6071e309ffd2a511c1a1c25edc Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 1 Jun 2016 15:37:35 -0700 Subject: [PATCH 164/169] checking new topic --- ...nfigure-a-pxe-server-to-load-windows-pe.md | 177 ++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 windows/deploy/configure-a-pxe-server-to-load-windows-pe.md diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md new file mode 100644 index 0000000000..e174209ece --- /dev/null +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md 
@@ -0,0 +1,177 @@ +--- +title: Walkthrough: Configure a PXE server to load Windows PE +description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. +keywords: windows pe, windows 10, upgrade, deploy, image +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deployment +author: greg-lindsay +--- + +# Walkthrough: Configure a PXE server to load Windows PE + +**Applies to** + +- Windows 10 + +This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. + +## Prerequisites + +- Deployment computer: A computer with the Windows Assessment and Deployment Kit (Windows ADK) installed (). +- DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests. +- PXE server: A server running the TFTP server service. +- File server: A server hosting a network file share. + +All four of the roles specified above can be hosted on the same computer if desired, but this is not required. + +## Step 1: Copy Windows PE source files to the PXE server + +### To copy source files to your PXE server: + +1. On the deployment computer, click **Start**, and type **deployment**. +2. Right-click **Deployment and Imaging Tools Environment** and then click **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. +3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. + +``` +copype.cmd +``` + +The value of <arch> can be **x86**, **amd64**, or **arm** and <destination> is a path to a local directory. If the directory does not already exist, it will be created. 
For example: + +``` +copype.cmd amd64 C:\\winpe\_amd64 +``` + +The script creates the destination directory structure and copies all the necessary files for that architecture. For example: + +C:\\winpe\_amd64 +C:\\winpe\_amd64\\fwfiles +C:\\winpe\_amd64\\media +C:\\winpe\_amd64\\mount + +4. Mount the base Windows PE image (winpe.wim) to the \\mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. To mount the image file, run the following command. Replace the directory names with the directory name that you used in the previous step. + +``` +Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount +``` + +5.Map a network share to the root TFTP directory on the PXE/TFTP server and create a \\Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, enable sharing this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of \\PXE-1\TFTPRoot. See the following example: + +``` +net use y: \\PXE-1\TFTPRoot +y: +md boot +``` + +6. Copy the PXE boot files from the mounted directory to the \\Boot folder. For example, + +``` +copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot +``` + +7. Copy the boot.sdi file to the PXE/TFTP server. + +``` +copy C:\winpe_amd64\media\boot\boot.sdi y:\boot +``` + +8. Copy the bootable Windows PE image (boot.wim) to the \\Boot folder. + +``` +copy C:\winpe_amd64\media\sources\boot.wim y:\boot +``` + +## Step 2: Configure boot settings and copy the BCD file + +### To configure boot settings: + +1. Create a BCD store using bcdedit.exe. For example: + +``` +bcdedit /createstore c:\BCD +``` + +2. Configure RAMDISK settings. 
See the following example: + +``` +bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" +bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice partition=C: +bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \winpe_amd64\media\boot\boot.sdi +``` + +3. Create a new boot application entry for the Windows PE image. See the following example: + +``` +bcdedit /store c:\BCD /set {GUID1} device ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} +bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe +bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} +bcdedit /store c:\BCD /set {GUID1} systemroot \windows +bcdedit /store c:\BCD /set {GUID1} detecthal Yes +bcdedit /store c:\BCD /set {GUID1} winpe Yes +``` + +4. Configure BOOTMGR settings. See the following example: + +``` +bcdedit /store c:\BCD /set {bootmgr} timeout 30 +bcdedit /store c:\BCD -displayorder {GUID1} -addlast +``` + +5. Copy the BCD file to your TFTP server. For example, + +``` +copy c:\BCD \\PXE-1\TFTPRoot\Boot +``` + +Your PXE/TFTP server is now configured. + +Note: You can view the BCD settings that have been configured using the command “bcdedit /store <BCD file location> /enum all. 
See the following example: + +``` +C:\>bcdedit /store C:\BCD /enum all +Windows Boot Manager +-------------------- +identifier {bootmgr} +description boot manager +displayorder {a4f89c62-2142-11e6-80b6-00155da04110} +timeout 30 + +Windows Boot Loader +------------------- +identifier {a4f89c62-2142-11e6-80b6-00155da04110} +device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} +description winpe boot image +osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} +systemroot \Windows +detecthal Yes +winpe Yes + +Setup Ramdisk Options +--------------------- +identifier {ramdiskoptions} +description ramdisk options +ramdisksdidevice boot +ramdisksdipath \boot\boot.sdi +``` + +#### The deployment process + +The following summarizes the PXE client boot process. + +1. A client is directed by DHCP options 066 and 067 to download boot\\wdsnbp.com from the TFTP server. +2. Wdsnbp.com validates the DHCP/PXE response packet and then the client downloads boot\\pxeboot.com. +3. Pxeboot.com requires the client to press the F12 key to initiate a PXE boot. +4. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD. +5. Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present. +6. Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image. +7. Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE. +8. The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. Using these tools together with a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system. 
+ +See Also +--------- + +#### Concepts + +[Windows PE Walkthroughs](https://technet.microsoft.com/en-us/library/cc748899.aspx) \ No newline at end of file From 707e682be8307696804ce89d2a5f57e4b27c96a9 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 1 Jun 2016 16:29:39 -0700 Subject: [PATCH 165/169] added to TOC --- windows/deploy/TOC.md | 1 + ...nfigure-a-pxe-server-to-load-windows-pe.md | 140 +++++++++--------- 2 files changed, 71 insertions(+), 70 deletions(-) diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index d0819639d7..cc0388e935 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -34,6 +34,7 @@ ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) ## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) ## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) +## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md) ## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md index e174209ece..0d9b9332db 100644 --- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md 
@@ -1,5 +1,5 @@ --- -title: Walkthrough: Configure a PXE server to load Windows PE +title: Walkthrough: Configure a PXE server to load Windows PE (Windows 10) description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. keywords: windows pe, windows 10, upgrade, deploy, image ms.prod: w10 
@@ -19,115 +19,115 @@ This topic describes how to configure a PXE server to load Windows PE so that ## Prerequisites -- Deployment computer: A computer with the Windows Assessment and Deployment Kit (Windows ADK) installed (). -- DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests. -- PXE server: A server running the TFTP server service. -- File server: A server hosting a network file share. +- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://www.microsoft.com/en-us/download/details.aspx?id=39982) (Windows ADK) installed. +- A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required. +- A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download. +- A file server: A server hosting a network file share. -All four of the roles specified above can be hosted on the same computer if desired, but this is not required. +All four of the roles specified above can be hosted on the same computer or each can be on a separate computer. -## Step 1: Copy Windows PE source files to the PXE server +## Step 1: Copy Windows PE source files from the deployment computer to the PXE server -### To copy source files to your PXE server: +### To copy source files to the PXE server: 1. On the deployment computer, click **Start**, and type **deployment**. 2. Right-click **Deployment and Imaging Tools Environment** and then click **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. 3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. 
-``` -copype.cmd -``` + ``` + copype.cmd + ``` -The value of <arch> can be **x86**, **amd64**, or **arm** and <destination> is a path to a local directory. If the directory does not already exist, it will be created. For example: + The value of **<arch>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory does not already exist, it will be created. For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory: -``` -copype.cmd amd64 C:\\winpe\_amd64 -``` + ``` + copype.cmd amd64 C:\winpe_amd64 + ``` -The script creates the destination directory structure and copies all the necessary files for that architecture. For example: + The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created: -C:\\winpe\_amd64 -C:\\winpe\_amd64\\fwfiles -C:\\winpe\_amd64\\media -C:\\winpe\_amd64\\mount + C:\\winpe\_amd64 + C:\\winpe\_amd64\\fwfiles + C:\\winpe\_amd64\\media + C:\\winpe\_amd64\\mount -4. Mount the base Windows PE image (winpe.wim) to the \\mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. To mount the image file, run the following command. Replace the directory names with the directory name that you used in the previous step. +4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example. 
-``` -Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount -``` + ``` + Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount + ``` -5.Map a network share to the root TFTP directory on the PXE/TFTP server and create a \\Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, enable sharing this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of \\PXE-1\TFTPRoot. See the following example: +5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of \\PXE-1\TFTPRoot: -``` -net use y: \\PXE-1\TFTPRoot -y: -md boot -``` + ``` + net use y: \\PXE-1\TFTPRoot + y: + md boot + ``` -6. Copy the PXE boot files from the mounted directory to the \\Boot folder. For example, +6. Copy the PXE boot files from the mounted directory to the \Boot folder. For example: -``` -copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot -``` + ``` + copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot + ``` 7. Copy the boot.sdi file to the PXE/TFTP server. -``` -copy C:\winpe_amd64\media\boot\boot.sdi y:\boot -``` + ``` + copy C:\winpe_amd64\media\boot\boot.sdi y:\boot + ``` -8. Copy the bootable Windows PE image (boot.wim) to the \\Boot folder. +8. Copy the bootable Windows PE image (boot.wim) to the \Boot folder. 
-``` -copy C:\winpe_amd64\media\sources\boot.wim y:\boot -``` + ``` + copy C:\winpe_amd64\media\sources\boot.wim y:\boot + ``` ## Step 2: Configure boot settings and copy the BCD file ### To configure boot settings: -1. Create a BCD store using bcdedit.exe. For example: +1. Create a BCD store using bcdedit.exe: -``` -bcdedit /createstore c:\BCD -``` + ``` + bcdedit /createstore c:\BCD + ``` -2. Configure RAMDISK settings. See the following example: +2. Configure RAMDISK settings: -``` -bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" -bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice partition=C: -bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \winpe_amd64\media\boot\boot.sdi -``` + ``` + bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice partition=C: + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \winpe_amd64\media\boot\boot.sdi + ``` -3. Create a new boot application entry for the Windows PE image. See the following example: +3. 
Create a new boot application entry for the Windows PE image: -``` -bcdedit /store c:\BCD /set {GUID1} device ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} -bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe -bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} -bcdedit /store c:\BCD /set {GUID1} systemroot \windows -bcdedit /store c:\BCD /set {GUID1} detecthal Yes -bcdedit /store c:\BCD /set {GUID1} winpe Yes -``` + ``` + bcdedit /store c:\BCD /set {GUID1} device ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe + bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} systemroot \windows + bcdedit /store c:\BCD /set {GUID1} detecthal Yes + bcdedit /store c:\BCD /set {GUID1} winpe Yes + ``` -4. Configure BOOTMGR settings. See the following example: +4. Configure BOOTMGR settings: -``` -bcdedit /store c:\BCD /set {bootmgr} timeout 30 -bcdedit /store c:\BCD -displayorder {GUID1} -addlast -``` + ``` + bcdedit /store c:\BCD /set {bootmgr} timeout 30 + bcdedit /store c:\BCD -displayorder {GUID1} -addlast + ``` -5. Copy the BCD file to your TFTP server. For example, +5. Copy the BCD file to your TFTP server: -``` -copy c:\BCD \\PXE-1\TFTPRoot\Boot -``` + ``` + copy c:\BCD \\PXE-1\TFTPRoot\Boot + ``` Your PXE/TFTP server is now configured. -Note: You can view the BCD settings that have been configured using the command “bcdedit /store <BCD file location> /enum all. See the following example: +Note: You can view the BCD settings that have been configured using the command **“bcdedit /store <BCD file location> /enum all**: ``` C:\>bcdedit /store C:\BCD /enum all From 002c324c72820439ed945e405db99dbec5990c21 Mon Sep 17 00:00:00 2001 
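Review bot: In Step 2 of the new PXE topic (@@ -0,0 +1,177 @@), step 3 is titled "Create a new boot application entry" but every command is a /set on {GUID1}; nothing creates the entry or tells the reader where GUID1 comes from, and step 4 sets a timeout on {bootmgr} without creating it either. Add the bcdedit /create calls before the /set lines (for the loader, /create /d "winpe boot image" /application osloader, which returns the GUID to substitute for GUID1). The commands also point at partition=C: and [c:]\winpe_amd64\..., while the sample /enum all output shows ramdisksdidevice boot, \boot\boot.sdi and [boot]\boot\boot.wim; the deployment process section has the client download boot\boot.sdi and boot\boot.wim from the TFTP server, so the commands should use the paths the sample output shows.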
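Review bot: In the re-indented steps (@@ -19,115 +19,115 @@), step 5 tells the reader to enable sharing for the TFTP root and verify it can be accessed on the network, with no word on who may write to it. Everything a PXE client boots (the BCD store, boot.sdi, boot.wim) is served from that folder, so the step should say to limit write access on \\PXE-1\TFTPRoot to the deployment administrators. Also in this hunk: step 4 still names winpe.wim while the command mounts boot.wim, and the Note line now puts the bcdedit /store ... /enum all command in bold with an opening curly quote that is never closed.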
From: Greg Lindsay Date: Wed, 1 Jun 2016 17:00:00 -0700 Subject: [PATCH 166/169] several edits --- .../change-history-for-deploy-windows-10.md | 10 +++++++ ...nfigure-a-pxe-server-to-load-windows-pe.md | 30 +++++++++---------- .../deploy/upgrade-windows-phone-8-1-to-10.md | 2 +- 3 files changed, 25 insertions(+), 17 deletions(-) diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index 00404f4def..ef6b329f37 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md @@ -11,6 +11,16 @@ author: greg-lindsay # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## June 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New | + +## May 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) | New | + ## December 2015 | New or changed topic | Description | |----------------------|-------------| diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md index 0d9b9332db..3c8d7acd2a 100644 --- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md 
@@ -1,21 +1,23 @@ --- -title: Walkthrough: Configure a PXE server to load Windows PE (Windows 10) +title: Configure a PXE server to load Windows PE (Windows 10) description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. -keywords: windows pe, windows 10, upgrade, deploy, image +keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: deployment +ms.pagetype: deploy author: greg-lindsay --- -# Walkthrough: Configure a PXE server to load Windows PE +# Configure a PXE server to load Windows PE **Applies to** - Windows 10 -This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. +## Summary + +This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network. ## Prerequisites 
@@ -26,19 +28,19 @@ This topic describes how to configure a PXE server to load Windows PE so that All four of the roles specified above can be hosted on the same computer or each can be on a separate computer. -## Step 1: Copy Windows PE source files from the deployment computer to the PXE server - -### To copy source files to the PXE server: +## Step 1: Copy Windows PE source files 1. On the deployment computer, click **Start**, and type **deployment**. + 2. Right-click **Deployment and Imaging Tools Environment** and then click **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. -3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. + +3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **<architecture>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory does not already exist, it will be created. ``` - copype.cmd + copype.cmd ``` - The value of **<arch>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory does not already exist, it will be created. For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory: + For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory: ``` copype.cmd amd64 C:\winpe_amd64 @@ -85,8 +87,6 @@ All four of the roles specified above can be hosted on the same computer or each ## Step 2: Configure boot settings and copy the BCD file -### To configure boot settings: - 1. Create a BCD store using bcdedit.exe: ``` 
@@ -125,9 +125,7 @@ All four of the roles specified above can be hosted on the same computer or each copy c:\BCD \\PXE-1\TFTPRoot\Boot ``` -Your PXE/TFTP server is now configured. - -Note: You can view the BCD settings that have been configured using the command **“bcdedit /store <BCD file location> /enum all**: +Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command “bcdedit /store <BCD file location> /enum all. See the following example: ``` C:\>bcdedit /store C:\BCD /enum all diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index c2e678923a..f79c20d4ba 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mdt -author: greg-lindsay +author: Jamiejdt --- # Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM) From 0638414cca87e1f45f62e9b6fe1fa1c8482cecd0 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 1 Jun 2016 17:18:18 -0700 Subject: [PATCH 167/169] minor fixes --- ...configure-a-pxe-server-to-load-windows-pe.md | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md index 3c8d7acd2a..164be99f99 100644 --- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md 
@@ -47,18 +47,18 @@ All four of the roles specified above can be hosted on the same computer or each ``` The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created: - + + ``` C:\\winpe\_amd64 C:\\winpe\_amd64\\fwfiles C:\\winpe\_amd64\\media C:\\winpe\_amd64\\mount - + ``` 4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example. ``` Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount ``` - 5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of \\PXE-1\TFTPRoot: ``` @@ -66,19 +66,16 @@ All four of the roles specified above can be hosted on the same computer or each y: md boot ``` - 6. Copy the PXE boot files from the mounted directory to the \Boot folder. For example: ``` copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot ``` - 7. Copy the boot.sdi file to the PXE/TFTP server. ``` copy C:\winpe_amd64\media\boot\boot.sdi y:\boot ``` - 8. Copy the bootable Windows PE image (boot.wim) to the \Boot folder. ``` @@ -92,7 +89,6 @@ All four of the roles specified above can be hosted on the same computer or each ``` bcdedit /createstore c:\BCD ``` - 2. Configure RAMDISK settings: ``` 
@@ -100,7 +96,6 @@ All four of the roles specified above can be hosted on the same computer or each bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice partition=C: bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \winpe_amd64\media\boot\boot.sdi ``` - 3. Create a new boot application entry for the Windows PE image: ``` @@ -111,21 +106,19 @@ All four of the roles specified above can be hosted on the same computer or each bcdedit /store c:\BCD /set {GUID1} detecthal Yes bcdedit /store c:\BCD /set {GUID1} winpe Yes ``` - 4. Configure BOOTMGR settings: ``` bcdedit /store c:\BCD /set {bootmgr} timeout 30 bcdedit /store c:\BCD -displayorder {GUID1} -addlast ``` - 5. Copy the BCD file to your TFTP server: ``` copy c:\BCD \\PXE-1\TFTPRoot\Boot ``` -Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command “bcdedit /store <BCD file location> /enum all. See the following example: +Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command “bcdedit /store <BCD file location> /enum all. The GUID displayed below is an example and your GUID will be different: ``` C:\>bcdedit /store C:\BCD /enum all @@ -154,7 +147,7 @@ ramdisksdidevice boot ramdisksdipath \boot\boot.sdi ``` -#### The deployment process +## PXE boot summary The following summarizes the PXE client boot process. From 51dee484e90e00c638048cfa9a3bc90e91359a15 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Jun 2016 10:45:57 -0700 Subject: [PATCH 168/169] added to index.md --- windows/deploy/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deploy/index.md b/windows/deploy/index.md index defe5b7387..4e09532aaf 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md 
@@ -20,6 +20,7 @@ Learn about deploying Windows 10 for IT professionals. |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. | |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. | |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. 
Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | |[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. | From 41aa33c7c29f153c338e6d18f3a161015d403315 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Jun 2016 10:56:42 -0700 Subject: [PATCH 169/169] corrected typo --- .../configure-a-pxe-server-to-load-windows-pe.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md index 164be99f99..a304a10c23 100644 --- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md @@ -49,10 +49,10 @@ All four of the roles specified above can be hosted on the same computer or each The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created: ``` - C:\\winpe\_amd64 - C:\\winpe\_amd64\\fwfiles - C:\\winpe\_amd64\\media - C:\\winpe\_amd64\\mount + C:\winpe\_amd64 + C:\winpe\_amd64\fwfiles + C:\winpe\_amd64\media + C:\winpe\_amd64\mount ``` 4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example. 
@@ -118,7 +118,7 @@ All four of the roles specified above can be hosted on the same computer or each copy c:\BCD \\PXE-1\TFTPRoot\Boot ``` -Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command “bcdedit /store <BCD file location> /enum all. The GUID displayed below is an example and your GUID will be different: +Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. ``` C:\>bcdedit /store C:\BCD /enum all @@ -147,7 +147,7 @@ ramdisksdidevice boot ramdisksdipath \boot\boot.sdi ``` -## PXE boot summary +## PXE boot process summary The following summarizes the PXE client boot process.
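
Review bot: In the Step 2 hunk of configure-a-pxe-server-to-load-windows-pe.md that re-indents the bcdedit fences, step 3 opens with `bcdedit /store c:\BCD /set {GUID1} device ramdisk=...`, but nothing in steps 1 to 3 creates the entry that {GUID1} stands for, so a reader working from the empty store made by `bcdedit /createstore c:\BCD` has no GUID to substitute. Add the `bcdedit /store c:\BCD /create /d "<description>" /application osloader` line ahead of the `/set` commands and say that the GUID it prints replaces {GUID1}. Step 4 has the same gap: `/set {bootmgr} timeout 30` is issued with no preceding `/create {bootmgr}`, whereas step 2 does create {ramdiskoptions} before setting values on it.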
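
Review bot: In PATCH 166/169, hunk @@ -26,19 +28,19 @@, step 3 says the script requires two arguments, yet the fenced syntax line reads only `copype.cmd` on both the removed and the added side, so the reader never sees where the architecture and the destination go. Show both placeholders inside the fence, and use the same placeholder name there as in the sentence, which this hunk renames from **<arch>** to **<architecture>**.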
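
Review bot: In PATCH 167/169, hunk @@ -47,18 +47,18 @@, step 5 tells the reader to "enable sharing for this directory, and verify it can be accessed on the network" without saying which accounts need access or at what level. The later steps copy the PXE boot files, boot.sdi, boot.wim and the BCD into this share, and that is what clients load at network boot, so the step should state that write access to the TFTPRoot share is limited to the deployment administrators. In the same hunk, step 4 names the image as winpe.wim while the Dism command mounts `boot.wim`; make the prose match the command.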
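
Review bot: In PATCH 169/169, hunk @@ -49,10 +49,10 @@, the four directory lines lose the doubled backslashes but keep the `\_` escape, and because PATCH 167/169 put these lines inside a fence the backslash is displayed literally, as in `C:\winpe\_amd64`. Write them as `C:\winpe_amd64`, `C:\winpe_amd64\fwfiles` and so on, matching the `copype.cmd amd64 C:\winpe_amd64` example in step 3.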
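
Review bot: In PATCH 169/169, hunk @@ -118,7 +118,7 @@, removing the stray opening quote leaves `bcdedit /store <BCD file location> /enum all` as plain running text, with nothing to mark where the command begins and ends or to keep the angle-bracket placeholder from being read as markup. Set the command in code or bold formatting, as the earlier "Note:" revision of this sentence did, and merge "See the following example. Note: Your GUID will be different than the one shown below." into a single sentence.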

      PowerOn

      Device turns on (display + PC).

      Power=0

      PowerOn

      PC service notifies SMC that the PC is ready.

      Power=5

      Device turns on (display + PC).

      PC service notifies SMC that the PC is ready.

      Power=0

      Power=5

      PowerOff

      Device transitions to ambient state (PC on, display dim).

      x$S^(>D@>?TqL^@(P%(k zqHdc*MN4{cmU7~KvsozZsOZ^Puy>u@R$0icZCm9QSP`bf#z#r%0d3nr$1so!g`41^ zkBL~~gU34B<0g1%A&cByljzht6h+k2r)24ba)?_}oaYbh{lkl-m-`I+wsL;P-x?Gz zE}RkUveaaXE}?WdXTK<@1_i)Xg1wD(wbj*`rUc}KV*8`^&X+8+M9@MGxc1w_87s^y zP)hv)2A2a_!A53+?|6|aAhJ4ZQqL!YyV!2ya99(igm^1byro&kqie*Oc{Q6o$J|mY z#s65!ystB4H5+O$IdlGex2TPi^KFA-X)CqRl!d1{HN2-bmS%W8NP{ z9xt^EO4ivTSra1X?Po`Ldtr5$+Czj-NooKzp}uDb#J}N;eSmK7K}(bIn|Qx9{=*8F zsy+g7Pc=kqu=d6!whER>pqb^Z>vxbF;sDfNGcEsspt3Ipa|LH^{q_OdA zT~*Fcq9vI+JFwo}5+icsb>kM5r9z=06=~9^CF)N6y!-a)_rb(-I!?(CMNQp7`H>GCnepeS@W%0wm7R(XJ9+_4Rgwrx?QV=WOxuZsBCw{VFB%s&m0l4ClHpZ=U(qC!^` zewot{QD7T1N$1_i2FgmSYG5^cWz)0bGSBy&RO^jRsmYUC>amCTuYa6&>v5qm%0J?r znXswvcT~f4jq(BC6s$6TS4H(*HE9^FQTOdU5&N8+BIfxmw<5WLAy7ZjTh7b9E8Ccq zca>FG5+)&uhkoy~yWVIh`GdRhP<2x-8Ev=>ovw*K-}o7cy;7LF`P*C96kSkWhde#z zTT_(aP&H}K^;PzBVUDi9dRp&uFpRRT>7w~5a*!B>dS2fWRW7WBjcWxVhG;F-#ML>| z7yhmEuLIIk=fjvI|QWxcZ}>U7@+A|38#D3UZ`J|Ky{P*l;yT%9$jz zm4$usr28C(u2CMiS84@_56sXJl@Q$f65K^MHeC0LsS{;9FaBF>n~z(qTcUp|!s_1H zFkaNO>I+r>vz>g_$qvxy<_u0<0j8`XO|JY zJqPYS(OpE{`qWUzgkEHqn9Kg@_+F>i%Z*AzcXn7m zSmlq9Y`78|n_zcgRqK^FuaPL|ARv2AC5it!+Q(jpzQjFVVD|nnX9FC-)U>cfHEe4z$n;6_48dQt zpz^7ccSWOmOoqz;eP;s?7Un);g7CBi zaP+a6ZCFOL8@V;7etG=4@A{V*iQj}hubOw*Xne#B4z0W8SCK%&wJpdk7w*QT>dPs= zk|jh(=jP>OMLJ+EHN<|R%hfBm`*t#T{Nm8|zA()Lu${_S%Fv+3*u9HwnzhK^-|BuI zXhly~{rdrY4EkB^xxH zQMso?gEnyRJCaG&kxt%2(x@JQR}bKkDY!>9`}OApi%u?j&iGtijtRH2V8YJVF|bPI z8|t+>s*4;tPJR^CPoRBwZQ!b#-dsCvC~M#a6}Tg$G)yzQ8Fine zXSuExnKEo=aDt8|5A(7s4_f}7VGx99;;tO*uZ6vD$sLJ4Q++j{q=y+feK3wKdZ|S< z%8+1_nk*L2@Aq2B-b9J*+{l zw=N+!UkiL`d8iA!0-UMj2iIK+^Ra?WLiE8`Qg0EB*m&;Ofc(v;AQ3r123BbT-UYZ# z+(Sg$hp&<)foa5MHx(s(nX2;|<^453^KG7Yo=x~K8wrVI#ky=p_c5l-2e6nZkoF4ZJw;gX6`q^Zdk=?gg!7z1+)&>Q( zH3ZU@PQN17IiMQ&4)8#}J_L~UHhc0Bb?CD;QT>rGlLTq|J(<#O9g;)?3-dhSO9jS>M z1>a4Xw8=FlCmm#9i@isw8$`qCVI@So?s8#f1nC4YiWq0e{-&&~nkH%h8{6o~On)vh zu90w5W-cwSG%NeKy=gg7X9#qBjHhr`f%Z;sqKQPDqN=b(?nz9QhAM0=7#pY3xaj4dUCGdBDa(9^sC5Q7B}o*Z(lLK%!jB2O|EPq2CPBS 
zz|F~Y%@1M;?0-Efw`;W@iy*4O-aCRDi0P|bX)q~Ho}-u8n?!67W1wDM2cp!k`iiOW zi+VhEa+l&_LS~<%B44ShygUar+b%!TY1;l4JgBB+ z8?#-e4UigeQkku}Isv#PbSwfKo^ip#`hmENaC~K%>lg!!u(u;g=beMpCju?(GCf-{vq&Owfj8f8XPlgm$lk%!*FWc_2POtM>Dh42j7f)Bi%O{+{GWtmM09MREzde**U%fPvd(6Q_D7 z1Y83i(FZJ)BmP-W7fQl8_CuB&6!hrJ)!M(m+wEY&?9+O2=#=;)gq&ec?|$#oLj~s{ z+7;IF6v{D*q1*;31l_=gx2bPmdu9hg6Mk439W9K=j4Q{I;A~ZxU<`H2NGWgOz~p7} z@KqbPLI58x!-D*}xSNlXVfQ9|iyS23GQsM;B=bmM{r?HP8$;xb?g6JVN@b89g&$U0 zY2pc>a!>pCGo&eNlGJSOGp1D^N{9mwgTtCKqZ zQMx>Njg5nYq+ue1ckX}|fPgnf4BU$3&$xLWyhb2cLm$EezbdzjF_4vRA9IGHW_)E~3o zi-ak@JHS)vh9tCXJYwTvJUCq%UJO75$SRHSN|=5F4Z@PY7TdTagE983TdHfw>r?q! zJ>iN<=)*+7TK?(^yOhyyhEAzfI1dW%yqQW%`kwQ=cxQ$*G&WjQ3gtO4GlaoIS2p9# zT5SiY7=y#7utnmKVUhGHm*EGEi}D*Ta10@!B6Ef*j&$(Bo1>UOO!@$n%#B0pw(-t+ z3zXHEnec$M40xE-8`5ATjp%u1)@Z2YL0^I2V@7`D@ohgR}k%9W;$s20Y*pV0gqGy1t zfDehU5mcTUM!X<82~M1Rc7^IjJ(EH-5)0PLEnH<-~Q;E zG9r9QPeZ_7@FpMn0YEiwY*;vT$Wu4mp(i!m;FQf2mCWd`Q}8%z^cNm!u=EgsGkw-5 zimPFvYjltvkdGk<;eh!t$%7ryadr>P=`p?2i&J;7&QKM{Whyy69bL3_$SMqzl#`M$ z0GII_W5EQZ>tZa2k=9_i7SaV^Rig1Mf?=SPL|2<<3*aaqpfFa)W1`^3YP6m%;dN^W z6%V>5x=Ms159tt^u{?mxXtel@k%A}#uvV#z$xr|zF2nF#h47~EsY0~86qWpx!FV7( zDVm-E@bL){rAJwKuz*lJz^3adUCM6gLm0|UF|^VeD16}8Z{dNuFyyV=(xagGrW|Ap z2P3}BLmF-~$+cIBg(j0nI;hkV4xhq^Uv zpm87*JmFb45l}OH`7=skbv@M^d8$|4b@EUj8dHEpfBN7kFFcBiCqo~MSDm}hD2(yy zKI#$!9G)LA;xQUBQD=Ch13Vi%t8d^+MjCK&OWtHh-s%aDbbt;5ViQLI2ypVg$(w8q zfdEYT0)5~hFLFjc@qy&8F3CcVOI&4UTX<0S_|>c9Oeha~ASa-WM^yU6{^+B0vFy!FU z!c#^d3RL97`(OalrzjOizVaih;ursYxqGGzefbsd#fy7>8=GX1WTydUGzFx}?V2jS zbn#L;pd8W=9u>dCL{7$Kh2!B%S9ywe@yJYiAO7p^&yV(Rej=5S%)#8FaMH(@9udfZpmx7PR>UfTfMHC!-b|1 zQIv}zKlMNvcypA+Z-Av$r+62dKAtEiMSD6b-gVO%iTrprl=JzfGLY%2d+LMir#k_l z7gL77kiL`?!P~}@@6+9Wp9>WrU(_+=8JZqMaeziFB8Z zTfPurJVReR1bBJO=9LWNa3<*U%Y|kD`HPe&Hm|m>7s|Vk2jG|IOTiu_OczU57dxG2lh)J4d$wu55LCQPSN^6mJy*HCWB^$q zjkB29H_lY|Tqcb?)4kE%sR8>JgXC*0*!U@4eXj|b7mKHt3XzX`e6IB;u8Anub4|x( za;V1lpD78e-synvhLDP%`fc^mg{1jH5uTKpolQsnrYn)vbJgFM3?SF$5^Me_OHCkB 
zY|FwtGaG6Tc`a9YF-T=tHe>A85*tgM>{xuqJKm8-JwxXw6M!yjdNs1omVlt;hA!Wq zEzvKNqGtN78CSQ@l<26XhNTDAo7YxkdSFSYiB{w7(}{qv30WI@tPN&oGxW@e?!qCP zT%N7|UUWcKp(c9`#RracnVG_nA&kE-%{>TKKFTJXFm;1##s71X+BJam#(IiKWyEODQeDwn2d>L{MhptvlrX z0y5qtMHwb(iDzez%>@?DJM+Q9ZD~_DyKC(5(OTL0=inWiQfvs}p#Vh!v!liiE(_Od zF*<%#fPL+}B4B#+%{Ql@ZIH0>z(xojxkc}G{#g_*oIEL;^BwGZv*_I7ba~2)g4?ES z*N{p>jM8_z{CIOV!Pt;si@6H60AKldD>gg`Bj3Kk`YwG-W`w!rmRp`Wtmm1;$AdZ$ z#|93YNyyM-iiSmeX(2N9+paiq)S1l|>P#7w-@Vc$k}EVx`J1mSxV38jJ57;8CJjyGNdo`hL=i~%4)YB8IgsJFqVV%i_tru0C3qcM3E@2GzpAy*o`AUib08NjIgVU z@F}<5OLb0zN~BzN*icAkJE%mJAstF7AD_;9;E^kzu#^xWFfNuTdNvx^`eY+ z_8DFxGhyY27u#cjBz*)Tz})t18yJ-D=}5jd=KupBAW!AB6VI+aGNV6we|7K;{Vbqk zA8d-8tnVfx_sH8;V2y}fmB4@(ukmma8yN$9pN`eEv(8~l!Z}w%eQF$SvA5Haosyq2 z(%k}Uyvf6N@*x|t)6lUcaxU_nPS_q#KFSA}>4N&@Bxy|OBQUcZlb(?$d)BDq0ie@g zjs%-`1_e;XhceJXPL`obeB1FVeU6>F)^JLLQ^ecXuvmskA2>)P>STAF`mpDzy}~ep5z;V-S?mJwp##ct)+_ z7&FDS%@{}yE4%pOsXzi^qzs+HmN5e5@<4@G8I%`zYjJtZ;-~-$!(g9x*gPRKI};zL0SCy(>HA<1uQ?q`{jZ zGr&)gY|Z3p)O|#@NMqnU0$Z*rFN3y)lwy3L_!=_xzzfwF0xQY|q%;<`oQjWs#?E8W zSQv)k=>i4iS2h5^D3yy6Galz9r~`(tjsOG?6!-%-4FJ!E=V+TR*{FAo2SWxXfQCl} zz=45#Jg;itHMYvxUuMT}@T5V(gL4%CJR@dIc*h?;3@4Ep8IcDNl8>Gp(CX_mV^=oi z1a7s{?R-?_0YKz!%RgWN9xmxPH$$(3oH+<=0RMLlag4|XuqqR0Km!O2-B*9gPi}a_m%6rHSr`oh z-q%L8;2R^=*eDYJqALzSTLx{Q>D7o(-*Q7SMGj)L_KtO)puuWQL8rMOdtLxe-Q zq%Ut3gfBc29smJ^6rR_D7o;_nkF5lCOq~ zQvv8oXTA_ATYZ+n7FYvG9xy%P1n@Ee8zPUYXI>jXkv9+pn4A-JWT=QN)B`?wZR!UY z8D>)+`k_H3PhdmuJyV~3!ei-=@9Kw4@FH!pG89mD-6y=VdG+g(hWNgVrw-U5C%|xp z`r!2F_DfHA_#vIXj%Yy0hzG3B=o1~oljrVn($oiVrK{3l`#fEG3t#9Tec|*}omAsW z-}G2C4)6d!r;AtRot-+&8$3<7{Le4Z2oqoiadf9aDU z08^(xfhPlW7>c1J`oR04E4+=886r>m!82l1h*1D|2MuWi>ky*hvPloH>9rWn;9c{; z0azK8dQopYKl;Wfg<Y09mBc%E#g0E}%Z54{20e&dha*b|RdSvV8)71$U{R_A(E)nFm% zDTm8pSkh$^8ZXX^a>@e_(ox@i5`Wl6`sBF_2?y*ntmIzgeue3WN6M^Gh821>*Cto%S*!4R5df4Z|Z!)95hR^6PJ%JU%RlH|I z7Zs2(N*Q<@lvm-5?NBZTNNAK!*W9=&4+Dq*0-gs21(f3I)=95V42h6SIHe4Pqx(X@ z09sxM_%Yxj&v*$cP?tv6gz$8+C?I3eP*6CH3eW)r6jE9R{`e5LlmjS87x+k{^2H}Z 
z2mFAC^69FTu?b_SK>mgX@Box_GXbJ9xvIQA>q7FBNHFU6#+$^>Ytoa)GsfO^&-NP`ZD zLzae-7@gm`#>!K`0borKY0#Bh8HWkKCW$q!(vYt%vTmn|8C_lX|Nr*xFsE@ChypO& zffI2BPQcar8;L7$Gj_kO-YQ$cQcBuR+xMiXZQ?lgc>Fw`*i+Z(qdb&@73TbAv)OiD z&s87gH3Q(%(!uFzBGGxV>yTF60`hmAELng^6~Sp^as@h(>z<1=)h)VBrx1wF&V?h5 zNONgdGZchNr<5JB(^F*23YDJA09nx$&-K26fspoGf=;o#-Q#_PG8^2GF;Z7v1FYE= zJ=vX^C>KK`Q2ym_*U8fWpEh8Wq1$-G?*`h5zHvcHqi^fu&MU{VJo!yWm52T^Sjav4yDO9L;3&a`2#n(S zPN0ZZAvKK79Hk|E76N6`(1he3f}m9HUBc+@JYg+?)F~Q4`HbbEp*&N1`Fe&%)VT~C z$kch~MjgB+dL=;|zg&yuI>%9zdu%BsxjKyDCOIpKa`PoLA=DuWa&g zsJHXr8Q@;Bbe;^Prw{62Hp4Yy)@n8;jd}#qgE}cw^xt#osZU6IFYg5|lE@7ZmiEkV z`jL^cj!X46hw(^jF?pI#*agS@BWuRx2Fe(hNeAQeN+-wGql-)DPDE&)5 z0XatBr1@WY=$1VE{!D*U-hH8t28Bj@8w8CxQGUuq+0xV% zQpk9TEg`Q}aQR%K5GG(LHzWR}V>+sL>tU)KZ>4>=E{o^q=T%%5gf_JUE1T)eRFK;t zE`j0?xGT6vCU#tH%Uy8^?MsGJp>3xUbK3Y&a9LRSb^rSM`fiOTQ~xJWAU>O^(2!ON zOeJOV^Cowy!trlU_0a~C%cgxV0aJa*)1iI&9Zn))~@|wHxf7PkM^)Tm}o*47k2$;9dSsK1jzs&N+PdLddma5$Cd=J+AWz zKDxH=(K&K40tnH1VmqX4d$mgpkf%)y7Tw#VV;P;9j`IdGyCm%Zwc*AL&5J%8Mob?O zuus2Tvp&@BF0(=TWr`_Iggm5Ej!Us-i|fPIWg(8l8ZHZOZn6ASSQ^D5npj5Vve162 z{8*94n$F7Cn{iul?Gi(}HW1mujHK=Mq+bZsQa3I(JIL%5vo+e7edwhJ{?zFPi*bYRyxw3iT)^MygzIM=0D?1nohu|NV zMNym+1|tjlS-FDW2!WY^MM&2cd+`Nq&ql7o9NOk;8?y*@zKaxQOS}$Y(+FY#Rx)Kb zpx6+>Xb`JIU>%zY#D-uUBW2G(=wgB7{-QV~O3208VQsN3uHq4hxgg$zT~}Nawp+7W zxe|~n5@y}9W?8ag7I0~>hQ+JMmRKauYC)`VL9nn{*1}lI@9F7jyOmpP4CxU+%hObR5tS{mn?(Zj zj)Q+q3~UkH_Hj+OT8gbu3LSn7uSNnl8U=Ps7qldEk(2PLUc0j2*K}J(&WV| z=06rqjpfUSEG(ut#eBj@mlceJ#r<`^;N`+kdI2ME*0C3Z^j{vX$=f-3CC2lu;8<;Z z?V!VJywocp55X-HGSDB^sF!dMix%>1X`Dxp%Hf=AX;bN4&v{4(;im@IbezERJXapl z%EPB~K5vPP;h1fF%~*?&>#`_D00~fNYlR&lU5D?9F)K|71NpLoop&ASy5=+au!HjLf>-spTuyL6^N92AqdOtPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf|D{PpK~#8N?EUAL zZEJR)hs~$pKdf8-5?0wb9h&sb=KM|yz32f z{@&l5Z(8`3U-^~u!^6W^T3U(^wtv01^YioB+53B2SXh{yy+612b3VS`^X~n=eYdhb zJw1&J7cRuYU;fK~`TS4+=|3Hto13#+A8h}!w#CK8_pLA+ufbpt@ z*ZXf%v5e#UF%ONGr0M-!zQ#>Gc|UGvXJ^svc7I#`sW*S=Fa4!h`0|&(eEuK)hyURR 
zVEQk4dlCeBI2^`gGI?Le(R^$)8t>aUegLMw`)!_Y?^i3?vhDSHzYXk|Ceq4#P`3=!!Fxn!9M=E_qK1vVgBf zJdTfTJj&N*;pSP{JbCQda?1annD+er+qeAE?7i7xwwd>jG1JEbSm4KZeDAw%k3aL+ z```YmVVz?VlMk51^X>6x{Je2cAF9>b?5eLl+068b1yh0aOMmze$AwFme*XZ~!X_gp zlWBBX?ew9<=>(yfaBmuM#(qv*xV)f3aYU^0z4P-kz+e^*SN-#ulxv@zUG>>-ZS(UY zlzA(kF9Mli?Y79+s-lsu?ZmZG-297~l-Ou23t%G~18VpJA<*EkpnzkD|PU!_yQ7xUKQ!V*Vf zLmn>jjtKvP?^U zsQhH}K6_p$X*J$UOO>cpmoxs}o)VsM$b9e_wlltCnJ$s;3TZY^GHZ$N!h-ios2K&a zV>+E?7*q0VUfzO4=FW#R?xx>wmd&sYBPA%~XOMYmQCag@+W|-i7lBXm zU^y0+8nJcxX4KYJB9?r{CyoC?OgW#7DbK+uPWBJt*MI#Vz6Youfa$-Y?eO3re(4|l zgZT6-ugtFe%iokC_YwP>Z{CgZXb_|BaV$)_?jmHH* z;{0@~$Pog<$aUpriUKG^=P1j!1ep6A6!^1%EqVoE&p0UT{PWIx!Y%-%@+jmpO;nIM zQ@Q+^O2X-aO2f%HO0RYZNHe`FO6FaZq_T*T0~XbKBbMv6I7fre2x9?dw(jWm$8pl? z#Aw)!_4Q_KZ)~6#jp+6U2`rV`V$|!^SV38=IAkiy;VHmE2IV&=q`6wFkv5{sUwOug zXNl(`L9~tH9UXV#{_buJd!x9pxgIyKZpWpa)gXFtN zC;pv^@(YzLYxe;lcg{B}T(d%1T$mEQB3oIWr2X`)$kxKrgitN9I?pY~Ib}9pJZE2v z#oDF#*pK~8TzT#W-?kJiTfWCWVDF$nC-=MYtAG1f;=ldB{8?nDV9y6&`mbmcO#jL+ z{$hOYbDxV5iTwT8RP-}|#9H;;x88|yzsETYb=XEhdLTnT&L&6-3=ilb^8qXnVInHb zz*I$(G32?X&_ZDn$RTeib_GlY(PSlDJ3ki~3X||iuoS3FK!)c=n1r>+UyANI!U#~N zD+1w^v7DnUi@u)#k{Xr3=7*DE&qB(LcVrNYe7}xz*BXsjTCTPj>!_?1@tuIhEj)`;A7OGA8a-;Kho` z0?M$-$I%2ZJSF}oF#zBM;R??z1DuAx1ZpnAu-Det0dK$*fL#=A0jCA>U_$y&j@xm7 z!dfPl=L%rI4eMK3X~JkLN*dRTd=xMpMxP38ZXqmlPpjn|FfFBQj*(|pz)O@XvN0r& z2gG$urLnkJjXH5!rg9)V^4$!FxROe9kKa`AmeqL;If1b+Q)!U7<7mWrbthi@+)u`h zS6+?kN;S)7iM*nU2uddU{nO~|w&Pd-&fkvz{=fZ?V|`;QWA&ti>9=3~VEdk%weup1 zRRogXoL2-G1(n}29FqnZq1J)8B-kp8}$1 zzDwX<_sf230Yyu}bLT22r-KM5bD0qng=jw0e*4{ zcnM&p1-usErdSAuJs3o*N z%;VrKDf?Eof zmjyMB)aVLT@%OnS-1#uA9%{f|0F@AUQK98GK%}WG$jV@| zBIP}GLSTC@klae#%4VF4&=q7V4qC{0}fWDJ4` zO1eD62Ts`lyo~e$_XVv*zybCQ;0vfj_K6QJ!v0{xm5OmDzT}J6aw@%fYMQOgWThNU zyNubin$1i4j{)F$B_jCg5-9+}Edn%e`q;BA7y6)$wi(seZ-M(r@R1+#&PcF&YgniiX}`KhG!x(p(c@N2&z`l zUeVky749jO(vV8QeQN%iuU672w?1PGl{>MhU(qZ+Ps65qeXxCxEft7O;hZ;?qyTVv-XM`;IuqbLN8k#?`JB)2ju@8LIM0WQ zLMY4`Chz)qapv=!*I`3~PPs1_QD8H0tWI}bg$ci2_M7KdVtc1=evL(%1As$0PYwz 
zwbERPt5>eZ^UppXFTMOqJomzf;`+_ovA($-AW?LAPTy-^_DjAegEgJx@l-29_AKBm z2%g5(c$RbtX#N==0YJdBf^$nC5@39S^8^fj>*q8*!yb$e);EO-yQM6U*Hz4UeXTaW zR58`Ha4LS(yaK@eZk0l;abNes#_C$EtgcdNEoc5(XZ!6UW1b)fyfv3YK~YfA${XW#gEC%9f#W z^uFnE&u{vi-%EKmtc?9rvzg8hw(qgc!88FPg~s0k636`Ke?=%#Xl8$kwx+B?=ea_v z;N{yXh&*F>vv378#2;lT&X)ksR63NuR%5SMqTZ+`sM<(SuP<_KA@_QN zy}1;P<|1rnF;*ItSY>Z|9e~x(CcE+*igbPt1xn#Z&~u+v6mG_g3;EkP%~_?&Y6I2s zl72oPS zB0lk{Psg(_emE{%y+++ui2{>U4VCH)^8Z}p&=}TT+Vds2feJ$!-udz1(PeHXx zd6@i0qn7uZJg+rm8Hu7qorn>SB2dJc3+&m*XmtIVCjzJsmkKx=tORUjQQ7m4!t)Wc zLU}bUld-NB^4&_IH;OJ5kru>YNX0O#?d)MdAcRRdlOI_j^G&oP<0YUc>U-{UewQQv z{7`=DY1*Ey)chWA3R?>AW1E6GH)RzJ8Bzj?+w8jU$a0jWl$Vq&_h~H24wqHd(^v)o ztJMN-f?-u41nlZflxnpat83L*Td&2+dIN@qLalMW>fT6YTw6maxwgL1;93~ry}!M#siwdi|AobJPd9>0czKz) z0_ZCDO0&kd>ZAcc&2S6of`93s)K4jxoK98VIk>{E&QMzYnwac%Y2qyar5W{FgFJ92 zOh8q|TwQ6zXFl_Z_^}`Rk@(^d{ek%8D=)`$x30z3+Dh!+e;99k{TuO*|K2~2U;c$( ziof-XzZ8G>SN=}?&0qM%_}jnyx8t>MycvDi;nwy}T)TQJKKilG#I4&el8y%Hs}ern zSf~OV#(Oz;Tdnn@>bEWRh?R$BYZ?+i(jPn=0WkVRkM(DE;uw?u_@o^N2gh-Ibezm| z3cyzDHOjLQTU%>!`SLal`Xce!j1|&l+UyY^~DTTx!ah<=X zWm985*#0?NGLqSrwRj3C=Q0CpT(6@nWm8DX{jy=iXo4@J2!P~r1MmUt8Y?iy6<7#> zS%+OVR{_oyk2Qd>7MokE38E`JY*fhRN{#Eb@S>nx zTVb!kTm@>)MH!?3S<@XLLm`Gn)#D;@ou^HK&op{HulbZa$|!?F1B^?vS?8N2PPY0A z!fqXLBImcw|jWOE?*;PoUGaA__Q-Cb{Poj{cAV zm9NI@ue}+2yL-_(YLQAxI ztD1Lyk+8j-y&uSmWWkRycR^iOgZ|vPj0&)pQI^z9R@2fDJ@cyn`z+7RWY@sGqjhA% zls@8#4W9aFOrOsf2JuQuVUbFP-x5<9xji6k*qZxyjcdAjh|U-3R!|Fzd09Fft>QEeDIh0rl4}voL+``$Pya>UPTj~ zy#a`>ZUBHAfFbO&4xrWn&^lnd0^5{@)?t{k)OsE8m9aLKVT33*fVM27)x?%1!U`4k zY#`v{3c7%=&?fVo{Tct#AY_{6>ER6(hTZEK|IEU|GWFZ08RxtFuIR@DOdGIK8$>jZ zGY?3wfMdsW&2m3)gUS#l(`f^qC;d1%u@`{-Eqeg!5L4I&CL2)z7UEu6swOLx>DX7) zmTcp*0t>&ev(3AQ@y@E5yiY%CjX^drj}tz0d8{?ZDtp{q*evtk8T&n`z~CuOAR&+|MxuYl6!!|RrjP$n~_ zH2JQUfsI_cRgi&Y%bCl9R>~rn#kW1W3AUD(WpCIS4)30eYTlO;&dT4oD$7&AZ)__& zfA(hZx8-kn+Yfl9N#$Ivm2yg#kX^|LqXeAkO?e^iCBIS)cs_p`*^*A;qFYGtPnW}Y zY;%2kKW>j>!FTR%rZ;Q6Cvl(2&U>4QvOwpFdpx1Po6XFdzn|xxAiTD3DwtJ zbwc=%@i{9~0qU?oX2%aKt8xr5eHstE|+j 
z*+^nZ=^9w9kam0P+39^r5L<*zScb$(!A4N+6Dmq7u#+nkg<4(PA1uE*Ny zY61{1CD@vYH2`p#bSfiWvP^BwKchUfU~JMlQ>F;l?r;LOK!gOx8F7}eR|(Jl%T0u; zX-|nPE6RRWdCmR#%AO#c5=)*MIvJ8|u$c8kf~!`(UQR$JAgu!{kp&niLXqX%0Q^_A zM5xTy*6Ub4SRz_CR-T5>=KD!3s8D#@S~S5pWe2wJQ>Q7f#K|8-$BNnRgM8H>a#I$q zjIul2`*5F|V= ze0;Vmz?raFeifFQilXH6+xV!M0)tGrRwGRa(Xwd*B&=S0&(x>MrEC5!4w_DY4Cip}l<1(@nd$$Xa4gudXBy}_z#qRDwy!H0G@%B3psTfwH zxp^V#>pL-AsKsQl2Dp(QRu*C?f944(hCQBV7&Y=>J$<1Yap~d(*z;DbudT+~+Bysr zFr|F;L#l8V-vSk$t^spO%R#^~@9hukG1)D<`ID6-N3CJoG0%~aW#Y5aXymZnDwS+n zBMKB7by-$Ki^NxVj)N!2;jB>ezGclbgp{&mIZbUCV=I1icF!qunJ=Qtb}^E94jru{1Lf@;0zp{jx$oL-%YLc?rgJ#xyEH>5LqOIM zYJiv^U$ zdF2Q#M@}tLF)Bmpg0XTeua*4d`4ZY31oB6gps%W(nA zi>i_9T3@5TV1AF}obbQWNCrqRStx>=e`7>oCDI}Lyk~M;B1ZKq%(~p_JgAVfY6Jh<9_V#w_e!@&qw-2 zIc6VMqATke1KKwB*s(mp$MlhZwxG{vZz_I8&Sg-X8=)Mn1E4yzb21&l>WA4<-6FqU zfBQjHnmbWnyF`4K39Fc?hHRGDfMP>g#Y&Fg5*7rPgmgiP@)dabCGh1?T=HZYz|98; zY*Cj;zE|8RN#o5t0oIRk&x4_6IdLm1idiF+Wss)5>G3IF&$oQA5D3e4e)Vzr|JE6I zcu`sPnJVSkfbDA5SB)>9wNkLB0Y5X1Im|UFwxJ^v0`2@B4<+N3#v87YG8X1he$;no z`oK2t%lmB+dcrr8^VDn#&776aw|`M)`t6&7sSpUCimpPVkjY3<5CkLrNBKR$QMZGF z?W+nP_XJOsJg@qm-EoRg+mfteX^vMbuo-<a?Rv z8uYOWpp<4Z-yAARfU%p?vK!Y3$-)tH>u<7{f>lP~h`G%XKjWwPS55rwNWa3DhZI}rp;=hE<4 zPf(S~yD2|KCW#vrqyp4kvRQzSgXdhRelNDU5~i<7=7F**NOqw~ zhriN<&@6E-kfh11!ldva{4xoZ14)ueogtju%rVhpOxM8((^ck0(ES0XJ7C%AIJO(m zgmpgJ?Z)2W0A(M?{?U*lfY}=ZvH%bu)Tl0|Pit#)CAPL#vgKbtt_)1yoIKcF1r^+6 zf&#zif?=9%2|}n4%9WLaz-Ro`0~N&h^QV6;ldYpJvs&I}mhiseSMr6KqHF3;Vii!? zSX+w=JFq_3TA4&db5PdS01TIs9rnx*O!)b@^F=301pAK<%Wrtb;F`V>bf>nU-c zP&Q+K!+bLqRzw_S^*Nac?gVgw-t}f*ajjXLevBND}bmCQl?dLv!$NYbIrW7Po)!t_&&LmG9h~fIJ1u}`J+5! 
z-g1w)rCWh4%zOt7GZ)Fr0>n1#^+~tx3+~Kh+;{Rm;aV1geJLEm=7MRSo8gA(Y+YQ; z_z?tbv=+6cdeoPj8#>DnGE6IFbKcGG8Se zg1J*LDvNVVEk{X7V9BeeX?x0&V<9U*WqbVm_hd_1_wOeYGBIEA`mfY{un_n{kDGbA2V&xZZ5kQo)sQ@jn@fEN*5l&RIk;`%7B9mZ9@s zsU$MN`HX;yo}|0LO2zaDUcQqR86TVHLtaD4oOjewJUcsEvAMY(8=D)^Xg2a$MY$t5v809RJrEGA}EgwOTuX?x6_;DB)JG^4=_CfNRL|MIFy05hOyt8#NNp$9s->A z0nmE~{Wv@xaczi+uitSg#t5}lyFRXswK@R07FRE>$CV3faY<&n)&NZFfNU+nG$&;t zF6yxgkV0;(5PAY)pZ_j^IcIU+^3jqGSw*?;W>}`F?EY3+%d-h;=7n#dXm$%)As(B6 z;^xL$4l1axG@}BjQNKiUb34a@1NFSWkPS^Lv9X z;+`PPl?3bTK|y#qaHD}azS_uv0Qxg64q0CMhIzvVsp1p&ed0vaU!($&!k<1elm*2|F!er?lM1gOry`Z#&g|oh3S_T8jy{6g z?w`d$8x{(fp1@L%I+HjOWP7J^40yICi!qqm2vU#XcmXqb3b1Id2c|Qu6h^uUXl^<5 zw27jjY>u9)Ic6V4md)7WoP7vo2LOdSEcmHRsQ_Mh5BvlLlntPg?PXUM6wd}X{jJG7 zQiIELzFS7asJI4G7>~jTDOpv!R@kf@rc(GF0YO0r*$%9Ev8zDxcYjsQ&lB|9~b2qVYwuasfLvU+i}ndlQiYbVOy|vwmC}*g#vs&j!Qp^_OYzwj_NF=O$RZV>03XWD z@4~B)Y{Ieu$ObBXlV@jDfSzZ^OEH?VI}{XVl5a&udtn99&Pj$&Yx%Q$UjgG0`+S-Xu zZx}ajyckQ>W}NcfWPBFAU?}98j%+}5=RR`awzPDfld`NjZvjAPMPj^d1QS?g-=?oh z9_enVbFGg2H27`D{Hg#&o*KWxILS{y(>zReN;s~$+Fm0w`oPgYL8yG)#vWv|<_N4&=V?j756aPSbp3JD+4H_*51!>hM_7?BNj z^+po_S%*#9Ixf>D%WU9EP>{ia3Or}SlUFP!{g}pUJRPwM6}DazS4?@wjxU_sDg6u} zBX5^Bcni=3pBH7;r=!^3+#)UY*uHQP^Vb>ZXMidQP_9ngV#Aak3Ze=4lRDy)^S@fU zq&fR!5{H~TnsCKm{hflJ4Kp=C3juInX0H>AWh{sqvXm@V(Bc}0lr^zYz)}vBT7PF+ zsH_EODFI!s<~J&oEB7d~CGyA#%SkEMz4vr%CFefa{<+)Z zpjysTi&IFsP;MYB%GP_g`Ab5eGUOv(M6eJd+13zNnsb@*JDHjafO4EA%i|ySWR)te zz$`e)da`jP6+;C=i2+2XlIy{CZOH0jmiC6{fa7Vj0L1pd5kjLl=?>ZLmpUwsTsC&` z+j}j5@+cd&c&;;!!&X1`j@z+++=+dc3OR1YgT14;|L`bw58H9lAH!5It5d`HCj(+H zc_VNL0izWdM-S+Z-w;Z?zR zzUGwx@!;VjF6u6*#MZ?tgsE9u_FSxvqH=uUHC{pg`k*QL~ z@~jk3hUd91C*3${rT84-8$aWDMqcGc7{xUK&=Y5K+loNx3<&mJQ@uknn>gcW^j^hB3+&k*=yB9|%qc~^{;^9FDAZ*8@gKj+BKjHi&?(YeX?O88@F29fC z{_ascNJUZex0J?k7iibx>3962np8_lz*Q%*W6yRkfsYui!n$9v6 zeWqn6uTZMRW%5$x;+>^xEv{U<1&E&JKm*g%YWK3D(JyBsU2&E~2>S-$-pZBce1 zKP#ql06}0DwQ@!y&jBjqHYIXpB4`_a7Lw(*y8`JrMts+q2xW^E`x#<;j%Gj(qP>l=Iq)=#w;(+t+3~EY?mherq(d0gj>4R$+8zqg*KbqCS6><~Hg$_YWvr2)R9aRO-%VYjh 
z&JgG{-F#m*!O`;!&=Zx@a|Dw=8&Z;$BHT7gA%^9fC_r`bH0lVdt+f?ib>^cEirIk~ zwhvpmnA*wVar97bS(|`sI5v>%?H|WmcX#9KuiuTYy>>5Nd-GAe_V&a0`kVLS8?Qfz z*WP##-+1$GeEp3(@%7j4#G5>OcW)nnJdWMtlQ;k@ovYHdl(NCaMjnyQ2A=dY!UO>r zjaDZean;cdAYvCrjWm^~Y$~qlJWa)waXEFK6MN|2Yc|Trn(U&4xpxjAE-$ad&1asE zyASu$4{X;XCnnLSEbBCE&FCS&on`8nyl7c@0C2mz`;?8(+bcpq0ciN^ zl7MeFo%0zZ9j5P102~hPFYW<_MLUDCo&MwJky1tKf2S8{z*SN zfO3}#aME)r@iHRo__!B`RC=xUfV=^qc~==ZrK~iWxxhY2*M*(%)6(IaX>PM?mfI~$ znKfSN!)I5dWrrRU`?9>WhB)eKqTH3#D(R4bYF(@-6EJlrBVSrTDm?P8epuZAf_3&` zChxPqEBRR}7t7K-DSBnNHnb^fPt*3)f$6*ef2aNNtq8s{h}6vXG>>@9JrULOe8&Iy z0n<@cy`af&5P5$Vepv`l`>`+;%{q^cTv_CLmD;^Z?$=>!&FWGD>asw9vW)xv=(gH` z>Pd8tj$uKt!O;LFVu$F$YFvSH$TeqSIyqqnaM}Q!y##t)TV9>?L-vKTf*7(h-385N zGd8x?V{3CGwl8kS)oWMc>h&ve^XApKb^ChUe*RWG|J?0(@wuDv0>|4oZp6;kHXu`j zSqb_TxknB+OsGOBY+26+kCdjuxMZjH=XAmkrw~+8Z3MGtK(*3?sK;K3+NU=VW(DSn&kSF1!q^@bV3<9 zku2375y@Bq(FAeA@Y{x^D`9nQlk_a*WGahGHQrr_qjnoW!#V&I2mLO9F{bRvTPzD3 zXnI|z7VPtkU5n;mQoz(0@gpZY5$`5|=n$|R9QUJlMEV5NeL!=+6TOq-f;a&{kFhY0 zP5{&_U-P0cce^WPOFV&P&xgr4_tGdh62_@aNEZNWgXr8Hlcb?S$$^mm6#?g%JroMK zmU(ZBTSX@73}HT&?_0$Fr@W`Y&rgVp7gIM>A;K(Am)o=Rx$X(tGTNtUOY#5Lb(;g9 zo5h-4f4*(^+U%YWasFOEQ*ZF@63-!HnUS(ougPe$)zl|bnG|i+7!U$Pn+hptv{J9c zRB44Q zytosWFJFi&moCM%D_7zc0C?-x^|*QCdOZKkt$60y8}Zz;H{)6NXRgPyx3BX1I$(J- zZr{8-`_2B$)p+*S#khHGCvIKYj+<96#^s%jxUjX6g9B_Nu@T`MCZstjTd^yS+LDYz zg*7kuo$JYG_nivh37E=s^wY8Hi>%g4E4#kq9!xJ6$RjVMIu4`N^p*|li*(988`0eD zk4k-%&nz#y#Imc8!e%)ZbDsDKqU5$MKcgE|0J!1cH_f~5l3eJk%}On$`~B>0@165c zJuVl&%l_DwKY8aI4b*3)bfoAaB$_!Txbz(HKNnMaijdkG>*OE}Ky(Gu*Oq#LbPYgV zYb*nt00bai<7MZo+*x0X>sKz#fbLp6ck4<#d-GyEd*ebpca!Vbm#3Fks*#_Ab^&uR8{)$(ugRbU@f6;0#bbCl40RsMzdV;k>l&x=F0K2-hxecC9<( zx?SO9=6**hwG4AGiGs@&8=~Caa|_JMRmkPxyf@#<8+?LWxu^WkbN~SNm7HV1@<=`K zY4hI0{P)wdJzZ4;n+$0VlDVVI#V!7wJI_&`xhpTq$@f{dzMmbTQ(zEAzEc>h-}HK^ z@!j${Bu&9AE!wAmk!F6xx}EGfX>jg5k(&FO{+iG`u%4?|E&zm=;@RsL}0CEd( z+y+1|#WOegePas{g+an3eeM>|UAh1OUtW!C7dK$803yJ6ak~+hE;eA8%W-M53CnE& zluf>0iH*imtk)J}qt3Cq5GxfF8}rpT<}_?X#$-CdM*22MW)HU51uUEaO5b8hr>qpP 
zrGgPWY{`|usXRrI01DpM?6yy*rtllDzZt*wtN$eS9z9GJrA<$ zh&6ZOS3$U!?7O-!ypeeCfJp}IssH>2uS$OaERGXc#g}@evjIhvL=|)J8$2O|L>Q-9AEy+ zUyfh=Ykxi7cBZ~?08p2#7xaC`qbydX2TX~pz-^pQ+>5rylL6<0I6mse$$meM580gv=dg5nbAH=Hp0O)j z2QcmoC^rXWkat9rxB>F^ARsNp(r}jw@R#|co22-Fi7eO1RapCc1Y2pOE$`j2NG2UcjhiptfeV|%i}RPA9)A@H1k7U_G8bGCo4?Qs_S{cI^bJgO4t z(=4MztkJoq4~P%SG7QcTv;Q8u_wBsw(8cs$@l4KZ%DE<@i>Xx*xFv*J!Bd&-A;ppN|Keqnyr+H0fbdc5MBCMqyr0 zeI9c(fmE}y4;yL2;0DCGWE>F2_fe49@*RTbnD1(yrU~s>Zb6yHHRnAqLp*KFk!5N| z!h#m-@$jG*zx*rzB<|dK5bwVE&G^;7|I2ax(snEhdJx=Zt;v~YIC-Xd41mg-7LwIz zlFN=tqgUzADZs0&n64R6+*np>=<^)cm1r%z5(??IhMvs@((~>q>Pq`!#Myw=wKPN&j8Iy93AxIV6Pj8 zyB+p+p6~AU&&3)d5V%UyFc_F73oUf6_d{g3J8SvH=AeYTM=;LYH zo@g)?tiE&45?9I}+e>Zx?RycReB%e&@_m)k9UyZp@SLcZ5BtAD!xMRw3ZU^GS zf)Svyw4A{1L?F6AvKIqDY|n>EZ8_?-dZu{{E7T|28@jv;KnfBMhFl}8Y%H@Yqu5m_j|GD zz>L-)*TNqdw%~|d=0Ji9aVJgAv%5q(+*3rkX09et$Ui_bWtBKu;d@3NB;yxg$@^rx z`2?>k-@IFX^9(O!|Lmt|d!oVA60s1|Z#CNmJ0#=V_Q%=h+kz%o&YQ+8GH`V=8VT{!ZNAjb0!y(?XRP<|C3AZ>M8 zadKiG)K)Gux4(B32hOm+dmOtD4{|Jhj%f!JPXWwx*rfeaWv|&!mGGP#WD1B*VWDSd z0;%S+;E1SOA;8w$p%JiRxnm_+hZ(*k_*GCij>}FOY}!d$=09o9u0e$1d;!Zf!J``g z?4SKceC410I_C09)XA^xTZ=MIhn?8kT94P>_odW|cZH+fN-FVO>Tc*&Cqe znpJ}?psve&z9T7S=R>TXylXwfX@m%D-z1fd~vXYZiQ3Q5wL1~ z(&NcOj&^%=(8`I!kNVR%?4H6#BaSfj_uJDPA=l%ZWJwIH1j)M`Dob1}WPSZbm$WRF zDT^ZG#;b^XNr&mn_fqa>pqveTmf>vUTE=<4`RM%hr)Yb!!PK&zo&LUV`B9{57J*V* z7h&<3w^M-J6gIM1@LT{`P%1|?`FeJ%LZCH|vfB#Esp+3Amft!M&=P|}HhF;n^jY>SSxO=Bq4gnkKm*Bd`dVFoaY_z#=C`@m>KXL7wCY z0ma1RvMBUU-W5=S)UU4+ntCJ_I}chi|?8PR=)=OQLmn zm_ES;fWiK_wdM2dfpB!ZPc}^eDid#IAR{Gji9_)*Qb7^FWilsykHk-NF)K6Dq%YJs z9ldN(h>mE^}#v8r4^$)Mi#0Vi~!u>StX{9?4r`5YDO?h zUMm#y5m!#8qdTbd({(NW<-126ZpWYW#g_=kiW|<@{CNREXs6_vx~FsJz(_* z_e%v*wBc#qD6tQ=A7m@sVlE!V9Eb%@x_G zXX$zyDa@0LtrheYvd11e0EtOrE8=O`2rcb{CTDIcf_8%lPZp zmMsp`>@CclSF$o&Ujdi~Hu^l`+f(8!_yV-NBXe|sL6)(MmoQFAgB6+n<@bEDoR3ER z7!7PxB2L7O&mbNZzD@Qm0`vfK=|X1pCA%Y$?3RFQ&963B%B0`x&71^hgX8v&lWuRs z#>Q&SB((~t*2#OBCDI8{no)o>W$NTI_L+5oMP);uwz6PelrCtxNvK%KL%WP6V3N^u 
zR#^s~7$;ufQZiTebbWCj5z0LsSjuNU%c*hrZJTenKRsK~jwg8g{VtCD9{(vP3dyOy zP1uyoQDDs$W3yGN3F9~uIEOHuA)q<1u>mFPpGUtvVIReys}FPy&reY{o^$cNQ$dC>a%l{<0!F0Rgp){T4su<8M+?o@b#f$=^OHKts_8mH zPExYmARLkFESf0!DnRSV8rh?>5+&1R-`?7Y?ahrG)BxrsP+B+1I!(UsYr+ezB|ZY9 zl}foT_~rbf0D@pE;0ta!T_Avwl??e}Cw@yVftm^+how#cZ_*(Ux|*rJS6vK7z|l_B zdsqA z-*pE0>W&EZ+{q%_WSYhQ8)JX90z|A2Ybgk=|`=$6c-(3b?r)A zx_kvtEYk#59CyFI8qJNhsKbn!n3?rj0n!BkdDtH0*z=k$4l=BXY1-}gq7H+)aOFa5 z@LNR_P_JIv$vHg*G8H|6)T1VJtr`p5%h5F6C*z$hzTRv^vr%>{GyRC;5iD@v2qe22 z0TR3;AXqjzk+c8{aL7Pi%m3`u2DkI1Q4CJzhi_mJ+mW*vb`E0bUn56iDqrdrBFf!A_R}tp&bMp~pFl z_0+xBk70}Nw7N0r*)TZCIU8I?x(RTm`-I(j6Ua7XkhIx9l(akDAE7Inuv}zeG6Wn6 zAEsm)3g*=nCSxYPT z+|!Sxi43@|tzcRMs19*->1D^`I~||PoSd|$>}5*6lO6!;Z2m3#9**PD;RNtJjfeZA zc<^Wt4|n@<|G`PzeQ+4}AD!fEQO78?K%{AT1@OCaWhXW_HgZ}#7s9Inpj8w*m*@cW z1URRUlaUV`TfTc7$B*_CG*O*2{hi%@WgQj@dtKdJN13Ty9P6%$ZSMk^o6LyZ)Wsny zPKHkT=2V2lM|NabnzdWoJIRQ10&F&!pmUfeh#Cs{XvxX;oW#StbF=q>Cb=Lm9u1Nm z)-|UA)w-=rd~dm?+XC=DlW9^J_J+}-V(d^M9-s81%WnbG)_7Mz==KFr8{x1JhW0xZ z++lxIERI%^1w}t@cK}Zt=E!*0!uP$x28*ufIMIKs;UJ0hR#xEVm)EU`X26+! 
zc?na(B1290i?YaHk$PU4-S?O?WO;eEr#{S{6I6Xa+Y+9l?deL*@55Ha0ZBvP&)w5A z5^iEMOoBqzbbNju4+OxZAh|cp&Wx zdd{j2Gj#>fD!}Ptb^08uRZRUACo;iY2Y5#)Z3oud>bNYl^M#@~u^gwE_O2t@`-MD-InEfdB_u8?4(9Y$f?MP3OViVKy!o|(l-rkCJ0MN;rHS6umnUiLq z81MOV0gGX86h{X~@$Osi#<0_ki<{eVVdp|@?d)LNE&}eIRL(0`uVy}+Q_+}jrcXa7 z*@|#lc?iLP5YNv0>yBlVJmYwNGr9^pzG&Ehyu)yv-99Hs=FblCmXV;El@Ui`SwKcW zF@FJtu}fng9Aw|zjg=Lce_3**v7*aDw~O7<08<#|pl?4=ebmlIH3U#$lmPQ^be5CN z98)E7wWlBrxM{xqWZ^M-hBF1AGKmjyuHP%i=_ z;snl4Q>U-i9ug9&8tm0)R{+%uR37>zd(IeToT(fwX6H^7CYJ3Xz_+@6fL6cva0+X6 zneJh_JZa9aZvm*}b(+j1qTA^J z%%c@#*^Bg=A{ z>rLt2aFT4#l}(pRSt6d~V3v0Q(iBJJ5lBQPmC^L+Td|r)5Ck*I3R3V^=ACfGA6AcU zIcEd+o|er#|6uz*wz(StQWxha-~=H!MQ{)=gb^l%bZMeFJae(4;Al4$^URkP7BGF6 z>M=Ukf4RsGd((dwc4JW?mZJjG+}K=+OBc6bS!)1LX&kbVL$Gk#xCvn`F7b}7!0u@* zV!EP`={sC$pbT~5R2rOykhf(3R>f>M92IlBxwa7tJae{Ki7^6yPMlmm#TH*4CLXJR zlFzQi3g)~m@0y@z;~{B8Sr!WrnZh%^r(Tkx;#Y{V9pK(~90iEc#$6NK^B8Wk!qD?Q4Numi@gk8}uFj`@Cnun36iqXn=5 z-x~3+j3-fn*)9_A2^GeO!qN1vi~+A{1rR46YnaIET-&I{@+M_LdAgc{ldQCy_mn)f zq0M!*n)<4dm-P$Vv9_}wPV(URdi$bU8jfxn0df=Gm&8-=#v%YVr7}w3vsU04_eFl| z_XJvFwYi)NHLg)XZ{#Ys_RJuOV&RgN95MrW5aiPx<-2x15KYt*Y9xKmexnd#0hPFs zPx^l==*uGIu)IWtZlOLU+XrC!18&Nj#-?JILXwJJKtz6~KQo0)8A&-w3FEIYgEPR; zrGypiDQ05&(4+@22IutL!o<6LBUnU2A_`JmUZw+JT$CAO zG82O-=r9%BM*zVDHfa|u7@J*vN_thI8B-wyO-#E4bpV2F0cRhhbuJdTzIBl}RkGz+ z1w8x(3LvY&2tIdox@0H@3H9YkMQRqFJUk9NB0@fLUf4_l%QlUAfim zBN3ofWu^S3Ki)KxF3Zh^Cwn>Aztp4hld?~^mXG;r+LAF4@5Ex`&K>=%u7S0nUU=JQ z`7hg?Qa=bs>mlzv9oq+B`U7qXsv_WGWXh4NfhrJ=8cM<7x;`S!(#Q8SHD{)lAvgxy zDdL=6X)K8FmkY{a=B;hW9!tw@_Icz(36LE1hsr3=k;+rf?R=h$Qefq1|3N2%9s+dE zjHGfa<>@z*F%W0jWe#%%90i4CY2=%x#X$$But?|9JOxN| zQWTE>l4IUAE$yP@kre01D_h8A;2oIT-bp`JHZR1*Yd2E4ZFTpX2|}r7ivZ z?AFPyN2I4bcMg!+HA`PNt1&% zT%yEfSk{R5%En66VSSYq$`WfvQ#iXSWtkBUAm*s7(lO*LmH^87YBQ>9%~)Om+{goa zRaIeId>1QP<5!8s;8N9|y$*^S07N!itlZ_7$d zZJK|kO`jsyb1XY|rktma^UWpu(84g!Wmtep&g}{asXXW4qRYgNv$DKcO6A2hD=>ZjezSljH?k(+^9i;@fFFk7WjD)OU#mCso!Opk2W;7w)~w(? 
zS*md`Jf6t>DPa5bY~<_*+jrX(3Jcrg{I{E6nKkPSKou?-PntF}AyctZP&9w+_?$<6 z>sRs*u*xM(D{iTh~KgE@5o%Gq#Hn4m*NZ5WY> z4%qvc;C(<&MX?b@A0PUk;A}5|6~L%oFKbTO_~C5lrLl(SpcpyI$@JyHccdo#=8qpn1;_$dl9CulNy`g5gK(VO5*|q&$@>#nB;F;QbKZw8f*Zyk!!+-eqV{?5iSs5>c6Qo!< z=*n0oolbeUJY#dY=pEOsAakZKtcYCCK22xy+X@ZPhE*>&YOrb;FvrElGQgWQ0~xUt zPBQIiEZqmi#b9OR=q1ukH0%=9RvxCq(wN7^?2w;B)hs{3o>Pw%(#`iRTEoxTxQr|B z8)ZI$MXWjWPi{5P(hIjn4Ta~U0WyJ7(-usH0o7~;7 zpQi2UO3m-__IS-%0D{eH2#B?;YMo{fqLG58aB^SMRlO_oM52EPG~wg}?9|If8?+jey3e`$a5f{r=Xuxh;jVLEtJg8LOG~d> zWeR1Zb5qq_f1GX#s~cSv0zLM4GRghJlbmb7{P6qsRm~(3SGCW^vd!(y*uJopzcruj z81GC=b_%xz-HECXTOE$07y#Om>Qha8o||Ab4$mGOw|HOI0cDU( zxR#7p#3>Vq4C3K~d*tPWc&ua|mA`+jz!%q6U#a?lrJh3ocbK!O!i0xS{NrsuDcsv z>10n>$`-ft6aERjzBm8PpZXwk&$1;Pt&aRnJ|&|kE@=@wMcW5p`n%bX4}EFLR8lYz zVgSjOVK1pluD?@MY6dibmVG5{2yo4I*+%-JmQfOvO@I=PZ1Ay5m3z*4NeSiT9)u(V zs>1MUJnLj5b3ayLr_K;1i19p9E?aaGk{siX0NY>DNrs(4%J2w^R}pFzXr@#OxTd<@ zf6^yNcq(4;0mCHto-TtkOjnszb)^od!m4x~U|#CN@ZI9yH6ALe?2ml$NZi&o*7){9 zj-EO?JdFMQBjUh!%}U~_4_PG@6l96A7vtf0bCvq!q#ehAXRF)I!3oY#rAxylqI1a) z!Gy2r#!&J7HRAmqKzrO9#!pZHQ% zM02xOCcaF1mIMX9Um>wIKC%R;EdlZs60&I7nqL&Xd0<=;aL5f}2&;5Z#UNU}estPS zrRan+08) zb`Xe_r+_J-CrRLFxtj(4R02FHmJ?C^w#~d0DA{=-tu!C!&kEUN`b~55S<=g%%iJh; z$XaQ1D&U!vJA;Sf7464d7+s>7*t4>e4@&La#|!fU&g7svw3UZ~mZU z(C@?M%bcyQO6t&0Cr#mzSSAl-#>Tmad3*oigZTP4UyC>1ehYv-jvnC=d-7-@)>oUc zw(Ta>wPNVU!I4uj_Tq?2#+6>JU<}7nl|$=V zaCK3Kl4j!)zr9nKXO>8kg0xQfX3oOJRprB?Q!uO$Ed#eQ>S?xlkKHZ(?jHH`4QuQ4 z!Ls{P-*S19jlg{Vam(*%*q$0NwNU2;`!8)HczsaHVXp0yLLnHW+Mpb^&Yz*!2zzT3 zC!Kz@?7-cJiC~WQ`|JSfcyyklR)#~)vFIv`uscM!0)SR4^=JTwYt40(wvMT&A5T9g z=MBfcuVP*|(j;B3H`82pHlSnxD5>H}6qV&R!*4bgaG=>1}vSpZ^EYBrMR6@HwjRY%{c#-$* z4Bl!T$D41wMtUo;LOQaM2_|UVlEDDOQ-|MDS$+7$7sFwrD}btvE83UoljgfFWVf=? 
zAaAO1`SLdVPTah4DK2cT0)$IBO`WcST60BjNSwd~oiQJ*N!BN*PV9?H`t8FzUsGQz zD`%n7|0%;;Ab{FAmE1W%1(2?h)~)(VtdU0zD!c~IIY_}W5TG0< zpX|)?&`*u&FO!#TudHrHb9og&v*Zf65G#E#xjRD3V~+~BI~b;W;@<9l9KcKuPrCf> z=2FlnZ7L^r&3?hExNsJ-0(Qyms-xz}Gp||BRu1VB;z$&E1%}CcWo9UWH@RwI<0(&a zV}BwO9E+|M`A;2SpQELqUHThqU0J>GBrj!luowEkS$^Q@*-YP)y8!@spkU{P`g;ke z^RVVe!=E6CqiLB?*>#qjDSpoEavC$tN!K<%>Ga|d=5WaIxQ$7N@OJ^%5rCS2g^*?= zQg#H_oJLUf-$9pvBElAm_^kqHRwN_?#=;AbzTXji#{U zXb|~2in(0g!DLn8Y-c{{9H)=ai8D?Kc4KoB#c#!hosBp=+>84U?vW2RRFsA;N6*OD ztpLsd)GHUS#P-HUY```@{Ngk5+0T9=KJ)R9#tY9}j~8#>jN4Z)#d9|<$Fo;2$F++W zcotKgvAUub#u46H*HJem~R4A}ZJF8m;S`=C;{D^b%)v&6UT z8CaM8x%~Dq;w{mzq3_H}mrFJv768s*o|>)X$`7y!Ebo`Sh(+1vVETKt&4GD-oL?(B zrVt_g=k|MqQJofmw4dZ~G>!o#>IuSr(C);+Nh^J0+0X!3%KBumcFP%#`Y6E=(ulYb zcIptKrXbsqe7?e`X0ITflRV2VIrpd{sh;!r$t65@&Q5uRKU@YPgR zQB~Y*^jQ>$QB2U)?l-3>g)C@9yd1x+Uv5B>CukOA8UWR#hmoyr#l=h4d1s~@=cFgKSYO-9S?@R2*K;J-if)r+w^SUmQu1Un9>)Ieqi7wUP~n{<@NR5vksst! zWjVUN0f5{jO`8AYr+J$wL1iRx=syN99T<^AFkNX>QVDR{I!2swM}=0 z4O3uH=6iuKfyRw8P!vjVds%Q-`EX_{tqS`(dtPtUq6ssu0qAz;lKJ_pm6Fda zAroo78-(BEubBB+RB3_uT`TQ0%Z)D;j+L^plF4e>6rHnt3`lOtJ$t73XX5g%I%7|U z0;U46X~|`$GxnTQ5$DPGP*=b8e%!y;X0CkSn}Ov#lJAEdVf?)W&+oQ<*YLTfiJaY= zW(?CgG0jRD+Z0yT8`)`Ia6Jde0F{AbwnqRX0EvX>uoD{?Uo~UvvN{+Y@;CZGjL2P4&%T@H*2LPq!>=>YI zffF#DvjL{#Zag}8m`rkgXFFE6w_@wkrMUI%b8+qV?O0piip$q;#D`vbB`#gLmL}_0 zzw(v%_kaH9;{W+S{15R9|I1&E?(tF1OL_&+`|KA!AAjcm@b6&KF2>f@T0Hmc&A9va z8?g@?tt~GAbo%d{KcJKDg40ug9ndoENs`%5j*b8VmtL7MvR*fik9T2^u*kMUJbST; zSzoQnIspLkOb~M-6Z>m692vG$kDcvpK>uo7zI-)qT)iH*Z{3c~)wQ^MVJDt@?%5oN zzqxZM`>c-0ucd|M1mHoh7d1@f31#a1s{)JuJ_ilBbjvy4IkUpDZ00TTlvf#TrMOU- z9Bm9*hTU79XD+};`RJeK6`m2qIHwFrd4f+?cEBMb1n2`w>`owE12i|O9IQCj)|xqw zsVwN)yTMuICJ=lQ}ag*xYCJ#*r1K{4ay1SbUq6*}YU@XwqwZw44v?#h(_A)b5H z%G&%bjcIHMsBzcJ>T6!j&iJz*YLAZ!{GKDxUSTg=f!5!?eOG;dpX};gHq3sK49s!4<6$J{ka=4?zeM{ zJa7!S3{dJ>gA(6r0WgB|3bOF#H(rmw`TzSH@sSr_jBS+L6*oy%0>k)}iiP<6;@|#T z@yaJY3HUbS?t{H(4@i5ZmW@oU))5b*#N^*X`BIwWOBIKt 
z4v2}BhU^HYOxm4iG`m!h+s%42LCVhiHl)>8Hsa!y>)9RY;N&Q7+_*sn*XLQ-K9xCf~I?9Y|M+<*1*+xCiINyPxi*J12v9&^?VdfLCcQ#OnG6 z%yo@iv(ln0N9|axPXOUctRZjJ<+E6~p^ET~ca>v9-!3vR?=_OHBTp${N7LCSSb(t< zghjjANpjGV7}amZE1&(bxO($N(nZBaR#~q6!>Y3T;8Og`|N6`E7yg5PD>k=wc>Ddo zi2?f1zjHe|If?)2fBK(NKR?*M$M&7T>;%V3PENmvvMNYEA-I(aS##amS&R_a^&bhg zD9v=ty>Xg%&XeivN!j=U^%%n{?OtLluPxr*U#>YT5N4#4Fxvps&<9vg^D~DB8X*MR z@7arBNM$L{`K>>cgJ!SP`MPE6@BAl5xTj`rbUp36_{STBp8 z04_3nh1S~MvFc7YcXD_XZ@vC{3<$f^?nE1~I6m&g(a~`{dbA%8AMOIm-R$V@EKaLy z>nQFitiMYcO`{E9-?{U4eB+y66M~}yt35e6h({0Z#{K*6#=+ih`fcyu-y_WrlC^#G z)tBOjKmXZy@!1=Ex08O$Dr_1%18^ck0iQGW5#Je{52I`6c|dlg+lOa0&+X5fOD8Az zP{~l)TNQG z3I8}MYz0SQr|w)&d7t%twE;C*=Zv{?GXIy??G0kLGTE?|d_KYPN!-MQ$M^a6#Di%m ztg@wf@q4(E=^ z93R>xs7w5GVNiW&4->X(zWeA=93LHE{#J7iR;Sl99vMkCOfOKJdBd%Y&8qZ_m zfA~W$!bmT~O)7?)*RRAgH?G8}e-aPxd^3LY*Zw}~I*41hE>k)q>Lg5i8(x;ldn&9k zfYqN`X$>&*$LWr7xM%6gMG}z@8wj%p1yR&OfwbBL!+r9DYs+FY@ye+i`HG|Ks@$j( zj>p>48KA3t^~v`htg--R-lO!FrQuH1IO@ZaM}#wiS)N9n+O4)Ujdf)0(#|C+zFSxz zH{#OeYq0QZvA%sJs*Nqu0h3>BPyxHBA0g_7Sg>KS%p_L&tlE@i>=IHlEk*l?FKHq- zlC^5)^H^>^V?`qHni*vviC$IyX3soL+Y=6^r9|dH=kf8H;$L)2AtB7NdqJ>6DX3uu zR24xNR01HM)nPC5QCyq=rI}rGU`ow8CQ~)+1L^#k`U;y3!BK@G4DiuOPwZT-@6Z{Z zbf*ZOIR~i#iV)h}h)*TMunUjVu`OakIvwATNDWZhhlhLd`5*m!{JH<)KaD^AbAKv6 z@wrdL3$HvMmv3B-`sQj*mLYSs!D#?A_sH(TnS2Omjii<~7%L@AUelllN+M0M@ctO4r2UQ7c}1{q4AaZx`@9iD7>j`+NJ* z>vXcRTHjdBy2q;S1UBmV&V_A2wibh4C#ob+(^UO$K<~cz#V^Fq|GWQo{P>T4Cf1uv z@$la3v59&A<3IYzoPN*>QWuR&)C_IB0-y!cAt0v}pg=59rus(>Q@Lr1gl{4Z^-#Pv&?@uBBmh|hld3-P6&_{sQVfBa|SC;sqH#h?6B|GW6f zKl(HALtp&E@#)X~czog@#ETGLsmTvld<^f-(a>84zymWu#x zT4}`5E$5a%m@V7NqTS-yWT~E!CV?jXu&J{uj&*51_0()jf9B8png9OFU;Z)$;G$~3 z^EUS({;S^X;QjCZ{J$61uU|`_q4D~?2Ghs40;rf}Nc(8eio=I@VqpRkK&cX70WLcy-+6k&_YxP(aM6;m+m4 zAVN5X(H+6cWPYazch~PZ+?4oTxp_VQ#LxareEJKYiXrA+9e}7*iML&ECOtsPiKcZo z*eK=j%YF`<)JHhNoL2ECW2ed+=C`JRrob(mva`2Gm1$_V8~`sBV`k#nP-Ixnm8oA) zw}X9X7nf@B=38&aGta)5{VIC^$k2}Yn5@Z8Kpk0Ij^MJ!BDqddthSX&N-Wofob1HU z$=16A00}U$W!;YTF4DKsY>?k})VJ%{LISCMa;bA-1+(9NzPbY*J=&!h#xOwuc{s`b 
zx=xtwvdItc-HC5}{nz8*!CTQeco!3TM7d00cs3+Dh=4filEFrvy1o?&%(4H*i%Q10 z*{9P{M;U+e&irv$sY|8gfQTV+x6zS`Mqhu8;&WIeH=lVvZai~4Zan{N zY{SHF+`19BpLqrydNwXyyA?NJuFmAOy>k&3zn!ZoEPs*nI={qq-7tzoD z?9XO}@xeCRtS8Gp`%}67T@DD0{S6T)q&IeT;7UIm@pcA%XX#?!g$b5D|zee3L^?>Q>CP2Ft>+4$yP{)Uzc=yiTc=ztT_~sk$z;0iUfAWw2 zVf@;!{{842J<63x7ti>{!ho_IQ-PFaLF^;!XB|G4y|5G40@3QJc zM)Wr-KDr^S#9WD1mR>4Bj-;y#IQKdBy$>kbaF%OE<-6u3)fQp9cp=oYegzw5MrH*rm?;qtLqn{y2^3m z3T1UU8ml{0LICQ@I?qGT0mNQ!7#&#lfPApw&f%#U@% zm!kxMt5!l!(`KqZ*w`#;%U1DCW5gO3rLY##*Qt(3GqS_FXEWhYSWY zt=hm~?QJiB^D_M%j3}qM1ER7Ekf2G8o+C`K_YF5Y^&_a>_qQ$t`<1#>N4wLHE@0~L zLP73Bue=gJ^auVxT!En*BPVedIAxVC&EXhv*Pap(6lmujwc$rLn$zbI{~XoCH|-JN z5Lx@V60?kttTU&C12|=+_NBEujGEwRFW+-a_{PpoEW-{R>7>s$TYGJQ$#cwllw1qK z^b{+Cu!vvwZzcb7Sr;-nC;R|R1k)j)I^w&1zTbuoI|f}>NDWX~cJgFQc_%(OZnxt2 zM>+yMFyrT)wy&XQOVq zX(oVo=9jHCgk_J7@whbFI9yoI=TeSdtC3rp!MZOj1nzO3-G%@mS3DRHhI6^L`{OtP zOk3<8^PF@ZllN^Z$}Z3JC|eij>+!4;!#IMB&jvUfQ{=BZJdG0o?XXSda?+2z<8B;w zhH(UAZ^3w5RF+Qs;_@avERKUi{n~xYY_h-b8Rcbe6b8<5v7y~I?Izu@jFVObB``+VqxB^)W_XH+&^hY zhd6%W4}K|L{rD$fGS0jN2*O5tLs;l|kgUK??`J6K6y-Zd6Fp8)!m@TdCOp8Y`C3L| z0i+3zHf)hb(qbC*gVoqwXvB$ET=37u0nKxnb74-TwT`L0xtaNx>l%tJuHNL~!FuMsRpOaqaxOn0rVEe2&uX!&3i~!d&&H6Q1=EfEuaU$&VSlIv^ zQU2H7ekbnU+l`a1Gekw~lSlXNKY-;<;$U|#D=gQt(mmjUd^z@?G>*>52g=nUo|ms& zj`r~p%=9=8_gXRNoW;q}8I_m}+`$T!TsFH0nD#+8myj6&s-x*L;00igTu*C}BW&6s z!xNXNiD>oD;-EK;1HyR#c-{jvcRM5YaqJV{JwWqem*14jetQrnfaIa)y#e=!d2PSN z(Pz2$i1PB@sRX9+@Z{ie&y*TNdP)Qxd@$pIQ?;S-8*&8B*PRc?7P+rdWpodo- zRJe6_0kVtg3zaXrGXY_8a02%h$#4DLS=O>zo_U(KCmKxW+Z;^4)0gpsY<6-NJrYF8 z6@gSKNqps8fk}UH0=Vo^=X&{WcG~qhge4bfJEQIJQ6`?0=tA^xpD^JilF(nY}aB>j(? 
z$8FA?=?K{2`7Y*I7t^c@P>ujsm>x`})9GY*4okE##QvF1kZi?}Ew3m@$pC@eh7=g4 zl|vo&B^e>k$><2f8R;Fbu1Tqn_rgV&A(4f`9&1i#S1O!la}{ReysR=?Gj-+%)tndb z$>aszw{kQ;HHU|!TV<3Z>o#zZ>5zCiV^RlDIRRh}+oZ2QjqQuq;^s3SjuAlp_TAlh z4KX#&OU&jiccL>@Q*u&^iRL9&&te40z3e?Ec{(?(*(^9(v$@*w1qTPQZI- zzZ-7=(r@jz**kHE^S5(v$GZpZxO32tcMm)9)}xbnXSbdEyR+jvT)Xp#XYzQQ#|QhZ zc$YZe**%Cmr1u`-JUD2@y@&g;d)$dV*Y*c^JNCgPKc%D&v&~gn0XTaUWTO$+$^Ik( zS|(Pqu4LSq3 zKleiX+|U19w(Pb$M+mWvZ?K?o4>DN%d+7&dccKt$1C_%rM)MII0+zc9pubN)t>@Xr zOF;9FbC(R(x$d}sJ1Yy?^HDN3fY^xUq$}R@EgL*udgW!z?|Pb-wjVi{X_M%MG>{5Uyj#s0C&P;1ura^3nzfXG7tCFenC z!KTbBfc609cF-Bb5$0(JHrVM=Hk#$jD=^e`zT#xkc1fzm>WY5XO~N^ew*lgJ?;iqC z-Pi*__u7-V11R1(?gMH7;lsmt7chGpzAsW+%b$ z&R&n-u*d}2ZnDe!M*=U`2>YIXT!8f+KMm`*- zY~z|HeVMm#~9z{qL6FrD|B~2u|@aSh$;hp3p0f6_-Re?h`AaLlT6IcDl z8D^3lxn;u32)7=$1=t$cn3GrZI$fARD>{Hh>!=-vfQ0~Zg30%Z&wVz&^hbXR2K68g zj`v}ICEoFMvJ`mPg8*65J5RISUc8t2 zK{%$>gxl%dXUr3IL0zgf>*=rbzWrh^VJDHILOEsV zhVKG>`lDq%$$V@@Mv;4%#3!<&E+FEhG3G_98@u}e-n~bdut#zK;X%ARI~P0;V62Z| zmUkZR!Qi;Z(Y5T`&ihFPv9#PIYzIZyio6)BtLyP6{>`6>|LiaRpW;hD^~ZSr0MP5k zF(&#US#~^t-NJx1w{tyw_I=9chcJda z37mU?qWeCqS;o4{{!mk$?>*#MfA3?y9|8Wyd{f_QYcS0QrcPhqv9pi?nv^wS7Yh|C zLx67qrl^}puyQsr)3kHxQmk)o=4@lKMk^-;F-0^%kQ3xQyZIrH5(MWO@SZLmJxw0% zQJ{4qh+6(yFc!Q%b%*UL4g`+8Ksp53lqoB5T}P$z)wEZqxS5TK`t=KYeR{TkExq0kO1>I;uvKXE1Qc=qc>Lh7tjI5nuxt*n60;-84xD zc@16QeraG4u7qWMPxd8sB59X8Zo@VXP)3>7BiPOT2S@SlySwqu-TU#viyw}cUVbHZ zA3XrzCTXfoT*_qJPv4|H0t!1nM^K$?7+{x$BEW)IE{X@>30_VrB48R5@5u^%Z=Qay z$s$w~!^~AS*;NJs(edXA-U2XxDu}>1AP%k-wZ6R>x1N6%)4xm|w}gWF-2VPSDwtFG zna8rEY}i7l^j{KSUe|YOc+e^GZJG@q_FhO|HRWWbRjt)>u2LJe9Plv2Bqg;lGng7| zZ9pD5-GOrv*oXDO{%$gAcH$?0`lsXn{XhPX z@ye$@9bL+2QmMxjR_6#c%gS}_9r9bV%LcW{c+>;f>}xvaTSLr$Kz|0@PDJhOVO9o5 zu*yTgSJ#AKe@whOBjiJ7X_+8fx-wk375gOPu6sjYu@!Yz%H|JgwAX_}n_ZoCdut;u zT-c7)H2{_3H)}Vy*Ydj42ySg|CFAs_WosptK$@aLsqhW$D>q9?Kycz7&3{K^IlNS) zEDcVaXZdhsFVj&LnJHVThz&y**L*-r4lqedO1dn^1X%Ti+R8{jC7bDfVmB4N$V4g7 zZx!mdwiKY5Abq#rZpFMcBm{(-*qYi7>h=$>;wjK>~Vl1*}@7KO&3wAyQT*mN-ih1Ke>gt=na||N9&376&a`iz{Xz9>$$-o5Sp9xB49x*l 
z;msENl;!1QeFAE$Wk>p9j#er&?c49Q2*0{we^wP`aiMg;&WWP=ZH3_MSDJOX6fmGJ zb7{zq0KazENlTVuePbg&@{y0kI!Y}Ic0!Ir*z{;@90AxYI~5Y8Bd)qX^4o-AR~*&S zUIHqiK%R|yu--K%_1IX6ot^c#as68MGro26dVKgpFT{sG`~sEEv+?3fFT^v?J{#K? zx1+X#Ie$9FBtD^x_9&}e(tMO4?8F~8Z(WUNpS=-x9=scm4j#ojZ@(E`DyRSIzx!|E zzy9z3+qgzJ&VIFcK8@AtVqD!?jpwdz$4j@b#D{KP&Kaw2UfzkV_4VvU(5%;q-)7vn zaV?&G{+YOX^rp$_~2-b)U3Q*1F za%`^gjkQ|rY_G)TRx@@sS95U4^3o}CdLA28GTScyys{k48ih&vb@kYL!w(}3DdWj7 zGbZeOuW(lxDxc)HljqoI?Xqw<2c5Q+wV=|uy>X|IvYH8TjSUxjCUR!#3?4}AN@D}M2qa*49^Zl#~?TQ9rh1 znbj)hiY@Fgl=L?nq$+(Xs|H|F`OjhvpmxINOPH(|ceZjCeaExgPuB)J2OONjKKt!< zknmW6iMe9Isy^HgzZlOwa}$8JlYTcVpWeU+ zH;Ctjt+;jlN<4S#TD?*Jvzd7+0_E#HGu8Z__~@PMi%>CVTCMR{>1p+};*|qa&qY=%5#A>mb)u z3Y38>Cpc8s?+B2VeKJg*ThQvsQUC;zHM>yBPW8+Co;_MhKV-{3ar0Xn_jBjlxnixC zW_k&xlK1S$jVxP6pFUFqc}lh?dIZ$J^K(BBJGq_(q)>h@pmcj2Y#)DieqCVD4`d7Y z-~Bs(Cw~3c|5<$PtG^My@$0`9zxJ#DB)-D$H(!4prESFo^L>o@+3&M!((Bg(6zwpr z*`I6mjBNOTiH-HCmL*JvfRz5OK7u_!x`s%ZD~jp{uy5gDe4g*fQUuTc=+FH*7*8d7 zU4Q~XJ^|PV{SM$zNq}-506{1F#k#WzoK^@5tqLPx4vA;ZOaxGAuF8r8N*kbLq`o5< zn-iM%n(>Av`xpU$GRCZXXUZ{Wu+C0zdz#mBu|2@nXL|hs;hw_`0hp~#3|?5lv}#Y-2GP0Ow~*4C(ey5XFsHo6=h zA9LP}FaGF{#2B!BbpPD|p+H{0xV*EGpsBywp}!NEJC%^#v+S(^iA$ir0BCNmtt68+ zqx|kFmCDNMdiI7eD{TO>(s9Z_nOvDsOn%mFJ9b?4Jwn( zt+i+Xq7I2Q|N2xYmappRNU#kogKDjjjd%8dxOww-T)S~28w_0`B1Hu-D`q}FVBTkw zE@>F$zTjNDy$*X9+3BTDSm`*URQ67xV#zrt_+GNrbeEPNT6t$nji_&4j{5q=SgJO7 zZjmyEeapa+r?YV{N1Xl5zwy6*-`Mkh*wmHp#F?jJ1XLC+*M%r`8#v) z{I-n@a#ow12NYKH=)t3S{Tr{vyYIXc5ANTKL;LFOJ&azf1H*ClCrn|0&;EoRSZJqX zhwDkSICe1EPdFZRU9U%fX(h&($HUVFo&gYhlk}~%DTEPmac-dTxeYeU?2FL@j34YC z#V0=V*?8&Im*U~W2Wg%Q4w|O2D*a71SP41;f#$HlA+VYs&Q~fRlO+jS`Z5<`LzMDg0M@TvHzfke`$%8Vc390-p%sUe0Edm>wH@?-RouDrYV40Npsh( zS58u5x2lhQ>?3je_AM%mUW{PKBO4$RJkFxQvyH||#)qGP3Sp5q_CU}CmbKLZ4gJ*< zK-$>ZANS(+h3K_qrQ_Jz*p4eZmtl_U(Lccw*gJwjS7B`RI6OFvRl>JX&Az7Bu3lxo zmZP#v|Hk@e&PHW=%u^fkhFv@EN9;b@rNTImzwn>`#rRMD{9hoAus!<)SQ(LayZkKb zcHz8?S|jJO0+TUP2>@(@;1$gM9f0`arHgU#@)gc6MRN_n-Pp=01GN~ODa?tetryJ0 
zTnC@ZV+HVZPJs)TFT}9XS`<@BlS<7!f?-EakZ@@L{PquSA*ULmj3y!8y<}9Z883VT5bjEt!EtjC-&u8o@ zV`EuP>O(N(0r}G1n$XkQ8#k#(jRSsiK*pAgD0&mTdQAv{tQx zC`YGRb14$w59J+1ZE+OU1@?+V^8A+f5Q^c*p)*lIXckUkRG379iW6AmQp{t(z>y++ z!^RYWqKeSl7OkfOYtx(%HqC#zNccL-E`@&1l$ItzHKNsyb<~`pz2Uw7L z!W_ir`bMVTmhry*N=*lUnvI&r0xT&{FtOvlmBVB}1t2q!z2x&;$b;o%tNKl0 zg({%=W!}Lw4L_BQ{4+g^B*MO>F0HJR*kRvFNLJ{(j#65}G~c?kO~o^a`w#9?5wzmP z4?iEbZ{3WSKl(D|wHSk82e3Vf$>|V4fps=ka}A|Yx1SZ8%e3TR2&&BNij`nd0caiF zg*gw1ZLYdx3h9D9nQqJR*=L`LAOGSPFFTM0~T)424 zX8Ce;3Fg+1-}sHM#LKW$8``pU8nA3)K3A3|n7D&D+J86pkM`q-zw}e_pZ?eX_t?Do zYCP&uxt%qrD3>X7tdLfhawUGmdzrkeFX?VLkF{FFrOi4(zZn-X|1VtF%!#s_8;w}! z=#+}Kyl-x9KSaEg5KDtZD+ET0o#@kM8ef?_AdbPF5`=rInPS9Ien84o0{2oVb ziHg;6@(a_PyxMdmi=ylt|DTLgkW_c1rs#o;(xJz`BeYr8PHv-MnD5kCNm!Iu7iJV+ z-RHoOzI1=gfLC2iy+l{k3H_tW8{(3aL|Z=kSu=cvkFPu}+dNO6$Snc!@pAz&fAG(m z&=aqrBx%lg(}JA6B>?%JKLy+z;l%aM$v)uIip>>FEKKZ;HCRRiu;CfOw#GwE6uSxd zHu&AF+A$v>Mvxn@s8v{0qgFcXYnsZc^tU+^5tbQYRWSb=oTEr6kfvO1w%}O>C9swH z=l}hmN3k?nk0~S)V~vhNI2WeMAtk#vKJdkG~)$UJJc^ZFC1E^?6T3DFl_m?^6nllXnL+*!LGkmw}J6fiHiwX^hvkFh`i9pSUP&E z;9WrO`i*Px$xnVfKL5GTCipF&{9`Ax9(KdVmJ0c_1f9`;X@i+qYMcdiJE!X-JUTg! 
zqgE^0_F?6kU8Edf(CT+{NM?FOj6(RHT~|SA%TE0@S4D5 zdU7p)!nBK4i+sKR@L?Ra+ws#s^C#m^{Oq5K^_?qm*d0cFWfM8Uq~F?!oy`mB$JH`e zsWxD#1z^`|m7L9fi^{p#a5}?49<1oJRBVaY!a@#7w|zR53rEr^7g}D%N$_*lt6rxa z?USRJPN;;Ct?kVsvYUgRIwttfU_<$0*VIpavh3=D6vwKJ zj-xf6HMgpeM@m=)vU?Nq2!J9S2o^SajC*a&@pcS*EsmWSwh!ZY_ilXk*MBwM`sUX# zodAJkofUvoAer(F%oQcV8kd~Y5#L1UU253%c-Gh15oWu<)DUD%#hO#5p&;%uRN2W| zRUk!~cz+3y)bzLYbr}I00gQk0Xa7xrZJ2#Xr?8F+3Mb3XNu*(AQxscv=&Vl~UZ+k7 zf*CIuD5$b_Kk8)Dx%{%sQ9a_QV5_t~&TFZ(Dv$m)!*SAO$L%}g(JA(PSti8r z`QP{XhD=%JA=sHGxwHk9n!qav3WoNFw2{GS?k-=x9KZF|-;5SOsOf(F#*O&Yr#=~< z`t&E_x#yn&jL)JApxUCIEG^?=sp$vCav-zpYU9*(PH^(h-8*sT!M(Wq@Il;r@E{)T z?Z)v*E614k?F$T$=2UUS)rKCYv0H;FYKho0!XdDNeF7EvE3lZy`fT;@nFcE`DPvVS9q>cr%wjnEbrY__R z%V!BaLR^CQdNhi3Qk zKV^vgDRcVzQ;;s36?;w=#Er~j!Zu%XiS&6mPr>%Yw&vS;{11KUN29S?Me+9I_-HSV z4qRn&ACv4MM<)#4kJjOCJbG{^4)-3!!-sFj{rj)S!~5^X{@&fVfA`JU-@g-&9=;Rz z@4O!Gy#CeLdw3_tomPTrvIYeJhy=STif&H;S)k*C|`Km45+R^IoRpcl5_*V+IUQ3DMn98oElnjZ+S11Ps3N zn_tN;Q-?>S&%y+p1+>lWjktB&zL}R|b7LbF&z5iBKRh_1Vyb1htC;eh4~Um6{n73o zOchqm^I9k?t7{ow0o8S*o`3#@IBA{4)hid`!j9dRE@ixhid(my%NeEwe7jgV1)(g> zmVYZCec9%j%o|il6MT*QY{7V)2zz65JAVAfew=W3;`Oh7JsJ2Cm4w~0G?c8Uvg?>B z%|=1Mj11C8O_i8=XxSRJ6{NFQrOS!9)yXTD#NGt_*RYOctdc}sJRK^M>39&UtNL7> z>ae&#>_3~!Nb8SpG;^4#OF&<_a-Fo^CZE@`LelsL5s@9zbv6MA$-7J=pgQTr#EHYn z-ytmDaru3iuyNE)BwLoj>w2(r{~Qyt$H$oxj{K3x+UBKLyKp6zoikRvJw=YWtA$nJ z?B2WY#$W%1U;4hW=l!rrPSoqiw@n6S;w+o4;YxdnkP;GPqH(}8z5@Fi` zy`j)^L9?q1LvF%K{-gio&&H$scTuuFvODCH02IQmsix^`Ywc9ur^5)HWgoCq!5rmc zE${440;C`?2Lhi@kVEL@lXgLJ+`T|&tFgXRCm<2{4I}-N9Q(6I9a+}e$_60o1ShD9 z?8w?cl{YK$uP|OsLIKimQc7OneV&(f15}qUU&?Rq@9(D%GiNS>6*&ouGRmW|y}cDL zy!d>)`pT;S;d62O_U%~R*v!#HenSxLz&aaESm4fuxODwiY+t$@n-?xnxi-l!^Qsy< zJKOR3&wVbow$`bvT38SD_|OZ_q)&8=c`OK-7F*G?D;I&MNlFS*`2`p&p?(JjM?Pak zoJ|K*Xv)qYdRQ|L?!6Q5+<7~G;wS%5{6GF*|3m!nAN+&S1;}^X-DnL@V?d=dAfKH^ zPaks?AaZsl0W{qh4H&9!kVYfR*TzbF0xT1OYE?_i45sWVSXji>;lt^JBwy_TUgNMn{>+5OE^nFj?h^B0eo-^v29 zdvD9%R?4&A%9`@=9{3Pmm5L>Yr=q{Qj-ICNi3L*&3K2rUUH7I3mJIHwBtnjXm 
zdCyU^T)6HG0Jcj@ny38Pg6Zx^5;I$2Rfcj5v^6`stVf^dzwsx2Doy|4u+82@=roxX zc9=K-O6^1q78>U!*VM{(#RBx9;V z;^!>*GJPvM^WAQ0Ha6O)RrZ=ox+pi~k*b+PAFB zd=ch>&G1VI9g?cVfr8`zpf-2IZz$yNz5E*X)xhSz9wFK*v9o&BIW_Q$RnZVS{ZQw9jdD4YT7jw!%C+*0guufWxsqLi2j$Lm# z_WkGxP_4wRo44YXS6_*%*RREuYgb^S&!gYEKmYv~=Tb+uIsAN2Ifj$|dfMonQCY!XR`0XN! zR^(19V{Z$=+UIh~7t4}A(#Ph&u5E1@>P1tlrZuhYLo0*xkFz4)YGy(xnN4+IAha*+JD?1!`cuE zn2AeExHLpAF~Ri#`xtiM+?hkJO%Uo)ACMVnzMTO=oO5(t9@jP+V(wWh3zqr}bI4nY zi~@#vE&u`!_7HHU9dA3js1H->wp=1)kj!ccW*}JTXwQ~Qo>c`>FcCBbZwYo}oew6* z7yiKKFlFn}?jB?Xq4GKgUN99romNkvR)L&-UIh{81}HMJoeGgl9iyy00M)z@6a>*U z-vMXG?F+7{oP^`(8P_awmmR4vxo978)eq#TB;%VM$TQC6DAV-*5YV>6f2uZVb?v8W z({+PZxVDh@jhkJql35ZTneqzextz&{BH5|^ZC6*XC?DgBtMtC;c|8*%HI z+j0BZ=i@nm>iV@?>CX&U`h*X-oQk~vV;}oWeBpCH6c;XDimr`{!w#l#eeH^D-HFzxm%4)WCs!0toocCqIGc|V!x3h70^-_86z z>9pdlx9`OI)|L2={@i~aU;3keB2JLO5f$O-X)$qY)hZRa73DB{cWe>29U1rv`B0@2 zwp*5!-wbdZF;=peBfG>iec8yKeR?N=o|B)*Ak)ltmqlCd0;Q~!|1ArO#Zu1l%AusB z(Qa-Codw13^1QM>?`mjwFJEWtq~^5;ZEz{!zs z$xoBJg#5A8lU>qCtx=%;?^%fX_qCQPk{!E1a{@UQEMWInsq1-;j5f>k8)V1;M-hT zBTi+kyPuK4<}B)?0bi8i0AmC^XJIlw<0+sRN10_ZTjBuv5e9sOyqPmo&3nOj73E)T zt|dsyWNi@2p^Dr;CBEjhtleRxn*1uA>&9ETG%<&Fc6O);O>1dnlKtg80fGfgGxNxD zkl_<{9bmnB?Q&ecd?jA^(2McWkAFNq@rh5yD=&W}Uj69D;}8D9FU1QlzChYXfb>bG z$3~uVtYk&GzOkObU3_)0V)Dw87-qv0fC{_I?q^y&eB5}LH@YC~Js`6dWGutN0)1Zd z)q*nLiqBFA+CMl<*8HWP_#^R?fB28(vedo4jJ=YJ|2dDSD=1L1l&PkEol2+?&Ds(c z%`|(EIBYf>v?!-#YXxJKqNCghsK^{vR$3>5yfP+gLg__ zV#|RCpOVe2cw#r}Lw5^NMQ}o7TTlgw>=T+hLMw|zS<}BrVahIsQvdTO&_5mM90|_uL3U<0MCLBN%rLra2>Gn=gmXogQ?zoh%!X^W>brvCC zLO~t*#CH_%BJ_lDI*cFr;U7Zbm$L7ug6FazIkg^ucRHZCn-mtML-=2~#m!)hU8QpajQMg-L5it!QT^k0*$;MsQ&a@}^rM!F5Y5!)`Wn}&C^R5|A}+z8 zTz=Qq+GT2fcNbh+lnFWc0`HdJ%M`3Y%MM^@LaCgHIv~fpgf|}ohx8yEiX(RsNEwvV z(v4tmwx)JrKz3};)@g)I;W|Ue()q8DB2b0x`rcV=?`+41Uw$PH5B335m>NuDBIA(d zjGP7!JpS-w*|45V>L~@kXT*&}4TqQyHeL&IT77g9;NZE)D1BOu*t< zLDI^|?n0WmPPk!Q1+yyo>3f2v0}2FC!?yKbU=p3_B9SopGCDcDMW4T_8)KbrAX;zCwtdD-<{c00-k&z(}U(r}6SS&y)8l 
zuO^afgj&jidlUz|_X{a0TX|16fn}oXmp-KC2j#?fWaH+gq4_=ENeCvt%)4BUHO!`YTM+FzODx;AC zsxS){XDH>loxD-VR8a5o$2}RI3M81>+A8aF#_`X7?(;d4MN{+iOfwNhw*$WbPVwmf zm3w4Z>?*R%$;KV8DT_`i2dzsp+UQgPA{AL+bP7JfGF!?4fNV)dNfdCE!{^czMv1Lp z1lTn5WuBwc9I~l7w$d!CdD`WuPQKe3o_;evC`)zA$vX6nl1HxlQ~{J+W2s7B)@xRH zW!gCzo|Ar9(HtBeBxu_TZROZl(d4b>P|If1QDlwSqLSRgMEAD?A=cKG*eg^-&A4`L zi?Hf(>9X^iZpX$}HMX`Iq_0Q%CsA)MWCdV9R`W&DyteAxqKn)EPz44v5vDcw|LK;= z7Is;&DHI_1vocxc+zQ-&s8%ZdZYPHW+t4{0wPCHgF8Y*lFS@;B!1Orwjt;bL7iLFp_~GkBvKHT2x?(i zzWP=X0_4+qO`V3ZfLOY7h_iQ-1Xxt0BYT*zFA;|LmUPmm2sec)cjU{8oXUYj<@?r# z<_9$muQ)F&#|+);S`=2!MfSDotQ`HiubO}JE!zyz%zt{eCl^d9LRYrbRB)BZg(cY$ z;D}i}0o10`D#t2vQv>HXy4E`Y2AU!V0PHe=+1Lb_0Hw+*;JO}*wKYtqTJ$I9IW?Y& zB>*B1*^+Bbt4S=t3T$bTzMZWHut-^`t4JDFr`sjHGAP4Q)$IyYTD=v{6IiIe!ZZQV7Fn(! zSXzZO;mgRA!fr}~P%;YQoKyPoZ2?!%wlAb{*A&bS_%e}HlG2UI)?mGAg5eUCmL{c2 zrc1>JBG(-%-KS74^0Bn|!?a1KQ`lMI93LH1c`U~YY|U;%0i{IxG_4sVu|bs+1Lop+egjwYEli%Ycc4%vL;*d5v|I zOoqu&O~3P?3KrS_HG6hYqLwvhX&UE?mVbG_(}DHdU5ayudD>&-{LJoX_T4Sr(zI6Y zKiH4;?ThilKlY^@Emfs5v~RFXZ91mHB2P5!8{}J!yv!r_b7(1X(`9Ae2T9(mPmvTR&&6qvHbRZNds5NcGZa&QhqWLdDmy2p6!VS)6+9ewY6xhUWo0BH{;5+ z=i~bI7vnO=OV^%@t2bVZ>$g74{-NBj-S|-4xb;%pe(odj;a5KyANly_zh zz7QYz)DOkSf9Q+x>Zd;+we=l<7q%gbLKrk((=g#Eh-8bYW)8dN@t9oz6+8vhGE0;# z#t0HeK`WI{1)!!^7zLJ(<}%Hg^eB@wqxkGJiTqYEp`GkmAx(cT@9FdNJF-3-eFSF} z#fC3MQ?}H#+ZWHM54t&Q3`_HrcqqsMuw*(J4e#4<=Y5xwwx24I2JB>?fY{6gHg-fH z6-A)sEEPm=0i-hefU->6-?CG`El6uJ*BYy&hx}9tiGgfI;CGz-+i$&<&p0)nD+oxF z1XF#;x>Yz$K+sRDVmir;E4?~#O!^dg-jQXi4O__po;o{6pSK%WnF?^iJ6JL20&$rf z+a3iu?q6jmPFeyLK*?{}M>5OGe3_S>ySYdD{WB}|le)J4Xw*;O^9ipJWQJ=cRPv#c zbJ-r9^x~ygJ{~W8=%X=$oz?|-zH67h1+0<=6^2Z_*=XiG549@tErnDvD8u2TxP3BH zltJz|S&d`=wU`9aW{vk<0}3WAyEeR>)eArt$SiZ;OHd>XLpQ>CZd@%R(!htjlX7lZ z$#Am`fH!>K?~_ZsTJo>#JnMbSjW{}?ij|3BmRI;D;hLYyU0Qfg(e^~A<_s2EZ*Iqp z+aHSOU;J1+_X7L#ABpFm`)EA-{Ht;MnOEW_VCwxFH(!if&%6{jZ+|#$J^wOC02Z*l zaqGpncKzA7a^v~9^2`hI@+UtVpZK9a5X-Bpp;yxO(d?6n0Puebonkh%rY867<0o+C zL?6iqy?=_5z>?5>6+dfdgkDpuj*w4zX7j=};C?;Ld%-q+mV5_POSYkDs^ZF~yeF%) 
zwH%S0F-NcIH`8PSbWs+4t1>LvY4Jm{A;87|iJyO}_AGi_E7*?q`Jah{6#-ZjDp$efK|b6*qs`DdTY?+*u~ zY}8Rpv!gnB=BH(MvOjr$HhvH*1y(B|0hS*;&h_(Ty3N^S$%4i*CTN)ztCEWpuB|z3 zp&$)#JLDEN>}HtBqR9KqmrM&RSYYS6@pIFBUO))a)UVdbhVs5;(T1J+{j6xPD5~5u zX9|ntME~Y=G1~1BmELK5;fr5VLa69$a3U`JT7uE862>NSXLm41Md|LaJOwgk#EEEZ zl*~plK43##_Du!I>sEXfeXe!^(}&z34`ABdb9gCH<14;LY84HlW+vp2o)ZssK#(-g2!>~|bdoSoaq$6Xl``0r3chDK*j7Mvvz+`&$^`d0gOR@|`n6ts>M-O*KHn zA#`cdncE0hV|687{K%`Zg!$DObYcQ45lm2h!g1sg=frc0>8^D82_5s}0rtywpPE;VwPlrVck}^#D;p+bs@SQE+?pA`k=D&byL*L?ZE!H=-$d0pk z`0(AFI*+W$e9D0j{Kz46q9i7XE(RIdpg)S;gOga>*oi;-$Nuf8H`aK+nf_qeWgRB% z^o+9XI?OxA*qa~ZpLEer6K!5roX&vQFnSA=6Dq76pb&(`bazIo+COI3Et75yq~ zlZf!XZkEg&%ZIDpGyiiVPb33R)Aq!sMxmFftvOLLg>1u47QWRTyTxbiT9~9vNu~n; zBh=USU1qhTf7v~?<1RjrJPym%2Mn9ijW(0-8WNcho=NVhI8}Y*P z&&R#{?{crOU%Rm-J0-kiSO8YNA>%BdlB|q)aJ#TS0HA`>lC@l;T*+TY#wDQnJrL&f zd>mU_E99qaUtlLqsnmsu2_(vadF@qw&bdB3WoJTD=>g_?eN9B5A`%oznoWbUB%_xV z+s}0{>;m{JHlo~MsfwhM zRwE5n?j`f143@MqkOya=S|L9g9Gw--3S~+h##lOozRQeI&Qu1a3`rE_Yg5r8GV4+> z%j`=6D`jq6oygg=+Ol+{O9w>dr2MIpE zsry8kRA-0^m%QPz$luennaxk=CJ3UgDmzs+<(N2Pf4TETl>{NS>5@IixAT12RSvG_ zHIKzlS;it0j%*fzwNGZc`%y}jn%lWMMAY3mP;+WOa?tZ8LbC#}tivX3eNBbuo(hn| zM}3*^+xVfWyScrE;yJknz=VLMe~l<m(#r*jm&euoNy^3Vz(|0~3Ckut0iipL7qy(Ty& zt9BF|ad0-XT=|pp9MHnKyWLb9Fvl~jjS(O_>UQINM0t*2s#JQpiYR$tgPC$@-Qh$w zSy@tcD{C9D>Gf!=t;bT0$^)z7j7o8#*2H>SiAAkKtRyYPbI6B1Y@D=3E5=?A*=CS( zlUWJ)Do=&qK200h_JnSfgA1DJ$H~@53Qkbatg?nx;d4i6EWl(Sxm%!uLb>NVs$Vi0 z!Go||?_E$46717i17KBhO>Mzgwxhqw28$~1*8sgbLcNXvZfoA7{MiQ;ff)}3ygq`( zH&MP80C?l}Ed+20Q_^lUvOxi@Br3s@csP_Y*szO4D&^Wxi`8 zLydRzSIUk|yCCc6CC9lt!pl?(MFL+g{mZj{%hq^jZgTEVr*}KYl+28h*(Z>a4t7Vq zs2KXq9ARd<2HhTyq1*tEdFW^|0V!MUWjo}TN@~B`?9M~p*szm~g>-FhZG}_p$+Xio zA-l5wCZJiEC_%XKtiE9zRBBE84OgP+#N8XK06M>UUKZz4CL3$3R9JS7mviZ=IL`*1 zoa6=2H6v|#cd2Zz3DyF$Y0EygN`wUhFeVe`&-7()2s``x1m7Yf%x0clh_-!sDMud3 zvdQ8k9P@PwyRyvhft5Fg3x^Z&VbadLPVUD7ZiURI#ygN)t=%(b13xc$QO@$8E)#O3Q(0oB!5CO?l<-aX#lbf0JoX%4MyGA-+d4#`;Ve^bP}x&@-o!*GYr?-%Fg>w(e~udXA1NB 
ziJ$tZc=e+nOGbf2r}=`oCuHc~NhXGL+i;*+@vXf8Rsk+{uW>BqJwd@1ckjKMvjI5; zp9{bZ1|tL>5W-~3NvF{kO`=?48AVw-n`Fy!op5Bbf@H7PiGI72V5UmClI2Nn5MTP~ zKSFdT+;8RkXN0NWRhFce*X~Mg`u!51U_ye7qSt^S&C9^KDxFhPFwBN60JD!0rjL?m zWZAaztJ!vs(r_bjX?n{{bI2&U)pXiAe#;~UIp;Y&Un=a*tQA*eDI||rk`mHre^a|F zrT@+Fxu4_ZO($%}{FRaF=8(bap3r0zAZ2?3m*CuJ*5j?W-U5WDar62uBS;jr7)nKF z9E_vguw+R&_bQbcQ6QfUOD1d_u^?*8IS*_54*1REo5Hl$hMp20Hxo?t3_Gz=TgoI_Rr;`+u; z`r#L3ggkGFaX`*^!Mq@k>^nN4BDwSWYgD=?u|OH5kCpe9DyE%BNw@xBfk$_N7DukF zWQDV2Sx{;6V4CHW`EsKfYn$7#y0%R^kcW0Z!PwG2**}Q4U;9S9_8VV`H^2T{@y)M& zCGOvSJ376S=o}v=h<7@zI5|3ugM+;|1l;XjS6=~`DMNb%RGP~Prd7&fL_QAqZ-G2o zVo#{|TU2;9l(kMy0Mos=bLW2SAGQ*BPr6iKe5VO>KYVmQ{?h;FucWKwN!e0vEW^jP zCw@LtH(3)fnCHnb+4I-8r!_az|M>p+=36;tJz0gmE)^LzhGGl>ryhW0ZCXrbz5qB2 z*nF;-EY3!yu%o3m?AUKnbIakKvgTsKpN1X0x3|~h8nt^LhMMLz%A0W)*Ni-o6VSY7 zI_%!Es;?Fh@tRZd31&7t>Dv?;PL7VE-D)SuZoygwshkmr00o^XKqa_m{4oEl6lAKJ zthW00VMDD}D_sUg!akq+ip}2yTq2jP=YV#u_YTmQKYSn?*{q0lxyarcFcuqV1YeWj zFj)O}vS6^9N@19c);zJtgWuTM*^2%BJs9^|en0b)@SQo!9T5(fdJ#PJZ@XebPE5>h z7b?wfLD?E^dtUvAOVa*-dJBxw?dA9(w8f%H68k9MKB}Izif~q z@3OQP0akV^2K~P0XZn@xf>prM3QT!1kDMCOvU1dz=}+Y&fAp7|9%nSOk;jo>&p!KX z%GlXisraX-dRBGASXQKma7R?8GP({x)a~hGw{q4MqbtOP33V;#k|B&!DoTELPP#GZ zkk{=&JiL1^zVWrM$6J8*;qC)~yN$dYvLD3WqkGZb-{;yet(*fHWOo2CR%3O2Cz@+J zY0?jnA7Y)2whE?lEo(nL8}Z&rw4GOCjAaAJciY`)pTKhaRsvcKRKyhH@!mnW*ktGU zB!*ZtNkqOw7oX&9(L(=z_xIDLfT|c4tiqh}LtClrIWNzs5R~`#wdMPQo*==wfYa)9 zsi}47kEnq$RRtn_UI@CwM-?p8Jq24>cSfE06ARB#dsDr_?b_CI(l6Meb__z zQ98oWB_M4n=_oC*HiX&D#zrGyQT8bq4iS0*NuQoW4{cGl0n6?`f}z0a62^Yn?ovgG z%`bolu(Kh^IQkvIK%lT|lKn4b!d4Oj!*n=KFp=d6k^)2e;AC&SpMwhcEu#|{HR}Zh zEe5|`7Q=JYl--E5h)V?^@EMmbifcZZw%gC#j&FYBo4JCi0F!fh0(4d&zUPVrh0WU7 z6xlms-ih7L{e@8js<7Z(AB#BI9ZVmyi|UzAP9h?M(}$WC0BO$#DxQ&13akPtaFqF^ zAJIz03e@~C6HA^MC%y?=wb2uFge}(qP|bMCi4c6>yh*Evv|FiJ(OWTT?mN-6`Q)kz zmoHz#s@RAD=6HXy0B9|6jOYhPdC?Qba&#uYk(8Kr3u326hRuU~{ z`z&Q_C7Jv`yY_g(AK!dG@8#>7j;0ec9U*SFtg&UM0G0xplbIk4uq|g)N3LUpK-kJT zA)LPE&0rjDn8W}bJYB3(%P&Vya|lIz?v;LPXtwg9F~v$XJ+ 
ziC9Qh0;@7*>-MFK7m{VZ_2wH~ufQT5lkYd}v0-O)!E0ug6Gum$$#|@c^h;|}%DA)3 z6*6jNA=B5Fd9Z&N8#bJ9ZY%u?z&a&PBql4TA`$v=c}JiFwC!;3x?&4}pOwdmGS57s z{DSYIHogwXYH_%FC}0E73;{m@vF>vwj~rakSlwANfSQ zaepuF0elaSdT}2Rym#1+yL%_`&cma4_t6pOM{#ez9S;sW9J?HQ@#v@@_x3t*cefq) z_m1NM&v!@XnBeQNwzdUO8BhJt4htS(f)jNrs%((8F>LCTjW+JpVDZ(=p9<%dW&Oex zKztG>Cqv4V=aJ!RwL!(vpls}JhuKeBT}^jwYb90yRfGdT9ibyyB8&N40#4?uxt0Q> zu&0a5HLR48Z_{b=Mx6Oh?0LWMZb}B3Qk3O)+TAj9-Z#5mELji#Ar#2~{8LyclpF?! z63w3%c<1MjZ~j&=?EZqvA!OA05R+q=z@x*H*hPSkPWo}c@59z84ttZ>!+bgdV2=Q& zV-(_u{TN2kf-M{krm^1}#4$qHnpENh-F?*VM}7MuadmMN^HNg@jRyqmTp&xbg*Yd7 z1_T}duAh_GrhwYX4(`n?I&6Q+geL&uI)twvEMjdCg%Hg2twtzJQ zT#mbUmt`pgd_Ff>Q(=wfmjaEDaGt(USf8$k28xs|*vbNN&k<7WZswmr>u=*@pVoOp zlggS6RK&5cVe{KG69r7aaUJeSfVVQ)e8nU#C+60D;q7}hCNb&I1F{< z*i2Bu3A)V#Fp+P;>}8q6XK!yW7x8oA5gR@Fgsls}Z#$uiKFSICJ0!nk{iX2*U?#sD z%wTJGVNbGBT^Wu?r?Q!W4ynkwAM~kO5o+e^GSOdYr6mit;&9WiX@6eJWdOiU0IZY# zX?*l^UyQdOoWz}jUcB+B6>mK}j<@e0#cS{G#W&u57{B$#z4*=7?z7*EufDk(-*{&) z-ne@Z-@LOIZ$3DPHy-TASKoLy-UN`3sr>CrUEf%X%h#`G7rff)YHVG)9Jii(K5jnu zT&!+yM%Q$ahK&oC0mF-N{l@LMeDNyG@jTvo{oS~KcR%jF`zXHt)wklUx9>&kxEBxZ z?Z%@=`*C>GNnd=2{IqYfQ(96enNHbkAIBlb0~p~h4CWCa`k>W` z-BvFiwz{$39mD~Ql9{^80zCS>zSw!!Bf(Q1tLb~1+S!^vC=;PfW!1?%i<`rvl)Ly9F%MylrmZZ+BCF)vWO-T^ z#NtCAei0Bl$@gTw`tY1++f@-nNT($4JmTu)nf2tFGIKnO2a_)k{68W{3Oif>> zqpI{%I~}6~5L|~zpthV1uk;VLKeVn5eY=2JrH+|Cj?33>#|nTpI<@a+1)#&scXoa% zi2)4HV+R>*0a{0$aU67panPnx?+jppR0POPU(=p48xl`JuGMK_jlhPf>o#^a;`;5| zarM^iSfr93o=h4Rv`E9 zK8iz_bgw(c5*kne>Pi@7mp1cK8JwI=^j>Ed#WTAqQW+|LWC(--#y^(He@myI^zC;A zrtgPMg}2Y%Tp0yJO{*-E1WcZp3BHUXpW~*-0=nM<)O>bUmN}UPAqp5dXD7hrr5yF7 zU5k?H3U$o>fO{j3Bb2EP2($sRBNVuWqMTSWb8Mqj9Ta8&6S#TXc{d3YP#^@p3j@^u z#0PQ&lPqTzSAj#YBKVwj-qur1*ov*$)bb=O8+P_FV;#KUGz^cjj%0-L71=C+K< zN=3h@sdM@{19rhYTkie7-HQZBGvgE`Ft7CUWuBT}MkKp%ox?_4ZB%n#GY)V^1D!%H zTkUI_g8~|+ARwEQRudufc;1u3NuW2@H@IKK&u?A3b}gULME5-va%HtiWm39`*%#Dh zXq#*-Ol{_OPz<+cO1`dQ96~L-JWFC`cfS@;5GZZ5_JH0nw{M3K4s%oR%rRA zAr}+fxl6N^AAm|11(ivTP9seMs1`&S*ip;Mt8NE=(&`LVKCh*bQ6)TG2QqzqvCcz_ 
zGEz1mM??zL!uKPWoxO}b)oD=nC4{32;)B--;ua(JOPSmOpQ^*JQYueV21=JNHzMxv zeZVDlx}U?{xhMc8c7Jm%c??EWL2mohFR5?i5Jjo7T_TS;E~ogfra%BUjG%m;Hz45P zKab66GV`ng=~AiXfNUNF*sd3$o*iU{As;?H8dtWDj$qRQj_H7-*Nc;D>DPsXd_{BH zI*ihG5B1%#k2!{}(FY(8znbXrZAJEOMp6N@bXez$p7CR~&em>G-3_wVB-jwWg^Z#X5F3&xTeE%2zup&5YUMDQ_T?F5F@qE zy?pu=jp-6vxqJKqvVJchf<;cIJi8)@(w6F(+n4SgPklb3Kn{+CnW%l{W4^NG0pMZ|rQFWxv2436`f$3aj0gtk$s-TeKEa1)yCkv*&D7@i%r!zEl`CI8tE5j>(SL_{&~jw= ze5$4|8QBBzMva6f#Niz(1iRbn%k%pJC1J>CFOQ|6CK!U}zLDuW8ymNfTlf!SMJ_`8s;N<+d;hmM>`k26yX8PX z-+M?CYtYK-Ld zs;?&0JkIpfweAmpi_cpX7cWxW$Rz-b(7TREPTa$p^jRMv0CgtT^8gTEV=Z?kdc83c zAy+F#_mxJD_zY@sLaFyOOUPrWBriSbncxY48I~in_VF22uSAJx-3~sz3`oi`w2!`G znQE?_^p{y!K;{b=9r(5 zir<)vAJAj={vgezIR?6@t3T2j{mnrQ-hY%zEG=!+Vx*M29M=Nb#p(4==*3z`H*%88 zW|Q`m&s39cl`Q)Y{iQ%8#x)`e-0LS~xzfu4Mg@p3eYpLZU zIE2!s_`8R0U%IBumMp$nj&|*$@83mpg7WxFHGT7!*W=>ptHTJFKZ7ZSDQ>2f+5DUe zUfJN8Jb3i-$>bQ-pb;FguZj`!#qS8H+#Jf2xB*|k^2h3oK$Sdn;^K@#wz@26Q<)e) z{T1GiWZypzNnIoCd z8Jyh_!YS0pso~fyCVTZ(@Va$_9~w2k#n?ZTC%?7qnNCb~DVS0e4`MDLyEBy?A@Yzu zTaUb|=knaab?rSWV5SN&hWp)_VL!t=xkb-HBPGOJHI2`QVXq${$8Gd?gX1ZeJzr2y zNj=$L~MX3wXGsbgI{%DIC@|tu?t=oB@k1sHHNl4XiE{Ttf zs)ta9UlaAXp)tjtYVT#sKqhvMSw*=!E!kxGu(GQ`+vb|Ruj>5JNy`>^BQ=1l8-d8< zGTmX9Y0azUuGZdY{ZjIo+lx)x;^>(%jd2rQdygfI4{VuaxRzqrRAqV*ru6Jwb&$DS zoJXf2t|AM}ksO>unGkA017;KXoDjBNUt>$P1{0<*uA1OX0AE}PYJR3XEm^Fg=w>@K z(>8X3eYQ1RKWtIF<{VPLu!^YIgoGb3`SRddWSHe9aHL)@3J z^`>YtPq=B!Zt~wocFd%D#0!WoYE*$x_>tf@&HA^D}y?fjR%3jJJUm*GgH#uMSzzdwD>Ne+y?lM`_L*p`de z;oQ`bUbrsy@Z)$$6khx3((nLAgmBv(qrIhMn`v;La)C2w?_){Zu8JB;8T%Psh}*2t2nvnhG9;B zS9mKGg#LRYv_fsBL|P$y_szGTff`iocm;pT)S?a=Kblb2x^mq_b?r=a^QpUpwbsv$ zQhzc)^%UItbeG9@b05S$b_;U8BqAiSyQXl1QP!pVE?f1nZ5II2-?)#V$*;>c+_F>(gvj&+fySkXa z;pn;0YMZ&l+vBn%eKlA>`|(JNNFuFeU!JwmxX9OsFK1_j7nv-TweRso-z&V$MHd5( z3%*U0U9$hU?f2OW_5;Q6YCiJ?ysJ@Nr>b)9r2`sr=bS0SA`)}oshIdRPOXnrByf}s zXoe;}V&95=Q1vi^Fw*~0Y5S4H>)c>XPjpe^9mC{!-eI3Ws=QbVC-0IVo#AHBL~~dfH>Yy!#B~9dKF(a# zXM)PXzt6!sLdi?y@3BwaxhBS~tn8ybZ;HRB`lZ62^88?MzGstns$l1I+r}IRbAhcN 
z+H0b5oF~XEtxc51HndGS%$mP8yX|7b7OR&4K;vU%E2Bo}SB;Bnlax=ceg|{q_z`j{ zmn)Qv3@vce)A!uYQ0$eS+H8AMBHWK0#P2`-GBs`Y(JjW4f-81Ir6dr~Yx6ZbsCXvk z_lG$Y7(lci$lR6&`5jaD z0+O$d^`p<9ASDulPo(v{4x)oT`e8c>*JQtaBflf%9GBWrI+;}~@c3v>y|C2j>cM?V zz}I%K59k#Ql39h%ZZLefo3wb5M-Q8@MGizz=Lk4Do-q8J$uR!?{4SaQ2Ge)be&J`^ zfB+Cg(~eK#UDQmGYqFY$pf9<)P(OYyn7;Ynfn_Fu;i;3^%H+)OyO37ZxhIoim1{|Z z`JDw08yY8(Y}pQYKY7(R1)YgZg`K2ykBzcuMP6cnK zyM}D2frEbK-7SuGS#)PEI`!t)(QIk!8TUu3aJb)`OR%{TKTv$-%_Vc(pRMeiQnN8e zVwNN1meWJw^yEV_?NPG$Z0}a@qI!6$9emzaFP}z*QBR#6C}o`&vM!*3k@xTrzYDNE zedluTEI&_22+%)yD~sr#g}oL3{wy_`28ALR&<|{g-cbU6`cp(<+i&rgaMZhu?Lb;{ z0$M)c|9JK%L~E+bVThqeyhiFkSmMPZ+!_fzAFi&3`=*ApEcS7EDo+@h?1W4ii93Hu}S9 zCx85T!K+Q6u*LKMaF%vFtdrly z0lSx!gc_@yH<9%6Z_i%Iug%F=pbdMm*@c@2$tc_M?1Ez=p4Q>}i4FowUWGQXTx6%r z8X*3f{I5yF`muGUCd*VkN;fZUAZ<*%b!*f;M=+c0j~@dda3)}l82|)xs$@^TXLrRj43RQ{Mw&QbcaRZP40#n_HGX2U zB~G`#@AD$dIN#*<7N#Kck5-M;&?D78 zbm5jSn{Ut@0MYKGaDSm(~Zt&A?gHQ=0^t%R1yvNAuox5lKf^Xi<<<mAe|wQJtsLb9koxNJ8`i>0sF?^AZvcKFjbmJ`_00Uwvk(S&C91GOLGzQm<$Z~ zu(>cW6azx~NORk_RIZh1$?o6sk$4Z&XwWQ1piaTLTe&L|e1fpb|sWAE-I03xJUUJxx~t=#ZxO z^!ceHz{?1Lnlu0zqhVCi1=he62#Ay!w+K-rq_0vFR-_`W&VL__VYmR0L3&P_jMh1D zQ2!!6pxC2O^Bn;L1NXiy=QJ}#;dlo;wtW+g=@MYbx;60USy41Vm8R|zzsU{|8o1(= zfVU>T{Ycd>P!!P_G1r7u9^gTa^7Fib9p%!j76I$`l{SF#3|{(ozLXQlkg=^2mjO2wEX-JEK0c*cqAAPp>JsOqfDBKtQ0!iSg z&kxV?_CDhv1Lc&CZU_5`0uF;So)Lu^ZC3Ukosy^WDZ6*2=eP3fCzO_5e)P)%7tx%2 zyCEu*bNu=3U1gBI>-dsBat_p_?e8e>(v!bB870@G?OjAB((_jnTRt7A^fQm1b8zyI zhCIlcjJmwtN1pedXUH9IbO%rJ9p#CPs43m*xxgdg^kzRH#pl z8iVQ6h?JYb_5C?1CZiRFxo2REfiZ5zHCINA?tEm|pAo@17$yKQ0406-o{R8?FY`44 zk7q@YqA_4{K6U0Dd5T;C3s8}72l=Ox$VEBGcD@q(P!IFbKFDtjrt^rN$zY0 zA3a*9QQpqQ|9m(u1v(es^XVAV6QgsYYiRU93keH9aiYFtfqodGcdhA4wx=ZFO&G%;hm>xgDJvKa-ObfJFV!^xL z{qBM9W1sJc=zIjKP6|7p`9qfikMo`8vojyp?bDmirF;7DH*Vb6{(oaIn!8v Date: Thu, 19 May 2016 09:18:20 -0700 Subject: [PATCH 043/169] Vicki feedback --- education/windows/set-up-school-pcs-technical.md | 2 +- education/windows/use-set-up-school-pcs-app.md | 1 - 2 files changed, 1 insertion(+), 2 
deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 773f61a13b..93a7b7c1fb 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -38,7 +38,7 @@ The following table tells you what you get using the **Set up School PCs** app i ## Prerequisites for IT -* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give her appropriate privileges for joining devices or make a special account. +* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give the teacher appropriate privileges for joining devices or make a special account. * Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan) * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx) * After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System (SIS). diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 28442ed89e..15363f3962 100644 --- a/education/windows/use-set-up-school-pcs-app.md 
+++ b/education/windows/use-set-up-school-pcs-app.md @@ -35,7 +35,6 @@ The Set up School PCs app helps you set up new computers running Windows 10, ver * Windows 10 automatically manages accounts no matter how many students use the PC. * Keeps computers up-to-date without interfering with class time using Windows Update and maintenance hours (by default, 12 AM). * Customizes the sign-in screen to support students with IDs and temporary users. -* Automatically manages account profiles on shared computers to maintain performance * Locks down the computer to prevent mischievous activity: * Prevents students from installing apps * Prevents students from removing the computer from the school's device management system From f9a7ca405a0e0cc638e44f5f13c6d3cbeded38d1 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 19 May 2016 09:27:09 -0700 Subject: [PATCH 044/169] troubleshooting --- education/windows/TOC.md | 6 +++--- education/windows/get-minecraft-for-education.md | 8 ++++---- education/windows/index.md | 2 +- education/windows/school-get-minecraft.md | 10 +++++----- education/windows/teacher-get-minecraft.md | 10 +++++----- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 450b18a3bb..3d85abd08b 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md 
@@ -2,9 +2,9 @@ ## [Use the Set up School PCs app](use-set-up-school-pcs-app.md) ## [Set up School PCs app technical reference](set-up-school-pcs-technical.md) ## [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) -## [Get Minecraft for Education](get-minecraft-for-education.md) -### [For teachers: get Minecraft for Education](teacher-get-minecraft.md) -### [For IT admins: get Minecraft for Education](school-get-minecraft.md) +## [Get Minecraft: Education Edition](get-minecraft-for-education.md) +### [For teachers: get Minecraft: Education Edition](teacher-get-minecraft.md) +### [For IT admins: get Minecraft: Education Edition](school-get-minecraft.md) ## [Take tests in Windows 10](take-tests-in-windows-10.md) ### [Set up Take a Test on a single PC](take-a-test-single-pc.md) ### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 3a815018d1..e71bfa5826 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -1,14 +1,14 @@ --- -title: Use Set up School PCs app -description: Learn how the Set up School PCs app works and how to use it. -keywords: ["shared cart", "shared PC", "school"] +title: Get Minecraft: Education Edition +description: Learn how to get and distribute Minecraft: Education Edition. +keywords: ["school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library author: jdeckerMS --- -# Use the Set up School PCs app +# Get Minecraft: Education Edition **Applies to:** - Windows 10 diff --git a/education/windows/index.md b/education/windows/index.md index 7fba6e3d70..f7f9f123f0 100644 --- a/education/windows/index.md +++ b/education/windows/index.md 
@@ -19,7 +19,7 @@ author: jdeckerMS |[Use Set up School PCs app](use-set-up-school-pcs-app.md) | Learn how to use the **Set up School PCs** app to quickly configure new Windows 10 PCs for students. | | [Set up School PCs app technical reference](set-up-school-pcs-technical.md) | This topic provides prerequisites and provisioning details for using the **Set up School PCs** app. | | [Set up students' PCs to join domain](set-up-students-pcs-to-join-domain.md) | Learn how to create provisioning packages to easily configure student's PCs to join your Active Directory domain. | -| [Get Minecraft for Education](get-minecraft-for-education.md) | Learn how to get early access to Minecraft: Education Edition and distribute it to your students. | +| [Get Minecraft: Education Edition](get-minecraft-for-education.md) | Learn how to get free early access to **Minecraft: Education Edition** and distribute it to your students. | | [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 01a29c2dc4..842ea627e2 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md 
@@ -1,17 +1,17 @@ --- -title: Use Set up School PCs app -description: Learn how the Set up School PCs app works and how to use it. -keywords: ["shared cart", "shared PC", "school"] +title: For IT administrators: get Minecraft: Education Edition +description: Learn how IT admins can get and distribute Minecraft in their schools. +keywords: ["school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library author: jdeckerMS --- -# Use the Set up School PCs app +# For IT administrators: get Minecraft: Education Edition **Applies to:** -- Windows 10 Insider Preview +- Windows 10 > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 01a29c2dc4..98c194c982 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -1,17 +1,17 @@ --- -title: Use Set up School PCs app -description: Learn how the Set up School PCs app works and how to use it. -keywords: ["shared cart", "shared PC", "school"] +title: For teachers: get Minecraft: Education Edition +description: Learn how teachers can get and distribute Minecraft. +keywords: ["school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library author: jdeckerMS --- -# Use the Set up School PCs app +# For teachers: get Minecraft: Education Edition **Applies to:** -- Windows 10 Insider Preview +- Windows 10 > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] From 5a00c00858511a29dc332ca11c5f9f9491970799 Mon Sep 17 00:00:00 2001 
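Review bot: The new front-matter values in get-minecraft-for-education.md, school-get-minecraft.md and teacher-get-minecraft.md contain an unquoted colon followed by a space, for example `title: Get Minecraft: Education Edition` and `description: Learn how to get and distribute Minecraft: Education Edition.` In a plain YAML scalar the second `: ` is read as another mapping separator, so a strict parser rejects the line and the metadata block may fail to parse or render as body text. Wrap each affected value in double quotes, e.g. `title: "Get Minecraft: Education Edition"`, and do the same for the `For IT administrators: ...` and `For teachers: ...` titles.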
From: jdeckerMS Date: Thu, 19 May 2016 10:03:34 -0700 Subject: [PATCH 045/169] header display fix? --- .../windows/get-minecraft-for-education.md | 8 ++++---- education/windows/images/enter-email.PNG | Bin 0 -> 119594 bytes education/windows/images/get-the-app.PNG | Bin 0 -> 129831 bytes education/windows/images/it-get-app.PNG | Bin 0 -> 110733 bytes education/windows/images/teacher-get-app.PNG | Bin 0 -> 103443 bytes education/windows/school-get-minecraft.md | 4 +++- education/windows/teacher-get-minecraft.md | 4 +++- 7 files changed, 10 insertions(+), 6 deletions(-) create mode 100644 education/windows/images/enter-email.PNG create mode 100644 education/windows/images/get-the-app.PNG create mode 100644 education/windows/images/it-get-app.PNG create mode 100644 education/windows/images/teacher-get-app.PNG diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index e71bfa5826..304a564556 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -16,9 +16,9 @@ author: jdeckerMS > [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. +[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. (need more marketing blurb here?) -This summer, teachers and IT administrators can get early access to **Minecraft: Education Edition**. +Teachers and IT administrators can now get early access to **Minecraft: Education Edition**. ![education.minecraft.net](images/minecraft.png) 
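Review bot: The added line in the first hunk of get-minecraft-for-education.md ships an editorial placeholder, `(need more marketing blurb here?)`, as part of the rendered page text. Remove it, or track the open question outside the article body, before this merges. The same added line links to `http://education.minecraft.net/`; prefer an `https://` URL if the site serves one, so readers are not sent to a download page over plaintext.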
@@ -32,10 +32,10 @@ This summer, teachers and IT administrators can get early access to **Minecraft: ![teacher](images/teacher.png) -[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher.get.minecraft.md) +[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md) ![IT administrator](images/school.png) -[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](teacher.get.minecraft.md), and how to manage permissions for Minecraft. +[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft. 
diff --git a/education/windows/images/enter-email.PNG b/education/windows/images/enter-email.PNG new file mode 100644 index 0000000000000000000000000000000000000000..644d893f061f0caaa3a1a0cf41e2e08c71ee6e59 GIT binary patch literal 119594
z5NRYR+`x2Tyl{sq>81M54wg^&1VwAe4AD}3aUQ+~fxYrU<$x9PJfI3!c+5>onk+}CPW&OO5ZF2CcZ@H z*sg$nWBnSGhMxbA0M0c4sgtxVTe)4XY-Q31>+0NfR-LG#eT1ON zhZPfctRLZtqHuDs6dl`_0&Su+%VE8dUudFZ4?N}m3Jqw!2?twKe)i)Wj6L9KknHA< zmc6a1K~HJO0AF4KId5*=&eTA+aG{^a_QV!q*do^(HQS_LQ#WftvQigtkPaxCB1)y3 zp+GCzKc9*^ZtdtOqOP-*z`62U=p{mB^#MIS+tR^Bz=kd{XqyByDxg5IR380?cA$YM zTdPH=kOs{iK`5DRLKQHvp)z%%P`Gs!6A_WS^uPx0}g$av$hVAGLHiTkaU(4D$!dr@86z8j|C|7Un>?Yd zpE@IkZ{lDFQaNcbPE;35$5YZsbkWqMQ){B*c_0_sw`whT@RQ@?>ONniOF4RJsShl2#A3T>;J^fw^%c6I%cQsHC^C{~>0Dn6T2dmvk-RxFd(WKiUPDvz(SByDLp&Do&a#fFq&z_u9gB|(Ihlp zHRwvG=z(90(>|wa`Fx;Ct8QG^U|{!(M|I$BFg8l+qmZvPO8xmU??SgZpogu0Lm#r2CUQX+cE1V!U`p0Cw+P241P#jG#6J(3C zTeCR^b>q6i)EO$2ZEMwZ`GuAMJ!Wc#{%08y@~nNnY_JJ8VZb?jku8x2te;{>j_L<>z?V~7I0+@K1>k|RgnTBV0L@&{L)$i@WO5l@{CYH+&vYq~ zwXOi)(z{eB?Tpfin{l5=Hc!Md#j*?C{8EQ)zJzw`m-C8Wj&|mqE5r6 z58GmF*>RU*>t9!di=SYtlv18Vl)m>dS4<@usI(W%E zbXd*JTQJuvySek``r2JiP}ok@SM9-K$9{;4kf;DJ*FnrI5j^$r%2II_2@I@5hw)~x z_6~?ZLS^X^ltf_JfY4yLvN^I+SU*a`AX4a@-IqM!xyEo{a4AbO3@`srj1o%+ilJ6> z0~J{S$>zHrMK71S&{C$4ggkA67ry2%MU;JSuaIQWypGAr6y0p}oSneO6ycW@&rsPY zz_PNf#^O-0>4dI+307x04iM2$)0<@~eiP6?O+*Y;8!*NqBWVm2J>4w-X`|fh_CP4Z zWE%oh>;@C?3eozJ$*8UT_5>+`L9~7_cHd1Z987`^kPpD;Ic?2*F|9l*uECD~=i*sJ z*r7wvXakY6IoME5jF24z8YJ`ALOq(8a9yvfTeCwYGC9SRXn%^iT}9QZ(68H2Y1EJF znlJ)`yu?b(CeT(jSiWb0iVJmOA(5{MD)JdvFgg;|K$PD3(F+~pd+FamJ0@!7ogi#sA)w* zscro#gU5QzNA5gCUsiuL6T%8)&TLr z7;^B29}a|SF+*DHeQ&ljZOF6{?V*DQDFx4Mtr~t(%5qLA@PuJH zO4rw3hbY(Q#NQW}%`2(bj%D3Q2yc591$j1zJYvkCJ-nyf%)-Fei6JX^=MdRcH}h1P zWUQcqq$$3L5t402br@2zW(i;}3#^J|0Oi54-e6f1P#B?wAuS@0uOSIr^0)7@6&Uxw z2@q`7j)_9{QNQgTd33@RR`hQft8xJAKdqQ{=6?<$S5Yev^_~F+L7hsbtww#x6eLP5 zLV23F_77MxDPoB1lpwT_C$iWMHmktuM3&+<_m;him|jcSKq}C7AsTiwI){%jDjJ}8 zt7+6pYCb;8lRo+mPFx*@6%qeY#~p$c^34`nq2N$ibCS(?&`ls4p6B9s1;IErQVVs9pO)XUgV%x>Zt0^bFU~OK)cr_lI`vAC zKBkWcTgmUsBR$qhzKw$#i2XQUA^qEnU$loD6RJVR4Vq_g6tl?w4WxyV-nxRh%G z9WIk7&o`CpA|mXEGNn9Zqr9aiPMQ44K-@v!K|*1kMF5V2g+YPBgCW)PLc9rLdoFt0Z(jNI7)LU 
zxIQMCK`D&DH6)4J{zsR08{UpORRbnU2uS1YuKc-7YPpOX?RhXfE1ND0m_=W4_TIYX{0 zYilq)N`O8b5;q;C^FV}@PBJ9jdIw{VS|xtU^Qmnwnu>;@SVpljiHVFWI^D{1^& zyZ^kFNrtjmVfzvdyj9e9nk|L8l@&^c1<#ozgPxrhOntFbY0AJ@n7mN|NLfS}mpJpi zj8K*c43-Y$f+cMIsM@AmXcw`(@&MDamQW(iq}p9kT<%BbtP`0$a41FzzmZ-tr&0te z#_SS(SE`j>2Iyp73z{eWG8%vgMWh-{sZz3bJb`8}O+N@AlOz^0Mq>SoZ_e~t{n3Gy zFI{o>XBrb7UIl2-0>-DJI6xh8g_gB+MMTHjo-S9)>Oe>X7fq!x!^5m>lrAQ|O7|?% zJfw4ulviQ=4bSOuM;EJa;>e6cWNR(80f1j12`j0DDx>0-n<6ANpi+4*FtAMJWT@ga z!~!g_1fU&IyA+Y>6_3+FInkY$gQN?(oR9QR_mc!- zRj1h|^lNM*ff(mCrIl_!fklI3Dk&ey=*V`1jphW%RGE2UAI7DiJ%{_GouH`!q_&}; zwwV`bow`^-kfPi^O2iInFKDw$=T1SOb%TcF>h6>y)v5tm^%dtVXQeDH2zuLXUqzx_dM4Pe!|P^nb1F#X)!sXI#eo-Eg-s1)pm zBSyl)QGl1|W|j$X9h4qK=E%sri*4L!(nD>RFX| zQYY8H9Q{B!+mxc>nyQUj4w6L3DA0bnRhq_3c{&{S03BcVQ}8wf*8rqbHUt*&7bKDc zUGq$(ihE0q4-T(~zm?+6EDU_oyP|3X+8lapd8sT_w1o9YAQcA4p>sdrrJz&l$%+v( zE?5qfqK*|vL#KqnfPC-=2Iv@cLY&vHCL|@RTp4T~*_kT6kLL&(l>rLXuoS3r4Gc>K z+Cc(&;)daofHLQ#LyHY0^(1|i zTLqhX|~vmCwdM_>=#$QSFzaVQiBK)tb6+H zfDiRn@S_Bca-L`sY)>_$mI2su?)Fs-8)#w@z@!~P<=mx*s9j7y2RsIS+mlYvRn`!E zPFl(%!{wwv_gNN3_ASIIqpUiZu}Cs)>ZP&_Xl#K(r>9ecmj*C);M~r_wV(>Vr$jns zMaaso+joZMU`HU0w$YTuGOjEJ+5zZL11&bSljNg)T5y00tg=03D%9NT_EpX`Tx(AUAv$!I_8WmSpIpxKDN-U0gx?D zw1^Z*8bVpx5d#>UE6=<@D0vm79tC7^YKN+jwA#?1v;@@jlxgXZ)r3+Fl;T)Q7LoHt zluQDujt7IK=PV@;{`%6kwT@`9n0Ts)_9IJaoI0pIX)E%nZ&J_l0I{qM_JJj4e`MH$ z4`pfz@Y0F|B#;SDC#b9=`cZnyC4K1J6Dl3O8zF~PC6QOLU4d$DI>|oHc^+%bXQi$N z#S2yc()J1PBVLq1icaZ=;DCv5L6IJG@dHBO|2kO#vU|eLggb`P$xEe+fXO0oiBm}{ zS8;d^8pMku0N!As99;hr;K4C#R)W$Hok_k|U6w)QNpvMkf+1xmWNCq!NYm*c^i_Hq zl!!3MldeDJ4SeBv0s}465k7pOt2`b?XQ1NxpC4@3K*koP zS*u>?eV7(mBZiIe;5f8ffdNnc0~~fDxhpgugy|0P7*9Xju`4$)mL)sSDR&o{Irz61QePeL(q{-c#@ z*!`Logp+PH-EvBX5a7WXM`#gO1?PvUMaR6@qXX zy=)*F2b`4k_lkt{y3XKdQxP@~5&LzTswpm(7$BeWlS(>7-Nf_=Q?4VYy~1Y~CEx zj&*KCHAIowvml+#8vyxJyRhB_v zfR25h{Gi;Qb{j~qm_<56lZ__@7!kHZP0*R`MoHd&Rs^L9#r0?~qjt*zat8}bf-ET+ z+KHzl&}os&W!!MYBn9d2ngB`UlC7kF1E3))oR)O2njbdi5JXZRQ^1l6A{JEI~M~JB+4!HPS$a;TRGp(T-^?k8f 
zH0UTcKK6#W)+iYmWC^A(C7={9mt7YT6Te&)VXSf%zQ$1M>XoW;RCjOLsw@{`ySlnn zU-8iL+X{7A@fHtXsI|li9BJ+h?ev6HazYvgA)WgG0JV*h0b*t#?3&g9P8rK=1UL+T z)A(uuc#%e{bAgx}O2B8pW4no0htU=tnrQI0b&kxy{kR0W^Y$X`By#9cf$eXLf*xfN zQcJQEA=;2Vc3-pWT&z`IM+~JMeQl4oI&e)6+fvZ9l(#}!Mr@=3bjh{?Y9OsYo*{kF z06?IM-wZ%@%6c{s`ePVqv>RdzqfSbIrE?w#g#mh1v{}mi zQ1t0r41i4Da@LI%iY>?lH;y7|j|@6@8p%+}e9J_~6H1>tDl0l~vw;s;*D1>}*&)y-R(*~@8L>)9 zr3>jk)ydF<_0*n+&`RM#tU~Hsvg#Kra~q)o1*(Sh6!S}mD6Keokm-|d{BBtVbj&+I zxp4xT>|S^xiSC8(K~H@PlTeqj{oBw@tN>9|xP+~eft-Y@WQ7nxVEs0Z#h` z{gglxy9DRX%#zi`kmSB7Huy{1n3PYQDQ|77zO=pX5pY`lh_dZP?I9fBD0q%gR9A$IMS_Z6>Ts4s?athr& z!#rRy0CLw2TbCkf$?QCfLa_}GDijwjgrbv>@AtonM#qqDR}9N#yUw*$hZQK;2fkz?}6ZI3bgop~ArP2AHJ)n#_*jj!u#bL3Nek&7CthrcHk)rc9Zl z@U&)6vt5`K8>>JJ%7dCMgFxNIR3uzuk}NCjB_22+@2Ln|x~HD95bKJ4dL}`>o~MaK zeU%Z-sFK2y7HC6#mR7NpVEJI~+&S^g(@)2&nKLCPB`d(I3CVlO^d+H*g&a+)0QJ$= zz;+%dF0+_PR{`l_V7X@l@Uu*fG4M&(ie|b%=bk+1gT5I|>aGOsgN;@|AMO_@AAy|( zj)#e5VmZC{s!CZ3D}a- zB@_LVzRZKje%XZNMg{{y;4AQ0_zTinHluQ?zbk_rzTt`blc%6jcg~#I@$}@$F>BUL zp;H@6EgCRLeYs8)qm+(j4I}bI-tYUA)3-B~%=V3VSOMFgd1s-@QDH&eDXOv@QsOq~ zlqPb}X_f%MOPQX3p!@)SgF%st@d@>zT6CMb5e@04O;u^&aU%?~0+sWELAKz5Q-yQa zrV(f}w_CQCTZ1_G4r#~4u@rE~quue_1nw(f3lv{u_v1dq2frd&5lVoc;`(0o`P@eU zaq7gl;}HvSfECvBdAU+NVk^*O8PFxuQ z4=A!MUDUVGt0u3ugy_9lrbEK@YyouG#LDHR7b*8@Qq?K< zR52Y%C%P1X+LDm^wxOIYqpOq zU$&($GEdfkL0t&wu*Pkylob(JxRsKiKq<<1XCX@ax{bJ*MGirB<6Dr`Nr(fpXU}q* zabdcb_wy-mzOcN3y*}JZd3fWNfNb|=!`wM@VzVu_h+TJoPmCQqHXeQW5sU6BEJt}b zJv&z7fNNclP=GXM$H_B0Ck~<#uJoH_mJcY&L7G+JbRs&HuIDln=D*1_Gv-Ys)>%cD zgr1m~qwK(KgKXsbM^KP6r*&#sv2#W60o8`+Gp1E*56vWKsMHLF9|LlItj6cUcL`?h zl6(4$nRar%C0%&+|JQs=I(O-ner{(=pQNm4AO(&OYTOlUd6brYlGF|jd~;&UEngPz zdgrb&YShShq zc|-t(=}Y;lqtu;I!7$bQNhn(RFTnEAX<;n|-N}|2O>-_?pc@VB){(NXsjMqFssZWM zG!*=5L$yuyC8ne=Kj?-iyKbC2A9~PH9$krZPwM2{Js{e*dtg$4FQ=5Dyl8=E0VvDB zh|MJ);I@H}1ck?(*|X!-TW_Pm?;YBK#_60@F2@DEr85-&^Us;nQRVC`T?+-#-+Kvoho zV04r#eJ-;&M-N4$*_!$8wA0S<*)z|I9d~?#oWfS|%2&QBR#;($xb(8iT*xbIY|Hg> z*Hycv?3O{1)EkjJkmw8P7?c`-KallmPi^A&rMiG-Wjem%6Vx8Hu7 
zw};w-5Y>4ms5myC@l1nm0Su>{`oO6ozK%#gP!Zp0NHNQzcERS;SWJzQlu?iNnNJ)f zxB5J*K|i#iUiRi&bLfRb><7#<}0K^7ZbE z=unHizK4T_sAN*TagwF_F?H&+c;9>97kj>M58pU(#Z_0?4*9>gvE#xdcXJb`v4v4q65 z??_+a2C6C)Fc@;=C#i6rdiE*G zk`NfgmV{<1r7FEF2bj7}t6do?1Fp5G@$)$vZXl41DuC`Ddief$@czk0|H)5&5LaJw zwFbU%as+*G?X}m7Wb&CmKb;b9R_9tSub)a&OQ!76Q(qiozNa${3ghCoW7-G@WXAzB z{VdQ51qb)zU;c`eWx~{Fo{5hheyC>Y4@-vOo|L%GrT&9MM?CZNQ}Lnw4~qRid~n=w z?X_{*DJQutG2vyGO|behx?GU$iLXgHw}A2%M~a50C--S`9OJNdZ;=2cwH854L;R?#Eu>M0sY{n$4O)Cj%h*z+RNeHsWlp z%IL!v{OHFJS|HaRDGap$A?%Ne4e7*kw?S_ z_j-R^cEy!(+8Jj=j|R9YQ>Mj!2Ye_FKHvb;|Itr=7N7piXJf^Q6H<1Ip0C+r*MgTW z=Z=UppuRC}%9Pk`_ub;yqmFd>U;X;m@wv}`Ax4iL?KV>lB@=D6NPUk!lqyHJR@(p| zZ?N>|3-D<|lQz6u$8xN|dHyJ!Hd1?{N_rn{N>2yh+xfO5*#-JnqHkJ~eoT=(H8OsI zk_=SbF9LXSf-<1TwOAc1&~DzQ#D5qEx}xWmBa;gG^k0MFph_QUHDlDaPWM zHG7U@{3XTi@7>c|Gk%M|N^z$q55)I$53@s_KR-J+ie?hWbs_$U@Q}lfFb!bge6~a| zJjtQYxG`hnx4-&zJn{HranWyo6?fi#yXbLeX)2$;wI3?_+?7ga@SjwQemWqksi1oG z^)eW1aIjq6(KBqAmFJZsbr*Q$WZ9HPy_Ii=>g#`HYg8XPI;!#yIubse#rh&y0sZ7` zB?0s$L-SM9s8`YfIK$wa%CW?QJ$V7EFlN|Ejm8@iPd`05PWi;Ao&U#+FN#w?b#mNz z)3tH&C4Y>ouD;TKkcr8-u`9%muiZY@S!ZoKR5yy4Sauv3b+VCDN4BIFYZAkYX)!pq z#~J*xvoq7T6c)WB7WB?1qIP>cE)(DDuf0a$>VDy-Ki#0?wcZ}ZTH%zMXxD%Ffilmh z-10$fM>r72J)kLX>0>`?1KW=EFi@7F!xk0J+kwdyj(3eUSC4JB-OiH$zi3&xNu@(+ z!{Wh9_ZQa<}qeyTM=g)@aRM_f5hJ0Z}_Fd}4Oq^@-^eg&N_P>b79(ybyI-kP}4zDQp` zw0)*Z{~ECPQ-Hdy=?MN>3|NEX8K5S^LAU%&8JI0-!hjyn=n-&KhbYPq% zhq}}2ca#y8!Ox1vU?HY@i4iK|-xYkRMI8HgIw&UDhDv(5{XT?6F%M z{^0}TF!5`KgZJAf&iLd>F-@}Y5Np;<2 z%@iX?j)*fp^SL=H-5wmB`R9{tp#um*_bP$DD zvZYgEt?6Vr=Ai}Pk=H%6M=R$karAM=$DxNG5&!(>J${bNWaJwdp!e8q_c-&6)8j3> zyd|bio0>*1hUBwAc<|wezUYH`BZfpOkkVLQ z$NGbL{}%%E2Zkna4jxdCO)woP%I%AStx+9i6#nl<=O-eqn{7dA^?{1J&Uy3zV;odS zTJ9>MBL+GTp!iYc(YCDA=4;~TJIyJovZOH?w9ken_DnEg=^4H$f(OKWVRlZe*sY{b zCg@01RdVZ8x!krAg7aMBW0)Y2lBUjV%>w0_gw+w-M{ zF~Uq0<{?I&2jm)?FV=T?8*{rIUK{JbXnk)jP!Y>zEv8&F%=i_?yR#2vwT3|=kF^Y_ zT4Kk*)}z@m*Be#L1D4 zE)AW0#$LBS@>sT|K~>z+F%nE!A@MmIEKo-?7cO_5A}7G@=&W)lOqk$v1~rV$vvBmQ 
zIxu+gC!VXUJjpn-X3lUYPj8F9FvL9i4f-m>EVo;;T+gno2kI<-3OGIPlJhp3L~2VD zF>2(5$4fk_K#UcKNmOhFo9HerxX{F?z`eRSu2c1U`I19{mhOF~U|5Moh*kBw@(HCrA_ z$kpZm*MKy#C9i!Uev(o;`lB>_0Em>udOT@ja;&z_KdbF>|4tpHtuxtRJJUD6Nr%{} z+fX4_eeC|_E*(JYBL+C_0a`(c_@cf=8bIgIGhO?qx{WG3tS5Z8hH`I3)HFbFfSXBqBB0~f`DFBB<+ zj%K=&i92gKdhj-ibV1uuCl#GPe{Rf~J<}5n03%`>XTDa0TpR7}t*-=HSgu#(0J&iP z9G%Z`o+_d?;${}r&-L$%o-WParFXA@#mf)a+xXG;BIW59eUL1g4byNP2;eiI)^n$! zKmSq_Dpc#A<=jzPb(h{0uiMvIYDr+yMEij|5a3lgfQLSrWu`2H19^3O1-ktI7@Ze; zq3d8D(89*i1*CX(bUy9shjh_7y3g5Z6QE1Icx(fJ7xuvJ30r^6ieZA@d|gUyxL~1b zfF8kDV1<@9qdYk3iIydVB2Po&~m608i4L0?ovc0MYIzfjfN>CZ4F)fx}j+aS83M0>y~|ie0;}T)phQid6t#k9xkVF z(+>G5ljy09=|fC7aPs&z+v@__j&_|Nv!%~o=@6T(ivs)zwW|Rpyt^3N0*^H6%cY0~ zN+WQGH2$Tn#bpCEbT##Zk2fzJGc5-(^g^KDVY@j%fU7o?Ow`eOS7S4YpzZxXoiaG3 zC@%?9j+K2~;PAETIudr<(L{s z+TbuoVYApLw3(}U@xb~W>K@=txOne)<8hrSO z5wW3gS6*dho%2388dOS9gRG$y#0DE}=z(?CEb&w$uC>P6vC$@*#`+s<9ILOjwr8F5 zq!@T}a{x_lCk_w&(9pBz&9ZTrpkuD70MrE7S#$#qThQ#s0X*-)erbfx;&VVy(5;iE-n{bGgh0z(riH6|Aqkb=O_bceL>U?JBFRqO=WM zj`!L1;oJl?CfCEbZpz9DnZR2|bjOSxE4|H9qsyU6Cid$`j2US?ZMOMKJlg_TS#7xC zCh?;6H;i@GSue(n8W-!Y|DxDpi!EZLX0yPgNh`%B8*dUDZM;!zyy1qDk(U*)?Y1a3 z-E;}Y!H-e9SPOuk_!6jQ+v*`epl6M zVBPhkQ|X5`VfTO=DCnF`fCC+hcL8$e@H)~lIvj`x2ik+de3MN!v;N)D2jFpzbHtX% zj2Y|I%6g)^{`wolTC%J0D~|Ud1=Q6DlO5V@*s$T2m3BsM9yu8?Vx;R-oi8hgi7Tz- zHd|Y518_Zh&9&DypBHVgeypvw1{h4~(3@<$sqe7%3#>KMVBo9TgzW6uvnBVUSZUHk z(OgG#){_kD#Hw0h;b3_D#RHDYu&w1*6cO~ap8D>KWMjN=e5T~Yv9GOqlD2{9tf_v5 z)8dwKJ954{XJSlyEz*EyJxUfkL`_6HnDNUAk(N0L9^kOCg3nJnU_#>2_Uyp8V+sMi z!JGf#Tthaop6qf1>2}RES65qh$|fXNgNH#nf(K>SS$i$lg^4RVAZ?S4Hj0fl+(4`9 z>d@i7%zGv$O__vrCpFaxi`QnDtgj^ ze0;fYR3jO6>zth&`1^gwt`(5_$&h^`nACEvJYN!1oLWMPa&>_5>WpBy{A@lEmRGfsRXix4-jUarCjr#qGD<>T7>1j9=0G834X~_Bp<7e$V&p?u*v@?6ut?vt5@|e`_F&=Gk*EApT!lI{=r*Qxum8; zaR;c%&Y2q{Me}X%*fn8MwoWW#k zyj2~@&W9dsr!ro2iXjfstbA^alk7kH?eA5W-^3?QI6hWcRkqNuv&7Ehz>Z9Z;ZcpZ zz4P7iy4Sxxw%qEKB`4t@cis_S{nA;nfhG}0O1>Mey~cNY+5yV0w%U5@`0N+IY}}V^ zvVnP5!)ICnKUNIu$Pu3Ry&s6)?QzVJN4Rt17%MPPtS%=;+rDP|9by&Pa}&5L@w1;g 
zJ#M@8R!=0Dbz+MaJw#VcMJ8_KaZ;r{#Yi|?QR-MIS7D`MoRQI_?yXMM@IO9OTT zKDgKW;;}~`kJs$5LwxGfXU1P-ODCOpf+lT!nuu`+H7k~dw&U$yvqS9i<~PSHw%k$^ zx4a{|!e9RU=lJ>0e;zm9^rz_V?1>KFtRcOqT^@b%$++w9w;S)EgAdkZZf3my{d>kP zvgsyVeCcKJqaXe-{{8Q}JyGL+P)PWJd(FOS&&5jRS{MU4mm_FsCXj4#{@}tN#xEqp zX`ejBk2c`IxV;_I@V|qoacC)_7YQg}$-xo$uZ~o_XeJ4FKJ)Gc{fy{co}9X0gkgc8(o)+%ZOK!rp{C z|M8Ew`s%CWCqMnER*}6iVt8J2#O4_EPdoM0*mj$(;|%$OOE14Hjyd}1c>U{M7sKRp zD%^SJo$>AOd^fJW_PQ9m!q}1ucd5!^=tuhV)?=}E^4v##%7mwNQoyA(KB%m|=-;EK zQ0UG4a=oA3C1~cPpMixq(@m9O5Ym9NXfdl>wjpy>>2GOB<3cC7QOE-xI>e{azIA5- zJoMt#ng;9S0xgT>AF9io$mErP*kF3l)4#cuIpHPP{*8Hmypot=a94uYY4qnevP}^U;zvKYAXc2P zq6*TGLp1B387s-z9slu9#7ke6o$(L9yC^2hDFQsh_O^HKs#VDP@t0d}cEeB?mj2H? z{Y>oop7(g*qyBfufv(N0TeB&Vj+rxO#0j4`MLOEav@ZU`@8ZeFpHTf5$0nO^5wFxB z{n3w|=-K8a7yrSt^*e6=d;Iu^KZqxv`cLfnzP+@nm>4(y>AJY{t~+H6!!&E07PsDZ zn+9HFSP*Y{+dDj?{L`Oqh=1I1yJwcD_sPc}u|cjUc`A$^IVv8PZml>vN>L!~k&|G~ z+jGff0X%9mmS$*`V^YJwwAViS#Q_H&;DTs2Y$?0%mQ zr2Ty3TjzOZPyc?;Zo9?KZ`di;(n{;(lTX&*|AZ%~fM?$_1oUJFq(QIV!d{{FUG(cX zKk{IlyZv#fP*Sq1$GJk^0w$UBV!!?OkA3&u7tFZnmRsV^JMIwwEyrZ>JZ&ilr> zar4c$I3J1X(bpk$oTd74*DR|GCOPxf4}SiOU&XZP(|o5VtE|7>dRyFh^Uc1-$4xO$ zKQqM+n$_Qo=`(yY5;p2f4H&*?PoFkD-n8=@{g}myE3Oz*MejF1{EeMCcg$|I!3MGI zw%f*Ln{FB#Zt$Ww{=}1FLFWSZHvpf->%4$bniPHIOJ9l?Z?Q#Oe90xgGnP8;wA1Tl zKbyrFr=J!F9Q5J1`=58mI8FYU%-Q`+zGxbphn|R5>OoUL`8u?`dU3hK0_tgd8lzU&*E`f6LwC40v36VHZoK zHFcr@{MGg@fk7ykoQ`FJs%(i11Jw$rNenqO*;zPbVXjEI45o7MsP*-9(Z!Tguc1|N z-4q~4dh>i~z@4K{KQlT0bi;L8fxIt{kP|p?-w(#>o&i$G*n6Ki_nfcVS@2I3vo#yt>Q%3fgAX~>1K$yc9&ASoV;YC+E8Fj|W1M=%r{j>r zkBloWyVML40z`pym9I8R`o&W7`*+6h)-g*_lpT`AG zIqlQ&oo}BP=brr)85r-X>v4x0F>-WF(ae(V(QD=4KXdx2F=gsB8xO#paEBamR2(2j zx9e`Z$IUn195ZH4i~H}pH@@vW*+>myXKns-ud75%9iUEBS#GP*4nqeey-(y>OW6u1$?*bjaOpB#Cs{SC+?F< z+ZfzBa4<8qiWoU+hT1Ayul^zngFV~271&1HSgr#duBr82o0=o)H&*|NC}&%=&Qh~cthuL7VTGTeON0SzZ;mB<;%KyXy0 zL;G6R%$d_;^r(^I$|`{@?$UEi{JQg6VIS8D7yDY#yLWrH2R{1U@gF-bZn*wWriDtl zsqJf$?fc(5KVG}T_D)ac_y>H*nV+k2H&R`%fcm%rVrv@ggXO)@I& 
zJ5=&OCP_$7a-?3}s6I?)U-FU{$FawJ)PvE5TG@V0{RTU24GanlT%Y^QnHt325Kn7D z^QA9;*?kRg+e%-+0h*vs)5M(>?!EWl=M^+^o_+S$;+vxT@|V9Xj``@(vHyV|)+DM= zD|mH4wkUD_EQJ`bxUa#FLXjppr6k|%rjN%6W&1t^Rj8_oMxZ_n7X0gq2R^q4>HJa; z4S2E<^uQK3+l$oEAROo~R(ttH87?DwD$K+~#8Q7{Wry$QrWka?HEgf=kWEPVN8gO; z0?JdmuWK`47d`n`ar$Bcb|n7*0jjq%6R% z`Ga2K*|i#g5CxwG;dh3b;6<1m*{(RGo@wG2~(RaU% z88^;O&Yen?A2W7bobkz1;vv|Eko%M>H|#hxEuQY z8mItP20yy+`(BCirWD%)cB6K^`Q{tr#1l_6-oYO}#Mf*5dO(95mOK{D7N^7jy(1lW54U2?+)J0*{3r3I0UN$99rI`$+dZ3kH(Sd97mSVqei@3 zD^Mn@M;?8&R?5X5jyft1Kk}$J@}nP(O*Y-kegjiu^0eBjtHyiYvxmzbwEuo_*~OQ{ zcnvg6I>yo;RL{pXS=i%!?=wz65YK*g(r9e@Bz=J`=z5Ku7YvM{f4D!4vV#UFW)G%_ zS5I=h-gZ|0ejoaf2fiQujW-*upmw1Rp~Y792lvTU>zj7oSrdqjJm^+G zR-s${?3m+^kAK~JuXR3V%``pZ4wLTNykzwma?#)t_91GE&r zm04RXD5?fHu z2Ofcb##BLxY$-ha&_nUpKmXZD+rM^4XXLC#N>b-w@Zj1Sz#XFhzUQCnsH2vksd_b_ z)$0=^jAsuh8^Ht@UU;D!$un6&Ej~t_{$Ka}%W*npZtdkPcOA{rH`3ts(Eazv)mL4i zL35lPFvRz8R)Q~!*je*gZA=Pa~*k=+&%xi z$JOWktbkpj5tF__v{*Sa6L*9275{t(UmFLpFwC69s18bCyT`92Pqfr#+}!cRV~@MtaJ0i@S2zRo-fXUVLNa~YD+jk7S!UD*q0XK& z*IVv9PQtbJi+=mtSar44ZC6Pv>2de&1P#Eq-gax;bI(0q*}v?iFZDZ8sSJ(<-2zu$ zeRVvo6(7!@7Of&ONId@dlg61eNj4!{AXn93XqI`UUeeLZ@v=%#UXtY}<=$9ePq;GO(ih4~6T;9| znc7F3z!x5-#a2FdkLJ5#-5&ODcru_ALev_XFfg4X1t~QUmox;%(SQA%vz_+pS8o%m zuDV*Qk=e3f_RQ7~@S9)#!pkg!o~wBd%Hg>p>+N5$6E8gj;5msx+k z4P%^Uod3G#?s)Kl`{nF-$X?2o0ohrL4Ke_fb)#X-0yT|~fBfSgyeeopw`LIfaLJBw zOnGKXJpSloe#I3lg_R~wkb~H?P|v|HouumSsh$`A21vtNg1IxHgVb3XP69?JqZAIa zxV9mSrVi|)Sn4u(wjl}Nll_m=I;Q5cG;qz8SH*7ccx!xk-+khs5AEF!`|ceF@BbmM z{8?!uKfE{Hd~=t(;CtWpYGrWSV4J-&p41BEzYdaPQw_-2(zRDz8TUVMUq8E|ZQbdF zXT3HQf+OnDN{wwg+Ul{#9`!B=j%(t?NwMK38+oz>(2iCv%4<~7QR$g#yR(~bMQ9)j zkYTv!y!7QS^Z74-uE~HJfvu|wv_qD{`E>fRmxmvD#3}1)1u;*uLf?3@4Q%n=`|kI3 zrUY_iGvbB)&~F}l;)zxcgC0-4ASb4mH(MmW?}D`BP3&}15tm*a?dx#B zhxYO6>41IrjSnAqU|e?jxOE^mTL zP^#D=&kF%cFF`>G=xX5t`Lpq3oOJmWm;2#(w()6WKQ1EvOt^9O6k-*9-nY&(KEA_^ zOs5f49^BMYS4iX_K7oPiaZR4?)kK|Fwvo>S107WV;vl}9+c-<#p4t$4}l zyE}b{F!e|qVj%Pcyx@7F={}dfGeOAkax`V2d?x5e^+61Hvio2@@}t%FB_%M@e0{pS 
zK;c14NPrO|N5vg?-0oQ}vv{sE%++j~JO+&&Ui&)V5OeoG{t>rphJ#~qW~=#|fHIoA zbe6T!H{-RGw+mgLOd$u|GZ?X=s6bZ%kGz*`nNDMmJwFiN`{9q{oNs+Q&i$qWM}@B` ze%|@tkI$X;6)T@v60hVzp`$c=10Hv;F-x!yTcC-*@ih& zZ9cJJMD z&p7?lXT~|_ecQHm;ZJ`aKmFxzW93y=F)k~yEXHqtdCWs!Qn{5IX4!EwzXCI79NB8+ zF4W0SKNX!lx$Rh?Mtzj9IJbZN<1VL-(B#4suL9I_{(^bF9Kmb528bnKLdosq`n;K#!_*Z+MR1T5= zh9uy!4R+6}g`{TiyOLQ*DDL_*SfC58`B@*C=79lysNb_n#6~>eX@XuSHQ@I$;K>iM zjhTa<20K<`3gqKMMbxy4cob9`gAynDQS;kpfa;_~#BLe5B#|-XyJ3RmR``^W-7ymIX)oSe0 zKj!hW5{O@Z$;ENS#TUnn=`%f`@=z=A$iol$mUz-2j%>NS&fpmfb-|bvw^V9uZtS4$ zw1nl=kGCom=M62~@wn@I_J}L4yFQNj*vI4TnkjQPD0hMKJSD5<$I2|1ZDl{8uYr%? zf2DU$(TEJu)mFM|o^L5`0Zxx?5R8mC8bp77Z@2V}y}EiX<{?i(8ppt?qt3`?d%}z< zkeppdZj|8_Yr}{4cwiV>0_k>=!Xr?EXW;-kIkcA_2I8g$sva^wW#xA;ppD?^7qbgy zNY^+E(vc4R5JNlY$u{aZ6Axy|eX-X*`^2w*_Xod5Yo|Bt9BZt;MogVD)ou2>-~Pt` zs|aB8DI2mhzU^kUe<& zO`)?3UDH!kLh=kRFR^D*XQzwY@Im|3O?J&ch_ek^c_5azL^Uv^yIeXj)ocTnk5)>W z==vWr+1OVw0JkP}r6nn)pg z@_<$bBin=ZEf9{M^`uYtp|6hI&eXukb-Oy~S)bU4@)?|Yck;#4xhQJi%874nhHr5kRTX#o>+ zm*h9WzL5Iy!4~l2k_9?GCUYsw>@(0-!l!+Z-Eqn7$$=Iu4D?JGDOMPPBb&DqevZNg`zwxz_wD14r7N z8%qFY@O1n^p%m_)UlKVWv?6v4Bv65phQd871h+CT6|{7!KeKj#zv=SZCY0})v{u;Y zC1o`=1D%ZPgM03|m+!)R_@M{m%U}Fl9C_FwarnUp#ew_o9s7Oo{c*%cKJ33@s*vR& zNIeQQ6X&ZR_*N$MSb=PPusa4lz%NKp=SDWjH2bLKRysE|u-yr8EvMQi{;dfj%bdwP zvdyaP3QB+Emt2MyyFS?+vn0z7NN3nNH(B(mzt}bf9BS}``s&Nz!PIS9@Vo-<%QxNt z3=CCFuk(S)7n3n?I93}R9NIa=s%!=;A@fNimS-KlQRE^1M^eBWP2dg= zbzzX>askgib7O}8I!yy$z3J!4|NO_-y6xj!DuFmF8bazL2fqBXZ?=#VS6WluxptSY z4;$J&)GIqymkfCPuO_y^B$8Dfym;dbZ?9p%qfN3ONbl$fIV79)WFF$}iFwNF>4TCj zzN012{(>aV65BRImID4j#EVX3E2`H5Pljko2DU=80QhMOg@@{ng?WqDtpvr2(MH)ILsjqK=Z6x~zmA5V%+?Nxw!b<`Q$MMgfH#aW3D(=lY;^^QF6u1L zH~vWel+NO+#b{7TN}VaEvpI8T#({?%;+4ebKJ#h6`t7e;IXw30Bi6^Nnoz7babk=a zGYSgUi8}~9;U^up04DZ2$dvSv!A4LN<5b1jN(K`ZGXZ2)k6cJtq3SdV3sU@qiU{43 z#v!AW%1~n!KXz5IgL9Q{c1Uc83;=A^L8yN;J`d7`(2WyGv}LWD3ZcK4+$X4 z&O3#qHx6^s63|lP#oz2cdh_qkj%#n6Ng!k{gx3_UWcjl+#XFvII-1Uz; z{45-0S6g$fn6TnRKR?zF@DM7SfAU#C?O+E~?54RAOQ2(`{ZxeiD7)|ed!5S7LFk2| 
z$Z0x6e4n<=QrsHm1|twB?~{^PQ<{6 zt@nBYlB-8gEI3j(6s1~ukwL}Kg}=^qK*SWY9Ya>X#}qqjVd==h%2m*pM<;xpPx!oy z!8;NFMO+_bsx&g)G5v^x%UKVS-9FTL!dD%zF|Mm(L$)2RR?CR=}EYlr->)YO@PSPbKrSni8792BRj2Mw; zV*)M~|Lfj=IgN+w*L%?hnqAFHBZ8UGvQuV*cq>F5kg7quDL30i41hEWL1ynQOx|Ae z&;t+nQ44OXA31tt^r*9SX@-Y`9y4}K>zbdz#1-J*gvt-2=bS--qwu*E*kFT5!?6=U zNMu%u@7QBYqyaWkKYXJTh;anPgbR?i6hMxqm=uFA*OG3&F`wT$=&-}=AkhCnpq;uk z33+e1y}u2MeRu9Z|8Zwbn=&;?B>hX zyL?yWgq0@6M1_7JQtS}$Fnoo2vxNUriUjj>mZ4fU*KnE5-gVbMoW9rI`*(MRv>7_fD^+aCEy z1fbS(^Y|~9px*!n61fR8XRzj(OTgF5b!4caH!fz>EWA>x1mbMz^N1Dgwf(l+`dMPG z|EHbh?hiJFygZh`BQ*Q$y_ao?i8qsIuV|Ey4gmCmY+Tksc7PWKcy*_Nj(T8!eyx~n zodE#XcOjvnur)DlObJE%taZ#(WubUW5g>p<~{Hc}}B7RbOpTBGx04RG22t7y+n9W+UD4 zuYdhB{&Gt`mT}mTN7`XBpy6D-T_6X@y99AeJG}07+36$$+X~!y^}FBv+I#sQKKM{O zI{qdInfWg}UPOz-V{6IFbTPA6BJk~Rznul7&`L{Z3&`BU>l~!aaw*JOu#h?UIFI2XVuyFJK#WH zBjdGQZWG!=I^`PLL5Cjd+sYHDk%Ekm>l?Hg+w63PU3Y!AbT(7Yhj!u3FY|me&DPs( z7cVYv_ z-F0!(O*fGe$A9buuRa;@`PUTmhVFURbfE^4BMv`2CattmT=bjY#*WufAL_pST>m}y98n$oTM{WbKFJFcD9ew1$jWP^vBz(=FFaJ z`hErvy@{UfMKb5gDDUXZ+NPJqhrx%5TwdcN9}J~>;(<;w4gWlZ_xCdRC=CjX8?-gJ zIeL(euIWdqd&FeI$s~Xe3kUS!i2)OqQZj3tu|g`7Y;#OR^wG!*wtbue&-eiz&Qu5L z<1Jd1fnS&WZ2M&t9N|_$aW_086@q5!3kK-;Nql5e;Q6RaF1gsNy_ahB$L-(zQKe@e zk^tSKLo`*|6sg=<=@iTo7#M0MievWR0T81>K@_OaqD3RnKsB+6l)#Jx2lks^|H=mb z&RyRXC!Bn;U+u*6ip+?4&S}f7wu+;VJw8r6`IC0qo^c3pycd4|dtTYTXu}QT)1Ui% zY`x8Pz5vcm8$(A7_X}+gJ>uwi$xC1Ax_B$3RZ*LZbih1Dt3A~%<7#M44DR{&Km9=d zaUVO;k6p0Zq_c4c?Ma{bWbC&4?*60L3g{t8tL{yuD2;TlWHA(0#Y$$NdGd*TW@}pw z1Z%9lW{gl8FH~mLIY+b9jW^vi&i(dxwK)K)4!Oe06acw-B^i&n zaN`q!XC-T#I^ytg0L*52U*@lV_EVQV_Jot-!-sq%CQVu;c|iNf1=-8DWVTYTxuUS{3%u=^;jfVX(bi{rG@PK)ig-`;mvo`1mw-Y)Zv9HLX{ zwSWZm(Hz+t`Hi-10`0B>(gQA(T@K!zOCnoZazGeiDae0vPMENw-_gs6?d-4k9i5|OXT0`T;t?%hV<8I3vE+?c`ZK>pk)d4oAP9f zDj<7_LWd~&gFa>0Ju^r^-))OPOvu0&Ufv!?N%*%a{oEl}9C<`121_HyCnxdfBM-+_ zS6;5cWjAj}-E+@B)hXrdlyAWqq+E$oNCNqStQ?UCFeP&d;|5aqYF&_!`aeCw@HM`u2DF#lScb&laRG9?PKIUv9a@ zhF57|^vpg#`>8YHBS#$>n{WP-_>`Q^BM(0;L#4CjvphKZ2Oqf4#><-v{00NfOgcMz 
z-2u4pjO=y}u0w}beB)?rMF@+ur6u?yRqT&40l(L8}5@u6@tlcgHSod#m4) zLs)nH4dV9O{;GN>-83Aa&~Ml=b+65`?RMM81{YlDfvvVf6By8b{?i}FFMjf4J8Ndc z7hn8)Z|NLz_)+n}efNtuzWL2DR|5?6d8n8d8GQG=Z^rbg)8dF@j%~F!45%)2F8TfM zV$)4Gi+8+xw>a#mqcsS=%k9GT0iM--=)ni$)2DtizWaDl+jV$PnFlpsg{Fu(UXP>Q(y+HLC6`wxs)cC?z&W_i=VP{Qv zUhca^>9DK>spqFpKh+O%FQ@1{S91LUHie9WsEQ8Pph%>i{);U7qTsbVzAiS~ zeDk!43KVp;Iy`Ck{srg9Z-4z8$vix|Gyweex4&`!Kj@G{V*djVj5ojat-hv(E_e|H zE2^)3^=$tO!}=R+AY3_N1!Tn!&?9pYPUmdF1n7qwQ7*gUD!;pw{}cS~H@=|>`!xT{ z#r}sJ8jln`dL@MdsH}zMANGg(k8*je<+zU?6VcC>)CcTZn?CEi4@D1u0&wFBeGK1&zoF0i0dwhR&MZx`;EF8zr1dE9MJ6w1 zfYLW<2kSNQsW*!W1|*XCJ2I}>dC*XL+7$zbF-_mPQhIi8xDyxxncC2voGT9m+LslL z2jE=sGuZaBh_O%1bojZL#jP?6NJ~Z;5K85;d=D6sh z-`YX2`dfRQb?vlxqs0Du?-eH;d$hNsY8|ON9rM8lABdw5J1ma;$RU1v&6;woyx)nk0iQ~`Cg{*+0!8(*_RIxX*1#lhbrN6!sC{L8_A zo_sQ%eEczA8~X7Neqb6iv_ih`-}iXiDZ!K!it%TUa-Tu}zD>Qn@R+yg^R^UL!Thby zz`#HNj$2K7z+SjM`lAakj05)BD{i^*2EY9u*`RaJKkxG0lV^SIv#m!GXcE^EQ5LDb z(gn`&3z{ID{)v-(!vrfa%C9(aLVW9-b7HUE-esoWKYrJ>2UE``NE_1#3J0tAiA6jAV z{ekzz&$L1qRc?*Pxxu%!OQO2mc;k)!H*vNtu_N^Jz`ggz(@#I;8yxI-DPtST@;+B! 
z#dyaZcf|YN`|kLHgu5#@1 z9Qn~>uJS@j9fN3>7_E-B2PlhD~{jk2n6<}as!ozkZmnG)T z&i`~|07S`k;={_iUN7@R10x~}`(2d%l2yIiiZ)X@w~5-wH;t$)ePu`|gD?7m7J*L8 zK%z4KV4ito$V=M9Ibyuf(Lp@C*npOP&=YlG)l6M;#R-*cQwGlzxB(1`)Ct*iiWOpZ z^bzDCl@G_nV5lyskiyO^fa+8RPTx2LZ{eT|vOB*2z3(pm`d7akD~`|C6g?lH5|f{L zDyC^hGf4vlZ#?%tasyBse=7Uf_sMui$EvHW?p2bP z?fOoYVREPA3S(FBMP<)s^yQic+hpwL^HN&gOPLjw3s&Xbe3Fq)de6Q0c-D`T&j;0I z^%fOb@+J!2q{2(1z0ILKj2zdRNQ*Z`v+NNb@JCU zor~nyX892d_N4j0HCC~9I;wB_UatE|CpzI8&C^=(&6qYrdDNpjMhqJv=dhyR2l?>B z55)B8Gh?;YR`KeL@@zKY$awgE_MBO)f|n%c4B-&}Wu#o{^(uiw`Ho zHW`BrTQYOz&hc}M%tYC4&DkkNmz~RvquRD^e(@Reth`a-zWeSKinxGEs6ep-$TUF% z()jTc9IsSqV`lcOczKM#9ZPmPQcjW8Gy~={lb`ZSx6$!RlU7yTvQFh|8vM`VlxLpt z^$~Urum#?gxWf3nbMS%t@AH6!Gp#F=Cg60~s^ZQ4^<@dr;5o$=MT6CoovEE`mu&}r zT;t=JIvg&~sjZ;;4Ie(#f2%c5{eioRc~7XpJ)O?I*iM+01lLEnQHFP#vPDRZSV=zm z=wp687XJgtz~T-s-B2E2LO4@4!Rz7t&ldV1A2;6c-qc}QC3?3-xcD0T2-zym_ul&- zaG&DtW+r;9HlWH{0DPPf&#pbH$r0DvUbOyttsRC0+z{9Dr6c`xXk_8pQgu-8lFwHk zVXGQjMg~?n+!%*^*gJLh3|;5cufEfg{$T#n`+TnXsx8p3|4dl;^aZwwc_I6MCQr6c zVw;_pRWtbUvTgo2_aWKx`~{1A6H|}cjYWd%r&%+6c^~P+k3Q;ayZ}2_YslX)K%vV= z9(hc%_r=;8r0EN`Yv~RkO5f!HeQcH&dtf^>E%!h0x-xuUeMXJR5<6f#)4O2)+;~Eh z&Zp%^Cu)_5?B1%i50g$yd*Qzx){1i0>{+q8>~$p9yiv9w7Z28w&vWGfAYTp_Ieaj= z(V5C23uvAC;XfS>O3ynuN!O{bV`&mY4K>1eds}%7OmKv~d!5qo*ZcuCK8ArAontTX z@*u2s$3N3%hH^*{A4Di=(9Rz~94OvO$Rp?}MHcEu4s7aWev(#om^}GEanzB=m%;Ds zulNFewqiEoU{KUDC^J@-JNmn_k8?=p2eTm>mU<@4^6Mjm^7NJE+U*{CQtVP*6 zrYd|+)hhj^wK3=(>V+pxK7#9OsGJiV&koMpYP>45Ez3@6FZc_`?V?Vo6Q4u7-Fb@~ z4wkk!5w(l#gf^sJtU7!Ei$HY0XE1Nn2RkciUMVer9;jS76_~Dc;eO~d7nB?vg)h7C z9h#_CA1HxU!EwwNvRTA+=nq_Pp-vbBcA)-ehLTTx5nXUiD{p*Iz6f!By@NXG(<{4Y zmByPsIH#TI4?aQ`$+6ZNM@@fX6NY!;t->x+2P)saMP=SFn{}(g2wYib2 z)}_^g$f2Vt@O63B9eyxlMI#J+q#KnqaL~OAlw$#-=m#^QCz+G<0}uKE+k}Wfo^6Q& zibIC>w7rw25z#$CaqEOU%B!rmnWbYU)=W73PEhFqN=_?n37$nDqXlIW-AJSDouF@O z1K^nQnO{if!cI0^O@Y81-z68fW#Ist4|+{$VrE)BpU3>4I66u98t=nh690s@CugBeENr_LM>lt7+=g;iTdaaK*CaqRFWHn|D3|Han~sZqr!3u zq@x~YXQY9PUZhhUaUiZ6hDV+{Rm!IhYy_fYkO!XVsQ}4L5Ih4a17Auf9hk0S&`})v 
zbO!e&g(Y=Bq7JP9VvUQJjuju7Z~}Jz4#+PjsJK_S9^?}jAXZ61i;(3+$7LJ%5{?fJ z)iNTuj(HuGcPrM;*PHy&o$3cb0kIu#(i{XpqZl~m4-t;e&3r;`v#|17n0yu3?g8I8 zR%YtNbt>iZS7*pT0KedQ7eRFavh8pxst4_^Vs>O87fK09&mZfTL5CxFZA?2kj{5P9 z3OHzj9ZrJtGfJ0j&H9s`wL(?{a)N-yz-6HEn_nC>&`4kgI7(p`^jof%_GxgUzUHM& zd;mO<4L|9Lgd%m@mptnMJr*0X2ZD#}z!L@Zr;zV;EN>KXf8ar9I*0hl0ZXiqVBh5ZcHsFb^0(OWj^h1ucVeX)mfln(V%D{zM0MNmlGtg26 z#77ic_>^#|(&ufc&0s;x0TlT``&E#|gU1G#@{&nk!XHXJWu@*(#}}mpNrdyPv{P&t zKFVEDHwHOuh{u+wKfok}G?P@YZ*1vx>3|G532>lEHce3in5gy<>Px^&l1vKJ; zPjqP=&^)u_ThQ9r1Hf%eZoz=Pf}f`nJ(7`&uMOQHdC+kziycoEC7FPQ_*m+hfiw{5 zcv(NcTsJE!=OWzVXc%~KJT4~(Xq%%=(W&H3+svTf<${X0EPT_JJiP7=-Z)LK=4Ipb zFY>*zwjNX=WU$uTpjs$BZPxhGQFWL=bu2CeO$9UpKK7q@XsA%-K=4wioR%!k@{>As z+elArQTiqb(jk|ub(TPR$mO%Clmr@x0%~PmE`(ePZU?1PCsTtDQilcBx~ zMRdipjGnmZNZ(CAf#lMS@BlwA25k-W;QFQ=9qDUKK)}|5Qfaas+k$8p`H+G(LQc{% zWF5da4fQip{1NSHM=2$EnU35HybOHQC+$~^%tW%Q7%$0SvTIw_fL!~o>7f()toTsG z$>_^IOFVQ)vC~fS%*0*Jl_DUYWhV=IKuO0h($>ZQQAcRO$Mq7>UbHhdOD+91P4WrZ zR_NFhIVIu4&^%_Tpy@Dcqm{N(O#azEudw)OK1kuK}(@&E;3J zTNuUD;L3{X1wv&4yZ)b&E0%EbqYU%r**M(EmEnOH#aN!wptS)B)SV8OND7Lo4t~DF z8dbIo&(Er{0%YdREKLR7ooPUpLl`nG>xM=LHNYe#eO}Nkx->FM_r+<|!<`fPB@f$V zLp!_tERWxRr}|-3tpQ8IdoTx=a~p5c^ZPZEy7k0a4lL}NU@?Tqd ztzc0)2SOHkb^vieKqhe(opcudiXQ=|>Wk_!{B#PWshngXnN27p?vUePrR$f{Qhy1? 
zDwsN?lgej6`xahck~h$0J8xf|=)7I}FAF_#Bw-7Tl|@0W~w z5X@DIw}fbSbYDIRl8|ze3J1^3K9Q(zI#aBei3;@1!!|&9E77#UZPBb1CBL!})F?-8 zc(7e*r1QY1-ihP$b5yh^?MGC|NCc;b|O|}@Qk)NYlp&2W-Cg-M7Vpi<8qSNr3y?b zd!8FZ3gDWpX$s%JWXVr-B8&U3k_%XL9qFgoAA@PGc)62Z8W6tiT~yOYi>8k7w;rJd zn;P<`0Z<2tKpfy$;}r&;4*+LZ+O&&>P{rNI&r23#ko^dKd?CC zoXSdBSug?J0V?NE;-)2h&kp4%F^WE|{@70Nwv!swvoIQ0_%y0Z`v(R!0EO=V2qX{8 z+>MXemZ=zVM_2G?xV*W90g#T4Q8U_^ zqx%$&GA`%1viYfXqCQE?=S=3ZEupS-8$kg@(KGe5hM@yg!Ud?m9pV4S-dOkwS3@u0@J_p-{9)p~cUimX&6b|&%Dnn4YC>20ivEW44aV{K1-&$j- zq{`mzbP9bUtW;DTt^}E1f_V2fS!D(2Ntx@0Q}I@$^1S7X;;0T2UxN?)maW1k-D_e@@nID>ATtG?4Q9=RBI9i1g$9QBrT09~@`j~PcB~Qh;7R=*25QrB$ z#Ds`~$c2{jZ`(%H$4JYRj7}{fX3mI}@q@lo#qxBeTt7DfD?@#AMivJJ3(}YfQMmLY zd1z)($6ttU2rtu=j>uNU>%}BrwaIUAQ6E9uWd-1nU^04e)elZ1jvl(WPlyPjen2(e zRw#HlM%#d}h5F;|2j35I>riDMh|UWmk1Mnwj$(sZ ziNZ;em5B~ldd!X~7Wlk`chShNBcf0VKL!*!6(ti-s1>PB%7YZc&&zTN@nTvAdX^g< zrW!T`RMROKfxr~)qtR}%erTq*%4|$LyrQfNQdH?G2c0@ZsUHN@>bXx?Y@3YpbfP#d zivII|#2u9F?IW%m;5@R^8$H6SJ8;lOwv4I6Aghuj?rzR_0ouvzxt#wP052FL(-2S5 zV;F2X@Z1hofq?neALUCZcWv5vyOc0sK$M4J@taDhSyncRyRNE9h1}0zCe2bn-Yo#9 z7B%zHg!JR(h3fb}j?g9FQT;`GBA8Mw4{+;Ek|Sf!yA(cG8JDHSj7!=W>l-HE;N}@i zK4pV`!$wT{R6=p{<2FY;ZVZ#7X%c_5SrvkZXfk6aR$?J*I6ywJ8lkLY4^t{kdBF8a zD~+t>WFRkt$E6bJ1JdEyeMA4LuA8kmlxPE!S-!!?&1Ugt8*Xq>zRHFj250=Z@BAP6 zwZ1e`La^v0vY=BNSk6(5_C{Y=HdYSu;n}Uv=Q-F=hE{}?$mdRXtvD}sN@wmT^&xMN z@%R%DO`hm!!2uh&AlM`wYDbzAiAU7ncsZd)2|%^r_(Eem9iw4l3C6!S@&Ibn)j&}h zPu!$?Y$bH`L$VAvw%0oN5dhwl!E<9CAaq{zbi~0J{iySNEC526QK>wLNW!qd2cJvf z7UgbTPMFZrXLe%090bOi>xsM-UfjGtcWNRTZ8gdo)~oRrkSGJ z0=HIfWaH8pzYqa=(H`Fi8Y0UBoXmLsk4GD*6?x`_{9;V>6Uto$&f6dviog~&hM;Pm zvBMLF#{*NwN(JesFtCz22TlnvAtV?MUoT+`Ou;YW9j?KYw+zjtXNNj^;0Ab=0Lf7@ zrXVgsWl0Bn&6&_{%W>?W+RdQld24`v#i~T~R0*o(`9rR&*_m^L1CC4`NMP%ZU>(i; zxxcI%2sP5kk3id4m8rk6oMcBSLs{jx!6b6bJ6i#0Ac+LY6#bb|R#E(#zD5@7Ae~_(ik1DJ51#Tr+|v>8p_V zZe-dkImMlVFrAZKt%7IYv9AfL^$+?&QMl+Rxr58Rz>JTLfIQ04+SbYxi2P_V0ZJ_c z+u{H?>!7pJ*dOiy0=0-)n{i2D z1v6Q=xj3L}2W$4B#+10V9_*);$q2Ux)s!C1yB3p%>mphV7XC{)&iU-+pX^fC^Ps*-iP 
z1vE^o1KGij2Po_ii2GZCR)EZy8be<|hlvi9ArJ3y$7i`wg(F*E%pf(uU0;>-9}ZIB z12R&Zpeb7Qtt<^Mw-tKzx~@+((kwd&M|u@D^A4}Dh}eHu=Z){&n%;}rTt>})dEq}L#D zifE*Z9w{+8p~Q(aQB~cY%B4+Q7i6pjwZQG0oH7X)5-x9Ds+7lN4zv@@6qVKVGmIVh z@N7j!;NUJ$wG=F40G#EfJ%X~FYQ54qqdUsN3mkM|# zh;JViVtn%B5^5GLftqNDDfcIIkQ*yLR-rgz%Pe$~s`M!@vcM)`r+BZdw*{5Sc%Xgg zEfM#r9gt_y-Tc)s?1r)|2QHWhgTyYAOH|l7V~2 z2xznL>4?7h@&xD37e#f5rfasfz9U^IXcNygx)dD+O533bHG`J{)*1ulnwM=11w(L# z9N=%v05;@_jzulfqgN@=Iw#`|cz6#4pX6f!ozo$73>^pK3|@bDkvknV80eh1kROa% z3^hE_0m^lU7(_2p<@mCaadd8$Bc0)Hf(sp8A z=}HC|PTE=eM+H1iC`b?@@-QN`YI&JCg6rASHU7;*gyf%D*-_R5I*TD9`HxrEQ(&^B&Z zi@Rm%D_2&L;Ezirp4joHbMKFUPkiGN?TOV|BSn%0h_6=O|JYU>-O1tqJ;MTu@mgpB*TK`Q!<*2E+ z#T;?^#eD;9^$p;Oz5x3`O#?J^pli)f)*mN2UHQcMQ5;NV$AEEck(mq9aeNsUZIle@ zH*hw2{Nm7qZ_CN$s7s3EXI#N6f{RJvxPZE2gTP(rHV@^mIk+tf)UvRdt+XuE5(?6> zfl2uv5=g2+5Iu~wA8n9?%Cl}=JL3Sk(L)YU#jJKJAJw9xiC4KW9VIddSS9h0J6n9{ z56Woe&wrua0&t)S8Hm--T7z+y2*fP|5OpD6QUao5)GEhmAA>LqANl%WKq<`*P?LkM zI+lq8gOCB_X|akTi%{;Y{=!oX1h{E)Y#A0h)L}N8!8FSucn;pG0npL^`48L*$lSFe zTR-9mBSaZk6wki%k*}TW7>}di0ND_gV}?HltN3+~>0DJj&WW30<$K^MTB9up!>=@G z26axNP6kp-Fjz@+%>0*7{|f*^!BUO42IRL^A0SQ(;SK&h3CPBSYkFl)8V0w>)inYu z9fm-WEdru!Cu9$Gf)ALa=x@Zuyz z6gJ66>M)Sv5p^i3gZU!@yr=-2tGL&OlOb+*qJmu{Cfr)v;qk=G**5(rSf3 zC@TeG0P~5RZVI($-7xUVi_WGpd@4;*f}NXibnDtB^|W*7>{lvT;FQJKQx9U%GZDrM zC_lD3g+QYKMBRcRN|OhdQ3ko0RR%c&j>f^KWW_1@elvMj?gm9RfrUdjHw;nyQJ?C5 zlM7m^a>xP6acU8Sgv<-_$H;jmI;u!FJ1xaIQX@DQKXio3W0?J?W2`*PZY{*k25PBa zZ-jx5Z79yeFsYDG(NDyi1^$$6x;_tx)M>h0H+bGJ$87a3}QJQ>y)BQm^uj|{Y<~H8i$rwOD3Y= zZ8A`SL**E+3bZ3LAV8-I#A=mScEKyx{+Qs!Ry_D{g6I^J15K3VICzGW6_zJ%;9^#! ze@~+I7Y}{Q@ao8&!QO&|l6YlI&_>^N%5n<=v`sN^fiWC?&<3yjfRzmlQqHnK_AJ-n zJ7nT(i;|c1R_An4xv7fJ>hKCPc;Qo3qepN(jO%3ZghOZiFy=)N4r!Z0C&|3Lm;lB+ z28k0Wsq#1z&O}u|T)z}gcsw2bud*Iz>Z916bOXq8h*kkPCdU0phw!R7Dhg)CKY0pN z5^wr(KOtB8BQ8_O`GcPRg9Y*Iz88RjKV!=E;~%M40ZQlytt}zww;t#*aA&;Dpk69? 
zXjF(fHMQbld{1@2koNTFw3GT##AP}bS$W~ytTDw|>7iRz*Ler0)@_Pcoz^koU7cR> zX-rrs#R@N0N;uMGIj<$&row86eAV$kJE&bd0p&GsZ&9wN17l}?s;@YH0x=T_;-?2B zxsGhd>(MW(J zfWvLgQz6xGxwM^fCiQ68fDxsc7NQ2)gX8M$ZUyvo)5AeYQo44(+fuI=C+syOZSlt8 zD0WPgI_Gxa)PQO+b7lxINH$6u3)qh zM$OTa2T(vYwE9gW?o~)+<&X4XqbX#4R8>xf zy#ehJ*6mJM1+g2aRruj};;|Rv$Vxn%Ck$(i29mw072y-yppE)$t-5XJsnmT4J-A#U zZyJJG^e&tx$Q`HVl=aO^^^jFazk-tb3Nni*>5-82XiKsrtwWW$FDh+#5Fy`14Vnn7 zlCK-6UeP*rW-r`cpjG(}%VXgFoz}e*AdiAwD zQKNny#GdJPx#K=Cqc#qB}B7#k*yX8}Kn z%4G5B#{@(lj*9-M9#QjDNEF$H@JY_dPntQze-n}>KirYXm9U?*kV14~`p}(EzS#0~ zyI=&)CXAdRV8si16d9u=PCMEVQqdnuEKP{xE*gCSa`OOgo6B*nFs}8KE)k6+43@12 zHxXh$Ph6N+2Oga-WiIaS_VIgIY4XE>42PuiG1wlT5wKSJHq6V3Jtq0q;s6(x%2{W0 z%a`Bvm&$cdJzEa2UNYNaz?@7D!_JIqC%vsD>x8l576n!wSRL+2O`=L30& zSV~Qo*amX4g*B+}gaohD>Jiy~cdEBEeGMu~xuY|-kry;Cr8OCRXsP4>(34(C`vxPB zn~F3}b|@zo>)h8d? z2ZrxN1UZ$xyE^3qfBWik@4K%r|KsPLRlf8K&n|cUlk3XW7oRByq6x-aXXS*0Oy?y> z^yG7Qm*s!;!crbO8ji^mvI6m=wN9;j!I`^){*cm1pEP#99AL^LpE{I1ru^?8DL-<_ zKG!{sx|Bh~3YGF~!^fn6@UYSk&&ej0^7JR1R?e8!0R;UvzzQ2P7GyB{6vt5xke`4} zkYPw;4)_j38E$Xasl(njBVWAuBoJ%nrph?~KbZk%5dClUyy}-#8~L0(pf?;==u2+O zWl<|@PR&ef#TR#Vnhu922WY34#QO2IHjM$zu#(EM+;(+_`D+Yo7(@~DWM=X(Le6kq zuO?N;&+I|sdPLw&0w)x1h?GO>z(;d}RaUq?dRgT*h{jV%p=4+Jz^*A*N8m$$Es-3$ z*@FDAB(-drHv$IBLX-d+OEgbK2Iw0SP9}JOPXzH%Y=HLU2Q+cYb$V-n$)kDy{?|OM zJoUUi<;lPD+47vX{%Lu}FMp=I}PPwDR|U?G zZC1zS>wf6M@|G80T&{o0zE~aNGZel`ZT-SaE-BBwcwd~5a|X@S*#@vlnHUCFeWcR? 
z+PGk}$if&YrmT28g14P>4RAsIl@Zs6RgKpYqM=?sTul;)TkbP;GD7W}tvI@p4$zci)$A$PN5pSEKXXUG0WG>@FB|BKF zJe^Z5qnHe;5!k4c9iD-4hNth66e5#;RDuj42Tl5Kk|amvYH&-cA6w~B0zIE-tp=V8 z3ag&n6iMO=J(E}snz3h91reGJp?E8(-EUAL_7GY^qBV?miRee)CP^q7cekc{Ah~eJ z%yAK?vp%(e4zJYA4y*$fmde>@?J6(7YJYkChi@;BJ#e^`U2PR&G)FFJApLois0(@3P_({J-xXE(Z_I*D0>?kpp}ApF6+&o1eU@ zeEZ=e<%Q2Yulxl$!n^EDp+8c-r}!0Gk-hatpHjZ|$Xt2$T;{P&7=)kble=xcWvUGSfIYDi)pHTH>Pyp8-_?rSH7!Ld3H=y&zv;a zsmO|3L!#&U-i%g!@N_P;VxKvHw?1vrSs8{y3}=H=5DhoY$eP!xG!#gJYQaXlS&<{7 zI4jTp=csz#q7^v+KOUJNO;u>9=XeXftw<5F(3V27KtmI$^S}+LUFGA%_=)`i$t^u_ ztuO=)w{9AH9U{S-RJH+9l0Z5$>?FZRDiSh~h6g|B3I{mI2e5YOSEV~O08Qi=5IeCoN>}fofIO0C^;18S;>~vr|6CN8zHZ zQ(lAeMwE?KHMpuWHy`hz45Q8}B+6{Wf@9@Z<0mDcdiB{`bXAY&K=F8pJyv}Bk^M$* ztd=q8qD3{*wXenD__|$Hrk=Q}+^a#H0nPy(3#rCgV7xaohTZu>{)|&pl1TZYqck3F zH<{bRhfFiB9u!gIfpBnK%cESmAO@e8QFE;kr^g5I6lfsi^1n9dW8SqSYCv2oP+&(~ zR=sDfH)`UI3PCGbY^C{JaTxUyzxKZUf%S(-zYDA`nlz* z3-^`__sy0wwHo}eoZ+1xdP(`}FFm*X*RR}L{v}%8s z=xGzDTV|%pE}fJ=`$=b%+un6u`NnVEP=4yVCzjjpdAMA3+1YO5&Ijg7Ib*im{h(H} z0&mG~6Xa}N8*oG?CSXvjk%FnWee|(m(vk0Zr=Qq%oAP$vf($&P%F2*4cb-+_T%ODf zN5S~g69l9`J0wNDRjki^KEUp0BxOXT8~!$ma!)ta!C~;P46ODz!LX5~wj5hHElwh0 zaT#J1Z0!%BwPjDw8XNr|_b;y7)_ zz4{&Vg#<_LRjm5wom9%nub6C_5D-CKfQd*+c%V0Ar!PXbVQI(war8>~dSm4iz2Xyq zUVP;_r93iMzW@EB<$H94 z=cWu9XbiJ2a;nF%D#Tod(Fh<+>;c7XisKXL>)=oh^rMF8iw_1f@9abeHtLj6F7yo1 z7lZFrwN`yzG2_@OH_`?Sul21mO?bbsTw`HJWj5Km+844-30U=tQm!c+R4$@E4p{t5 z8}*Sp<2X^*Q)FLTvzvM+v}+-$8tyx@4cV;cKPksUR7Rs-4pBppLxld<+&H1S@vp0_w~CTE(Z?H zmAAj*DW#mXt6X{Q1?6o&^Nh0l%x*c%QcZB_<@;naro8y`aW%hGe(Z;zSe|>$x#d6p z$#+<&m0c?2+8c1C=%M+E=Uh-um!tfg9?GsNguYdK^{4C#(z5KHB<62=J`QD@DzQ^XvtN#22US0m{SN(ul_!-}5 ze#@bA(@i)2@@GEt>9Tk4X*FvC$fJ40k?oa-&jfVvH=T)D<8=#JN@BCwRx$_inU+>< zAW8aH3FS95#P|mSX}4n=%t2vucN~Ibw~Q$t9jl!aL`=Hq$Qfw4(QI{c)>X;8s_}jy z#$7s4v?GVt05Jd3t^M-09R`&orXT}NB0pBDgvg@yT_^I4I>6aca64j1J)D0?jTWF&(12+4OKVV}Q{?Ngf<)(T04gXH zSAadO!_WulwlNB8g(3Wa^|IR-q%biCf#eMnGV?}sU|lez{bs8`8c9+7AB#YXt`9Zd 
zEbGm#snm}Q=CG=RSQk>mSd7L+iM?3vJL_5Hkv$hloH^xDFd=A?ef-bvD_@n-@(1563!=YQ4)a5=xvHG4 z@|!<;M|tj(&n&<6*PmK0+P_Du%*FC=#ryD)#qt+_;Oz40+aD}<9Mnoqj_{sG<~>n= z^R-u&(`Kj2hyLh0<->pao$}oy3+4B|c%b~97hGKa!AmbG zAN%sba`5m%`K)N~I(Q_uXV(hT-E!L8{pE2FevX93O8Q-);;Hi3;X~zzo^w6_XE98re8-TfQH3$LL4^U)$5*ENJlKMh%&k+Ba-;nO>BEkx`dH=e1lINt^(3 zFKd;Eu}TNHyu_W2l2d$bz?GW@{CI)(F~W7Yxa~a*FUnW%Y*g9yBTZl98fZ8^Ot4pG z#MLpsB}c$&FCJ&;8DdW0rt3+-G)_vD%tr<2oqR4M69Vx7c5E})r%1mEc9`VpXR+=t zs;SUD#$2?1N2vNkUsC0a7rph1vF&J8N7dP`jdG#i&P_xG-07me!-0d)wgl2-*g)`g z3se#9GA9exBMwg-+zB8pQU$6uWzn?%ELUwHFKb$EwsM>9Din?|I)3hOiIV^g)O1(r zDgOOF1!O!#t2R()st}zTAQOp)cdgJ9qYp-8pL)+7L_Y ziFrdPn{fZZd&@01zjbSlr!dS_xe7S*#t=AknIu6N0Z!2GnUwPV-bw~RUkq(nkDv`x zDO48Msk|WvZ z!NJ$^XfKH&RNV6DD@4_He2J(c$#-A}HWP3t7wj$N@u!z^p>UrZS)P62n6xr0Pf$KI zd*wu!h#+)NRQ_3VJk3ET!0A9sowHSDyQ^}XVAA8T&Z{(!Q+WPqkq0g9wVf3P89vCD zj+FBAYkm0O_yDd&ULao3($0RBt;g}TfWt3C7JfDjgrE!cQ;Dh+n+q6g5TnH}%CrHO z(L*;rTStIK2vgZ$FU<2kQ0idlwVJ3aN3-#VC`J$qlX;cVaR5k?GJ5;hGKQQu59GGv zQvnW~Kce+bCs=oMW*WugYd+|q+hxTYTYC)+{H0GGMn|PyVS{p_aaXAFaYiD7o;)T5 ze5+7Spl;f6KAC)l%-e=unS5NJ9KT4q0&TmJ@}c3CW0C4%xVz|g!~-1GM4KL@z;XSU zpWBW}>zxI1J;N)5K8XJGcnM5S`;tJJz9tPM0Sytyzmbd<++IJ__B@vrQb$NMuqJlk zB!@ci6X7PpYHUZ9ZIpf#-7uJhAFvjl69UI8Xx2IojW!xWmnfnyvCW5Sq}YaET8ubX zNqthGkNb+@5%RKT8$@|UoPb}iRSh_{h!qcl`Z+j#;08U2_};2he3SLJZa^w*CkEb$ znvR6z#2Jw%xfkbI>CP)2e@(=7JYSP@f7m9~M|z3tR`CxFRJJDU5ugZ2XK1~-Cc4wF zM&8@QY&k2BlL@vReLYTfoTRm?M-$cg!ImE7@U<*cgvb*z&@mo=h&q%jbRvLQBDD53 zC<7b<6!#`%5cxbv?Rx?v1ATHkI(bNbL%{L{p<>jR4&kLNj}0gWJm!%6%#dn^CgLV~ zsTw1w=&5X$nHV9|4xD7bI8Ta95GKqHY!~>jZb8^HY)GVgwq}FC@UrWkfKBv!9A#s< zCe@)SwTdAR0)CV)Lu{dBc;Xt)wC{FY(29shA>hl3hgBnno$FuF_%?ZrJx)^{8r6~Q zo^B|dr_1mqcHH!U8&9MVR&eNnM;R9KQ4cyOA-y8O@xeruafWPj@(&FlHv@&9;2$@! 
zfbixTt6zVH4prUH`Kc`&V%$gra$>!qFH*!Dq0a}CrAmo?#Q>4s1897zG`|gn48V-xLVb5MY}jXin0-d~ifx8EA}+&X7Hy zWQ?+ue4jx}EDSeJa7j+kIbK9$LzXo6>r8 z4aGwSD6#4M=brVeN^I298)cbCoU9O6zJ-KtU^HlpqFPMYo(^WDhO93+HRSL6Z$k5> z5&=X}85xFx=&Z*Y&xmVDYuSDP`Db#if>Zzx90`rYR@+K2 zPe&w!B1wgOZ5UpA{owu+(h08RRcDRkwsiRoqRg2p6cOUmP%x-|!lzc!Q2;krg@p zY#DL~FYC|^lBSF}c`*mp1u3R5Iq!g!?}>y)DtK}zZ3Pi;YpP94d?T>V5zxe*UOHO7 zeCZp@f%9Le1N0GP?u_Qt3+!1>t_ z3S%DqM4Tvbx_7q>h~4%uF|A7Zn;sd+_Ai8F{&y#!LDC>co#uVb=L#pt)lfCmViB zX4!Ftv~RsZt9lxX_(ufflrx1~acI2|;szSY$ar!sk+GS^gThlEdTYn$nyQcr&CqQH zI!Po!W%kV?W<~EJr8OJWmQs?-Ck4v3To52ri?@MvHlPS{ah2K>Gkwqvcb%uR6c= z&jwA_T*1YpifcnQZWt^X+q@A2TEAhW&Q(mgR}rGapt7Qi*V^DDWa@3@G2l_b|7NZa zM#nda2yC30^UyegJml9TA2|U3DXeRRlyForVl?4q0&SSD4#tp?t=qV{#mBY!$&0^n zCV(I7P}(=J*zw8Tsfbc|P#>Q70_%)Esn4teIfyupf|J>V-i6Tm+M!C(MLy%k_NPp@ z^R10~7fm`x6d3jRh&LxB}PNmRi}feR!j zlZo+))+$g8m{|q#DnI&y-l&)PwlxOlHehm4eFFg=8}T+M=o|q=1n6H0-WfU?QrbSL zCx=uNNW5RYQUAWQv-S9QT(LeVUBMYG}CBJQ0Hq-Qy;4&>O}UR*DBSMbL z#3=i2LAIF$eiH};$`5;lVWNWOwTv&TMBmO&T?~}B#RMwDWV?n1qCV-!OUT0@ZOUdJ z7VXw>zLu98cW_$zAaeugN;u`a594}fJlX*h4(#y}j)xy_!&Ro{fD&s6CmVKU(RYwi z>%Eo(uIE_fG!oQ^IUtXeKRjVO~v5WgBGI%Wtne8lcEPMl#DPHnvVA9EP3wO zK&=%_Dv+OzQQgdHS|R>@Slw0?W75;t1jlM&uOPG9;{5*HtYu|+u{0wPQ`(mZID7*oXOn$d|8-Vu$+{jEq>7( z<*afzDPSv?>q?;~<)JJ>_1*ubuKHf#3OTW`Bh~80_Cn>}Hl~UlY_v_a_)DQ&pV8Z1 zkBQO#5~~<=MH|$!sIfwX7uUbSaRbz15J_pQ{i!^uM^QFYvomWb*wOV?X@r*79V3g{ zI_u)6MMoX-NV{&Nk^~Rtplv_%ffW93D^_R~$_+V-aP$0Z~#L zCk=3b#{dQTfIk-6-5y{Jk85O_hw0r?^0irGy$$7AeKH5SI8E3ZsL}RDOiccX%1;d)#aK05^2punM=8suB9knJa zOupa8DE{7h6C$v$Y4I$e(9RP%Z0+N~5xI{c+VBg8Epx^{fM8)MK3CbqgOR}n4zLHgz`RVIwead7BT31z!| zuOO9Rm2DpNH(E>(C48zJ)bq&*{SoRLGK;^Zu|WzxP~$TE5f8d#2DO->AS3T73c99mwRIEz_tRDYa4*03XEfk@lV8BQbx*_)9I}M+MWn( zn=0n@CmU)z8;m7pA;e_vIwry_!#R1yqwF;Bc36Od_!od`xP|#pvF}(EZSYVA#u2d< zXT`JN#~^f&s8JhEe<-fMuC!I4{@_56pSID7(ErCLryU14%0L!LjYmOW%7>o5#x=ew zvqXiIv~{UItK-%IdZxPjCzhCCy2dskZK7wY#ItvzkuQZ`f~pwW+Ccw)=$l3vG<_Kt zKO#|O#R2+6r`7>Nw-u|*Z35aD$Ql7qNPbOpb2TG@WTNYFX-#=%CgGe8xgwDWWSBi2 
z4}+%y2}qM=^qbBxhmbKIg$T%2kbJwL-F9kVcyEq#sPk$Nef`x&gw$pL+Sx2#CpjDg zH8G#tM{TtRLOxpu?KVe33V>e1AcX->l(nprR^>KQA-2o~#5VNg+qhAO+w-|2$Je@M ze3zqn=>rK4q1)~HeU`pMPlgzS%qq)LVCt#W>~XT~s& zYEd#G3$HBWWz~2^uW%)gHDd82%@!wp^efHi656Wr(`Pv6R&sN)P}?#P2q}ja)+vkY zOW)qQtmM#`r&B%fc5#)_A60OBv`uC5t4_W8qg?fvID~GOA*yMRb|_yBs@4=i2I?uU zw&Dg9D3FUhlM9@wbhb2zwR{4A61Jh~9+*pAF?;+N9D!R<-<#>AkP_!t?1z;(>w*yt zq}1)=0g^Ssu-cPwTx07kQUdxB)iMaf-fRUh z*M+2@Xpk21_Zw-Cvd~MfMh_jd0Yn6H^`XW~N#Bh!*2odC>^` zxB;fy!2#BHTB?j4RU72mhMlR>T>s;)QXCK3^Yd7+vZb$GmEQEo22~(s6X|j2K_fyKJWh(Rv@3!WHizs6?Y+RB+1@JC zr{mfxm!Y+B*|pm%AGSDg02my1wj<-Al_V>t<>@8g2-BU7_gnG^gjZAo zZa0rDRVhhEa=}}TA>Z^8cTMV?elf01*>L&NYFjzf7av7qHM=_C)VS70bsUg)s3kIT zc*Q3f=7sc~+ilsuwm#H9-pay&a!oU?YqC0nD>@2C2QL)L4X@sMWb0IXxpvAsP`M*i zYevgq-lB;U191^EHcNdSud`_W(DP@x05$mf2fYbtj_&xGKuRc=+>8k~3&l7{r^r;> z^0i6HiW8)+n(_T0JYMAxKEjnMCC3dY%5_5IuKE#^xTz_wA6mtXne_ouS8b{w`Vr0- zJ>&M!MZ}|(HfG)+FgrDS)joQRJ}$yvp;x`qA**()S8~vzZ=kU(k%!W_%oshPE%Bqw zEz%!|2!{Y9?jK_x#14&BtkpO=oS_DkXSg59Eml8CpTsICk-Ve)| zfXGM%YDN8sQ;%mfq18!3t?KG4Q1qTKfn+iMKEV=y>rW({RCDAS26eD1@&iyma4?o-MN2ii@-5SUsqY>S8>*(=%n)?5wYM zQI|Ht3y2m@B4z$Mhpkar7YukuE5uGW?;MR4q#Y1-5rC>XlDHcbLq>gQ;TLD^ZmB}8 zpf4wv6i)`UhoY%VrI3aG@*-{?X<#*LpdV1E-0amUJ9?apJ1BXi6Gp%v(Rra79#EsJ zJe8wQo>hdKn`HK(bA_-mtvNUd@PGwhPAF*4I-psI_*Q*HJ&a8NLj_>?S&>r>gHI@K z)@!Z;YpVgKi)ixdl~Ng`bxRQa6g>~vBNbortpjn$HnK02V=iqLm3H6AtU!!*340hu z)GUX9U8eP@P{`^TUE9G@uO1zI{6-w>OnGgFWHkWCssuw{VL!mbLW;Zl6Is57E2J+T zv)cCtheF60TyjPPCiE!uQJ-;urlD>1D@H{P;I-U1jp6W^KRJiQ8F`|n5bY96UcxHB zhpl2yetz1({8S~{gTHMAOoFR>!tvI}V-?JLAyJJ}KuAM_724>I3%3CJ*pi^FV=U7E z47TF&1lwsu+9IHxY{PMNJ?*omRG{+F2+M$=3N3pQQPENxn4*JN< zYd`6{Fz`shVd4pEiQ=Hh*Km285gH~k+&G(-LjY#vxOUBU%dEFC;X!rPSMM4g_27UP zLcoJ%knj9a87mq7?VW3dA#=20C&5RVy_;Z^M+Y&oio}^KoTCjwj9s(Bm;jI=`Fe{^ zb$!>V|C0~hMV_UpJZ&%pJd(jyrya6@Vkq55rO<;q;?*AdCf|Chw2)bRhap3hgaKm4 zI3#Km4YF8RcXKs5S5sfBReHm|iKa9*=%9sB=sX65twwKmsxr-B>?vRjpiL(mx{jJqnvSF(ZdQpnPQu%t)tFPw zJC0H4HsN5^p(X`x3AI22_~4uJjXYlYtHdWbFf=daDO8s0Lg5&4(*T*G6^m$#q!5|> 
z_y@Vl45Qowx1@T^x&+7IgG}ZG3{*5g8OWy(8ghh&86rxH62e`wuB_22bIKkEPB0K6 zbY<3)ppJ!eC?A0yzlG&9^V&|%h{6wG7* zfecrJRp?Yq&n+20A!0i^kf@+~y{u@X_Id)Clx|}%*ox;2SkpwpW=8&I11y_1HT->Z xnKbzj@~cFY#&|@m1&y*PZ6>YfcN{0B{C^Ko8m)aV3s3+6002ovPDHLkV1n!GdP@KR literal 0 HcmV?d00001 
diff --git a/education/windows/images/get-the-app.PNG b/education/windows/images/get-the-app.PNG new file mode 100644 index 0000000000000000000000000000000000000000..0692ae6f7ffdbd3e357a301c7a5de06e522b0531 GIT binary patch literal 129831
zAr9#hcFJ^i>Vj{{V1+OM>l}F*ab4m})yp- znuL!tRZ$%Efd{=Yjz9iG#{1;QPm15&aDxW>F~Y);K$|+Cjg70kc_6*DzT{EOnbDes zePi2_#RHzwx%-(mhXK$2nVA2`9vqsZ(92*)X3}1@EG*6RAUW zwRtkO+N!I?m(DmrTe3N9t8IxX&x->DQ+uWlgnO6Bz`>3}J*ockLCd3x z*ly%{Sa}P8f>?2D*tJPW8^5b+vJ8W4W%2yOi(axxth?^|amb->Q>9%tWLljYM>@L7 zwKhrD!?P(e47L_orXnz~>T0XU>)&`#tiQnv5jF@z$5qtqN*PmJ3G0P6Q?NUsX-i&QhdXgw{oD*N>8*gUN^Wp zJe|ObfF&3tD*j-xCTCX3Tqcm;8sG*KYtk@1Wf2;nxLEVnj<<~9OCYgyKGLhTRi~~V zA2|LaPXF{NAB%low@1A3;Md1tZ$DHk=ee46bVSdR9<9c;>e39`1|l8Q_7*AY*m{<{ zo>ei>t126qCoWt|Wy_MS3hGz66x>c{)6F)E7pXm8tX1T2fjk1+Ol(;os|&9v6a(rt z?^OKX1Gu6#f;r5p71tTcstB+_JCvj*l#E8p4hHOp74E!wbF=?|qqa0qg>*h|_Pjh7 z*unaPvq*Yay}?^`EzA^NZA2v*6pvjxCE%m-7IV?04-`~yS?dH7Bh9$xja++*tRFjc zpJedks4~LI!2mvF6SA`nH`*v(vdJcDf7yj?V{q8`MK6j?Ub;z4(4?oeO{urcyi%+J zezAd)$;rD0Gt<{`uxDk!3oi`r>0`SqG@%+Td{ZpHnzZ-ySoiEe&=$y79Xk^lUK7aQ zMFDf?&GQ7_+w|TIlHR~C_6R^Xb=9n+LQQ`@0BMH?>!Kx8XsxsIC(#^`5xLX<*s7iG zn{5Q-V1xMCIvDwbsmYkQuJ6IAMF#+sY)ecCIoE{P+nVy}_>X#DhsPe}=YmRlm(B39 zXKcs*9R5V#HbLErv$$brht)QInnBNxfxw6GQVM#798(*E1eqj>Abh&v7-Tdngt!x} zrtC^pc{p1LQW3Dxi(ed@ZN9md^$V2&Aqk}wgoR=7Qd$qAuCf@s+HkgVQro<8yI6aj z7nlaLED*(|q45(Y#IJw#%Q*hH_s08=JtnUG=}$GwV>OpT_+qJM)1CfF@?H(rXzDx4DxdI9^-~}i%kvC0FNUIb~)iwz0wjugABTi*u>Wv=UW)<#dHe0L>#JTB zJMXYV?7H*LvCB?7E52jwr1MwrxMS?T>n?H2pZ*kM$BnVWv(pk&)Jq)}MZD1usT>|j zA`q{@ISIUZUMr-PEu9Xu(qk|xmf*OzA`wf0cE!ISpI77f8V>w$#24TjiK`rKhLEPGbA}k& zpMN81=b1Tl#>$sIqsdUO#sM@+HB3^Nc=*nGwSRrKGO1CWXv2emyZh_CAlL|f(Kn32 zvjQOhEe13gQQC@dXQ8pcfa&aL41gk$)lgH#R{${L*)wN)AlQ4K*BT!uN5_Ex&)@k5 z7Y%F(M_}}&j?tsX#%{as>A`mXf_Z5$M|6A$iJGvNfCzFiK7R*1bNyi5b zMPT6ip#0>1I6#sbmIpte zU2na0<0YD$_~I_JUF+Kd>6>PkTRC}6)Hj>Zb{H#q;0`L+(k$l(RF#N6%(wNH+Y4M^ z_Un5bm;mKYg10@*$}7b=Gpm;}`iaXa;*x8$dWp)i3dcHr#e*2Aygoayd0VI&C!bOSHJqT`>=PJj1|5< zxWjha#>=(Rgkn!$ua2n;bi$2tU86>6u$&gZ{p}6r6r$mr~%Z4817$&9RAv)f?94SkWhE_?Z{gPUI; z=Fyxoi(`$o*3ydZmGR(1560pJi%NYcSd5Af1{>1GjUAi&^{SY?-K46ZyvBf}fsDrz zSROOb*1?Wu^Yyr5kO%;6oJl$;6Lp6{v7kT~@al%fb0ehy0YU!00k{K{YjaQ+hPiPA 
zQb>@-T!C1{%5)n}3y_+hJj*Z`>{Lp~1b))6jE?{cT!S2=2?UV0Khvp|XU~+y;I*#A zdCb7q>EPb971t46sM$QI@fxK3Z#WxH@*x`3jk*BnnzK@eql)kh9lH0cl;mJ+2Q7gP zK)Eb~25adiSf3>{pe33>xeTBU)p0A-oTX?k2i&(St`2s*uFgFvxo)tYk>sOUtO?0y z#bZ#IJuA26y@KIL85dM2HtDxT$Z0c<8K=;2)9R<*JU|iK6VXH&1W-*|Rg8)d1UXz^ z+5sQp-nuj)&Z*eeM2>ev(spDoN~3RhkQ1u0)wUk!G`Xx^3%kh|@G4*z<>(vC6mMtO zg&GRaII^TBaB@@Mc}#wQ%xQ(x5VG+=@`MQ!Y;#WXZyx8f3ngGR0aZjz`>v~weqaAx zNs|rtCn4Zp>f=%kJ61UdYXjYhj`@dd>eTg;u0tb~g6>x(4PfHvw3hVNFdT?dBQzR9 zz``hPif?}Cd7dECtjL?F%?ea+?H@LQLLetH8Ryq!X=`8Rp*?w#NVX?>0T{S?8Qe5Z z@Zh&sV$vTKF&%&(MnQ(r;Z7D@~pp`@D8PS5754gG3nNp#TII zBh<|x`=)~qcHYS+eash!Q>lnmZc`O5!m}^VZPm=0akNlmD|FG~B~Ir~K01V#yxh&T zXmQM&H$N84=gvO12ik`TUp%NJZrY->o{NM+)?Hkkg-QZ-+*wXC$3{IDjgSn%$}`s z<+gP6G;jXgn6JPcZU6>1ckXQIc$RSHh~I^li$+?~y*RoTE{FjclHWzBhQ%g40g+H6 z-PvtL%2S&1((ScEo(V$%*=!UIKsBUip5%6lenofDqJ`pZj_;_PBiYfz{Q2|6bILv( zU@r?6NT=gnX9bX%cBb3{*%XsC?38Cy(FJ!o`wc{r0y%Q4 z7^!eTxfM5WKJu$>Y}x$MzVl^oOI$}fIoXczy^|r;FI>1N=7{#9h1e^XBo^CNv8P#c zupiYey8J1oX^5{r9v6_l?abM_mrk3P3Dj47X{6ngUM7_lXgLNCCRs4irdhME@fKc~ zMOWv^F`uQ)v_-PddD81_^-;@KY@$xwDqw{kK#*1k+Jqb5&^f6%(|Kz9+0u1w7giW^ zW+Suui~_pEZ{Yvt^LT;q;RWBs_AI^zUD>%SaDCi<1O8^I&lX#mFFo21@SK7C4c)7P z?Og4G9W1aPD|fTIFBiMlk-qI4c~r(?EeCutine7nqAyPXSZI>bWBHJXzVkAb5R50g zDE%5)>1T?my|P_NuYQ0_Q2y6&R_8i;RowTH-h>H69nXBd}H#9?ttz- zt>mOrD@eiD=%`z~V&U{&&VgqCFE*mOmPp663zx;9X(_*b$;AU-|H?TrdF7Q$foBGb zGyuHv72C!qPWfy+{J{Nj;)nkyzW2i)$F!%W#ruvsI%ZCv;q3`zMy0KQ0r6bdh2Of& zgV-KB?GU&8is6kNJ3jvBBOlRBc5Hm+)1P$1v;DtFs7KfC6tm@V48VuntR0&<8N zY2)Gc_m^+_^4N2az2k)&Z|s#J4(IN>?vCqzer?=+=f7g?xY2G{tSmcpHY6R0hTdW4 zonyD%_KeAsSN2UhH0l$NKNi3G^_lMnQ(MRJa zKf1!V)lXb$Wjh=$;D6#XpNmm4w(%1u#9C{vZAbaw0}t3}xK?`k<(J0RTW=fdt-GFP zTph9g`s=%cJ^awa>VG`+-x)u>=IZ$FWtVyz>Ex47iM7^VJ1+Rfd9JH#RF|DA{XypC zqixdr=xA03D<^RGzy1~f{LlRwU}wZpN4(9Q9352vyB-P9Yz3SVj(^LowsCu|yWR$V z`_3Y*`ftDOA92->e;6~SO^aXM_y^xzb;5DS#$%5?>RBW*9P_^S%LZN^A9~+=W5)F9 z9Li~AqAHzrP;WV_jZ z`yJx#?>fr*d4cpy`#vt4nWc%N?fi4FKdSgz0Rm_ezg_85~pvn0N 
z$*+M-2-`@vJMXkpth3%awqb4{`Rm{Q7C-pmk0jUl_~G}zD;+-&?>+8)TB)gTiVt*k z;)hR&ZC~-q_~u0y$92E{bxf08{PNmsH2GT`E6WG2zS^qR-yO2uQR=5WzVf~A{~*5e z-OJslk2>;**m|q2a>=^mgv}9|FpAxZm(=mOVKyHqDm_JL)Ao(233NEg;%Q89>LgM5PKHNvy z0S!gF=1nC~q%QTXGI-@>E7~nr_Y6Xmt@K=j^5}@Z45Bu~7jttQ{+_sL2*nd9*$2}y zq=g2+(94~`rY%7Jlv^uz|7B07@5Vm*J@4^K*2dK+{S1L(6bHCL7u+n#&HSI#>>UjK$SiicG-fUgppZN5bu@y>U}XBjUi-S&$7-vu5tAlOl5<@z4t(Pq+=lI7IMa? ze(B8k^k=>huiE+5=4tXulVh#5){5Qs*fWki>fIhVd&DoRA{@}FtF9^%ZSkeEzY=eI z`;o$3TXL)wTd5;5V`YX(+SyfhCAW*QvE!hkOn33F;s!=r=ig7K-v9T)I1E3*DN&{kbUg9adGVX zKNw#;`&{duHePAcN|Js3c+1-ki}NnLBsLX)K$g!gO2?vCuK&UfU51O^%pQjV9fC=~ z`WtQ-FP3dFp};O%f!X+8d+#GXUl{Lw{|92non9^7OqA1`?Ctqo<(xkJv6DRLQU4-2 z+|9SxQg(D+eDtJG#7>%=pi>^Vd69JZn%C?bXK6CV;Jr`-BD{8L;xKjURJGB{eh~sN zUK6`j)IL+DOo^3No@__Jgox)%*H~jM-$LK1&P*Ck3`H(l-0f?iANrpU$Jf4oe!St0 z2dUj&VmqF)$`sYPWgK?I5pn)Ez7f0bw!5!GQJ%KKK`hdw>;>zt8|$pIj_hP|?7Q#2 zarvd+u>)Rt@=BI@i_JIF1oqhY{AWKKQ&yhhRW*|%_Xj}wV_@c->+(27E+g<5jGbQ5 zFW7YptnM5T_xn$k=}Ct2IeHgBiTI0&lP1PVC!G|ho%#joa_?Au)zxFNU= zJud#{`LS-fsjUHKP5wqJrj0akue5B3jtiPW5;3fzU=Bj{KRKf3?-}I)q_`+|-;ct6uyj;GD_CuF1)5PN~ zZ+S~xbm4_@^wCFq;L8V|6PPU1XVLwdYpfaDzVelE>9@ZVhaPf>e9`K@afSi!EjmB% zYhRO$>&TC31&Znl4Qmj+VG~7v*aiza>(~Pyt0QGA&l3pAK%h*PRZxC2o#BNWJo2)W zudQp)j7Tl^Hh^i`U4Uv0n8*dcvlfzt3gTseDe4=KO?~PS8TZ1@CVO#RB zBaV#2-u@16Ieh)A=f*96{G%FD4IoYL^V-+OTMs)TKJ<|jH7mO#?z{J18UJ|6%T~{l z*hB_>vR1Tg+5Y~9-^TZ}5_;s3hunZH|F_wGyI4ajG4L4}nW@xmvNyl=Z7RQMocX0Q z;269e*fF+!Xg5!~cf2PqY~OrUt1WoMQG&J2w%f*WANWvw`g5n+d=r}W(;=#k zp*NJb3UmU1z5Uw30Bre@haQU89r%X$*va`E;?+O?aa?`Xl`-wfCq2W4$36Di%k9p} z3tCLVmV~0vvbTF!GRLt(5V_w*Sa6dqa5&;>xYxC2moDw_k z_$qIye&hVF#~);Al)6Mbav(EDS260@QZ?;*S^s$dR|7~*SXPxzB)!!i&vR&veGJDmRy5&;r zrENm;`mH5udfJc)AhZ0mkqYSy`(%&oBz*M5kH#xB2t27a_{vwm7JvWy-;KkKE<5eG zW4vFh#7}(uV_CFKZ=L4zfeTmiNL4=>O}^oV!ATPywHp1#y*1wTj(0f!l5brSKl|Cw%XPp07(aeO z?7sVM@eWNi-mX;}?RoLVm$-ea-7`=CpEc;kT z1NnzO^uc(~dye%WgMFYeR%;T`Ki;lIv8As8ZUdb+Q^?J>u^o{?H&g_MRLZ`j+j#X~z(IBTbcK=oxuPn<1 z3Lg2*F^%#jkp~~EoU9z#Ip8{=4kNkIrB`Lli8(UBYL%CyEV}fOFc>O!cu9Wit$&R> 
z{&~AsFgx$Eo39fjum=k>12KKt^f>&;qn!GuKm9rWddr_RqaNk+3Wcp@05f;}iWZ#; zU?$DB%7;(*VBB@r-FZD>-h6fD-^Zz6_?(PSo&DAo{xgIQL&X^uwIrGc$wR6sP{s||3+}lGa9OGuC`N9ABsGZ#pzkhjrK!fPt z|Nb{$7h%h8wrE^?_0@6F1>f{Q&F%PwT@QF~JN$_F?59tTOD?>?*JOBO!}ZtyCdO#x z$;Di5==tKQpN|i`|Jbwsga`8v{GQ1cFy1A@8i2v*jEY`-X>wnt2{`R#7mPoE8-b*L&9znnMrvO`Q+sRoo z$N{^(YWw)UBr}+G| z&wn;Pcgo3e&wu_CbL+J)@xu1*H_!XJbp;J(x{o~kNPO(WC&Xt@`BdEYkH35H!?8X1 z-~;gm4KO%`^)`5+CWBiw>}dM588Jic!*iYh+wIto?MQMn0l{5(dS0N>=at5_s{Ic* zz=IqspLZN_SX_4Lr7`V^C*0Oto4f0-yW+IdPK}RzF)L3yqnUG>wS#VMc37dPy%!>eM=wbtgeo3-O zdK*d+1}(t1lgqJpYY^_14RFUCt5qf(TzBRXB;V+vfe=T9t`FG%01tB5&|Z7)5!e6v z*S3dw^U{{TC3)ZcmP0)#4FWsM5-mr7G`6XyX^@+){;^f05#&c?(@ESq=U=jqj!bj+>)vohG;_G$_9&!e_`Gi3&_3nXKald>39dRA}6>EaOu|*mr>ELbd(@< zVu8Csw4{~v(*G%5ToKo>nf%e;P>Y!`LnWk{=CPi)9tq$N22wN=kfP?!o|7vy!G}Nk zF^|-KtAc^|U-qekjgNy5&YMuKy7GtKIvYHbdm2!6-WCy8wG<8TnNOV@<0ee>ER~1B z`LDbQ*72lJw zKIpQOSDxb87Y=#<*B=-gZ1}>s@%O)rFP(N;thCZfF2*Z=0%@%_ucE4q_o?6|Ss*C&k8igLD`&y_#= zp?TkMqZhj#jD|bQxIS1rCwgW3GM^o6x6at&>g*aVTIKFD*?^yqg9rZq$+$d*&}k#Y zk^1_Yno)B+83XMpZP8{5=uPuF*WU`gGPX4|6TSBO-^K6${MY!+O@DN_z9oGB$5;7U znV7KiVB7SKT6F*?YSIF4+;Wd@;DI9(i+}#}Hm!tDGv4zFbZGQ&u$(6KUG}Yu<9nBW zCnl{lF-DIXoen^@MLUgC8?mL6oh;;JC&lHLeJB2K^UdBe1Rq@zaKH~g{80SnSJ%1E zZM@OOi0pXUn{;02Fjz2A>>Smp$x(-Ns}*sh!3&H=+{_VBF#Klj`dm;d1V?njh^H+BP7 zow`a~{qvt|mGOA2vHEJhzPqHG0d1trx;UW`+%cJV!S%DMmaVfYz+RGi#LG6_G=BGo zo8u-;a&Nfl4-UV*@#eVx_cz7$T4kPf?pNZm#~ybd<;A{SyWD5L{ap6wquv!`M~(6I zuhH}^@x_0at)jkn^B-^aHLMD0jw#)6fW7)giq5=o0YC;n?oa~hkV(xa(03VtnZz+! zJLI5)oc{SQoEpFQ#dV&1()K*kQ2ReyzrVchSH4C%UiN%|{0_V`SPq2~Pdw49=<#F5 zM+bM3E8ttWzQ-U)du;T=7l!}1RCduffF9!`8thTUa0(q*)1DsdU`p~~EyL=S` z8#@MFyhKBOfF8|m7z0_iCLSyZ2uw`+xb0v4x_5wobf_+XK}-6RPVy!q2CO2CM`7At zgO|?OZUoo6TjHHMn9!hiwyyJXPtFpi!HbE1$qF(V}|?cSMQ<$WJ=t9 z=biD7TmRsM^!?F{aK;~FFIhnsG6 zXMwhvax1rX4K*_ZT;Zt#1JzWn)uBJPU^9S^Bjx%Ib#cuMJ@R7f8PlKg4LMIe`4nVi z9IDUt)&Yl9|MVdeNAjol>+Kmb=B44 zH`o2Lq&$DXU4U%!ZT#Yw`25=%=y-mO&Wzmv)}1?H>N@qMQ|Wo4_~rT{TYbpR>TI^! 
zj2pDLgYn7IX3S*SMGnlywOB-jpO z#nm3S+;WT4_S<)#m_I)UI#*%A!rNvuwX(+n0$6T^ahjywQ~DBiE|DbzRwrI856Pk< zf;d^P)9)lYt+NiMeV6Njs=#3p_cKfm_cxb7Ff^kV=3PIZkn*YNeL`{n2# zxbJ?yRt}nQO-}=`y|vjg{`oITiuh1G@nA1kPl=F-l+>=UM%w0HNtK046 z6BfqbZ@bL{5`Kktai3B<(+_Cxl_pP$tFFG<<+y%FpBg&QJ@UvSafb%8Ng6EukiM!R zASkf>9>W$SVLG1#4rGb~PNYnr>8(`vszsg5C==a%P@XgAN zOG5tlZcSKvd83u+VF&aB+aU$uOU(I&-5C`)u_f@E`RIWa9)lU>8I;)(VEYsBvvex% zfv}wcPWtnJr%ZgR1KJ;73<{-&=vqiial%``L+Vwq?`DvtNXG;-=Q{fs3 zoqL^i*YnoWJ$K)28K|E|;;{o7wKDC-(I=arDa$W^@pIq(#-QfJ8UUeU0MN%E81PnG zZM8W39Y@9|KmD1w{E8pNJKz0oqw+ATXPLscfn%_=egoX)-1wetHQhrwsxr1P=#(}f zDlbj~mW7t&%DJJIEk_%CZbgv7FM43h@$4^uG0r&k^Ks@GXDFQ32xolZb8-2l-_C(V zqfI$wZ=~r~c4K z-G(uct^Ug_5=V|BoFKV2*kJuQ{K$93CqF}*{Wx~tV^5=VS0BnuZ4Cj@#9He1O`|Dm zU9}C=MqH2Cc;k(I$1Zj_lhyYydZCE>gW8xaa@vV&iOi_!4~=FOaATMU;z0lt*}k-ZpiNl#PxMG$)&A_bJFnvq=Ke6kT|rDq`Rx zQa*8fE5O7|g)D>n9lnVpzK%Af|M3xV&aqGH1seKzG6GpsGYd(0MPXix_e`z7rofm(^yWkqNy{t?YVfQ8<$wSXkpfWi2J3I&ByPdpY>O?-7stV2OW!KqoMEz;%#0+p!1g1zm$RkC z^GMW19v55dtPeCbS&pz${`q#&IzW0N;@@Kz@A6$8L9R1$o z;z=n}YO#4$wzQ7T_QfG$<+E&jkvBk6&>` zDd`#BDP|E2GES9YK8@wjS4~@SDCP_R%C+(4afV{izzRUlFzzs6ww2(8f8m)DahsJ=U zMkst36c>|e3nMkC=~Oym`;{Ya+`;L?Xl_M`6Sa44m$9`cThK(U+5)==9lZQqIBs8k zxr-a%n%qdP0g8?tdkSNa#FroxX7m5W??zHJo`PvmTcJT!nWa#$!)XFo5>uwZJTn{2X;o?i${Fc* zsR7q%WwqPRJH;Nm?Ch}DE<44ZI__PiovcqDd zp0$+g7!@*}23m2r*1<#Nb7s$r&!6$d_}C{u<*l&4+;U6&_(xa7r$6!Wc+-LV#mis3 zQJnIrPnr(K&di7l;|y~7=9s1R%7ev?>!lbh6$9df4%(dAlOg?yCPqdPnkkzKo#wE~ zsXK!*D3`V72TD-E@My*wazdw;QOH5w-MG}KpgI9}XwhCCRQ8(yexXz{X^%`v?)as_ ze5_E4I4A@A0gOenK?Huqe5TO}m9J#a9)-ge41?S^G_W0Y^n2VE++_9r%P))1eCiW% z(18cU7B72o{P6ofFm0e#nNWBWn67B@2nSVr@`24)0I?urLw5E8wk2^Q1M1l%!52Rq zaSA!{;+p3;Pd*sXT)rr&)=-@(yb;npXPSRuuma9a24Y{LxF4>jJYU*ZGO)_Un zO{F${Ajb?PW<{!&iXcd{OuDRu@=QT>pa-v{6nF%IzaoNXp6g;2Rb}D9a=($t0`OBR zU=ocEbZUBPPqy?126Bs!w1m`8YJ%-R4Q%ZlohR0UCiW46Uir6E(EL^ZS7A;&H zix+8d(_jNN{6$XSL{mhW6tKh6j~ywUzy5No2-&ML;h+OJuBHG^@`G-ngDiyIhZjZr5&If;*Bvu`tyLLBW;Af$x58`S@;)xA9R_V(-+b%WOwy?WKx4+ z*n8$csVq6TJOXfm{A=f&a36*oyM 
zKv4{)a!DSI!s^M;TD9_0uynPUU4_9MhA+PIa#>)NRaf%^n3Q+J;Lva`IEJz^!^zPQ zBxS?6Xsoy127V-f>oK(sH-xkeEezg!;P6u#!mT2}eB9VnY@ja9T<6Y-*Ggx*?!HId zdFQ|5sCOI@ha7ZZoOI%c#>4sP{$#?6-dcX#-T~zywYby$r~jAp7nF5u8JN4@a$(I z8vtI)=ir1ZlU z?c3jeWURlz266L^zgL?b9&bPVt?}j4PxC~IXYwq!+NJ`eunc5`PHM-jnSOTsS|_%` z5db-Dn=Ed(2i9F@T{|?(C$I(_#a@vTM>!BLeaTC`LosdUjMNkOge2JjXeUSfLI{MU zUBOgshYT^2MseDPXQw#gjKE?mj1_wYs5l76{X{}~rmi-p+2O~wrnGu@@MNumdb+W5 zainzK|LL+S=9PzV@|i{f@`wWRd6h#SOkoVJ!yNFNwgOa1fqEPsM)-!4zy19mK3i?I zRW*T_5PiKkTKHn($fUI|mS~0IiLQvRx!P*R=P!$qU z&h3|Yl;fri78R_BeKQ-YHVvjo<9fAHTcAOWXEwPvf*WUgt9?KR-Ggl%%0{doXDCfa zpYww!&AyYJ9*x0`K&K3P*ltdD_{E+nC;H+u+czitObBz36PDtFxkhqqt)vX{kfa@@dg zum6p2DXz{4$Ypu~3E|G7wAL*E3(bsGAJpy=EyY^JK;bMEs9`AyMF)f6^+CX9n{DQ| z!=Pa9I^r6U@3>+{qw*c*%G z(?+9&BFs#%d0@e!1zP#O%JFYsa#8&2Uw6csYpvxiwMi>Yj?o&FyO;3Cqxn8dRUsq5 znPIa!5uriyVqwY$k6;k84XQxK_|4#RA;VJg*@UKydES7*NQR2$PGQK5lHEw>oV#Rs zaW}Bx#vA)>6*%spfbO~RVvDV}E-66T1M+i6EVp(8lc!Gc)=YLwI-ok8+J#%BH-6EJ zjpJ*ijwoO4#8&i^Pd=gcZjVj3*wVLg+i7WXksXcBBPhz`msex$w#Qy}P?vq@J27qA zbPqh-Y{Xr7Tu0?5rb&&h`X*r4{FfazS5o}7c50)Ml+`6zaUc!E{rBJN!GOQO;TrOi zg-cXKc{mTsK%$^yr%dvIzutPQon&!gSx*ZreKt6y0##*?RKE0AXXoJiPG2SG^`pT9 z9pH(A5L~v(+R(3#I=$nccNiBRGJ4FY=# zg(|3CnjI8sx1%JvGA1C8$;?owR9HcCqY<#lOI{Ka$B);<2wQ_U>`eV$Cp-s;jqwQ4 z9=q>ud|pq;H8E^C2cE3h2iceh0i3(a+24tO-T{ga0&woM9lpu$_Ej3!y;xx`T%uK* z1~mpYE*a%655tf6Qhhm?q#w(~tiu2Ur48uk4UIV&oD5KF6Rt}cw}9H-;*e74)`@) zIffs6?{c#IaP4ld*~cC7nyapi0haCUY2emxZ_cs_~GH>1@q?0 zK%2Pc8^pReA&x(w>I#%^L^D>;TY)r+1KjTX=%WwC?fJnI<8G3oDIe$~Dl6N#@BaJaj(`2rS#Le`P){)F zBiSf+IsRn=z?)j$bIdWI#$}gX<_DB5yKx5VIUyY+vRKaH06S1oYI9$fQwure+;zdx zC4#Tj74VE)$9{PsWW^q_U+lgPI&^IYll$+v$9G(=x#pU&^($WC6)esYyI>#ycy5#} z(&Iny0iOfdIym+TV!mk4a&S%p+xgTxN4ha6!@dJvgg~G4pp&^npg(wJ+gHEwO`je6 z-lJpQ`~|*YhJl3}a^rB4f}c71T%`Fbo~>Bmie zqco}JI;KGdkj>YH7ccUl$*PU#0eMS~|BPC+(Q95x;n5=Wi&QFGCv9yC;uV$WCV_GX z`4FxHvNoCj{AKrj#Q4QvJ65B_!JLv>NgBT=(*BQsk6-u#n`}r zTR)PZ%5BM-8I5GCTs-@xJ7l1L2&ej3zZ9Go$g5uO7*JUnTovls0~BD@%oSaAwlhQj zhaA^GV%OdGjEyzpeR31!#?FfJ~Z;zWF7g=aMhJXgcu$MwFJA_<~H 
z=U`vigONF+B#LYWI+YY7W&HH2t86U1HG;v8&cc=gTTQ$Od7(N07mh#vsn5i=+il-? z5SwRVc!SE_ci$Boyl}(#*e5>aJ0p4KjB*^OPkYLDkG*Wu&HVU5?kndE7r^NvSzVI% z_UD~i3~KccX5aeOxA~e153x?0F)g0dN`ckEDW`niH_-qdJh1^})r<-qG$9?G>r_2C z$TA@Cw>^o-V<2NkkBwOx==md7w}*gNp6&hG*T%8Of5`9pW47o%K(Jk^yelJ=4AK>n z0yfy^PR`7Ch63;Ds{uXX;CWds@?)gTbbtKA@3|~*ec4s3Bvx%ECTGVTf4n+PyXv1F)1RCcPdxd!bTuO;$}YCuc6-Z+K9P|}Wq6|sX|u#D ze_u6Ala*DpvODFoUocNggC;~8nAp+>eCMg`W#;s0o|)S*sO=hBb%SP<7Yi^DU-Zoj zyh=UvZHL9Xj(WHIjCD3^w)y4-3Tv*hMtt#$Uv#;PFS*1M7WDiZC}=M%=S+bdcS#jZI%%TN6ke zG=Ir6YqlmVWhK(+v<*mF+&%k?Ykv_uqO{#BUl}K#^ilUuWSODKlwZQGHW)u{T%2<9 zCt{7&SC2pb;SX`kpZ^@=#*B44<+Zn@ht9aG)Z3C8)OZH3y@Tgs8K|;90UVj|F$rgP zjK=_ctx9?LbbLatc353Y6Uy_oTk67}VpCw-anz#_J;@*sZz6osX;|neja2^|0DVUE z(#HZhs6xtvj?U}0F_Uj5Cipgd9Xy#V^%*J+L4zE%6F?;7KxPDe@!wn*#2-N=Cx%rv zaN&>PSCc^(7gnwAS%C=9NCf(d9bqBJ1IaUHO!up?ct{jw|4gg7MOu|j8qM==1=YgA z4d?laES}-$#K^!X43mqpoG%(S5(KE=ILc0?lW*N9xf)U)Rf}c?>}lV7?>+I&^S&0x z9Q(d_-v>Sz+wHhx{NctMy^RF!)K#a(?t8t)*ED{8-7m8W0gjE;&Y5SN9-sKsr(>&a zwu!HP^TPPq)mJ$kBcpNOaL_@1)5ZxOINoJ_du@>h3&g=e3%LQBmREp%>(Yy3-+lLs z9d_6$&N$=Dxap=FRi2kFcf|htzs?=|+G~Fnd++@kgwo8Pk~FGl6AHLpND_JL$^uAs z%@Ch>;)!@%PK3K+d6(lqH3?Z|)m1!W{_z!81pifc!bkFzO8k%CS*M>Soz-UrNll)c zAU;Sh$+S0v@gW+lnM^Q{4F%G8vjxv0(s}tSrkj5MdkuC!@b%m?&OF=C+&%QbeYC8% zlMi_PfwAgptHo)b`%L`LM^AEfStY-Hens1Fe|=s2Vuu}K&%O8YtHOTrqaWId($V-= z^WFE_JHGMtulj8o2*Y(?>hD#1Fnhk^_S@ofpZZjM>T{ouLl1v@Y`)btaii>*!4JEd zq(SaLwJp5=`q%ui?d16CIp@Tg=X}Kj9nb%*xKeY{UNUhU@*Bu*$8QLmd;j zZ~oKG@z%o+SN={hcg}1Ls87VItFErLzsYY|Y4(B^5CI-W=l>c{Kkc+Q>7tTwCJ}V6BEA%Ofqkr_#N6bHyF`k?I`A>f)dwhxC zy?X9fziJu4!O`+Eg#)EuZW25F)KlYx4}Uo2;sXzGARScREgkiloe{n{?$%rX5%=A9 ze{8V+`tg;s&-CL0Q&wKtcRqjX(#zc5mB%I_b^to!iRn+p=T7@#eDdQTjW@mFz}Q?X z_h0?`H_^Rlu~${&#ou0g?ip*Zy_R2A|Jl!e&U}rQopDnN{onr!DqwK%U8ow|;E_Jd zjXd}Yw$SNE0PV^h)?U$=AxrB?axI5kIL~%< zwVbO?<}%1aQST<0zI<1f)epxZ^{og{bc|*y3<`9lh5$gJhtv6m9P+!4d5;IF>oizQ zm6M{ZfhmBv^@F7XIwJ25`sh&2BL=e{`W4Ar=EIBPUeW%dh2Z*TH)S%?uqYy=i8cz-DHPUf&T`( z>)-#1kN(dIvG0ES$LrttCO_xa3e3287}n1#sV=So(rEykb~Q%0&OtDIm*qY8+#Sch 
z|2^@c4}I9H20{e}s3VRzA~xM@QxA09w<$A6{x9*CKinLrf8lfSwzt2-FHR;@;PqiA9DiKAEL`j3~=M`erMUzv4}VI1^Bh<0ogeA&jZ)&B)sL2 zL;a$L&9~U1ASCbxnu{;KIKFrJWm*Y#`OPbKN~#|{tsO(CbB`UU^9 zgWvP|#(Wb@h1+hsEiOFie6Pd+-e{DMt}OJbVuYM5FU|%gYVzgnNaWLpRV^#uFP(F4 zeDMpPkG*!=%>lUJ;%|AigiWm`9|zD@^au2U++6eg%U}N*$G!i9@!q44ik)|QRcyFH zKDtzaXDctb@WQzCJC}L2I$4uhXfmiV+2tQHfK^sm)osz=+wXe0d4owT(^yvb`TQk* z6~C7g2&CZ45B8M6(TVP}3=05*gL9Bwg>!nW6bX_TwLG{bO?Y6rO+EN1B(fmsxzSOE zfWg)So#gW>PV)JgJc>a}xR{f%OPK`d>tHiMDo4yKc+^C8g))W7RFO%0jRtm(?GGDtBu!^Im(+H9gSc zyciJqtDeW?Aow4*(aImXDnUN(ZX&F^&U$t@3|Q!xnHX zIxKp5=)ng(XtSka#o7qn3NWmL&XpyzwgK`+5dPK%8$m}dVkl(_zzZv2bPS|pMF#%g zZ=v~GMeWAc4RmPBM;?CI&VmQIxj}*d5#%m5?94BAW$Qxq;6RorZQXU(wR3{!zW#2t z$xPMvh&o_jZ25{;cwl{0<$Z&c+81^U8{QUVyLoN?LPu@pYX$OhT#I|`(Z_5{yrRsn zEn@N@yXDO!`~?+*HvJzt9@FZB|A^aQgBQw~P4%|+Q(8HDdu2d8tG=Fo-p|KBzpw9A z3bTIbJ@m+f!Wm&_zXdnPNZyAZdeA)B9+|j_4*KB^I|gg+dS)d=-(gpT8*(1i>YW=l zMoDi>ba2*bb82_#fE!s>nKH#~!E<&a#6PVpG=T)^vCop=-O7MetQ$3uDav-)foD>uIi3JRJ4a`!ENMTN}+ObW0GUQ)gK8f(U6 z4Gj1L`bzhrCDM_6hE`B3OZOXWw6P{>3*zAi9&kH)kdV&SU3a}0KXE1DJ{mJMu#MoE zL$3EocPN8)T4RmX)jpaOOW)MTwkhdsZ?3t0p+xQOAA-g?b`!Y&5S%wdD9RvCus7IvN3H$mxS zIay5OQ;3%|?q5KH1nL)W<&1NNz2pizVyEcIIQ|14WuUuQ1KpW&bUcvhW?3c_eJuqT z1DyyVJ;S4AWIVO~Dac+b7ickP8W1BI@IL{nl9a@2uCV{v5z-7>^G`KrcN#4drFGIl{ zNp*8Auk{X4PZp#n%D@||W^91A;mCmHtv}fkH)pVFfInn`7SA`e!jgJ&uUipn=7< zzISLOAMasxS=pKAOZs7}ypuP)(3eHS&R2|JpOi(9wU2Pq0WZ{MqQ+#JNh@v7gqnZj z;F=)%WTMb5-E{DtSNS0vy*LyN(IGDS^flh*0zNuTf1$o0OIWfv{S-coHgMZ%lA>Rg zO^sq>wiN~15~sGy%HH7D!F9=`3W$GGMkX3`5`ZvklK9H3C;s&M!Y&| zD?w;UgY%|{lm(~{Q)6k2!FH%|*w;qMII=3VFr+-iIaTl-PExq3Uv>D<`Ku~wsR#}Mj80S)FCNK#~E@oMgo+$o|MDl@}XHOVYm|Dcp~Civ3P3hUz2Zckl5VF%t4b#o=o@_MU1Ta{yUpt{l*tK`6(KpO+m6mq8U}h)0-orb zN1rR0dW$4V=bzD8*|61LiMzxd{nDV7SMmn2|ZG9=Ds-sn=oerbONHvFi7F2m{2pg z^{U@Pmp+Jtgh|1Pix{{E=eph8v zHU<2O=rR3H9g3P{ryh&QLPj{AdVq_E2EU@TR zng%#O<3uB)38As_fM2uB3FL@F!hp6aEjc?Wjdt;yDSG(JkNjt9yWDCi@Ik$*(*uk< zf2y#-o{xVl0B{8iL+o6MTh68e1Ljl(>dd0!; 
zrBA}AofZ6>XVs))G=sjS?iN5uY53MbB%`$!V7XM&9)%DGO=?zG0~9ym%r};7oTLdOvQ%=J3hkaFaU1yMJ2UR z4R8kJZ}Ye`c(IB=&lR%T)-aeT=c#V}O88ziE_dQ!;0!z%aLOtieQiu7-e~c9H0`W` z<_9%b4>A-P7h5VxTQf$C!k9#9ED?c*gihN`ItDdJIvcm#GlOKQ2}92-D9!v}gcy;T zXG<=(l{(vV%g_$21T4g2Q%)^r+o70#NQYF)i4OQGUD2Gw)7g|Jd7;JjiBKHK@Wa!> z%?XduUCQ*qSss9Zst6S**N`jQ8q#!7cXT=k1(NAnq;Z4=l09%Cr~$m}K(5NgM8|`g z=qoVE!KMgxaG@!2P%eWWRYN*iYAUo=5VFMbA$7(_nwP9NJow7(LxfU30c4+6`I0&< zXd*h|P;kgRtn7hN`XVPCer`Xf<8-R=(RmJbu0aRor|?CwnNtI$X$xvDLs2?C*iatM ziE{1|f?AtdRInb|qBMY{Hq)>1goMr6_Vkl?z)=hJQB&eTXn<{24R-9zNGSUw>;@#u zO+Qe1<6CC3@@O1>l;??{lU3Gwg1+jOJ!HEG2OFxiTt6zp*3g}j2uh<3*>26CgfjcK zTqS@Af3_@6MHl(8Ti;lR@a~rog)z|*4)1w|2W+*!uiGrUf4Cw7043x?el%S^qDkLy zTNx+Qv;9<-IuQh-_U;1GgzHBFl;P`Zin?T#hXPEn^P(J_8aG=j`!Ir{V+L-EL!I_d ziVEHTjG#~la3&YX<<+6;bew98PF>U?D54q~eZE5Bt$|R=7?u@Z8f*(W`+okx!kB@f zOfceeT`ylEN~0T?3Dvlvlp_iG>(TrFi3feJ&`=^5OjQI!V1Jx{F6Yl3ZEQ9;j3jY= z%Phu=F{lw78kPK)f&Y#Yqwqk(vmH|JP~v(5*DU-8tC&Yqs6j$CT-*uJ9)x9AuV7-^fP2)wy`3hpLs4 z4+%>qXrwUa6Qkxs2gUQiZqq5iwgNLut@UmbzlpY=JBPqwH$Odg4R7OAI#}g`5 zM_5r2pD{?3d>-?7WoBN z*seg7-S)~s5co4ucu$&a_cAHqVPdxMO-Xo46*@!&)<^P~x=~zN*a%S7fIQZ*>a%@= zTl8R5#cdzhB)pO2%*=OnrbQ|RlptO#OR2*EO#}eXU(Tg7R&okCs6apaZt@gfhYSmFtZDdtJ3%D6uu7`{$%`ainLmIs?(vJ%IuE}Q{^I8B-89J(q6yMDnn z@*q+PDI9WU+&r7Q2}lg`vPP?2akl+!uS!Utq6u_qi+r4ge?Or8l1C~u4>F{D7pe&9 zTe7ll>LFlkg8&55l2RfQRvc844vA>bKctEin(;I=-WI^KGAP0}0T0NiXp5mvxPJ0$esGE&2z2C*TW?7+uxX`^b6|$fb{>OUqeJV5 z=5&1};It6gvpJ#Rd>lakZ-He>d2_H!!EkJB<#e3+{c-1lGj6MXg74(q7-2qO_3be4B)Rpl_S5;Z2NwVq}05hp@ zOk9M4A0~C?8n0@6)vAJQX=Yn-y)5r=^bU_?G;QTU4tupcqJloXHCS}PKyMwYE~B78 zSB7f9^$bXL;Aa?cgr{;|J)uL;sRpsB3;uM>3JIJLng;{o)|nQN zr!J;aO2e?p<|Yl_bm0s60F6th0<#j$96Mj9{WqbuEcKMSbg~JYidSp7mN65X;0gzSLkX<4z=8a>&3plAmfrZ<*eNK_@E)m4*V%Xg;VA z;;s;m?eE#K z%ZfgT)Qc{SLn1X0=UBms1!xiFJC@+Ourrl$G1G!vVvvU8s&PUs3lJxyb2EjK#w3W8 zbc(Fh2e?C8na0--0|j?T^4C7rMa>lO&*jML!Bf1T3%}LBBEX-%&R6ZePRk82I9_Ra!Oui|L`12G6eLy&~v?h@SH-QBgt9g0J7E6@VPwMcP_ zdvS;0?wW)MA)f#9d*zW3(dBtYP6zyCM)?t9KznVp@Tomo43RGvhhju^V4$7s{( 
z1Fy@ygVR?yJ@T{6C2dAt;c+zol2ev}TW4RO!sSke%H!Rql0|ecqw?%rC{p2h!*7*1 zp$Sq!?YVit=%4|g@9U1*&3p4jNTn$9n3rD;Fj##W|CS<+uSa@HcyJw`osY_gii9z2 z+3naNPu)fUEGRgHNAV%ijTcvt)^Cg}RSBx1^rR{yA)K5K=V>|=L@Bh33AG6bhx(Jh zA&@V8$%5n))VP1+yd8p2=-=FvFhVz5$~$Oe=M4zzEn2XIiXxGQ@}`nhDkn#fDVuOu z)8;fKf@oo^;u6oX6jpl8)Q8j6fM=*34V0o)*->ZC79l6B@)%A}Qkjq!M+TvY+UQEL z=xJI>*eNasj_>KQL175fA52lQJCCwKDrF%LIG}P57ZTymPhhEJ%Dar*cy^JXNtZ-` zpF9XBtQiz9t}cQcs2i`N1JY$SnKxy%gzA|#FkBUt(^m9+S;s(`(H<18`tUScGBNR} zcPI=_tzS3NOo!Rjd}a&!+}32E{l1{|-7pzB-hr%j#KaHi6Tyy8y8N~q zLHa4O0e=*eZo8)+;VCqD#zSST@`8_9Gw>UJKsQQ5{w}9{)LCFDfO_=Vl+-Oi2IT?` zmA~7pat0fnaLXbr5x%zVsyY-M9A-UC9Xab7<;SL`LI>>=DHuB-UPa7k!3#fS(;wofdfx%Yj77TDy#L4kn%cn&kgc!dRGOujv zU_)pq1372Gcs4Z>3@d3%Mdq3B;FWjy5ZkJ<)L1Ewks`qUlQ(|);VM}(Pux(5ion8P z3n4zl6*f61Gd+1%=xz!ntN|3o8XgFDC5=vcDIgD@*o^8mi ztD*=}Hq@v@do~*AA`|}U&`|#rJFkAxm^i}cjt%_4>A6-Uu7GLMg9WE)SzM0l3N+p~ zUW;oDC_21Hhkyg;`hgdIK(Xg^taoObA4wwBB#iL^;YwDDqe#`1+6g+fNigEGRGVM7OHCr7+MuD}Hz&=$Esw#kY-JS}G;pgA`} z0PZM~a-{N;k%V8$&9Z2Q%YolADj=1Y9VvT7z47B^p3B#jkg zIzQp{%aBR~Quk1}+8imqeknXOfP{qh74PNGS(!YOBy~&5r)OQ%mTQm|W~y8a^410C zXWiwsCCId+hoqxvT%POBd=e0&%ovs2e-%)a{1Y1Rz<`5;RLNS|}Mb zI-p*uwMJWG%%3A->ErE;1At;c8fDa_?kBIBlfG?E4|kC8}0j&z7a zuTXjTR%uCGD}05^)FovJjrW48UVI^HqD}eutj@Y&2FP zDmCf(u@S2fRBF^XQ3Mo;*hP^QL++V?Dvh0 z34(zfN}4)G$|icrU-@}mN26Eo%*4=8|N7$>Wkz{iI+p=IlEE+W(D&eDd_}ORcV^(h zqwp@{)$5s?+Cv547UfEq%_WT!BL?c#I6NW(EloIYqkFmo@0q_dH%u{VmbkXtVo_B?D@D~HYNih@wZuwwo zBk+GZ!W}me7un46`ObL}+cXlcLMERpS-?+Ma5<8362rAy;dVsR4v&4Ym*T-UhslFS z@qzY7C&e8G;X;P}I+t=JY!8|cD z{Wy9UQydy3LTBtHhvp!ESB^?XsS5jxp**)0 zo(}C~DA}#3w9r9<9Qx}i%Pi1y&DEjlQ*#(K{-{tgXvsBAo2*Y&NM+Dd;)!Sbh;CP2 zl`TT;=~!Mp@JN-80C-VAy3+IFN_oXJ>XJu{JqEHUgrq`O#dm${M@`*%xZ_5sc$M^J zY;q~T3Gz2j$&X9s4IP;(^9Ps1RJSM-kI)#oNST+-7)3dlcBLss+0OKmPjU*J2HlVo z6csN+6~TticNNqUCM4Gz9KqyYIm%IZX(u2`Ypx|I{>}5Mfg-pw%`NxjDL&*BZEnOc zPiY&944>eJ$;qD@zuBmR1CM!Tgv71NqBsCtX+ncj7niNc7?n0r=tt?@*;hj3B-a$H zi6F--$_xjd>Y@Z5$*LalDD?=C2e)p)!XXT<1LWIZI;hs)NXaOS4gni@h7DCYmA|KT 
z^KWRSJ|&P>(qbMs9_7svfC;E#HvpqI@^*?UF7)XJ{#4GJ+sM;xI(N@! znBr^1=vNq=8V*CTZ_7`{^<5*73Ar`?72oDAWr-LiAM>>4n#P9XV-2Gc))dIlnNr#o z9CP!Y6L;oLAa5~@ieNM?!EQf(I~lunR?_a}iGiNRQ5Yi;uK1O&7c-^D4n?Luod&~M zK+*lEd<UYzrRUGh{}a8jG?FJ;!}R{gCmhRK8Hr` zmxxt9Qd_W<7T#D8i7#Qa;-sRLHuEEA{!#?8rzb~)v*xcmXvk7Qz5Eo%>llhoop@wI zXob59NJEAKU^-(M(~~((M^aiSjaDRP-Sg-2CWc1HhEoq|jKMu&PzG8Yel~V;@UVch zl`B3az7<{r7-toT^7Hd(Tx-x$cQ%e>W&p{>L*+poyG>R3QNNZwIg%qXc}^s$ zsDdD zbOUW8a|It^!b5&?0LBF+@;(O$Rb2{pPaQ(n9A>k_@ z9JJ0+d_xBh$~a^SQtG>0J!(#^C<;|3?nMN2%ab20S1u;xf9UnE{Qy7dvGfvI{DnWfSZ+fmAp;LMy?8G{#oynq0vAH57*scl${5uA1Gn-P zUdeJc5O%s0UyyT%nJ$!I)nNC9mR|K;`L8 z2MDZ)qn^mq$^(9if9%kN-)z3%^ENgLC^#60;uF2J2Sy9j5yrx-6>_Ep6`Kc@Rk*?L zh9=jnT*(W`hSDHTwD^pzLN^XQkXso$1#h6F=@tK<3oP@D+J&7+iTDoVXhdhGMn?Ob=o=CMZ#z6C5 z$y}XAmqbrIQ!W&`uJFf20FTO^Q4@$t96E8ja7HE5c630&K;3Z#7qe47_g8)#Zq8bx zJ0tFV!c*`oz6`_oY$j2*oL5SF!BJJFnEaWerX2F5`pYr^@!$dFpmUTvQX#LZGgS^V zJFo#jY?OTi2W*~P77lBsQ^DG~(}-5qzO5tBCrtM$bLeN^K(4Ll$QdkvC>JfHX=EDt zxg>JLgSO%T{BV?lbhy-KxRSDU$8UjALyHqu$fUTx510kihHDUzkch!FN(+iAkT!+j zA}sARf?;PFjSRuyiePaVDkHhFC~XYXn1D`2vM-xg$?1O@ERdBOGh|GDsT&pB0*e4* z;2G6%Ag%=ws7Z6h3+|Q38x;zF6_%m-rvSyN!b#6Pe71vH$EYBwrrJE^C_zWa%jq_G zC^XY=DZt>!G!U+f@MBP@6W0^rG~S8~1JTC;P~SL!Qh>fZH$r2!jn04)bs2s`fT#xI zxHa!3=QeooQ${S;no(qmfw7Z-^GB7r8Hu0uX}wgYNq)vNfSkw<(0xPM2r5^r1UU>s zY6UrzKGCT^=Ti$YDz4lW#RP^%e{S&0C;lo!m|hBO$jgP|UNq>M<)MwEgyD%gP%?Pb zETrJ)vI|U_p+&l^SHcoT5}Z@<#C{vZR;z_Lo`0$Vqnm(P(l}IT_8teRZh}}!JHG9pSVavM_l*3E9QD# z&Xo=?l>$K_zyCpK%zwa{&v)q{v$y=im z|G1zBaK@}S7&RLRjxfc{PIK*jxT`HriY( z8to5qrPX70IOOLJt&E%p9>jpJ@<-yFo4qq^Q~+P)en&{!l)0Hv{r>i#d|OiANB0f zjX@7J-WQ;bN{K0J)*X(Nhax(GZjo)> z%nT}gN)AxAj9vrf0naVpEeCLjrJ3FJ>u33j^Q2P*cGGa@+pzi|QNWKnk^#Uy%B zu6!{UrcvWi#j~;`8cg?&%nlQHqY6D1Dgb6@d^zSFgv-K>0D&8t@%Tlwml`SV*MZAX zxt1XLl0~Pnl|P5D4O@5c#5>w_RUzfUG$tp&w9AF>vQ{a6A?IE@FdxMU8GPpblU=De zP=r#49s#mVoW_d7h@nV^O0lxN+Xl{x1qzcM*qRM0>4g0>T6)y@vBqMdZz#3PP(j|~ zPZ_}raq?|=Y?9zNhDJ&Y32wnKj4Nd?4*uiD5j4S6a7zKBbl_#qbmZDi?qFqYMx-g+ 
z9TQRO7Gb5CaX^Y|R7a+93y~MnK)eCsAtNOFrBgp*$`WZIg&xsW<#G524jn zbp$>|qU>Py>{rQO&&1=7PLn^Ps=vX*28#zw+X{1qv&3~B@dR%&K)_vb0x~06W|7a0 z*WU=TW@}Ig9~Bx{{ELCi$id98rWA7tP$8*wav-1NH9ZM2mni~ONEyMD`D~0}s#r&@ zGf-fm@m(oTxsEL)C8N6E4!~acQ-^%wmoi)NDI&s%BJvBuYMdDUeAh0gGKp6b!b1d- zbTG=il8}1`7s^w(MhvT_$%djla!N9tdTwScNx`8;0prOVPZ-_6cN#l?z^G-(GG^+$ zuLH4x%D36${{%onmRwNySs*n<_3-PUVDZ)b6zuSTEV&#QW-q_ZITqx(^T@Y zGM0y@w-lE3UslAxNXeXA3qYK7DCEX?sk&%y%11KbotV%ohb$pq=sm(MU%o?5_3XBu z{sroH35DO}QtKos4M*UyEymNEbj&aua%^U+ZEYXU_VygjWtme7ZHP!m{<_xIx-e+Q z=SMxu&y`K?01w1106)nuI~zRPxG5fa5R=z_SW3X3uksI;A$At}!AKE@%^?73d@_k1 zoui&@OGPa*99#Ry*OwT(xB2)om4Vh};blx9Ioc~J2*6FuYQ)+427rOWFGswdtfb&oy&osJ!Y7(3TpCTv17E!`uV zQGiG&N2O^J>=e2tzFgZ)|El*?T}xgib`=JI)B2|FRc>*avI0jP&wKN7HzCtzmR|Wt z`LYhFdrsBy*_e#zFb<-@uURNoQVgwC9u))dtN!zuHYQ)%QpTyM;l4@(cqArAI=pi< zoxs=L>1YmNY zqXJV%>`4-8S807b4Ovx{jjQEc-4m2z*&GO|$EZIyLWQ*E2yY%|%mC&(lSc;UY zKyI9&D7hE?DQkLWvYn}SI&{j2vT*?P2pK!{hetCi7rO+FRcZL(D|O`@6z+b#^DuV} zE~@aM#LbhclK|xLR!mvKlhjq?sm$mxpdDWeZ`W3FWaNGtWL`27A`?$HDjx6lnNR30 zC4+Uo`gI8CfVbqQU(+I*g@d&DM@WvapvyE`SrP^xh@SOKdS+UUo1BosWOAW;p)(jUO>LU0f)f}I`Sl4mVs;eZFCisTQd8dAhQyI$;|jK9iPK|3C2~>a9al| zt-7s)JWVH81W@_P6~Rczu(|`1mY)L_avDh!+|7X|ogzXVq!`is<>LlITE(dZnF8VE zMg!ftQby{?Vag8$$a^p>hV$J&8#mT9h7PWboCH_ssS6uNQtQ45Do}gZ(U3VL5U02V z?n-Eh+30}6$-?gJ2N+RWiupl?s3sbBgS}Mwy_&!is;m*#%U?4k3tN@?% z#a^+ABc}-cAT-(f3AYp}fA>WZG8!*ISQr+Hc}OIAFPGY-o*g-vAkoFE-|WQnVZ`84 z`I&J*5w~xTA1x(~9J3k*E=r4HXZq3`TcFT#A-q-H@#_?nLGf(NT$Ti6h;LfDBS4wt zmjP0f%~L^vxiBPZ9mIY^ek(MFi?DgcJNwweMsit`jeiBgbP*9uiS`EjkqsR4;ImSn~T z0Rx)`r8OvNnnBfIS_1emlF^cJBeY4&tz51D!0CAXe882YcNb@95A52udM;8i>sF}T^$-@ z$@!ufRRd}v!6;x}tGtwT%sd|znwPVInwH^b;%^F>wl(~ohAQm?fN`aARFzIA-k`v! 
zV=L657@CMdKmFwQ&AhHBW0z|!tZ@m6lDmUsdB+GUh01NEWk|a4jI|Cn^5@2lP`%imzplbo>5s;J_HlbYf;#1Fw&{ARx&LHz-~nffApxBeCcRXQ#Z- z%NEP=IS@h8D+1Vr#TpqSInwy`8uJeQqWDV8h-C1fsx634k3cCic;!&m=80~T@7ZQk z!J{LFNBJve8HUW>M>IySG9*UV!jpf;>bJe*L+vT zrA=Fg(Mu4nf5lR@Qx{nu_EZwkfY&l2`01yCSx3Ya9YvNA8S4+y83F#uamrRjbG}Kd zc{lVLGM}=01$4j&rHF^138D}+$Vd_QMzXE^Qldo8-QD#pv zd-Dizl9gsIfzWBYc2oOUz-fbKQlE26tcUIbz z4FygSh0-Gr88;gWImh8yikdN^Ur`W7+R5ZobdG)h@Q2uAw_RiQS!az0AAK~w@6}6b z+eEt#DIabpD0=5bM?j+)bsU%i#+c4G@4PXi%G#~#w9$RK?lHp*)7!WVQHKIP#rFw>9V42hbGfTO;sfOETWHW7wc%%%4gOVyw%2&kyH9V|Ewbt( z0mX~?=AAz#(CG39=^39WB}S!9%6xq%9A5SS9X#WYJRA=1@*Q2`&_VLFElW(0Ay-kU zhm4=pa>pN9+8GL}c$TWlA1`jXw&X}!MJrf-9gG(PfBG?&T4GtKfOJsf{p+)UkwXUm z6tha0jyvgO8@vAfeu#kse~k4v+9;0y^U1DM6r`sK!s#h$R^i-S|utO2UQ47O?1EG-wlyvp9d0Khb zX}iUui!Uw#oWQ-v=8$RXWh!9VQ{JA}$KO&Wr+D8um|$qKJ;GaP?#t zl>b@hUl23QG>Z?e1seG=3Mie+TRBh9Byq-F(xn#-1tRq<=RfLHqi{$x9b8H}$yIwP z^o18)RLX4%_o@?D6;V*)Hv09Gf?jHwW#asc|L$*xQFjGOeEpc#S}KeoIOOni{=}=G zmac;GjLW>K3-0S_>tRhH)5=K(3I*`N>#4%S2*jsVs6&bJKJzc<#imzI`Ku8^A|p3zOfRMFX>8@Gg1Mcf>Qa9CMdA1E-79w4eUCWh^fThv<4=gT z8cA`!CL|zN@4x?kTz$>;amE>E$HF}pRY&2wn0uZ%E@%dHC-d7goGv?mQ}))oT<=!&rZBhs7c44xcWh_cs&f9dWOb9GRBLEw)NIsC!T!z z>G9F}aa{cO zi{gU6UJzZoc8wpUOlg07&=tclNJeiF$=|dJ^E+pv13JkAnxNHXQ`h*5`LB9yHRS+-}=#le3CyFH-v#1a= zUG6FzMg#vmzCL*pT>1hIp_9L;Q1|ZDCtpU@^PnMv#NR=phZj_3gv2`p6+C?4QK}CNqBRYMx26jp zENR=JeV(sZc&ZM{&|xxEqH~CNwGh^jR|pihEDix#VCJdwB%vA)RkF_vR*@-7CguZMj05SQGwqFGcA$>;irxY6dFAP z0!|)P2Bzq;F66B%uimi5ooVEGXPr4tIOdobp?qeTZiZNCrBz}wby$#HmBPGdq{jzf zkqp+ckfEa33NRXClt4YrHTOI*`U+ifd((A%7b@X@Vbz{DiN|pFGbgSClS?A&=z!xQr1)Mo13e zuV@@RL~(hMUiX8B4v+paSh6#IosJZPB{RGW3Uux~Mcn`3L-FTRPK|T__P3ZsGQH+% ztH;bU&7?duBi{` zMrX3_33y%7x+zyh{J~myArVK+iN%=bLP zwN}hF`|R=Ar=LY%HS|Feo|$HvIdM^l;WpBLxnuKq7Oe|W-Z>L>$i`Ca$ zGp3kw%6Rpam*dMXzY;IDjlK8VFE-h9^H_4JrQwV5wN2x9YFKUCwX?#WQRz-S=bZTX{SU;K zPhfKPfiabhB7MWqkU{C#+C0F7BPnZL`CUv5>;n*=jp8B@Q_B zFwwth%rL`DG0SYT#eM&}J0_GI9sB1~;F?iy>a>*qIBH>_nXz3lR_xALIg 
zzN!55J02@<`n4~VfAD8+FW>aslX0K00>5DXfzPj%pMUq`gDPx_tAOpDw@t!3*U#9=KS3@n!dx(`UNnw#9Dw&Odsl{7J1Y-}LVvE2q_`fAv@I z))e9-)Wy9{Ql2{R&haXh05bZutGSdb^wV_0xUyG0&E(W@ zii3XNs}$2xtpjv%4<|_DGg3Du5L~K_u$PQyhmC_&ErD%)eLVsm7XUa+m2-p+de&5I z-|;2QT^;#OeSmE}sQDupdK**rj$lV9peAH`b*KN>X49B>62U{~66_e9)_m$zxfEIt zhLJYNGKKVmflfr4fn>chvhE37*r;459IcrqAnjG-vIaOY>lAZhlhv(K(mnV~x*9iu zo3?qeC0lqeRl?{KtWvMUuxIURRnYmoFsPuW+ki5u)1peCBwBdq!a6v6gG0=$z-G{n z;A%joJg$||6IxZ3%R{e}e(#5$Q~p2U2Y=+b#ud)ZeuwK?zH_8dE6dzq4l>g(M zXUhj4Tq(b*p!D3^d)`X?{;#`57u_4>8Fwv}+wWQ|J<0t`(uLKfuNb@Y3YP2TU%vgZ z^65`5m!Ev!6Qa?|@s!$gq6z+&w|}vGP%F`&d++07xl#VQ0^E7^3HTfT=#%B4$NS|K z|MGL?OK)2$J*_UwV7)BPua{$UYvtJdYB^R`%hKj*S(xkV{3qzqR?LyV%L%r(*%;m^ z7@K(of}K%mdkgLl;fOnmb5cbATy=9Fs;>^N5BhT8u~Mq>9CwAi&>lVrM~o9B zWMEa_Pm@O^uz3}yI({C;s{(8-8#x#$>30*glJi3+b(<3#M?LqvRG{DjZ+>mOh9&W0 zTwtN2JbyTIwEf64@_4vI8F+)z!NFO7Qc-P1tFdjqlM?>4W*{YpCQ<69PMN!P zR9~1M2td~g1VsY>s6>!+4l$}kTbJm=-*-ueY8m$QZ|1R56kqItRP^;c(;qf~C1QPF zR6&rHCxNgH4$SRB_hAA^{MM%EBc77&Kj~u?$N29Rris7yKu31chPoJ&eFs>N z6L1eOsrhbrr66;kQxJN(RzLFk<)3S{^t{)6r2LhC{K@jn+j?a~LFlA{4Rim@u}=B& zr!AJBP@wvAKl@NAw=C3ot`Am#c`gAOB6fkO?{HtQsoK=Vvobx+e@$F&vjL}+p@-M#Q-f~=et+A-7FyMTW zyCNv&FOXE{;H}T1#b18s?ZW1|7OyMirn%*EYdI%8Uv8N@U(U>5ET_vw1wRG6(k~s} z5vEO?J^Z30vSlEecg7S1F+m@`LsPnINyI$>N zUz6*|!zwbq2ikTfScykiSVYK?3`sEoa}ft^zG@c@O)02toC&=Hg1-U5Fw(!v)E4f( zALqIlXU-3)LUr&Hswl8kHUhPx5?-2P4!UY@GVw)KgJ`_E6LAE5m0`1JT*19Cpd;3B z5Ecn4LTTz&6U&L@2%_;efSdIp$W5rqiru|+)tF(Xm&d16No^hgl`#0Ps9%6DrLFd*5$BZSd_TK&p?v>4zpMUq+^3!ko zeEH@7c&X)v{L@yLchHA*B>oE zB^kf@z{T>Y@(scIu)N}hH0&+V|BzO9hiE_u>*>cz17t5WU$I2b^kE#3# z1-nb-_~vq1EbFDqwn{pUs{1(D7ws9a4qj#w;A9Z$e;gVe5h`!L$>puu5{S8H$M2|7 zM>&qr_nxZJgG2n8C_kak^r3|4N9dhEdX%?A#WwU?M}krxd+_VpGL*~Y%(I`=V@U@% zei_`4_Yp*}F7#rh5B|JT!>&WwpMXHQP^r+%c2+}Tl>@*i5X5_G$n$3i=L3BpsbfPr zS_Gg8_uNcxJt7b?O~{!QXwQ$l)V&4c1!EBp3)p5b;vjSv^oI=B!QV245*|egV@y6Z zh`;v8Kp8Tig$#-`e9*bjX{Z~pjkbe%Se9T*gDZoSyAQ1P2uMWwI8M?eY4;OSPD?g( z!l-OwyM7vS*wSbMjy0Kxz=Wo|V>aF+XeITY|8%MR5C86q<;VZRUFEH>e0q8PcidBc 
z@-N?0e)n@LWkrGFpZ)e(Z&AMc?>?)%?iEij?|ALA$~QdkgtyH9p9e1~_}o<9@YkPS zUU1h^tegO~d*IRa@~m5XRZB7AiUg^2VoWG?g*v(xm$F<^H*j&>&9?yOt3u!htcCX;yqxZIH0h69(=XEniNr{20_#j?el=t?G7Thp36bg;o4 zGff&+t3x?n?w~cE(>dk6r4=L5ygr~HXNN5C1p)Sx9k7XmmCE>PFBz=x4I&IJS4@^C zzFzgyhKGLi$HfFUh~eNBq8vV3#_)>!bpbRZAQ2nq=f!oXdgQ4Qfs)`6E5-;IZ1*{c zM03kRe(25*xvEb%dg*K4k{R8Cj#nwvf&ed;?7SLG7)hrM5JbxN!f1m%G-s@iZ6frE zMBoov1M^GuFe5EH{#Em{NQVp&1atPMv~oubrL+s(cQ0Yip}T7?WLKV{Cp*f_67|f;#-O0yA*2 zf1!NpX)h@syYE#}mtPs*gPoYmT0Gr-Td&-Ex>x4q0#?^H%O@UNFPC^2L?_p&^XNV zmeWh!^2JM9X{r3P=lbQcR)d?r@PhJ+UwXLw)~8p>9Vffx{hzs9HZKm!*FOKI@>~Dy zGt1m7KTy8@g*TPuOBc&0A3j^|={;U<@18HG6v&R3Rh@bf$OfC8vcB0X7dB1^Pn9P& zZz`fH%jHa&8$40I;$uHrj`g_*s1>i|KgRFTy_(;n+jqe5^j^zW9pWYCina$1M016E zb~r*Ah!>%UvNF!z_k8S(aGWfC{;CAP1PAQ_u?Qb}CVmix#MG zM+7J?aQqIX3b;RK2@v3;=uC(VAZ_HMBOCD;i~^dZ)!s^kc$trA(5Kyg3lM^19-;@q zi!T|(uCK#*?$4O##_qIJO3u;O+E=vGtpxgLSeB<=(U)#NeIHvcA5_3_kW(Nk3!QRtby)u6Czs26KfYW( z^qCbc+%zdwM{xMyr&Rv?m&%1T(c^^8Q%9XQpLlqs{MJV=l*ca)%SG|~2my%gM790m zxj}hI!OSugK_5NeFYg!s_leiXKfh+)=_@$F2RdgScxY9!6s$hKUOx5*Yvr;6bl6Sx zYa8W3w_mmohwq|-w&C%$^3LBoUq1A?OXW;=y`1S>E;p4+<>bbtvN(5HE4Rz##N28* zv3a?i-ndw9oX%@^1V%e-4bw#0r zS0ff^w-i-)1|4x#^qDP8w(US%6DvGcML1cn?rJjt*X^w@d@7wfBw$VI$548)Y7GNN z9|_z{4!dX7d$l$o@KY{>xJ+r;$#p{baaBg(=qlJ@%MgK0NQIr?yQwRfO3WT?ocG!Y*tP2K9# z5gft3fP)AQ#Q0GG?L%@wtguaJ}C!XI#;6G+;A182Vw3334V zfCzMQxbz#r)tPu@Ci>XIQ!vogcHW~R&#Dhn@^;cHwflxOh+mED;RER#f1w{3M#l&W zgbHqKRrZHm@~Cez4oHxq&vxb-Ek9k!D$hT+BU=#o)z*Pt1+1hjtJ;WQiXh)76@ecv zQJoQGbj5=l>W~x7X`=+djDWAu`ijVtLjtS;1q|E(6ubSTt zXh&c}Z}^6=XiouB-S;Vw-SG&ZoAl-$CUebcic=AYNvFcmDl@7=+616lZKw;qRA8lc zQ0xe95Xf$1 zaxZDC>?aT0yV^Gc{kGybYo)!);tQ`M$PN44lamcZ68C@zKCCv>BMmOUu+1vYzed1F z$)3x1ik?{@&`6*D5w>E2f94LxbtbhruUT;Y+Y!>nvXSDX}Rh8AO6Cp)Z3n*VT zk)GzkysFBWw#^FyrTt)y+fh*q#~}qJsSC2r5!`Ul3@eGFF`gMX+1L)XpQvR3X|_^T z=kroF<=hA3W<}VUi~pN%xutyf%fG99`XdjN;o4<2Q$U;>_%(x5TFsp<7koc&N%5qo ztJv@(_`2|G;R~)3#)myuTKHP7oN-PBC(^ijRuHUA{FI=azXO~+S2#-cdh54>3skO0E6^8S3E;hxq5A2^d(}^VGp>2?#P`y|P__vHPk#>j 
z=A(YO@7&kIW)aYF`fOuTkKwo=@O@A0snQ5UY(LP3dw|%C`+quaA`^RuED^#*?bMQ` zAHi&h%?J+S2c2XQNa4-}3tODLtHzjkTx#%8Qeds?Q7J@7X<`NsZBWG)r`WnLn8n-D z=uV;9xlX#oYY>|3Vr+Yc6eI26Jqf&R3q42E(T1QL{o<>E9JJMUKar}6O(}_V1NRK2 zN3Is>3Dc6`Xse}McNIPqfT4e+fjl0;p#a7yCft=HJiI3cGOs*4X22r|$27qfadI`u z1bG^rg9JNly;)XPR?5p>_Ls}wdgb?)Pk#8rWue0}Ae&`DtG=bVm2!GsE4!jqU2jdn zPURXWo(q7FM$MzOFOWLI6u|K@FL2Ouw{}*(59HcPg|ksZI}bcj!(^`TZT$m3ZXe&e z9YIYFNHjS1k;j<~?dqK=_ZM)<26tY{T5rk;ZuQq36vQd_y*Jq)@5yJ48jZIp#W+f72)gs3TAF&v6Dq-9w6nBO=PmZbwOwiit z#5TZO^9-J}2~b`Qkc~9z;NgobAxApseg%<%K99q^ZHA7K4}pn5Dn(;xNBoXpzW|$# z4?Ov{t#eEgH6EOgo^)4%jo1m3V`dN^{m030gbms#6`XgXIpW72JA1Z#%S*qty!4yC zrF`H$?<>6y3xf>@wc`qQH+3$TQ{8?!zA!Au6bQSj%h#o@X2crE(;I-T9gz}ESR-vG zK^~VIEjC$U;G|IohfiPtV4xy9YgTrwNL0)U$KRbPhOrGd8PaZ^+mSTX;s*B{%u^pY zP*y=a%FjxcAVQr3UEP+o{h^gv>}zRDk(4LE^}1d2p)MeZ-Ea3l0#=P)Q4LcE3r!3q z31+N9U}Bvpmu$)iTeOER8k0~NX_o~sR^IBP*bPD_kT|p@A_R*#CJ$(7D>XyksLH19 zpT|A)F>liRnHHj;F%Rl1pKZVtqtZ-C3+14^RcpQkxq7isNouajvNXda_RP-=*Z~nV z^D-k^Wg3{oLdwNfp3)m^JF$%hA&!kQd?&#!f|z2O z9iW}4I1(IqEWOhcD$toPs~9*mSM6H?{*H&{jb?Ci(=C7+lQ~=&AfrPdLAZh(4wsdR zAF^SqQhF1#y#kVO2Qqb(NB8;CW3~qAW49OYs-(W~^^OU45?hBVbq>3Bcm=?Om0orBwVxHY&%O@<2Lh)pz3 zR30`g7Lx=PuwsrdzHTlh-4_z{UqnM8(x9bnJB~$#(6*sKNf}7%;F=M-fo!4q6`PNc zCIdO2+CQ^VnwkxaEjwfHPIq485%%zfMwR9F3YCZ!E)q~yWrxKDb%{I+gen1~Yg3Y~ z>{AzPa#;eb7B_edWp}>->4BoO0%-;_$K~1s+Vut(%V%%qZxiSo4h$I8v+T^*Jn*}}Uw-b*KU?m)>uGLx z;ljo8>ev45a(?*_$}^tz%yN0qE%Sr5a@%9?F2l9e^2A`VTpsqyr#^qSyz+bh{*?wg z(fMB|y604!;GRk4Bd2yCJk;gDArAdn8>)Rh)Sf8pjkZjBCHU?2(h zR$It+qFeE%wjk&Uf|RBe;Rsm65R*_zLUKc~1x9`6ivdI@c7!5=X@2ud6Sk5!$F|2G z^I=>_b-exA291IEg;mG32!Ji`5=IJJiLvw`$Pw&35@O4Hip1qDLbpKMCZyZS?h#O> zC1xypV*ry71oC9v4cf!lHi{=Onej1xaswT}dE6UZD2wY)C^vZy-l)(XB5uEs#;@R0 zczxj9h0Sv3o%bo&^~(uebe~*UFJ~6l%dwso2ZPnJR4$aafBx?B#((kta?hQ&1S7$P zODpC3zVn;QUFY9ko_^2ivNr6N_4$)!WusRv_2|@4TFjUp%H= z2093Q7P=nz2=3@}>(CGGTnL#|Tj=YYQT`KFTA*(tqnyXcP{2{gP2?jKOa!3(fm z_Qoa_T|Q_L0TW(oTOBEUc<3dLDv*r02*GvS7@I>H=z!?$RrK#V zg=XIB1oN#n>3NBt8mfLQ>R~PO5a;iHhCwpt<)`iREM7QtzaGm~z@{Ug( 
zEC2MD-c{~y1v=p44}P}%(BJy5^5qL3ET_+$E`43B4mRe?O24B(*C`J^a;|*GEC1n@ zjlSI=PEoC4fbuvP92HL3=Wr3#2x*#24g|X}wz#e)3vUa0IZ*BDFT9>pcN3bOy_N1!>c_ZE4CCCBL($?s+ zk$jW~0pmq}i$>QRo-Dch4xU>AkCz6info_P54QpHhuL$eQTCr$eig{9^|AUq{21dL zvUG8hXEZ8poXW5?tlcn((#TNrw)p{kzy*XJ^{h-qJ1FR_apl=-MH-$>;fVCW?Y^N9l zJ9+`!v1P1>Je^vAN4G!eMRrApI@ z39>DL@szE2A0Z?_0iqWK!ZuJgh8*~?sUq2Y0&s&nNNK}Tvgr@6Hn?Kc#6+@&{z4=7 z`$>Q&Q}(_=&Tr;eov(%rc3FP}*A|#q*TD3M@Tf~3BHQ!X(?N(!w~hswyuKa zEZqiQcKU$dOlj&_W$<$}Y}Yj_Jh8yRa?cKjhNJIsk4mdMRyMRF5Gr!YCrTLGmAcaA zTp)I=Yh|~J0dUe)9_=7y1(k8*Ai-|Zvciz`J#FHrE489ye7rJMWSUoBu@ySAf+NWJ z`zy7UC+OIw;(?>b#tanS1?ttIaAU|SS8c`AA+vgN)1ZfV8nG3f7e64ZjlLsr2vjg3 zpxAC`Al>t!8QOZ4DL#H+!@&?hGWx1c0YOb-Qh)-e#)_su1b(=AczFPX!3EVnX`wp$ zpgd@=1vJqc2N~;_gv;-g% z+0_yTst;U;g80a0UWJG>7NHC;+s#@Lea=PMFs~t>XjYeXQnkM3flP! z{X#JWMot1+#82CJbtlnw?$s;VfIf8&3b^{GR}$nwkv@{`Ajds9_Z@wxQ&Nadw6WpU zPxp}v0+C@($Ot-E%Qki=svY&u(~=IZZlFWddUab+J4j^jys$Ya0tE-QYp$z?pnT7d72gVeN#DsQw zXP|ct+X_g{6)voNB@zqGRYeJ7mAwQ1h0roX10`e&=e}52Bc+Vg*Vw+bZ5aXbY$? z-rF&i_6U<&&cZFF&M3J>%7H#iLX$9&J%wlFeFRqzIVk%Ku=Vw+c;j;{q7Jm{bdIg8 zTrSJY=alZtkM^V7=U+$uXsc4c_J9A|a_-zYr=NEB)5}NS|L@Ai@Bc!X|J1)OUw_Z% z%T34QmlRkiu#z+{h)IkCdKvi;;ExF<{+BZ#jU$XN&qNUsiWrCGK1fJ93m~@Fpp7lI z#omG+rRV-st`;o8=?IcMmC0{`c^g!+__mZ#DES6Y9{OO(i<7d0r_L;sZ}1$4?BlFp z=dWXx>@q)`puSSaR%^aKf$K&OOSaAdIPk7?B;Yl6;~4)C^BFd#Z+5War3-+(-)Y-Y z?>72_#*NWY5=H0WLBL10ZCd$PAe~l83>oOGfTMPPzt3$)?=8p5w>=X z0NW-g*;X-hNSS<2lU`w3waU?@nmJ&^cnhTbaUG_?7M=zQvaq&R9~t|AIKM{uoj^2@ z?S%da!==tlcjhR1*Qq}O&0j;d-wk&JOV|N-Ww4LXmPLA!KH#;~Nzk55`weub9=suk zdnBzRQG+jQUhECaLXT%R)>OvDdMUky#nR`NO?R%`dFRdLSAYGTA`?iRSmXw*s*O0ZS*R82cM7&lHLu_$@dpU zjAKLw_tD^wU65%agTTP3zyVAD$n(8POGJ;b z7PgMBx4{wX54jas4AFnCh-k#i==>S5o9%&QvN(76GPdZ>1e4v=Hp)iyzF$S(um#FP zu5x}C5JVm8SaAfZKyE0be|Q9Xo=BFYx)JRo$~l2z#trGk7LsUqNePf=v(xkFn2j74jFd~xNu03SY*v#mBl zjVo->KaPP`szH6A1oH?Eu=50mzuGYt=xG@sbvkb2vjaA5+c*nYquI�^(WSfWV!u z$4pOyq&s-9r4ZLrCocjMsvFodFf8sZb4%xyWl@1YAI_H(OB-eBI6e$I76Kb(Wtrd9 zs`ag5>|&}R53rY84s3-nv+Kc@`DSNPn;Zb{?Zm>aqq3y=_zXW 
z)RAyb(B}#)Pj>q~mD#|oj^>975Imh2532AQ0<^J8;;56Hlac0i>kzqqI7Kpi0*Y0P zmp`_Eb&cfCARQt0eKIqI=cWgOy=7i`@HvdK^g~SuUcM;sLmk|cL;rLfs)Uz_aj5WO zWyYUI%MLx3?&8CUh}<%v)t_~?CsB^-=%Cx!VUm|ou|Pz0n@|;L}pkgwpcxXly|v{W847ul8NPs8h@6n zKWxAsl$2F9Dr8CE)|{{=MsrYE#K;zNbKLY+o#q({UO;E8(9^HLH#>S08zHL&u@| zJ10N6+FvV|mM@m|_2trA)aq>c@$$&K-&9`yqJ=Vl{MOQa^gZQW@A)0nDS!4)y{J4m zd~Vt7uQ)%@JXjxg%9?`S3Kwh=jCcc6PkL1IM~Nq_6!6x9wUrV&dh$R=K4zv*B+7Fo z7f%VsDaR_N*HwVy<|2WLQaXqvcfRt02b-!Dd~&)zPJ+0<#SO}MfFlC%0A|j^)4{c_ zAOSzNFW_XXS{vaR`6$^9JQz-)2TxJ*W3dVVLV_(Gf-;G(5};H8Hc}cr*s@JN_!oE1 zG`s*WYVqMoO}BPC>Z4zIwB6hm5CxtBq!2P6f{yYi)`wB$$ft@At`2BZ+nKhWSQKD> zj_~8jS+-@Z7la@UMQnQ7szC(AfY7^E(#~ZB`Ea7%s+c)?fOO4^7Q2UjYL!N;NB2=_cgtg_zosru%8%8EWken7Iw=)@Z6%JNY<^UbE_cb-2ao z6=EUNDBi%N_Pe4R;)it*%P0$5#8)%KIN`V1s^o!0LJ7}stPJML3+~w{FM7^RWqGhr z2J)A8p6Hj~_`lv({@KsHt-SiRuPx6y^+Z|QSn#bLeAPhw*VK++hn?+jnd82?t;*nV z{nIZX4c%C(CUlI@4mj@7g##tft*@_XwN>A~x8p)4yh3NvrWdL} z7;>j!bdwXEEu9Fa{zey``c%1{RVBxe`E^pr=b;-`q`nA{er)BY-K-Znsq+q+(uXv* ziq%a7Pmcv-01pGa&?~HILingXcJuGx>E9Oz*xZW68JH88GK%RHRTc?PUur37o@{r~ zAFY;UW433}0lp@HlmQI%9% zW~_Phe&4Q9S#3_xmh@Sa;=b3JK=>2akAO5B9EjNGe=gSMfq_6fY zK(zX+ZNY)c;>83M#}HBiWe9A(y7N(jg+7sd_Cd!aj*}^zR}8UP$q{n(hvO!&9a~x~ ziwnofLa%F@P1;HEIGH*5;=3Kw8T)5wq-dP*qD3A?!Rt#74=l{fQ}H!mY-4s8IAIB9 z@Q%q8E6LctB>1iM`=Pg2k~m!Srqgla`b-QDRZ&cgk!CEwbSwZe`U9R03P*?Sa1Nfd z(iho$wG9EeyU63Q>c8rc>#Jq@j~!522%iXkI34vHnUbSgC+x_vyY&cr2L(DITjiX6 zk{S2Cqyv+(o`UdW{~D6ugN^A+j4flH*lY<49jxe=N-RfJY}F1l#$3#(kQ(vO*ef0L zLVt{*(u^}o6G)Ln0FQEa#C%m@K<7vZsc^rA^uv4u>;RRQcIvKpF*w+JW*Y1sQvnsvYNa-NC$duCz_4vXKyJM4P zMF?*uhVzyp4C|7HKXZ6Mqek|nAQ#@aoZ$d}Kf75aI#U+owA zMxXd0Y0rVo*FU%MU$n`;7zZ79Lue-*cdDCo+yyJ#(`>>uHPS*s+sk zFyAX1nzRFHxvCZ6ssd&odR??L9CL4Z%Ud?z@cP%4JMOsC$}nf?sCDxP7>*_a1PTQm zV5hAUlc2&1iWiPKL4398E5|zN-9VF>Iya<@1bi9n%o8laS#si45=!;qmZ67gIPzW| zfzl@ov(4h|gW%ss=(rr`(g;MoSO;2M9zpJg=Ve)z-zUG34;rSQ=piqD4c zOCpDMnjQ|+s&f!QEbVBjBZE#ri6|6ItV%cm&jjiz9|IRtjTU3CRg zch^%x`&RHQ7gF}sN4la;vQKB 
zN90K#&y6aJ${m2(kt7(xtY%42>3qwUlEGMbd*3!}4O*4QMJT-T9082j54sm;GE8x~k&oWRc$$qqVs-_D z3ejc+vnqBKkRo>zWql!I1n?mv?PGqbo`NjAQebfXp9<*+Z^`91h$kyPp0d2S-YMtT791!)`^e+vHGlVq%iRC=Ge5QY zhM)L{<))>Z6r{BLvqMrBnSA1ga0eoBV+)6SNDORO5tJ*kwUxCpSnq4q)+;AZo+!87 zc57MGN)9KU-|Ruq@pg&+%s(wAMjHyZgU!Ao_DWe>zg#Z&m%U=(=T?Tkn%BSDt69}U zT)dUSLoHgCs&f}FESKfWYo2X$n_a(f$O9sCbMb^DC-livC(D^Lr_0i@Me*P%O;&we z*($3mR`hkBb@X86`> zJZ6V7U{$GlczO$oy})&?HZQM~)zwuu<%-thM&QO$(t|#v^K&IS>d#kN92qCIMLw%B zzh=-l<8WkX<=|q+r7NA)wQ_lFO)Kt&a#A|-6zsY4=gZ|wm(4SSIlR%GHeF_wpy$5)ycni@1y*w`K>uxh*29TzG9O24JcvKQcm#8DmNiIg%A%L}4x6F;sruw&_ zelC{v!J2>N*n!9wVZp>lz-c7aGU*q9cIuldP%%nzBa$u|+;}%P{U1Mmyeus(l?&%D zlr@b}ZV8&{I8dzexMT_7Tph_p8*CRg^G{*vd}4aA>R3A7)w#eujlRZB=e_>e*5#F+ zeqUG6m-y->&Rv~D`okv3^hyhnx>}AC0C|$ZLp*Z>Wktv703CB$#G@{xZj{Z-u9_F> z@5PH3eUVJL$3lZZ8|Dvm_?b~Jw*vE!r};vuX;5_(Nuz-hw9R81$hPY^0vwzcBl|GQ zYN0QDmE;1UCtnD4zrP+AlOl~iWjn@(1D{SEELcZ65?R1S?V}Q$bDVqFJkALn<&XG+ zk7F9A1^J9s&CBqcSFZO+Hu7W(*~JfMse+ZSzpGO7XrZf%YE7mEO-#PCvd6sT2UX`4 z0AYd~&>uSX)qGv6xYfaYxish+SCoJF(Jz+2_x=B*%>Cv&{{7}-7e8OL=JWe#;aHhq z;>0B5#PGxoCyGNuOPn6Y^Am>(bX?^hKekj(pFZt@=IKa}BY{o{PTEi^_}jU`TYp*y zmNhw&wZW>78~mh=I;9mTDi~-2(t^zmCeFM98LPCFOL9VM>nay0qWe42 zCr-#|Nfu|ykbp%C@pJ%1tjY$`8HdJ+;(L5GaK$P`S@pv&pBvn}#vs@>u&phhfYj zrP|s*m3hT09&EX;YP>p~o^_npxLs86Uc0=iTFH=pND6k6jlQtJKH|Z+6Z9ciSm>3d zg(dMocZOQ?$9e_$-APq3Hx?Eab?jLOE~w1EcF76z54|;DwLdNna3$q96Kmu^$2a2u zVX>6mFs?wk=5J(N9h6u|DKa{-dfo~T>)CNBxv+@tJ;_P9-4dFvPua=G|XJ9z4EX>rNU|I+eu=_`Q8s!DBWIu6NF5UnXn{u~pdMm=(W95gfm z7Zy8ZVM%jaV}|2`12cr*1sf>Pt*ywm8s<39RHL~GyWpx%IT5)+=aI1~=Ytf@0#k4v zvO7D{DcS;1k>=ufLFdTj%ger4b9ZzudF3q7aC_d4I827<{Z0T6f@qG7c#A0)A9+j; z$QrNX2mx&~?GH}`mFnpED#T~-?l1N1ZuvO@wTXG9gnbSL9LVc<(15JntGAC*}Er9yCw3v)0^4A|3&`sqHzdF+xTR5@0K3nX0laHRFR gV#-~&d};ar0gJeJ8#~grnE(I)07*qoM6N<$f}FESfB*mh literal 0 HcmV?d00001 
diff --git a/education/windows/images/it-get-app.PNG b/education/windows/images/it-get-app.PNG new file mode 100644 index 0000000000000000000000000000000000000000..9740081ef40209279d8f7c2a4c6551c2829146d5 GIT binary patch literal 110733
z3G~Cmx--hWw@wM4Rm(RSH-Gq@jLw5xh~&+~xV`WPurzMNcw6{F04@0j1`?#x=Stq4 z5$Dh`{o$@irGMNlL0l`~B4AmsPsHmlzZBQ5y~evimX~%boPO-+jMs zokjDfZg+S4IpfXs2nK_GtgNoY03dd#(l~W)2b$xWCvq=zp3w;HknZxG75LGia8Adq z#KlYZW2peDNo}-jfXnh&F3UmS1XR&km-{Z|&}CEhfpX}RL*N{fiv@;7mb=)JPOcr0 zE&%%h&?Eu%scM}Vov=Z@9Foz)dbGhKHLD)F>aybAmw=}lsi><6sgduiNu!PKVR7y5 zy34LZ@!W858|@fv8(@9%$uGn!uf2p!p<@3Y$K3#`NvFI0kVMic_kps+hfI;Cp{$xh zt6Xx=GkaO}t>(OG-U+7Qa0!nYrjvgh#u?W<+qa{^Rghet5@5EqhRt*hc&)-D72-gz zNORD1b3cDT^7P4L@!*5^#p1$z`a9*|*RH-1>zMIJYn85VZlreHz(k*0Sc)@ePm{(( z{MxVnO8of$=f8}9N`ttzvJ%ZkD^8-px*n%1RcQ)tb=z_6=B>DX>rPBHTk)Zfd^8?> z=)KWwwQ^*EV>Uf&F8o1yPdxQ>y!6Uz*-51c*%*n3d-}@An+&h+A_?t`Qlr-|O{hFw zaQRR!-*U*L3W_ubCb*PWQZr_e}Z}8@J-R{3p6ndf#u&dr~QnYl&4-8vSCtyle} zCdU8Fg7hq=z7eNcFW|tlIZc;_WgmbRF!u!NogR&o!?d<&w6{4sG1!rZdA`?;o&7F( zFBsSybnFIOkx z6nKkN7i~xemEjc}SKC+c9h)lC9}w3NAg)bU;`rIc^o>o{(PYthZea?(@y1OwrX_&( zM6Ncpvbq-6Z{E(q|E`qer~=K@`PsSXZ@1$Y|JkSF@BRONA|C(3mk_2}oIZUvYG|TW zG)?y>+Sp!;TdSC|x0hpweBJ->Lvi1G9*!DX*+|nE4cGNRUwq}|_|jLtoC_oifH`YT z0Xh^Y+lgF%)p4noRUxxnmWkh%UfRCh@uueJH_$7E*3)=+ml|Z!%Q!qq^N^ND4~^d= zzwyi;)Q|CSYcS(7E&ur>HRnTc@*7QPUnR&>H@U#|;WwJAF1GAdH^H{U@A_q7Y?s#S zwEM9Qpt_fRw>^rdo_sE6w{5N8iGFWA9=vicjx8<5u-_vNeTX!!0I4f}h3m1xKMrqF zL(W-FnI{@zG}jzbC*DG1-9>_zt^s#iOC(ok;*Duh0(@0;o>q+R8*%9DkNSq^h z;2>J=YMMi+4*LP*Lx<5-r(=40F{WEfSW!**SdG`RLl5FtgHHY>9|A-2Hwwglu3)wU zi1x^%Ypo9Az_nHZ(w*TZ=SB=&Z*{L7BLH+1{n(q>jlBwGuS5R^+O_7}J#ySLpqg@) z>?MQmAS3m|)i5z*Zc82F77EJ|RIylOsb zX0R?{$1u$YQE%1b0z&9w#7-b^&iIS3ydIB#<*O-ljan^x=Z`HNLjY!?-RZ_PO!6** z?iR`BNz-n2ZVmxz#H%mA7XRQM{Db(1|L7m4zw7jwGtroFANYC>9n;6Uvc3s8-^g77 zj-Ngqk3RNToIZOFb9NL9fWi68=ZW_qdhQy4V5in@<0B0yuG2lGLouVJB_!ac0IIZ8 zqdFw>TMmMAln)Acc`r@;mOJ9K9`dQb^D3P)O7bC#N<9TU;UWK)09*u0?>&v*JN}ep z1ZU5~Z;7y+1-#6xX=NGnEa7M7=A$(`uk8VFRl*r&oo*+bQ?IH0?DH?iYp=hN`!H>8 zu2UCNF;64a+1^5%-Jom$kieQ*^AEAAs2w)2CC#E)T7Ef7fY*F?j=!_sc6I?wCrS*< z6`Um+zzJ~7wFHcoGPwL+YuatIs{kf^GgHeBDo~K`tTR5Nz;*`dnaEXN1 zw%&z79Teqv9E8ixgM1G78V&z+8)RVPRG?8o9Ed&K6Hps*<$){FL^BnDEA{Dk%`v~xcq&R8=nT 
z3hNe=ID46LkRiXNj;mFt)B;Y8nP@iV6F_HX8UVQ+ zWAoWL)`BlwtHO?0+jITD4n%O)nCl2gFW01X+-R@6MVX-61m&jz7*m^d1v5SvLtEe5 z?PD3aerhjG_W^)9*o7bUlVWAa@-BrfpZJG+PwxScBBoX>x+vgT z1i1jH0$RkHQ-LNZN@_Bz;F9C~_)c}zae!(^39iB^3_IK##`MBWTzc>lrhh$lK`Iy8 zpb3v_fNH0=i)r6LgCHRR4Q5n}abkjr*(qi8SFc`+)y>UJ*9ApfLeL&={d}iRo=h|T zKl{)A^LXyL=MlE!IRtBFej!~O6*MZ>Bv@Wqi{;hzxU;$ui^onRSibV|3jpy_{H?$B z@5U!T@gX!TcNQ%J(Pgr1cL1WKm4}imQQpFY{(SRz>-`~J-+B~lpa@X8W-;?j`o8s> zH@UP#Ds_FU3*l>>SL98gGy*x2Njj_T6Jt~I+D3&$^l zezQEE1{h|klV)sh4*Mk2%-uPJe?MM+;kl?H1b_A4`ZwZV{gEGvX*7?W z9T(nEBxrodM*%HQFQm^=fXe%#DHapgGatRfqr{u>A4M;?axYkB`iJk!GpJ;K44kid zKz_bc0_B|zp}$E-tjoo)0mbRrrKmNR&;Vxvys2DD(De>n z-=N!98+Jm*e0=6JzZt*y3%?pKzj&QSZ#mZ1x@op=Y_y}(?a^2|6c5_NQw}{M0#=-$CC|-`twQ?) z8iifK`v6V3ECHBn<-$+;b)BL*8mD0xcZ_il;B>K`?KJQ0Y#M0Nqn(adpjDN8Ru16P zO4LyVssMUTP@io9qWq>Iccn5npp*x5@pD1+kmlA!swzoaOL%V_P~aXovXs;?j3y6T z$9c%v);w25B>iBTXST3#Liu+HzsV>DFM^Rht!RB-oxkn5I|S(XZJ2$+yY=x78tTc@ zXX5^c9?oG(Zn`&BZNZ53c(*Swu>O4>FgJunIPgg(z)3=w56^1yZ`myMaZw`a4Lt`=u>M>&r!YxrK%(F z`_Uil=Rokexp{!R5^ucxa%?Q$jvxGi?~fn;p&yI^X}JP@0;QBl;!(Ia|CYl}5j%L2 zE~rRqfX=+hj;Zp|H*_T3{XP@nPs(KGAnyynbICy3SgW*B22FKV;ir;eR@5paty z)8A@v*?3Z?W$8x47#(JJy_F*_=Fs?EQ#K}`;iL;RPoRyp;=+adqP^XZuRQTAwA_uA zJDvFAly>o|dtKnLgTcm>qzL z>7Rg#);b*ZY2^C=EoMLF{MZ!W->gKnH3e|$4{b%=#=QlQ(!fu^M+fjAs%RX*Yg$XW zZ<|E(l-|~x!?w70Snq^mX-h@k6UV*bQ>9|hE;ZxC91M{&fB?~y9KPqGLqAvZw>*H8 z!%`eHt%j7dQ9ww2X)blF_+GBAqn#`ITV=b0SqcwZ76H3_ztX)$cfyPY>frN)u`I-?HP69X_?Wxfx%5>Zznvv)RhdpY2XB zZrr%ZyDb{4sknXXb}TH+rvKA=lOB#sbzHGLwX(KWeAfqRdDXab>He6VIT71@?+Q@e zZGE%doG$I)eS5q#?OhkbSyJY{;TpHZ@7fE-nUA4`Lj&dYM$;|G$78dz0+4oSET-UJ z*9REFzm%Qwxkf-`x&Y~9y;{~W06@oSXx%EsQ6jpU%9i2)N7jjVC?VWtH6J#r)`yg~ z%`>p8r9JtjFUO0|J@;*&>RokE!SaCh>>uctJ+k`JWX{|_N^q1RffpIc9$8nJ@3_zk z=AJ9jJAl3i01pv@-2<1db47TxDnC|m+y335Y)%x5cXaf_=_kO3gh=CL%{Z?>Q zyElwG8xDF#JE~L@uw)=RgHD_|6ZXQxPI2wla=h^3tMS6~uP0DH`u-2a_kI5l#Gm=z z?~gzJo!=QB|MZt6 zBT*jt;4oeP8rBP8GFD$4hBjZRIVDIck&Ektu*2>|I*7g$TTciNkf-~gf9)5c^kotuAz{Y9EyQ7P?lV{`^hJsh!>xE 
z=AO_1$v`&0RPO;$#pI>p&!SzNnsJVG8TusC3P_r4$ppmdGiT5!9NWE4+*(cLp z@u>XIlz5nl6w*8 z%22CvmFnf(C;tkjzDu77V&&b}sxDzMO-G*{X|rlY8JB)Y!yA%vDel=A8kN=r&r|4+ ze99T8pgD-Woi_RF0xW_fKvvs}R%0AM+mBXrJeFo1mNXS}Gn09Ld}%(;o;e*&H2U07 zk3?J>;+W?9d=s#nj~N=a0ld-P-ZV!sKhuhf=T66?4?P_3efWWR>gg}X^Dn*_b7+9N zZQME4J;kP{Td}k>N7@z2QU%L(=j=qMy+Pig4173QX<+`p4-4ZY{N-ZhaxVFR|0b)o z+)<#`nvObgO;69n^xSm%JTo1_+n7rM_Yo^Tc6g-%-_j6l_BS9sybP$?v7~liI`ZH! z2%q%kcT!NY1KxQ<5FnjzOD!lr#pHtrd{4b8KVFMGm5nq_UpI{4uP^qiU;N@d1FC^YN)) z_=UK$b{l3?6LoluV-CsZaD?VDLb$ils5>cCuA8~AxR48Ul+G9_Fi!kqydOmet^0@m z;$MmX#sBiJqe;{N*>;SLINF5ou=(6z` z;W&V*X+9EEiJ1Sn__O0Ga|Nf#vH%X?RGk`+GiR6L^vMMptwzjFPm{NjTmRUpKtFOg>`M3X0ynOX~_LjStPQTNoPO5R{)UkNzJy+m~2jb?9+mOR;vA1JwV>Pzh z`!PFvCjR{Q|D|~7p$|c40db1FU;$D0)_*QlDPUy}yS_|m<{AbrdNa(1$)Q{mF5HVNjn(QL&(`0@WLe)hlp$-MvFj<;e;;jee+I7)9sgCMVdvxgSp zA83!Nql|p3&UbnkQf4`hrg3bx89l(KHX7pn$nWk@Syx><`q@yYLqt8ZM5o42mT_kQo6i68sR|7x5+cRoSS zEiB54Qnc#)-W>qsXa_EKVGpkUHX_O%Upt}R|L6zf^8J_N<(FSV)4W3+p^3t@npQdQ zUMv6%G|LGNxOM@FdbH4H1nAThU~q@oObOfw&&}(%;=cPIh%1+`@D0L)8Cx0GmCz;+ z{S*r0b`gwqkX9HtNAK;P*ox0>a^R;hLq-6j{CHJvW^M>8ea1|I|upi zTC(On-}wxB9BDlnZ^mQ1hrb0pZ@G7`CO4X!H1pFkU3iW5sG zbNcW6{9Mjxo1LAB8F*#}OQGQ!2~%zbUFOx#&gnm$k9pqJp;rZZ*)Tl(@Wb)QqgW}J z{wvF?X#cy#)CZxL??B77H9&fndYVQHu0(4ZD`cV?n_IoyyZ>V!|C4dy;sd!_nVp2r zNHV>tnhUO!`W&Oaa>})&f;KK7Ef)A*3&PPUsaI0p*3ahl7JRdtt^ga5Q~+ccXlgxq zFX`RM!a9}SMZWW{gvq+$m524kV}Uefk+3-t#jrH^rt32@!v#L7SL4aYzZ5S%_4GT| zRNu|>=s3caw+r)5PBqmZ{m~!&=0VjAi0qm$3c2_1#wi$?wuSKe`<*#<4~_5y=KpkK zA~wwG8vPx2u^9$fwpJe~!h{ z;u6}@SUmaUlNm>qdP?7#ybNcT4jD%(7>{OV0fQW5j-;vGdUzMabji z1o!&sFlU{iJ{SWJHu6xL3f1pY+`N;nBxGD78$Cdtb95Q8caz+D< zz5z%~K`%#6=q{*Hpy`=b4nq^H+`oT)V;g=|!^Fba9p)@5SEp)syQDn{n9haUV!NL0 z$3OPR<2b?S0jk*qxsAcc&4zQ@! 
zxp!NYsc_;JF~~g0zX_E2k+&tz@|yR=k-sw>=@;0{PcoK7b-&`d3FQ0yn9q!dd-CLZ z5>Gvj`Tz9q4yww6->9j6D}dEB&4b6=y?-aC^7+F*{KJ1RpQ>Q0;2r_kyKx>J6928g z-|jeK0M7+yfK2Wtp!!=)Xcr;rV&-oi&f(r_Z$_unhDnD2+%Q*Q&t6sp$rai?bLl`& zm|RoJ0r}2mI&tE75h@t@Pk#3wj|U&PFExiY@i}F&3y^8@_xt_awne&m>Z20SZPC>b zWoA!zLiK7H&z(OXbz1wcKJzpHI2O5@JI`~M0iFo-4htKg`C5+-@3E4TJ{Gp9;in*RN8>gSZHw zo;rC9kZS-an$Pg}xFa7X08rN%MQalXpu5AFq@}dVAwwb*G;j{T=B*mM4UxWPJD+G` z`OKkF2%{#p+H-2qBdmsr=nlK_(n~J_VwE^~>TJ49wl~^osaPd8tQElg(&fu&arJoP z+6{PU79Khir%s=XQ)kX3Pzjx-E{Zi!eAC4ocVwU-r~jWSOTN%#&uwMo3O)p)V%tsr zc4;hg3aJ{TZ^?w1niwh|AX{8%cQc(bg*V|b591~TcRW=^r4Yr+FqgjZTizM1491b; znt5PHtJ7zn6jYxCR1ar?z1?A61h;RMwt9qRZ}_`^CqydL>p zey@{1$qHI77f;N_XF^W1C$0dB<7+zi)d-nS6yCO|Ta zt?7E1b7&$9v(qt$3AhB9o;qb-cq;2* zYjX>;v!8y#ri0Zva#=WpEwvawpdoZX`13D37nd%aiwEz&63e%5p8CN|{EgEk<&K_&Ur8Bc}oaZxW z(*536Y^<-u0ML8+r5EBie&yEznL!+1L~EUHq3!7!!Qy}pYIIZsWyIpa>QS@UMME#9 zEqsjD?G#UY(RX%w)ZIp`t=x*0m7B4-u^ijm>*)jS_cn9X#O_WfCJ0{zo%Fdjv4k2l z61z0UufFjL7RzSLk&i3)Jq);>$>B`86K>zRnTxTwe(NJxHxmH<)6YCZ{Fv#~&+Ob% z96z=|{c2w8=QDq3{CuC_CTsIgKppKAAh7c?0aphV<yWfK2t)TkN9RET<)l3|L>brTEo}l_p4(nN_xqS9`Jaow|pLcU$wwvD_KXxK! z=VxPaaglQ&jvbeo7vmTvxBjxF`T1DjD)T#K)N!8<;`ZKi8jY~gXvOvGcT!M)_=kTG zZFK|)Vm1Qan;RSHymyfl{kAPk&MBvh!pMT9=AFZATm@bba|qRucIt{qJ7__cRS{70 zc=+M>#4rEyug0}&*D&$tDVPih5CRY~qj7B^n40+BJH@p^UaXzeDi9K+vW4_#ab;CA|SG*6WzC z4Nk8<(?w82EAm<=eHZVxQF2I5kb=`9`{5V0wG*`&bY5 z-n***u(urtfN<<#t~=a{dk5Qhw>Dz+_Kmo4?e*ANyB*ywRtzB9+g#)KN^A?{?d{m# z8K6i4s-!hl9Rs|kqK!uT8rDFE{EbN6^&L*0IUg461iQTw~LX|28(e@!ZR=#V7yRcf_SjXL;5^ zz{Zi$(jzPL=^p6ut-Gr>(Vo;=kp#1rTBPNX*_?tZOFHlWtr~#OT|{~g4b=$>zwv9o z1t>YKwRBL);v;}Hw{0PfwY9aZV24Zz{@JksquY1uLeff>%zJzJcFdBWhaPwc4QWVx zn8XN$?g>pcJ2qCAug9&cFCe`A^z{n%#x0=rxw;{ur)IG$Yq`vznzp8{;T^XqVEbD? za*4y;Z1r9D0R}fwgzh}cI5?fqFc_3sT{}6|5^&;lKly&Ulka=&KJ~M~xBSkqLjV|U z`1r8|?(u!nHa)`j(f-?lAwakd0B@|`jFnqgWA)A(u}1ki0Gul~wYS$|duuH=SC`|? 
z&8uMOB&>kXc-V?k_0XMK%xCALvCxk!JF&n)RuZ3-Q21_vK8juRievytSLN*Nz=ujMrXyIX?7($Kw7gmkx)=l^Iyp z9ry{$s69@k1>)d(b<;6GtALsR^qp686w79NGj|`THudMiC-8v`Qvg$`@RWb#v%Jki z5J#|ylZRS539JU;H_wE4!PQ`bs#)?d4;jQ^3wynp#$`&Wr~FZOo3Q9+wfu`rJ#1fx=Gph0fO(y`;QxO4&m z9;7xXY$^bg`ur-+E5~$1z?=n>;4|9EG+p+s-e|_+@#C?!u@(Q`-}v|Am6u;Zqh2I_ zVj<6J!o6-U!El?jmhaq2FusUzPS4b`hxlOVA{%xBA&O|!?ao$qg#Fe3^}kJnaDns@ zRs_}Un;q-enyJUH|Ju*RFa6wq8#9>sHbglai^fP%bR#+8I{kOq2yjI^v4f-t7Id}~ z&40=s`7Bdid6)SXDx|)#l)9Dn`_MXf@|3O6u6!?e7{7XFZaw0cmE8mjXT#|qbvTi< zbX=%AsM_x8Pjwpbq&`(pz+p<7#XU4sCk9yW&Y5>_t{jg{82MVDcDk+^+qY5Tx!Umr z*1`VB9Z)fXNi&z*1JoQDP(iEK`e@rIk4URF9eZOl6lOkV=1wHd*Oy--&ts{vZf|bJ zr?EWVxOyWl-+y0x=XZT)OpQ-v$LM1p{&>9qgCB{;^db$C!@!#29Q7kLiyvNBjh$8# zG$PVEP4{#IRH8d<$F0@d&~i6g^EL7XzY$hG)@7WHD>TgCJjf9MNn_|rIodbJ;|S0GAWGr}mgztGNB`&^&{Sapsw>S$&C&c0LAT-sJXcRoC%s~e;2iMIMIv%g zAHd@L@4db80Bc|ZgohGOqlfKR$z77>Hy8rg{uXq`RN(b*p0`(^u^dE*ExiS@b)YV z)Pk!(*=jX%D9!4fT8 z)i1?MPd|aCPlG}k1X2YqhwUIoITjMZQ>cmtB*CH2t}k8K1Hy4{Prd?|r_|HmMmUAj zaOsER>bHh*yAHSQ$lYuyuVyF|O;FzB_t8{O!KEZg96T2woCzgg8uw1mz4Fn5shdH2 zD~4#TJv7T5G-?-%8G%^)gJHhgTw9Iq#yXlSrafWy&^*Qf;C(88&pnb#e?N@5eR!ml>;Uz4Py7!LHgdU^LVMk{b)4vzp&307lwYYlq zYTUSfC(fNY6V2K<8tmio#v89umfiTLKmAYBrE~w~2cd(bL&(no`4NaJli}QY$M9;< zI|Wzp-0Ezi{cn-B9aQo>REJOA?2uB;ls~O2F^q>cjyd_ls}ezd+T7XjP+_T1q&6zT z5>C3ipfxX&k5d^@o)i*-cvx?`!k+vhn(FVfo~nHOZS!A7=6tt_kRbAo&3{?>AbYHr z(7a?2=d|1TG}~%n{yGM+9!&tIUPC*B!5x#BC)$mh>ecII|8xh8*I`n}4Z2aD8^$?# z;E(-@@4(D%rJquUN-bKx<4k^pA?;95gP5vT(k);ofDEK7K&?;|J(|U0r&9XK4#A?2 zK#_4kZ4cnH6Kpb`e)hSzvvLQM-)V@3FFvxPajdR-Wrvkos|#HF-ZHo#h~S$UL}*NB z3qVmzyK?bzg6R$#kQ%2QBUfL0A@=%hwBlK4)l9#z9d)y49MfnZg@&z|<~jo{a~p7I z=I^dd6j@vhH#n1li&&K0lcpQPsQ^fQ?qYFmcGiXP93$$CI%UAKfTdxR0|4g&B3w8GL~eMI27+=e5Bdjw zFpL(OI&D6ak8A`pjsnsNz@Be8?D%~0i(mORsJ@fqj{>L)Y%|I8Hs9-x<7G~Xv zbUqg5T4;aGm_xHu@aGkJ1Z|dc2Em=>bWZq83t>ixowd{i6zp(XU0;g_?!P}C{lNRt zv_|Palm!(+8*9020yEa$Tc|{ZmGP{(cnexiYL{quKFiJsm{Ce5pdq}L)3{tA-U{oZ zQB4Ep?tpsp=Iwa##h0>2Ss*oR4#(nZ+zzj@qiP1t)?r-h>l+ddaGHg7eq(-z`Mtu@ 
zM!?UaC7nEZB7L9=jYE@eTzw^aTPrawfI&Aqo4g7tj+)T)&8@z<7vSuK5ukkU^W2G+ zXKvdq0N9~p`ZheeUmS7Z#)_7+ibhkGIGi9X&q&K1Yo(Ku57f$eO&BZ=-7?6r@%b*d z3MZVSILu>-TVtZc?;L&?9mz=(nV$E>H33;tm~BL)f2KntB#?Y9EYCO%Yg{&p=Fvtf z^Go;&TIoc!9vj`=`08`7$4hT4$Ia!fxOICoQ2yik_3QEK%P+<)>h8|%J6ICy)CuVm zN4?=Ff%g($HNO1iFHvu^apA%R!rqEkUVJ4xSFhc;5i|2kaqirCvCN!jL+n5EMaDDF z?LjxTJ6om06x!2r!hifTEh<~c6C6!D#g{ za}$8f>5?L&%mddr=z9-SO!G_d>S6Y614JMD_(xNFDCX;KGN=Q+O;{~dEmh!DP@Su9 zFTdYwLb~v9n!y0CmFZE;`N&yPZhbKU_}D2SpzZ*!?v~mFD7}B?ndegbDfJ+u>kiOe zu}2vP={uZtnl0L8x7&#ov?4*&$pI3@j=KB?P_X08I39ZN0YIdZ0!h~5g=fDS%eSxP zAb-nL%wOn1+zvl-u6Mcv6eHsD%sK1Ct+rFvoOO(E@xR;Q=RzU+4Fz>w4K^CSvoWw? z(!F6%{SM%s%O6@V#-I5;^xs)G@*dB!(Ng%czML*u>Qr~di25|V@2!tqHjnhQ0E};h z#^;ibrfr$_M~B)zR)MSN>*^6eyjq6xPL~AV5U;=Y32T~37wYs5X8m)oU61wlPPF^Z ziI13`p35Cr-+1k6StE6Gjd({fO{4B&JOi}a54`^q@z?$j|4t5f`{iH$l{kIkM11li z9~CF#$tRzRXP~Rn9aUe7 z7qPCs4XVG-@kaqvi?E}i0jOB+2oFXPLS#>T0-gH|A!I`YIhl-8O){sEA}B7L;`Gt7 z=es~8;m2ZSZ5^6b;}hTU9l27F^WhV4hIXFlPjx`PK0XD01jFg;lEK`wNS;#|CC9&k_hu(0O~i4FHXziJ7^0>{xvDsVC#c%^QTBBwu#AsLA<_ZcYGz zurjIUr9RUG%5HdRx3I9FG#%0rQJ`#BufB#h-i!wxdMLFvY4Pj7{@GZ*a~<#*WJA&? 
zPFJ&cA(vj?p8K7$s0(1JuXq5R`Z+>?=h=I|8y()uaL!88WzyjrM-dF6v*C?Huyr&+ zkN3S!KS5Xj@Q`=8_zm|0u3IjT1WoHvkj5-_QDy;CF!$bGahIOUdc@SuMVkfBp|j2i z?`eJZ0a32*ALY`7yF1oBVF~9LP-nOqPE0R@>^bED>S9FvUgaehgofM+R(sHMWxE^K zR@P%Q?rbgHM~zsVpQT)#SX;ZD(52??qALqa3-Cl8+Kh95K7QaY{LkWhzyJH=`qdlp z3qSXBH2xFu$xnPd-t*q~QRhqXg)e_4p7_cW@u81?I2Ycro|VA_KH}U#Ik>a25)-xY zsKM|K#rkDAum0YsM6-UI-db#`th!>p{WX1(bi(7YvK@-&_xr5oV<#q;TA*xcTX-}sGR zjh%j*xTJ+brq2%Wp(uM<1_3<#qO#F&7*Vb|FSr4IZmlig8Qyig?f8R)e500UqlTvE z^TP&9fzJsGMoaajJ@UQqTzKpd2i22(8wG-pzAs@iVyq)H)h~TH zUi!AC`uiV$6hO7)jK6MVhY7r~>H4Q=o(eoBb=zg!y4`4_MQo#iZJ{M~dT3$*XKGG_ zRa13M0LK#!(4d^kx^(%i*Cs#i4d!h3Vr%Lk1Xlm8Mmi z`Fu-(C|61VOju?}x!hZ77j|$>I##vxcH2>5Z@xoTKKJ?GA|BPGl12it_9BUCg7^Dn zT>+m}VQ3dyvD|lV-%2gW4y`h^@E|)});HDw$i2A#!H09}j?ezmr?XQp_iZPesg)cG zqksb*<@c$T05CFTYV%}40n|KB`jbD)@08HI<+{6r_wVV@0#k_23gVc74*saR>~> zRZ`+g{NpCmHg03_1#xEF965R;`P8^cOF#x3GAZIIyj!l0#>hr2)6U2b^TzLdWVmuI zzzy%G1!CwTknRRiYqjF^x$|-Q?AbVV>SUb6j905%T$}+g8#$i&+}TrnLxT-(jZfCG z0`}tM$#e11kA0HJDlt3LijREk;R`%}dMP*qdCM?h6cxF-%p!`#7Wz8%H9FGZ zzAKkf`!xNd@qL=fYN=`mx;S(vr2kWG5fxE(IdS}W&J4SA=T5AxtR#3OI93plsY*Qe z!b`ESy^X+4#QJudEZECk%g(6W0@>`7f9Jj{PYP@?FBK@Y90f!mkMv!GizN-UL``?> z>GWHxE|S-AzXxCp24qrR;u3qMU+6kXSp}@sx;6KSLjeG69d4!j#$iOJD=4}Htm>nU zN{-F+pPCi_{6$uh_U6^+jxWxkL6iY%L9?Qr<*>1=N9!0f+k4X_jQ7f3?p(?&8dl)YfMHH8s#E0SQCxfR4gqu06|AL&?u7LE{(SNBsaFJ31UP~BfcBcvkUR> z{`>#u_@N*DvG~$gpNY?W=Ckonf9ijTm!5wn{ zG29_ICP>07Z-&1I4yk$%90=+p+7?_ZIJ#<)dpijdww#mIsWMCk@SNfl#B71p?qp6| z+A4sm`(BW6is*67x*Y`?txTXZ4K>*#Gh7YfNaN8&OeRZ!v-4?+CuI{qP0*uiPbZl{5r!^ahnm$}KXP!ImRbbU$ zdKOK}4FYf6x*0d`+)S`D4jUVnKKv4zh5Kfy)w_P|IGVC1cCIE5N_whM3L@^=RL0x_ zPJ*f$oIuHM$2AIm0+i2baa3Wn?0x!l!nJ>{xP!)I!DD#agWD$?c3p!xl@TKFD zdjXW^fd=U41NXFdM1d0l?C^2XY`3n4bBLSo`OX!$EX$so?Dc7=0O(v>V9?E_9|a+2 zjalCnc+??n0^rWxcx-G8Y3v*ExBjF5d;Imk{x{EyOC0Gg!A4p4HHdMf{IsH9%`^R*-28!&(5 zFXE(pl2dw9*M&n>Mu>y}mce(n2iB2Vu8rGK93{b{NbmmRu;h39;eO|WL!XKVboLy? 
ztwyI%sWBGQd8C#%bXyfWG6cxI7@`HJ*7rEw<44WZF_bei)5%D=VDVM3Ua2MjEta<$d{Uj8fUNHiLLF;?8$X3s#>#tP+8h( zqP=c6?z`{41WV_(+aqmyj)Qff5CL4Fx5w8N=yiEmCfE2>a*rQ7MFU~4^h&I+ZIWAu z2{}%)5?}h#m*Oj5egff}LbwG3hZapGSSElG_ZSVrSo$q#g!C^GXErGO)67<=s{qB+ z1R5MdW<#a0m+_u7WW=ZIz+q>TV=k<0r=7!^2uoZ^Q@=A_-3F2f=sY^I5hB0(o26a) zLj_2P@Ayl9TMyZzzpMY2*CX-^U>P*s7UVZKgCu_Au>;8=S}sfICqa`dmcTe4 zI*#_@rAyhMU3uXCc<%?^ALlP$jM>Hcm|t3?!Pa*@8E%$HZfL0O{dYJS4FbyZ}u5Y#-$zZcV`(h>kuJO0{h(l&oILx564z{;0=LmQsYHOsRDiQjfm zsWEEG!j1WTn(=mG5tBYeOpHs!tw-Ngz0rsUCppUAe+ zJ??gDsU0V1CD^OADG*si!WmaRPMX?NtmP>G$b9;6AWZ37ov8ikK;$n!1`LQJ?iTG4xo3-FXuF9G869kj((1r>TRB7tY1yi!Reh!$(qf=#_PO$%8Hr z8a6#1=Ebyuq0}U8bZu~^oLR@SVnX}h`$_5+2&B>Z(I5S>_;>%k{~$ItJMo*p`J3_c z|LkYusi&TZKl{CZDxQAgi}B>8+$-!J0$vJqenI*? zR+!b8bpt3&lW0Y{8m3Th1S#J;tjNVi1Zj8dbQ-EtR@b+-Vrl7kyzjm5iEg?85CGD3 z2v=&_fb4`W4nR%tDMP!6lX5st)*(v*^!c+FFf%9OjT_gqBhQRkPRFmdrf1O5cVc6! zO=hPse>G3ZIJC?$w!|mkSSG1tlOQMws#Vg=i2%e?qY-gnz61O{T#FmmuEpywzZ_rr!sp|uC%zJ|zxHZef8$y< zg2h)$amdR$jn$VQ|7xtPtfnS<#B=()rAOiv{3vK!G`X;7ilvd3FC2kJn!0$(g&kKih5;hx%41Dh#^5R{8SnUd= zntOjZR1Dq2?nr`&fJq`LxGG-pmFQ(9pfOJDKY4zH{S(lCJ|jZ%|7tqsA4uOw+1*#H2V2m&m~r!^oL zn6@=xyn?pr(U^?${z%&uK+}HbpR+28uXk$-K zphFRN*8s@!%WNij2!^_(G93BVB~}i35n2;KEj4FdL309RSeqXIrx(aWT2YRiAW$lk zheV#|y>T3o;;ugw3_D>Q!lb!ZN?t(EsgXH#GW}_S>SVqaEY&9b?I|dz!3kQ|u3t-# zGp=MA{;2K9#A=?l*8VlDe%I7~GfCg8p{a$bHI`oc6kOs@9`}~C?PN+91mXNfZFR5% z*a27$sdDk^ZnqcbFJ8=%2x?FYtU%-8H>Jm4Gq#wxcD&eWr9jxw_+9{3BenBQKjiH@ zw{kd@pzKbruCCP|j^gI>YE)b(1Wnp+vu9cGKszo{X}Vki#j$J;G=DW+i|b*;eVV$K zQE>#AEO$Oh6;17?XrM_1&djGkYP@eA-t)}300hftaAP&B69dxZG#;K65H}`(lZtf- zJXs)3dmkKrYo07Z$szZK&0E6pfjnY<%LI+$@2zTCsD;BF90X?}A8hhbAyc&1^A6ZI&ecg0;BYzRB5JL z#C&6655rJ|!|*=hpCAlzl8+C+_dCmY6wr71AuqF5_{Ox8#&4!__aBz_o;U=$T}PP~k6pRdhmDZ-{OXOA<0V_Y($ zT8RuNzu7CVcBm_Tz7W{xpd&l>Pix1 zVd+=`_??yY=%B5-0+TwaGnTS^n#Tflx)%^YPEtuNbaYV4s&6sZ8?ZMWwZ@%G6I8wO zI|t#XGRgM>0P#8u%vowVG)k~ZDw|%Rr*-5kB0J);Fr0#)TC|$2Af&mi#ymNNsa@A! 
z3;=SvUz4sNtpQh!N`MuB@>{JD0Mzf()l)`MRBJB!%{S1tSTv=FUDt~4m;^?yg4Ge$ zWH!gF-zM>C>O(UgI$O)B#5<0xpssUjuxTeK9r7OE`dc0qq~$Nmv`f9Vw|CTiB7e*M>f6Hu?lh{o`<|NNiF-k_iRdrg)oiN`u8KGILkGwE6KSPnC6 zxN>{=C*KRchj^cV@>*^)fHm&bZ!^B5036=lGeE;}Pn1I#J zDU)fxBm?ut_o+E%xbnRkqi@yT?7{X`uU$Haick_hwGdCW0)>HF8I$+rD1zZPX`%`~ z2#*4qfXeqrCb=UH{L~IJ$JOQvOvnr<26A}9bN-xdpoTuDGq z8@uf2BhF$`kUr_9`AoPhfzRX(zopJS%G6`&EFIj|#7*H2VyNGoZ){kzjOBk8weSHp zJG41)q=M_F5{c!_br>pG8R^( z`_(7o^%q}=_1m|i!FTRVkU%P>(bCPPIY|?p4A_7t=X2#rmf@|3@5Fj?owA@6RSq() z_OA>{2l8t5WxY~973|_RAlUDW_O3mSsB_mJYC-+(uz-+EEfWcRfML-tU?_QnL*__d zn*w!s3XTb`yz^8u+gx9d?p7yFTLIPQ{2*R9i1P?M9c_?6uFM$(t<868CUzDHMo0co z0aM_1E8~^bJsetl!~selGjRZ#T`W@hq>Lj*M_5gIc`z)kZ7dH>P>UcQw*# zkhaVJ8OAvDkvoI!fI80MSpp>YW88y|;kGwp@CPsR%+U|NmuCno6`h(21#O?Q9%N*z+Y;d@{;~csBfLq;JItTE_JATO1yH`oa@%6)t`Kdrmj^$iWv%mrO*9F+YyHz0x0Q{bMju| z(T@#lQZD|Gt~{Cms|CR`lh00FG9pl>1!dVOuiyDwc2@%i_EUq;!2kfh%0r$!%Q#Kv z9yuW8y>Q47V`;{fo_0G;EINz>GwZ*~4g?vAdxhfYs@a*n_JF3}x_XjZIV+5PghBJ$ zSuAQ0F4`eT31Z5EtH29*GG~G+l9V%DU_2KW5nLT_3bymUfPHF9gq5YYx7vW~YTUkc zE0%BGiCbL#&atfKTVQi&mYrtqRe$Q#sr0J~kZCTHryR5{xFV=(j@c+6P^PEpU(D@8 zZIy6pX==r8!=lOTLe8%vm}>Z^&z>h&6S1u3hotkpD??E0n!28UBQw91)TYSH?$r!>=R05-y_%S8ds77?N;m(EOb(ne0) zAP(b6O%81{w{+&YlPg>{P{4ORQP)q+(F`P>Q(y&B(oxgZKb=+x<<6R-4ulZNr+?W6 zb+Tci?#g-w&<&c}DcRlObo{c5#|(zi?Uk)~oZhVKBV7^1>lohRClJH0t8W(?T z7@XXZ(|-NZ)}};xPaKx{u0O=HDni#nQ*k)XU{@wBjI7WiI%pGz<}eH`=;h#Zdn#md z%(erxLr<4|bE^#`KK22F9)jhPZ#ggDf%^cHbLYi^?EQtYeD4NyGMs)l1>AT9S+!I% zA{c0{&Z42Yh_gGdx=($bXKE>Sify17Z*OfPylA5UcXe_qwL+INw6pE<BM$|UvotiR)A2~3ww3^Z z0?l3MyUc(SRC%7}@f3A3fszCOSeR0vIDk$r@0Y7vaUDVfwL^EV?Epqy8pIBO=t^4K z{cdb^da>DQ$0l03!^^fdxNdc0eY+bQ&|!n?=Hc1qbiIhqpn$2XZ^;h>XbmZ$0VSk< zb#=fz+)`%CNm+#OF*U{18joB8Wr9K(GDhQTBb$5!owLreI+MOyA;Vz@upiRCjYo&Z z_SA*T@i+d~e-Kyhe=ye2V4r>ZtMTQ}{Z>5vr7xhVj^Gh;!gski47@##=B&bM{Ur}% z{5I~UMk>%hhs@ECI{70T2I|<0b*Omwo}YD=z~ z@5=nnU@9F{!T?bNYJypg4j>KveKMftlPjUy0J!i?SiCc4ifS zWYO4CpopLU8HYaG#l?kaPB&AC71A5mu9LSpXjzNpl{G*_ExTwcYKboV;?N=QU3hsM 
zO*E(ZLVNd#s@9v)0I2IU8ujKhra9Nf45s}o^3{W^5H!NcVP?YPt$$trjgaBNKE zy8=!LCGbObQgNHZtsJLII5j=%2AHGX9Oee78J8824GO$@*rq6qjkSCSC$M?yzCQ9x!lvFfw zZCUfHjAX-0IVQNm_*3$h*ljaOfer@s7n z+_`f*T_5+tao4X>C8OBFYJR%)MKb9`nP;Ahe$av+4Ub9HNzPTvNr16c2M|dr=e*bL z1?F_0WFK;>0o4IFHQO@Aai6dN3*4z0r-|-iJ1)Sb84jcBGVqyxRo5O>E71?i=lM*t z-dRR&iQ=Yz`T*^Dc1V~@>*-^y^Uie()IJ^Bv$nCG!)r|2bW*!EG1oRXh@{$?` zfztOyS#lTSq`b#>?k4Mwt8f<$ zE*8OLEAD^r(Rkp>12Lf%i3Y3tLybQfGc|A5ZK!3r);CsTIO@R{`qgVR9Lw>OKk@hD z|MnmKhp{-@fJfZfb(qtsUwQfExOwANwCeiHFJ}7M0676eEtUEb{ApV`xZEFUPGnUX7QZeJY-R>Iu%TB#^)G+>`Or^H0Y!PkuF? z=l=Hf+evpDk>Bl*#_3Lw*586dEVKT<+4S$3rT++>LSgHjdkCdgSoWx|!a#PgG-?gZ z=q7-r|L<`BBKI|N8x=Ic7TRRX{gZfR$50<&bYQj}3u<+_*ow@kw85M_gf7Ao01Kzu z3tY^kw2D$w(JxxVgq@jPM8nzwteo$!<|Ej6U-rLB;YGOBuq}53AXQ5+B}Ji*_U9_~ zyo^4;^XY&7=`6K9=4wzGN^Qu-fw=gQ@p$kkvs>c!cL7^ZHTDcK5i3I+uuU|(yT+ega&GFVY(F(T#%XWU_K3Zym z0;ruYxx}KrWAdLf!{D*>XHw3ck>fWH07B_lG(9_w%&HB5e$;8eL;tOsyffdN0jCdK z%{+b9;aF0Kzex`l<1X!~Qd}c;LbJ#r^j`Yzi5l6D9Vufk(#pm!lD) z0*(678Fa|A8w^e*pE$$oAOFNZh-P6Zrz?deJbfBU}wh{ z`4%{BD2LR;p1#^a5AZ}ArjFK@Z^w-{UXRybdOltPFrWVN7vqJep8_sPPF^6eY3zP1t@YiqgT;vRL`?W@`U-hh=fPP+f@Vg4|WZ-eSP2348< zAm_8!0Z*AoKy{eYIPf%?sG5b zlr>VF;WITQ@akfS=ybN@=RfuHW+b&t^O9+sF9N_W3Hba?ATgr_lqjQNI4pw=#e}|) z!+hr}!&@HmI_!68gdA5n9@~KE>M8<+soi#eeE_!WMuAI<@!j9`C*s2&`3OR`9M3-U zLIS6NSbU7q2k=)tQlK?8NyqWB0(iO&RF%wi=HKj~flm~0OkXVdw)0T{way%a>KhCT_Lx-DFnHtBF^nPk}oOp`nOomBHV50frry7;Uq1!3d|K{J1s z+(reEs{pG&RKE(USS-3LeCLced-?ZhY;?D{ChzUrE5u=*sAJBD9(rFq_|PN7;` z+);O94c+()7;!lOhETNes8a=#_em@;*D2cj#r+0j`P_B&zGKlI>GbVC!UC} zJpTE3j;lkpZUV4tw{FJf@^Z9kDBD|`X#K;~;2}v;q2NN{FY9YKL|M?a;ltnM@ZCKR zs_9E2Bk%TMp}!GO%>z0qcvBTyWX+heeTSxu*DmI!V>1VKI`n9vY1O-EWdgyFXKsck zVB`*}t=U{2Z@be)OK`2#dNO?hC|C-{FPfe|1P-(zgf9V=yr)SH-2{?jCr*{J@Z9~U zjHj6H3hY6+1E^XK>lBI zmn3C&(pK=THHF}4txKWSym^+HWJUYSo@O;hz%B=;^WM$}8>hLs>2wF!02sfkBiXB6 zpPGp8`1pt8;Ro-}&Ng>cU6@;l4}J7Qaq;|F1RT>9ZA&fJUTMeD+Jpar54=A<{_#)7 zeOK%kVW?A2( z>)^WPg89^ya%Xv!Z(LH*U0vtm(GPqmE?uVVMntB>Cv{Y5ZhfV{92I@Lvq|FvIMQI` 
zV$_)CDg%$a_mT9i{^oCdHa_|Bk3;Ko@$ySA#={Rk5TE$O$Ksi1pG`M`6H^B8czbg_ zzWn*mXJ^)z0b@b*b;7^);*0SrzF4E~=E#g>h6Rs`6KI&mq5a zXM>RZZ{x=^-}MJ}tU21@cR!Bg+UvLCD3;wfe>e)~M}Fi-zIjl!;G(*xjQ_1T-|3-w zHt26-0*>dheGVVm#_Y6Nbv8`)c-j#FH>klVBnr72Xqt{_jGB-7Hr>h8m75%!DCll& zw{u35<0m1CQlEll+-kReFRj!-WjN`TonJ7gD@jdH&jN@paI%lqVMmP`pacGE*oU(~0Yxx4FUKl|DA?dD){m_!$a0Hqd~ZUk=h>81}^ z;mvw1bjr*VP9e_a+z4xaeeMu0M>x0(z!}U(w|v&$mb;%K2)Y9VnpSNhzWY1>cznml zJ^~nGvUj&JDf@By)bV)Vd;b6I-3g#(NmUr&>V0{=uhX-y%sy!CB zO)mqy({tzl|9h)WoxM)gt*UoN`^r~*MZ5Z%tJ+gfKHm21-kChCT)w1z^P9e@z5Wf~ z&~CWl=62(aH?`}pzp<@dx4v!KxH(1^Ivex~_FY!qZ95fk1li~?g9ceIzH|yQIxo_6 zezJT=KRUguJDB8XI~KAHt%nHAX@=tqru2VGN016=nOVm(&feKvgtz$YY=!fihwVDb zJZw6i%^aE6W`-^WRCBU63jjfN>Qu|xTE6Vuylq?54c*R|6ZST{z2N!xw(D=W1)I^l zz#jaCj1A9cMkRxX!$qR3HFu*WvoPUZ_?_iVv?0ro#VZ18Xl|NSkpno61IDyZ0U zsV<=XetbFC%ch+-z3ENQE>lH>tct;1$_oPo(O1I6Kxi%hl*RI8iz1+&$Tznpzs!Xi zrp}vZYG79M^3F+Jkn@(_!V7E;u6B-T?$!z8@Y2B=ML507JrDt7UIbc)lAz7hfJ`a8 zoy%uX6c7c-+-VaO>BZF-Nasg;7O#8xgdZ=XaOKk+nt&xZW+sgHz#;H<#|D~z6*y<- z3$0C?H?{Zw*84LE2zG|i+O`WQ11p(jT!_!WmC}ngWfN9BbT@<*u^}8ae;p4l0!Msz z)F3BWb;a`LuazE)fM^Teh~fPd}a09k$pS_AXz# zH2>!Ph7D`mwbxwJUiY=Hi!AH;lAv(>L(yjNJ#%h*=;24(#?4!@BN3SLeAN7uRhU-| znFZNSz{-p~zISqsEI)8XY=|;JSq{%b2Rf19#ox73rdzon3l8q0Sg0syu&gZVM_b+- zijygy>EjW!yX;W_F-oAnZmF2M@Wq$FCsXyOs{K*DlTkN=bzG)vqIMLS8ky?BwsqUi zK+dLTho0uPyYGH+yYZ%*qCHETx@0A+fGM>((Mh%wV{PZw^=<3cwUIsUXk&-=29EV@ z%cc!&?V2as!=L?hd+?JVi{bgx?PHOBZd$)C=dIUoSl=Fh>WQE?f@LHK2MyO_WF}Bw zbIsLlSp?v*(fv86N}jqCoz&C_j`*c~ay3WWz38?6x|3h@V%g7_3ZetgyU~y?DeO7y zbndC3I(GP2XOF?xL{~r1UCIlXUdgFHiOhLi{Pc})eB-kZs+Z%cDF@%r1mq>Fx%%pr zZRN@(xvXZ-?!7r2G-R3^0aK=GIf^~sOkpg7L%xxYOvl@5X}#dNd(XZc@=p(0g-vAu zJ$l6YzZv;gG4qu5_?H1OXzL7x5k+qvPKDm?{Le79xW{qH-OHwK1A=)#b7c0Ccc=Ap z=sYVR3^n^jF=KQyA>J{3!;3NCF8{uf)|Sds*KlE08!>BCv@uS+V*GBbwE~o zkfYJZ^c>+hUqQg1Iz4P)_PqAudtVya{B2PuWFGC%oEJ=EG2Gt~!SoX!`GfY65B*+y z?4eJ#r=EDEede>DXrFoTQ^Smd9^*VxUuf3)%Uc9i4MON?7o(yjBPmtgb`KNp=aSNitQ-X^$m$V6) zslWDMvqo+)&bkUjy^w3Jeu+Y(2M#xXL{o;#HYd6&zzutLu`YmTwASzQ0Xrez@P;=$ 
zyP$fxpfC8df+#*ahC=2^H?H5<_U+vl4s}1EQw4lXs9)ccJC}*wyezv$K^y$Eka|?Wrh*S(ga*SZWDm4 zH$5=Q2m&%<_Z<+;5oblfH2=h4^ECfx6UP|@1E)2nK4nR^mx9wZEwP}&g&bA!QqWxLX2`yQW z(+Gmy{up`+X49t4iU2S(GpY}M==a-4{^XA`8@FKJ`e5_M5xUyJaL&VmTKw`-Y9vM( z99z^7B=WD~hFr|0=8MLuQH#R|U;ZMlzm)5H9-=)XK124wVFp^K@aKGMlqUv@?+tx3 zK2J3`{N4AoPk;1-ZG7MEwlL_~wQY0r zC&l;g+t>UB2=krRR_F4kpve5afGwLwgLTgI#HQw3D?E2jzFgeBV@J;SuDa^Vwsggk zwm0;(|Inf2k$>63JKL%m_IB(@2Kk)fwQ}HSWS%jkk0d_iMeZ>=h|B0;YFsvxI0JTn zZj3lWJ&E&laL&Gcfk1mknm&t$a|JJ|zAS>OGA^0b?j75shu#;#B8(x1Q#qUq)E-=r%SH)X>KQLIJ-Io*=72%`%JvzB&$ zWH@6HT)iwqZ?up*cCNl+dAoAu!Zs7Gs4tV8KYxC^{>JOuO*h}tuDtHLJXCumGHE-V z_D4|Oy)!zrUAuEQob$#ZTYrquuCZ&bzNWq6m9Ngf?7D5ou6%&%xN3^ zMg$l5%mJ7pU?aIwBlMfyi!3u9TMui=mg$e#=FOu{a37pTP!0YCR6};b&d63!_O{&I zW;etoo@gUFQ*x4Z8ck?=n)SMYcgCE^oFh zg8sm}dCSK3JHPu|?S22}SKG(_^n>l=AOGX_NMxlO);!$yZr{+ZTsFVG>fXEC^5u)$ zp3xY>M`ko@-dtn^_2!kQw|OBC9Z<)!EHOIKxbk4~=%7xVu#|6ByYi~5qH|o_c5dI< zo_u;u&i5`~v7%jf{k36FhuZ$ga&3C?r(n6&k;dqL`S$NI<*CJ=jER& z+7*e%-U!InO*_D7?9h?sFB98wChB&pVNMUvg`j%A*OyIDO^Dt*2GfzTMesa&Bzxus z^G9-zdw1rf1^sinEGhz;^{V-TYNlb2ok!s;DY$TAOR+}gq{AMMz`$vb#V}aUziip^ zEW<&{fHK1h=Mv;{(mss4JLWBduEOEz?wcYI$GqvbfPO(_E@+Xx;x>n)iO@V%S3ZZO z3_gdekpTtWfAmKmY-5KHrLz;0`MazZju0GlGK&b%Nv;e2&p=clTbXO}k>x{jf!mr< z*_qI9I^s}d{T9~eOR8CsorjFCT(+<+U*?!X(;YDi2xszwP9~;Pvexu~T}s}9$NgjB zl$er=v+qk z?P^m_M%EejYF<+ZWj@tkVqLy?UR%CoUIzd5mNP|mI$aP=g2HyDM3&56g6X6u2s9-U z|4aGCouu28*T~$t@i{k#_6J4}wyoQ@Whd#F$*Zndl_QL?g9k!}k?kI{3g%$=j^%#c zcHgOCbMr&KE9WiDBP#aAx8u>SX&0+S$Ta7ggAkom&C{O_o(n@8kt!a(4(UE0td&%w^OkM_x+-gwdE? zM~FSeCz}bOfd|DV!j6>R#kj0efbYn;p*|~Y<6L}P0 z{K&WU?RaE=N5*1k9hv&nqit%)AZ~;$jI|??ou!)%wyv+NCVsa#9%W5}$F*R36SRS}{-|n_!$F}UaZ@AtrtLbg^ldB^` z{&;hU&OLYB(XNQhb>FTX8R$p%?}<8lbNlbXQL6`zwrN4jj0mtZ!&dw;Nc!McC!+(B z?dwSMQ$f#2DcW8SY`81WB*&)lehV@h7o$suyqFoZR1j;{PhV4q*QM5OPb269A!XmKA3gAeHj|evzyv$dLVL?bfvY3A?0+#?b8om9_ z$QpL<-jzda*acI8)gP3T@p|(rFy=Y1@qCW6LgTq}T{9a98sX0AhN3tBDIUXJ9ZXy@ ztfIwm-Ibz=D_>G1tzO)8fsp)s$6pi;c}>es$I>5x4z6x>MFh>ba!YPFo_V;VkyRa! 
zAWNXxUR-1^lQIS2@EUv0t$URr9X}R$kL%omm?_gk7RPgmlmIDn6p$ToV;galjNh_U z(C|qWSaN;(3vAE?UxVy7szu z;Pkp=Ckr`EMU{lq77$>BYB-xC4%+IGXW*R-pyydpa;^TSg^Pvm+sbUZWk zJ1cB1G}vZ_p7@XhVaB5^S$l1^$d`d%Ch+Ak{10GY49UxwJa;p)k*VQ8-6{Ctjp4ik zAot4h>2RGxYOb5}jGz-m7cX3x!)jR@$oa!CE`i6N959s#jf9Q`tn1^bZ zx}${xwWF?}MyBvb1L^)#+o3~8ga5;EKRSt-BQd-k zY5Nb3wO{++zt$f7_$Tv-L7fvJdXqkP_KY?Xnd!`FmdHi67~i`NP-o?6KAl@+=0SgM z0*I^%FMQlofwi;(bDr%G8L~{)lz_Qfs~n6JWTOIBPA`O>GN@nF|M(sB=1|B}w8wwlQkAKhg~~_| z$Iwh!3bH@k)>BKo%*oB1Ws&&I%)0T8hd=Vi&0Asf!ph{5srZkRKl59y zpt<9*3jm%4nshwO$R5chUwXtdFCMz{SMeLqqpG#4V-fh5EnD1P6dBf6zv`>o9e3Q_ z7A;-gX3U(MFKW;V&-BP*a!FFOB_QMwo&Zd@j61-&TR-Xuz0m_lBO{&PX3bmJ_Uzl= z{_qbz*go)kzZ-Z?<}^Y60luJ-jOWnlEW>qyG2|H;E=-JHZ3|YS*z{4IZ6on_yN4muNXb(^GG`yG#)t?x(a(V2Y&GISlhI5OYS0ExpGDR z1>fZ>mbS&wsqNdjy&Z`W)q>FRqB(QhSh&Tu2&(%6=kZAK*%2Gpsn8L7%26F5o&nM( z1J0)Gg#_(Q2GxMG7C@AjNv&AAB#pycP3s1|38nN@eW2t-euqt*`ak1f6h>FxoStY? z!^s3yb6mBg3Ke3Nc|xaFEnTuCvmn7P-}=iIC{1vQtWIIUO@OkCO4cKwE?lrMf{_aZwFB+&*paqq@sga2<-D0y`!6p3ZW+;U|MqWYrrNDll?8Tzv|G5{ z74F0*SjO|XC-XYa^v;wh^>{QdqM|+Ltu+wXG`oz$amKC$Rb0uGQ(^uXtkV3z&4L)N`UO` zT*?=Z!DqLg!?b}QYRVu+1rcy)Ut~yI2!81~|I#gV(XMRWix^vA$Bvrw)VT(p=YXsh>9&exh^vBv0Pdw80?%kO$LvOh0#^}Ia*6zON-ge_nw?+rHB<#wvuqkaM zvPaV%I-mTTYS{tAC?jZelA0H_0<4ZBM@Krn;5HB7j!{MaX_%=xrI}H!vkiY%d)MwA zZPCI7ZP}7V?TY1#+meOz+TI;I+KJ#{;p}~Z zjw1dajiMt;bWRixpIId!yAJ1YmK|A`TeWC@-=5w1a_Yuwu591@rf+ON@crN4UiIo% z<=@Nla^h%YoDLG18TK?UhKut?BHJ7t&8ZTy?raWymCIrA3= zj|-y{SnOL-!dGbn_q=LFeSLoXfRj%J1VcPgn3Lz~#Jf{LY1#o=2PccfaD9xo}&I=Pg{= zmS3^5t+?XKHaqBEw|PhVL$JREIPTM@$iv$C=6}K;X^U}KN3Nj9$B5B9%3`S7NZEZ8hJm1 zJS|KH)yo9uD)`RH{Ozaxk?oCzL&dN!g3iovF3Ul>?Vw>$f~uo`Lj7H!WmjPe@yxJM zqGlNE4gJ!{NCZKS)&Zt3Km6>1|E5nXTah;6z<9^_r6~ichRn*(k z`Ew&UMVk_cz`fL+0I) znRS_}wglI3q4*v_Jjycee0dQ6oc@la@o;AHJQ+dM%Z!t<@ZiUSZ%b;9MHVuB=G6AW zm%O0;jlcFC?fZVqol|AOlhGGb5Keg>B@p*_i>65$`|L_UzixHmrTJefEdbY4vb|cnxmJXp|fW)U@M(vTAnsLpsOmOakk8*m<$V$SN z!ubpl<4fQXSj?w&^Jby`z&Smf*3oxfgy^ZwG0ErzLgfsdygZUoayX9J{W)a^ARlXU 
zA`4j(L!~Y=>zZd)qMJ;>P4~OCq~7k&&dgA$k$Lk1pQTx0gb_##S@X2~2r`Zt^df~5 zIOWI?*B`oz%58ekxo*?C_G|C{_571AUKUv?kn@PRWY1{v8TT?vj^L1+6+$Ta!j3$m zlW>gNiEuXaatjtja0`AcyLtWVzrOv|@A&ris;_!wo_An}nwKOxrS8vu1YW8MeBDX_ z9_HoI>^2^9IS`I{QuY@`WT)w5Q8rI`3a85y)X+RKwi71<=QPWR=H>>6@so$!>L(s- z+qbQ4BO{R=hP@iniqNwnsE*7IJq2H0DmfldtTcrpFy+6{Wge+$rA1_Gf~EDIxq2fm zGBTy0UiViM$fN62a*8K9T*G@Of-PPa0cGj3plwdRJbLu;)$NHVpK9wjZOH>%WT3V! z`>P3-l{qJtz9?YM>=@;Y%#Y7`%rECL^REeziyk&$mJT9%h@2NCk7!%j`Hy!5LxT3x82rmyW{qD{Y^KwZH{K#wwN82GdI6#%KO|M{J8>xVk*=Yn+0aB(X$a#D0 zIJ%jRRg1uyZ`b2r_+6BZ_QGflgAMy_7T|oHGem(f8bf9o(ULGcQw`B{f?#av0K>}V zOi|o6zMOLvl!6Yt$93+Mp|gO?=le*ezpGzHPC~mM&?x-*!iP@eA&0FL~)p z^6l?ez4Ddqw&&fP#~>;*Yr2EEqaz51%&a%?;oRaKd9lnZ|JG9cM*p0dvm;A#wBn)8 z;k2K@LV&k9z~#8Y$es>cO%Z%enGr$EXy8~|{n#hlXFm0z$UF~(vzz;jjwFJ^wCD^3 zRYO{=ntx5ZAn$lSWrp9;X~aDv4ZD4Et~G+K6YjHPiEJ^Kg~dNQaOSDa3x>c>y_z#J zuPt1fz@y*;-2>9%I=y0$w;2q$8MnYJOA2{q!o*a$# zLl)7bc~q+#{AB^z;^GL*iz9+|ybgbiD^w6A;J>)Mr9Um0~H6A!yN z6n1IEkPZ|GYJ} z&tG7Xk#KxL*)acT7^$oyPXmG@Gr4eoQx^G#T1OB8D+2QL$Sg)8V_3U>UHgMS{C^R| zrsM+eg9i@g&=EiR$L?|=d1OS9u_Xjze;L-{*8<+Mkj-mf``Y&AZ~eCRnpb<1e@DA& z)v9o)1<_6f9P^8j;q2P6E8pfXT)6BMZE@usWzat!S!V{QxEsN?lb0c-XD8e4$eME0 z5OqwMHNB#O>vQJ1gKnKAK$%QN_+7#CW48Vi8(3>RRl+(0tqWZOv&_U;DLR*IxFrm$e&ix}{xtF^v2#~u>a*s~3fuEyteYB3y2Dn_1d~DaGQqhDUg>FJe6yq1m5qiUMesY`4#cp` z*1U)TVVp8H8IpCNG68?b=uj@|KO7FCm$m&cT1`U{@N9Dp?+ruj)~K3?Go;kw+!!{` zj~<*sApouUQYZpIXJnMv%^?awURGFrU`Q`$3OAf8gKfr#E^ychgiiB%BauNl^3N$* zaWi*Qedd#&Xiu$qx?OkGmF@X=-kH0Vf~feM)0Qn++!n-VcvAk^jL~rH=iPKuyZ41J zh-_(L`^GoEv3=_||Hbyw7ri8YFUo9W@uH}+ctP-dtnG?`= zTYK=6ABs%$a9b2f>$K)YOMFK8nUQIRN<%Io!;q(Wa$A4}CYHfGLS!MD&{^o{aAb+j zc`#?)ts@ptL*JoayQ%!1zhGgz;+kvP@|9P&g)6UVN5<#0$DiKR9)5C7dor@pE!!g- z3mRv~5Z=6{7mNOYq0x$wkg_xV2q-)v8=GYwrBe=FtVD%X0njbvN9Uw!3!ShIaK; zSGAYF?B(r>6<4%vTQ-M$VhqDh&j4QvL3PS|-t(UE@BGg1%)e#x#R7U}!at{=di-z% z)d((gy91A{)AN@}WrXu1fQ-zYmoKOMIcW26oYq@j>-3y#WPkpGc?;9n4~{vGZdzM$ z#j;)y8JWqr9K!asx?lZOJPo;cd3h7O*3 z`X};bh`5_`l@Xl1w8_7i8iDm#1m@Wz3)|8aD+pB>RLapIJ0ZVQ#A8a4ToKXW6HEeM&~ 