From 352e2f2b6b4da2a4deed29a7b9e9fec5b556689a Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 4 Jan 2024 16:43:02 -0500
Subject: [PATCH] Update links and remove glossary files

---
 ...blishing.redirection.windows-security.json | 5 +
 .../glossary/attestation-identity-keys.md | 18 ---
 .../glossary/cloud-experience-host.md | 8 -
 .../includes/glossary/endorsement-key.md | 19 ---
 .../glossary/primary-refresh-token.md | 12 --
 .../includes/glossary/storage-root-key.md | 8 -
 .../{hello-faq.yml => faq.yml} | 60 +++----
 .../hello-for-business/how-it-works.md | 153 ++++++++++++------
 .../images/hello-container.png | Bin 0 -> 53302 bytes
 .../hello-for-business/toc.yml | 2 +-
 10 files changed, 134 insertions(+), 151 deletions(-)
 delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/glossary/attestation-identity-keys.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/glossary/cloud-experience-host.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/glossary/endorsement-key.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/glossary/primary-refresh-token.md
 delete mode 100644 windows/security/identity-protection/hello-for-business/deploy/includes/glossary/storage-root-key.md
 rename windows/security/identity-protection/hello-for-business/{hello-faq.yml => faq.yml} (70%)
 create mode 100644 windows/security/identity-protection/hello-for-business/images/hello-container.png

diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 7eb0dedd6c..6051b78c53 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -8319,6 +8319,11 @@
 "source_path": "windows/security/identity-protection/hello-for-business/hello-videos.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-faq.yml",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/faq",
+ "redirect_document_id": false
 }
 ]
 }
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/attestation-identity-keys.md b/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/attestation-identity-keys.md
deleted file mode 100644
index a54e38b3bc..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/attestation-identity-keys.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-ms.date: 01/03/2024
-ms.topic: include
----
-
-## Attestation identity keys
-
-Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
-
-> [!NOTE]
-> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
-> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
-
-Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device.
-
-Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. 
**To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. This behavior isn't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
-
-In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that's not backed by an endorsement certificate.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/cloud-experience-host.md b/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/cloud-experience-host.md
deleted file mode 100644
index 513ed14514..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/cloud-experience-host.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-ms.date: 01/03/2024
-ms.topic: include
----
-
-## Cloud eXperience Host (CXH)
-
-Cloud eXperience Host (CXH) is a UWP application used while registering the device to Microsoft Entra ID. CXH renders the experience to collect company credentials.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/endorsement-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/endorsement-key.md
deleted file mode 100644
index 7a9e18fc40..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/endorsement-key.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-ms.date: 01/03/2024
-ms.topic: include
----
-
-## Endorsement key
-
-The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits).
-
-The endorsement key public key is used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs.
-
-The endorsement key acts as an identity card for the TPM.
-
-The endorsement key is often accompanied by one or two digital certificates:
-
-- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
-- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
-
-For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during Windows OOBE.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/primary-refresh-token.md b/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/primary-refresh-token.md
deleted file mode 100644
index 32f6c6865b..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/primary-refresh-token.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-ms.date: 01/03/2024
-ms.topic: include
----
-
-## Primary refresh token
-
-Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device.
-
-The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. For personal devices registered with Microsoft Entra ID, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com.
-
-The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. The PRT also contains information about the device. If you have any [device-based conditional access](/azure/active-directory/conditional-access/concept-conditional-access-grant) policy set on an application, without the PRT, access will be denied.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/storage-root-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/storage-root-key.md
deleted file mode 100644
index be08d631e4..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/glossary/storage-root-key.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-ms.date: 01/03/2024
-ms.topic: include
----
-
-## Storage root key
-
-The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml
similarity index 70%
rename from windows/security/identity-protection/hello-for-business/hello-faq.yml
rename to windows/security/identity-protection/hello-for-business/faq.yml
index bd1924ee2c..67e8551bfd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/faq.yml
@@ -21,25 +21,16 @@ sections: answer: | When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. The statement *PIN is stronger than Password* is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](multifactor-unlock.md) feature. - - question: How does Windows Hello for Business authentication work? - answer: | - When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. - These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. 
It's important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn't require explicit validation through a user gesture, and the key material isn't exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure an application to require re-authentication anytime a specific operation is performed, even though the same account and PIN or gesture were already used to unlock the device. - For more information about the different authentication flows used by Windows Hello for Business, see [Windows Hello for Business and Authentication](hello-how-it-works-authentication.md). - - question: What happens after a user registers a PIN during the Windows Hello for Business enrollment process? - answer: | - Windows Hello generates a new public-private key pair on the device. The TPM generates and protects this private key; if the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. It's associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. **Each unique gesture generates a unique protector key**. The protector key securely wraps the *authentication key*. 
The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary (for example, when using the PIN reset service). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. - At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means the user is able to securely sign in to the device with the PIN and thus be able to establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using the PIN, and then registers the new biometric, after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. - question: What's a container? answer: | - In the context of Windows Hello for Business, a container is a logical grouping of *key material* or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. - The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Microsoft Entra ID. + In the context of Windows Hello for Business, a container is a logical grouping of *key material* or data. 
Windows Hello uses a single container that holds user key material for personal accounts (including key material associated with the user's Microsoft account or with other consumer identity providers), and credentials associated with a workplace or school account. + The container holds enterprise credentials only on devices that have been registered with an organization (key material for the enterprise IDP, such as on-premises Active Directory or Microsoft Entra ID). > [!NOTE] > There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders. The container contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. Each logical container holds one or more sets of keys.\ - :::image type="content" source="images/passport-fig3-logicalcontainer.png" alt-text="logical container with set of keys"::: + :::image type="content" source="images/hello-container.png" alt-text="logical container with set of keys"::: Containers can contain several types of key material: - An authentication key, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. 
@@ -53,9 +44,9 @@ sections: answer: | Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Microsoft Entra ID and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key. - Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN. + Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation prompts the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN. - The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. Windows 10 doesn't provide any Group Policy settings to adjust this caching. + The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching. - question: Where is Windows Hello biometrics data stored? 
answer: | When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). 
@@ -65,34 +56,26 @@ sections: - question: Who has access on Windows Hello biometrics data? answer: | Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it. - - question: What's the difference between non-destructive and destructive PIN reset? - answer: | - Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Microsoft Entra ID can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md). - - Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For Microsoft Entra hybrid joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication? 
answer: | - Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. + Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. An IT administrator may configure policy settings, but it's always a user's choice if they want to use biometrics or PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. - question: When is Windows Hello biometrics database file deleted? 
How can a user be unenrolled from Windows Hello face or fingerprint authentication? answer: | - To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). + To remove Windows Hello and any associated biometric identification data from the device, open **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. The action unenrolls from Windows Hello biometrics authentication and deletes the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). - name: Management and operations questions: - - question: Can I deploy and manage Windows Hello for Business using Microsoft Intune? - answer: | - Yes, hybrid and cloud-only Windows Hello for Business deployments can use Microsoft Intune. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). - question: Can I deploy and manage Windows Hello for Business by using Microsoft Configuration Manager? answer: | Starting in Configuration Manager, version 2203, Windows Hello for Business deployments using Configuration Manager are no longer supported. 
- question: How do I delete a Windows Hello for Business container on a device? answer: | - You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device. + You can delete the Windows Hello for Business container by executing the command `certutil.exe -deleteHelloContainer`. - question: What happens when a user forgets their PIN? answer: | - If the user can sign in with a password, they can reset their PIN by selecting the *I forgot my PIN* link in the Settings app. Users can reset also their PIN from the lock screen by selecting the *I forgot my PIN* link on the PIN credential provider. + If the user can sign in with a password, they can reset their PIN by selecting the *I forgot my PIN* link in the Settings app or from the lock screen, by selecting the *I forgot my PIN* link on the PIN credential provider. - For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). + For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Microsoft Entra tenant to use the *Windows Hello for Business PIN reset service* to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. 
For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). - question: Does Windows Hello for Business prevent the use of simple PINs? answer: | Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at 10 ('zero'). @@ -118,9 +101,6 @@ sections: - question: Can I disable the PIN while using Windows Hello for Business? answer: | No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics. - - question: What is Event ID 300? - answer: | - This event is created when Windows Hello for Business is successfully created and registered with Microsoft Entra ID. Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required. - question: What happens when an unauthorized user gains possession of a device enrolled in Windows Hello for Business? answer: | The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN. 
@@ -144,7 +124,7 @@ sections: No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. - question: What attributes are synchronized by Microsoft Entra Connect with Windows Hello for Business? answer: | - Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes. + Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#windows-10) scenario and the [Device writeback](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes. - question: Can I use third-party MFA providers with Windows Hello for Business? answer: | Yes, if you're using federated hybrid deployment, you can use any third-party that provides an AD FS MFA adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods). 
@@ -166,19 +146,19 @@ sections: Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. - question: Can I wear a mask to enroll or unlock using Windows Hello face authentication? answer: | - Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint. + Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint. - question: How does Windows Hello for Business work with Microsoft Entra registered devices? answer: | - A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures. + A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures. 
If a user has signed into their Microsoft Entra registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Microsoft Entra resources. The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business. - For more information, please read [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register). + For more information, see [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register). - question: Does Windows Hello for Business work with non-Windows operating systems? answer: | - Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft isn't developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). + Windows Hello for Business is a feature of the Windows platform. - question: Does Windows Hello for Business work with Microsoft Entra Domain Services clients? answer: | No, Microsoft Entra Domain Services is a separately managed environment in Azure, and hybrid device registration with cloud Microsoft Entra ID isn't available for it via Microsoft Entra Connect. Hence, Windows Hello for Business doesn't work with Microsoft Entra Domain Services. 
@@ -191,7 +171,7 @@ sections: - question: Which is a better or more secure for of authentication, key or certificate? answer: | Both types of authentication provide the same security; one is not more secure than the other. - The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates: + The trust models of your deployment determine how you authenticate to Active Directory. Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates: - The *key trust* model authenticates to Active Directory by using a raw key. Key trust doesn't require an enterprise-issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed) - The *certificate trust* model authenticates to Active Directory by using a certificate. Therefore, you need to issue certificates to users. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing CA - question: What is convenience PIN? 
@@ -202,7 +182,7 @@ sections: No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users. - question: What about virtual smart cards? answer: | - Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business. + Windows Hello for Business is the modern, two-factor authentication for Windows. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. - question: What URLs do I need to allow for a hybrid deployment? answer: | For a list of required URLs, see [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online). 
@@ -228,7 +208,7 @@ sections: questions: - question: What is Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust). + Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/deploy). - question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment? answer: | This feature doesn't work in a pure on-premises AD domain services environment. 
@@ -242,7 +222,7 @@ sections: - attempting to access on-premises resources secured by Active Directory - question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](rdp-sign-in.md) for this purpose. + Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP if a [certificate is enrolled into Windows Hello for Business](rdp-sign-in.md) for this purpose. As an alternative, consider using [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) which doesn't require to deploy certificates. - question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust? answer: | No, only the number necessary to handle the load from all cloud Kerberos trust devices. 
@@ -254,4 +234,4 @@ sections: In a hybrid deployment, a user's public key must sync from Microsoft Entra ID to Active Directory before it can be used to authenticate against a domain controller. This sync is handled by Microsoft Entra Connect and will occur during a normal sync cycle. - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. + Remote Desktop Protocol (RDP) doesn't support using key-based authentication as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). As an alternative, consider using [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) which doesn't require to deploy certificates.
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md
index e32b8dbeab..24cef622be 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@@ -5,53 +5,32 @@ ms.date: 01/03/2024 ms.topic: overview --- -# How Windows Hello for Business works in Windows Devices - -Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered devices. Windows Hello for Business also works for domain joined devices. - -## Technical Deep Dive - -Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business. - -### Device Registration - -Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Microsoft Entra ID and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). - -For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works). - -### Provisioning - -Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential. 
- -For more information, read [how provisioning works](how-it-works-provisioning.md). - -### Authentication - -With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. - -For more information read [how authentication works](how-it-works-authentication.md). - -## Windows Hello biometrics in the enterprise - -Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. - - - -## How does Windows Hello work? +# How Windows Hello for Business works +Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Windows Hello lets your employees use fingerprint, facial recognition, or iris recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. -## Why should I let my employees use Windows Hello? 
- Windows Hello provides many benefits, including: - It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge. - Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords! - Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](configure.md) topic. -## Where is Windows Hello data stored? + +Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". + +When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. +The statement *PIN is stronger than Password* is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. 
For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](multifactor-unlock.md) feature. + +> [!TIP] +> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. +> +> For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim). + + +## Windows Hello data storage The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor. 
@@ -60,30 +39,114 @@ The biometric data used to support Windows Hello is stored on the local device o > C:\WINDOWS\System32\WinBioDatabase -## Windows Hello for Business and password changes +## Technical Deep Dive + +Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business. + +## Device Registration + +Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Microsoft Entra ID and the device registers with the Device Registration Service. For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). + +For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works). + +## Provisioning + +Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it can create a strong, two-factor Windows Hello for Business credential. + +:::row::: + :::column::: + Windows Hello generates a new public-private key pair on the device. The TPM generates and protects this private key; if the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. 
It's associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. **Each unique gesture generates a unique protector key**. The protector key securely wraps the *authentication key*. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary (for example, when using the PIN reset service). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. + :::column-end::: + :::column::: + :::image type="content" source="images/hello-container.png" alt-text="Diagram of the Windows Hello container."::: + :::column-end::: +:::row-end::: + +At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means the user is able to securely sign in to the device with the PIN and thus be able to establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using the PIN, and then registers the new biometric, after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. + +For more information, read [how provisioning works](how-it-works-provisioning.md). + +### Attestation identity keys + +Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. 
This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. + +> [!NOTE] +> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. +> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. + +Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device. + +Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. This behavior isn't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. 
+ +In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that's not backed by an endorsement certificate. + +### Endorsement key + +The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). + +The endorsement key public key is used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. + +The endorsement key acts as an identity card for the TPM. + +The endorsement key is often accompanied by one or two digital certificates: + +- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. +- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. + +For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during Windows OOBE. + +### Storage root key + +The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). 
The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken. + +## Authentication + +With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. + +When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. +These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It's important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn't require explicit validation through a user gesture, and the key material isn't exposed to the requesting application. 
Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure an application to require re-authentication anytime a specific operation is performed, even though the same account and PIN or gesture were already used to unlock the device. + +For more information read [how authentication works](how-it-works-authentication.md). + +### Primary refresh token + +Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device. + +The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. For personal devices registered with Microsoft Entra ID, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com. + +The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. The PRT also contains information about the device. 
If you have any [device-based conditional access](/azure/active-directory/conditional-access/concept-conditional-access-grant) policy set on an application, without the PRT, access will be denied. + + +### Windows Hello for Business and password changes Changes to a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate. ## How Windows Hello for Business works: key points - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. - - An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Microsoft Entra ID, or a Microsoft account. - - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy. - - Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture doesn't roam between devices and isn't shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. - - The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. - - PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. - - Personal (Microsoft account) and corporate (Active Directory or Microsoft Entra ID) accounts use a single container for keys. 
All keys are separated by identity providers' domains to help ensure user privacy. - - Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. ## Next steps > [!div class="nextstepaction"] +> Whether you have have a cloud-only deployment, hybrid, or on-premises, Windows Hello for Business has a deployment option for you. To learn more, see [Plan a Windows Hello for Business Deployment](deploy/index.md). > -> [Plan a Windows Hello for Business Deployment >](deploy/index.md) \ No newline at end of file +> [Plan a Windows Hello for Business Deploymen](deploy/index.md) + + + \ No newline at end of file 
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-container.png b/windows/security/identity-protection/hello-for-business/images/hello-container.png new file mode 100644 index 0000000000000000000000000000000000000000..7bc87c077627ea22a9e5ba7bd223e10a4dd0473e GIT binary patch literal 53302 zcmdqJcTiJbyf3-|fuBJ@>C&w<5mb6FDgx38ks56D-dg}cL`4A$p!D7X1R)``P(`G7 zLa$OoC_-qVyv^^NGxN^OyZ6rAx$lqnn91xRlkC0r+G~B+r>(rx*VUkha6$k8px1nK z-w*&O7s1!sKQ!PwC`u1W@NnMkk*OyDu-!O&QD_=o-vr;J@HEs=14_ENSHOSH*{bTO z0>F5rYnnJVJK%8;>}f-h|>1Ana> zI?N=C#*BV?q25!0Ej6^w)5RydnD?(mzgnL%D9p>dgQ+S0+JVp|9VSB^3XE_@xwi_q zeo2;FYhv_q^P)w@;SJ6SZC{1XQ@nY6{`G5qR<8P_U_)1{NiO&K(~oaAmXcMzUy^p2 z2)x#IG%1j}hoh#FYwMmz_)KP|mX)zAj$H@}mu1gIKDqeIE8zIAK?f}rM!yEjAW6CUpCHQ>~EZW7$ z$cQyT*>7`Z;%_yNtVi~oC)x^bg-WO>IVSJ1Z$BHaaP}OJSi5=iCet*b$OL6I`FWn# zWodn~2IX(DcQ9{O!Q2v(#sT~}SA0w5{YNh8ZUm1>)4nRHvdy`|sXb!3p`KKdR&c?>A(m_ey+)rP>>xn3`Ts&Un@u z%~Q}37p9ATEVO@rntXw?T3JV?Mzep7ZDBa$GW^!J9}D|i^Pc0eUfPM4*X-foB>7ey zZMclHsUeuAq3+rLN^(1G=h@p|lU%Ur=?lzysnsa%Z5eRO+1xwGJK1rl(A2byd(T6e z@nd4#gN>(E#NI6@ypwuoJ0+l^IL6YMWB6MavT=wPe$CF}35KWC@9fAZCqY zf<>TzqwLWix2#e8NRnSV22Q(jt5Jb)7aW(@;cF)Bb)qM;@ zFQ~umvE)VBwMNVei1NRrUxX-D7tC>m&{MCtRY^R3V#x7v!yWPkd3n4M-P zJKb!BIbxsiRX%<;kR?PJ?L1p|qf42OX3tCwBO(7SlKeFO$o}=NsKw2d7sXT7CFG{G zPvD*+PuR@82qA zX&=cx&pdvcqnAr#y4M1Tj)>tGB}|=>b1_av&9_>x43Wh$?WlU-U7KaEo?e zb)F~^x2I#{F4NdhuvQ7TkQeE|o*c88SNJuRSX{=axzlBE<8E_j$4fY8>iKifRBwJJ zXx=M--B>$y*))j%WuiF84f=;9)$GqKi^;n}LOZ{NUc94psv^A$b35|y&O?69p69ii zn!?Wu@VTEHWxtA3R$6#2qY)TCYA)>T z>ZefFd2%V$_-9`B1wEI~O%-XI`*J}wa~+3y)Sq`&?pJ;+e2aY_<|B#qXevCdaE{wn z-9N7zFEVJuT7t9?^qtM)=Usl)Z6s_hoUXjn^p?WAdaRx4ScO&i^d@ycY!fPyZ&IN% z4jB|V9a+rr)UTMOusok7xZ^xB#}xaZBPSw%^W1gEsP01&VX3J+l`r+tzE_;4vrMqs zEGjDmDj5yKiy-7?1uh0Si`Lk5B?=m^o}leH2|0M=?w8MQ?TwY2h{5w(IX+qXIlb_Y z4$9~MenGjJX{0}Ah13u;5==&(JNjPM&l&}LDXKZ=bX^K~$8xuJ=<0=0-uo=*xhuD) zYmRM}L~IlN$r|kj0ZHwPC3{yj9_} 
zjAO&a=1aP@N0JzZl(+i|>!jp!5$M!g&Z<{PZ}OPQ+Ag-KQf3sVcxR?uSnMNh?l<8T)|cNNj5#_+<;LA)6krWG9A&04o=5de+r`xTB;ox1 z+c1o5MLi`oy7g{m(stCA&tI`Z-n~=HIO@|o?OeAAex=Vaf(e&xuK0*%d*{cBov`ln z`G?A4n0MMku?7N9&7kj<9x?%g~8dp`tg z1?V3-=k2>AeSRf8Jdcl)OeXgjl^-6wve}PuRd78$k`88jne(FM3Y9}Cf3exgO#8q& z5B`g9RH%QtnZ%;qm}%4^S{~|t8Tn_5R!q}~=~s*1qq!zTyIjW`v4mkN-ZZHn79+bG zIG94RdoJ&)H)9@u=eSDCrVM&J`-;+1$c@<^=0@%mn}epyWOACHV_l~y=Ig$nyHy4j+uyvvyQ-^+0GF? zkFKi34KLkGx!!j?d)RKtBB1al_(}?ze`$~GVYu$+$i;HiJFeYB;O4BRCNHvPwk2Rk zDL3NTWIYH7>_T=v5T*pl5Nrw994{_UF50ll8@N4MkuTl8w zW{|1?rNtnW;M=&k~F?odvPQW_e-ct@&0@o~w#1*g!bis#ux$<>Kk-qYh&^cgj#J!_r9jt(%Gs zwI#p5>?MY*3m5lOq*zjURC(DrWs!|kc{zPHD&37eH2`cx<@vyYog zZMM_)OJum;pFg!52Z50R*;cmmC4H8v=oll9O}j%Eh}=QBlzVDk31(|1;H>r9m9|@!a5%%LDQ0`jFEJg8m&^ z01W|2!ZR~(5Gbm=<^2za0D@S{hq#eQ2A=meZ0_pn>V3tD!SB&G5;2^|G61HUeufkpRs_hO_uW(K7>)-9dcbqE86$$A$sL@YWF?ciQyIAPENND z%{o?PuP81mZeZ5o!_M8+shfWEjEoxOC2~e9TFKcFGfoBArGzOSJ-f5=O8I#0Jk{Sh zN3o)`J;YX@_nQNjT8X5$k>%GRHZ{H*snV5qbf4-r>MBm!qoc+7TUQPeZS-f|o;|y2 z=F^j^_^!j@`!$Vd3+At^f*9q6W$!^o-aI$tk^{Vd`N`U3jr7(X#gKtqoj$x-y_GByBN>ToOhB&3wk- zMG+xO-6lR*(2fL38rGo}BpnezxbjBC_I?2R1Le~oMMy>@BcHCN-lJE2>W=+V2adeT z!9i2iM;OFqcA5!R5fh8;fUVdyLZ1!_dA#>LW8+I0Lb3^uv^iDV`VzZY8Hh0_Y}s>* z&_DVZ=`rmKsMPg6XYhI@{ul{Wg<4RnQrjLQHxzq?(KqOwK16y%)N2tmkxcRts?_(P z-#Uu5QJ1H0PBTtQxlC|OF0ne)x1?o}UXN$@uAu@qXBw9=&3GvPZn_m6ak>scb{MO7 zOH%ww_KKaY&dtru{6fn}l1q)NFzvAOSJdmlAMS_^c>uqq!(@ABYo|?FY*0e3mp^Zfb_6fA%u%f+a6fZTvj@5Jjt1aY{%27o(&)F3z2ZP- zXl`%bYDtr$!Z)PkgW80uiGafM6$=4lB(pJIgZvWgq#D7He@KUH<{~?t%Pg=;5WDT$ ziRdl9PE1?hwhE3|-sd0KudZ+&XG0W!$?#}xrwyS5(w;4rL_jelI~enMRfUe*@zxIPyMNw4i4c%n(0ya! 
zcdH}iqCbHVNG})PXI{3R{rZ;l`iGmMY2JVlKU8q<)jN9u>NqnYvp$E}@n!5j%X?D3 zEg47u8*kvk_T8=ORtMM?#Db9NMCvB;Z&mV6%K-&l(uGd)}`htak23U4J z=b0WZDeN{}ld3>H?cw>JEb;o#SOxJnc=jp)`~~^HSLs7&F@Z<$Tf%qcxr_yAx;+Yx3E<}`ndx4vY*1NYnwCqE-r+shG7_zX`ol@>Y z7Zd20Nd+wHoHbJDVjuubFJUQ^w9KTryvjxcj!VXOg>taMx=8kG?RRm{vR*jjO@BOl zFxu*EkgKrM63Ncq?$O8Jbu(+PG!+>~3H*%$Z>Q4j#L;q0QPf!EZ6GqzOmNNk2L}IVD2W77l*r!^|g8Oj5}8QcLvXg??U6;8K<_0 zY>1vXMT&It*xbd1YdzSJg2k{kZ}b_iW=DY++=B zQN2c&rIuAgfPJ>@(WCJaQ`5h_-I>hi=#5Fjl{De2@ej$#3&I&dXt#O`_c9Y?36f+V zXH5Nsy1^r(Tm2c1U@tL!TL;1M9@aS!?>Q!r67)xO#GxjdPuZ%1sbs!n?}pxh0wutS zv}UY-@;G2dPdTtDw00jvw@V0kkXOo;l){#&u*}lJ;J;>Od~*Z?87E)5w|n2owSVl# z=R5q#8Zr%%8=Rz*E2gubzHHYmZSbsKIweai{nr|)!tP-FPuKHr^tPGyKRx^hH3cpK zp}#WzUs@vjKIMvaaRA1Shga+6fj{hx+&r_3EeT7A`lS_VdZ1A9aKe1M4vt&Pq)@TC zbvK>rNcVJncgb}^ZVz`-8Lg=NQY8L1sN&68tbD0h(S|KfVgrO4xmAKMcJ^Hg-g{nO zR-atgHdR~uVqNL@)yLCM)S*Q#Rvx2uhg+Z)^f%0e&Fl37ovjmowQZSE2pH6^*FI?@ z)>r20FaTrktfQmv=pX(z4S6&){P$DDg&9hH#pCt;{?;k9hVt<}P&J$YJBH^$$fMI4 zW>kD#z)&!$@flU9Ly*%JEe+uRKwP7B4wU(T<(ud-5MulvQ~3T@z~g@?4gUY^i%(ws z#_id#jr}M{T3ev&aQ-`YmpnwPeF5l|Hxa|xNsCoE`A+*yN$u7<1J%rp3QH%4M-cKn zOxb?J($o$Jo$^}kFIKOb^(*h)n5g`|WsfHlQG`dGPV!X{*Exb*@6#tNJ*72H+7XTw2LWc&6wsFd1&0s=g|K7qb9>_Jb&_OZ1pI z;6)qe&rlF@5eU6?vhS*VS%(Qo-|l;!dap1(udCW)oJ39Doi?@eoiZ-v`u2?)2>3Nn zU;FIzD5UCH-n6LI_Q+bNI%RIc^^gg7x#lLdAX1C=oi z3~?tk%dV=Q6T~cB0Xe=#1>32|1@Wiz(^il8X+wE^p0BtzU{7`bra9~6{FAh(V~>Y*+CnNMy|0FLYk(Sby86VU6Pjwy|6Kw4{|lqc`V$4uOiITCE_wf! 
z;GhbQNnq!VysPjC9)G(O6_hB)6uPb2D9hq&;!-1te$_y zUM1L^{e#dgJY2QkDslaI#YW17332@avbfY4Jm;mt11~Sf{5u_M^EQI%6?C ztG<-=bbyyYaLpBb@Zs(n-?}KlMI696x-IlC!)ZdOmTk^?deyG1*n?^|CL`ktVPgZU zmT_@X%4x(J)EKc@8Zn%q-MNLbfS0_PX>Z@dhYy`Vd}$yP!^OuJ6W7tQ7Ke=aB|;y83J6`~|CV)4$V=Fc zSKjB=VI2z9a|Yw6^%+Yb`5?rO7G69wWA%a#V=Rz@{2Qa?0*7W9yT3nOGbt`M$BzB^ z^J0f|a!hvi^OJFxB_>&ktXzNKW#O|im2!A=9kOsZsER&5b4U^+!J>@@8G4m)S>d9* z&)VB2|3_CmKxAW(KlJwymf=NO9dbVZO-{A9I1xYmm$$v6@6IMOz(b3BvumWAEOQ6T z8{u?}Tqxgk@Gl-`1c0)vR&E}RjDGd1u&ly{Eqz|YoF{P((18cD62*lRPKD{PYZrbk z#Bb@BFvoz3Oun-QtJfrYqq@i36zvpW7f8Lo$^6c&f)4;*fCEay;K|O#!q9bRp=$UQ ziQ?)ax02Gr(3Osg=2uj-chgwxypk52!BRNIn!xRujJvtGQFT zmx#UlEy}f=G4qy&06*`C<1eoy4!^3f{3*Y{($&=LEAt>T?Lxsut)=220C?R4?KUk# ze&Z1n)+dU8IR8AcFL6UDVdX5|4A7f!-d{<(AlL~T<6~SOU9OUB15afg*$nov(-IHgArU(@gxGgN5-qR(;pW&nLLo;FfAnGd9*>*sE; zFlgxnAe4Xf?m8k&QT*?Ns$F{Of0(fj2MxPedbGTujR8yiowHt23N@rKWSs#`5BPcG zj9Q*qi&rCis-6+8;Z=gh(hh+~--Payl^nZ$iJlfR`2)6rnpvd50FT!}`yENAcoSsf z1G=J~?$J;RfHMLdhFMbdPz2%p5RqZYfqAR2J^*w4K6~iGVNpEXS~Ei-$dbJ-*kn~h z;G1uWjvgFs##80{onG{^bYSq8p|z<@3ZNttoLa4c1rMGY##wgpGHtN$A&ql&h)c5; zrvWmq&>sJhQzC9`Hod3lDIPg&iu!fA0`-&D^-Zg0E3EYV8Jde=)0Q_>-iXMKZ6Vj$Q%-e>fWgaeOoSY zlqWW!duEH>aK0N;%Yl=FQR}k?h#|;Cbph#y(hyv}sVdCbhn}Km)AOWCKxK z+_LnTaZgBzH52>8_?~Zo41taa;>p1n5V(Ha{JeJs>NS7G-1*upR5XXjSyb-TKjB^& z&x9!5hiDvR?=V|sTr}9w12kOxJ4CVr^L><-%M;^Sikp!Okln5M^8io?(hy6XS%aaS zXFoV5g{h}aVBM^*acU(fN5%8K);b8ai@SXyv5^@T1bp2MXa|B1`JMhIceYs%bs7LP z+ycGS$F&|Mg{5k)qJyVaD_0djSJ*@|{tH!oer!A`NwCN5fLQ`9A>i2ZFZ0MG|} zB0$UU-C?QoHC|nuuVwh%p{s_D;;yvLfyl+@paK3-U0g$N%Y-ov*Rn#`|N4IRu^0%Q zyB?mst3+^X$YHd;9ty4~K3BhGE&a50eahq%+Nn8W8T>}E8aOq- z)k!=@XtSH$%STycSj25-ugWGQffp%mP+0tp>6tcrd%~ma*_Qa=UP*R@>*TcNy)s~O zwYP1%uO5VC;=r?bFOe6B#SXwXd)ckiS#B6E(h@F!%6ci>k*8K(fmf_FH8}OIm$avFf z!$MmXF&VGFwZwo`@1*2v?&I4swf=X&kN098N&m+19UZk>2r8d+$vZ9YF1+?gk90Ei z&Eh%zMeN%Ej&JL0a{*o=Obi~x2JP~Y*L%SSCX}+VR09b%PJdRUi$Z!j`kcwkd0FJd z0@u-|<$=2gTc)5_yZ%6g&V!ie+QYCjQMOJ))f+5-N;H+<{IXKD(VCi8u@VJan+Z=t 
z+i+S`NgO6LP6O4K!DYZTAYkm*uU~7u8R|ZBKi@3}UgqZh-~y%?%0Z0em;j<8GtsfC zE)^zdd$ayJ1I}y8N6~+Hcghzj8CAFl^b)}uYj^G1wF=kix+-yA&NHk8Awrh_3n=BB z>Ah(CFHr4q**kZhs#pnr-SA)R8f?`_3+yntWodV9Z^{V>9Rs=RCzhXBr_nRhKdNqn zK!_5ahs^NSv9>evDRD!KNTfIPTuxqI5@rl+h^F+U<;rCaO3jC92&9vsZ(yo_mhq^S zwS4`i0To~z0~YFRVRTbPzC+!aLKl`}rs}gkAq&F{*MsSaiU87T1^V5xBv_PE>_<&r zzu>8-qGh-bCvY%ze)_X4!hSZc?}?$}<6oV$RJ)p=fh(9M;pqC~D`bUN&3wK1d& z6~5HjXJAa4IY@CxQ~`8#3iVN1?ZR4{hw@jG%$Nn^~bLzr+r6 zz-&xD-`SdND`U{RTXB)vnc9VvvN47cDSU&(E9mwZbVP;WXg(Bn<$M{FHYV<+x=s6} zefp)WdJ($dtu3e8_g7Bn(ne20X{*Jl!?9-1mUkoyIgcXu>w49;Do;FgPSVZ%JSBim zi}Zlj4G4baJ2-xouT|pTITTs9QH5O$JNhNr;k>`jnqyv10hC?&mX#%Vp?$F{X=&YP zhR*h7-=6&|y;nw!79EaNx(=d!yP&ze8V8$!n(GEVF-8ho;S^&6GY(&mrE;8wf5C2fFQnlw*rNym^=t$NH-7Nhgx1!!P z9AP$?Jg@1Q@900-q(^t8R1XcXWL&WCK$f8>uulc??szhrOP($ot@NjLb5Ad!X*Z{= zFAF)HPDHNUMNtKNJ56FTNFvx;@{eIt1{dJ#d z&nO*u@{hiyDP7AqbQdX9{Efj8U#pXq3PJ9Db8L7nLY1K_sGA}ew_>6xvo8t0FrP%_ zhdMJqFT7|NfB(-SF{?2tZtO7)Otc&azdc=YHE_e+-h6mU-{-Pr=%Zp$Ak@*|4oE7* zVd*9hOtEG*Py^+1noozUs?ZjfmLmQk3+sGC$@-~QM`%xgci2q%?D7cVSUc$lb@A-L z)%f{=t2UU^lX0gqboUm%pElNkjlI~@ZNZQVu=p3)N}W#=E{)eGhTmjuH^1DCnVjWs zb6N6CAuBAJDxFs$yugL_t{F#;Dq9fED|#7}_6y)W;lZ-*moc@=?=#D{)5Y$9AOYl% z?kq0QDw4jXHrMM&&tvnRfY`@rT6Qj;UEP@#S$=|hQHq$kFAxiD_H%_^6j!?B*V!)? 
z#-|zyc@Z$SdKYXi0OC<#A)CJ!@U{s}nV$P6iq;Y81T7{-G2JMRber;%o0|1{2jZQ3 z<@;XoEzj;8!e$X5(|a>Ke&E^@Prp$1a*|#$!Xt0V#VQan`Vvjw>COPa`r5;yvrF^* ze;hxPUX{n|#O;s>c+iqt$|NgtJM=#5Z)owsV7$sV??0NAPZr}j(6=w~=zA>6nQf|F z^DY%jC@5zYGrqnM&_|Ju*T19DYS?S?cGzN+H=FgRWV*g$*R0cZr6&^hR<6QJ9~Y?P zy#L-8>=D2eyvTUJo2Y!`FX5@R(ZPSZU% z_~!MlJ_m0#!hdi&C5P!YWMVu`=6UPQsdC)jq#SHzcssH_M6SA?(;;Rw>_D>448*y6<751z})oAn$Tw z$dqk=pJph0LURw3WyTn_crk5%I4=w79<6X}le;ANfw9CwioIPU4IvT`TqVT*WjF)* zc3m)q+xQ;+HDHG_O!gu(;}YcW$8RAPjTYFVM4nF8I#R(a8arWbky}x_@bcV2t?^VCFYq-WKfqg|-#!z_QI( zkzS)(ggV8jIovBsuV5KR$b`6J4N(XgKNFT*0?*NExW^aJ4~lS&08IMOV}_JwzUpeI!v zJ%zV=lIC|BGBTAE(i!Y|x~5V#mqjSLWZVM1q3|vjeqmg`>80eJ4|e-iIb`MIDiVKK zi?={qff=!e=%aookx1QCtYS~C>G4drVU8vA;32x0g;)0S@i?-cG3C_i!~BL%VD|AO zh)1B}>00Qr^t^nz5{D8s>~`w5)rPmr;7m^}rJv&QsvRmt&*AppD4#iuHk9; zJpcsM$@^=f3pC-BIH#RD^Q^{{p^9ShN@lM@PGk!>%P;Q%L?R|?0Kzy0teqXaLKPU=7QNDLvo-^Q%m!Z=#C{!sqp<9OCI#i3<-ycEccu5Kw;Wh7DkY9%$H5o`y~=TSz4G(ZZIPucl;k;2LRu{+ zDHt2}F9hc}dKWEq_wFii=~qBmryRB&J&d<4Nj(ElQK*l&z(LEvonM(8-5AXy@8steDdp5(pr+*Yef`gYh*5pw#0Cus8vh{Hj%nFo|Qbv)x>&@R^d^Rp&b+|QIw@xi~m z7eU+GvZ8FCE{Loy9l_sFPhwauRkr#_Z?&mQh~UjU5y1j@g9n@!tckW503I zTtK=H2*$Xn-5D1kUU9-RkN`+fp<$q%V(^h)vzbz1&Tvv};o;CZPh!u{pZDjUL$FpW zyZRQcBcgi&aejh$IS>V=`Ke{=-SHugv5MyHJsgiZ+HV`B+dWlOl>a@T?*AFAaZepx z%$&xR@TsRLAe{@eWO*LU>cm+asO;&NkXbkT12S1J3_ULqU+<_;AHf!T3C z@dV@+;(7deC+<*7e39uFP7e|{ruNZTXrGOd9UI0ozxWq&cWXC3z`n&y+ zWcdX*s0_>v|Is>?aaG_{T3H_Eb2(zWH0R~&+y}(M7QDhK7hK(?&af+E1(;4qt&Kk?yA>N0RWf>C(e6gh-w*|T_-jA7q651J&xgMd7swj-K2xk$Y_u3g%H{&tJ zS>90iwCP{l+{z_%p|#lM($+AGL5me`9bNDz&Bj_bco+A$!%DMK?;iH|tEIfG@8G#c z!LWhcd$meEIu66$u5F1xNOmIP!Cd)or-{lth4GFzS)uVCqKJ3ljN) znJ)G78>fALkjAl`dra!p9oMR})4HGbD(ACbT#$>nop{Qe@^N2M=O87RNC4%&xuNv{ zVbsZliEaW1&G^2`@6ruiA9VZST9#hTllA!FYa2$QtFN2&m-?{6cAs-ZHCal+dZ+_{`Wps3cjor#OK%Ge^{} zTCT@?TluBgPNwAv@gQo@(LP;OQv?aoXYq}x8ETs-$^+J#3S0}{>B1mw#e$xd|d+Y<2-Wns@*rGE|%9i}~9N0&Waxd8q%X+`6T zk2XYWio4YG9)oqv?yD%wX|c5}kbWFVyi@oH 
zn>fWq?AYAgoY2&e4c^MvqS7>|cd)g7w_R9`MZIVu&=5z7FQR6*EyQG1ouv~5fqQ<=BnY`8k%d&&b862BcE zySb14oc7PkpX`393FhNTa7*5o`}4|$Z_Ft%KRzn@M|4)jgVR;=W?^0?aY!lvj@wO(Vvw9(>?tY@@jVPX z{<9Y7`LxEu^vQ!tom$G0O-@%) zdoLN(%bA>tX_QMLQFn}Qy21m^Ks{9?aIPyIVZwo5lO5wrgBXnG`mkcSBGMf8|Jv0N z*hEV+hNMS$j`5?XN9_msm>jdGtP>Hl6VLVt^P_qsu^&HZUCKW?Dm?>fE=bi%a!+i) zq_9?+OI%^=M+e6~&svCuv&`8)^0wd{r^j2scrf}~%3 z^zhU#xL6e0rEE}`j@&!?lf*7^n{VSsj?S9`^^Kec;9hlz|Rvo*xR^Gc~v4 z9i-Lbmdl>b-U;o|rm$q^lY{5(DLCKsq~6Wf3O*Gc_al2y{cAYt8MK%<3(pqabbwx> zlo59%w#JVM42~J*2Jmj&*@GOGh)umXB`WgeX)yqj;1$jk^(||L8DUha22oUKXuH%w zS4*W5y<~crIG^P=Rcr4s}-{I z-!ykBwm!mQ;Zi-ra$zdctmIVSlrKlP3f$L|9{g20)-kQ#d$$=BwGxU`h%FdMsXEjSGQKQjg>2LoSOdMq`QNVLSvo_4D(pa-%43DOvKt2lJx@{ysdU@Is5jT-Cfd|n|I1_nO?Udmyz9veF~Ez6YZdDD`B;^G1}YWH{f zz1_*J@8EmYy%#}(0e+@O{QxXe;~}TQTo#zl!+1kQs(?nY7oG7&sPR983n0^(?TV`E zy%<{Zpjx%$cxDN6Pfnt_7uhmT6+cpk(;Sc)IfaD^ zH1$~;hr4Qb0BcJd;9}|Ik1$!K^0SdW`5yMX5A_)&q z@9uM{NN25uMoTLyI%j2NNl8e&I6gi$5oF06KhwlP*zdEmY(N#8qE=Nn0GjpEV1TU8 zqd5KFECXog{g*y3nB4j?CPoAM2U|kFST+fxe=Pw*KS7VZu3eY3HP{ zqLZN$fau{g7Y21aoa?mc0cV!a4!D2|Rt5;dYF-O>EtuV4c^ktmdl!E@6G$FB?0-D= z28=5>p6%lFIojWUzPgTWj75PEVb^_uyV9i#13pAOV-|xMM3adD5g;Gyr9PzafuSfqO z$~U3LEdJgVG#JltHj;#=(b%Q+(-a)gPRTd?+kj9FwsUM3GnFD`5qDl zl2mcdUioN%u2{^TZ>KVVR9@>+S*JB_(p832^Zbf`f8z0SMX zW%`<(hIay)T44o z<`B;-AHS_GbSa@3s>DSv1jg{@LK4=(3DjgjU z_&Ck21~7be0fR`2ocz^$b>{Sdn`i*2Lw_#BL9!rkR!Nl~}8jJp(8fL`r?LGqLNStAPMfY^(9DnpFemI-%+E%k4=Si62tT%^LEX~M|$ z2y5s7F78I1%js)1Rhi(XERxVIq_mPfPP6Q_M}&>Cre@(!M|t#zX}&apsqtj=w7md4 zaazfO4JKp_^Zdb&$z7{It*F{)_U|Q){KP6fH>wG7oRX8oWR8K^Jun;xs`O(iQe-W* zlZo2bei0hf&o^?SBcap=m=}WCxd_g5gr>ax`MrCh`NCfX=-&)^MQ0Ajq47hSs_}H! 
zUY=i=8*(ZxpUC60l8k|yLVLE4A0-ADirx<9{yY{eZZ6rw)XiGUcrqohMDwxGEO@;R-&ye8w zQM-V+rYhlC&2Y(~#IkuhJ`Ct-H-oBBN=?X7=TTK>jIPBuu1B1x*qD18pnx3Sn6@kk zc@OykNvIy`=PSC1WTWS^ep13TDF}&K2uMZr+Eg{HQYj)SJn_8xlX@j_;yiYs{3^^02ip=D0MZ6YwugFB4-Fw<8jWLl3C1(K z@5|Jxt*#ZsShW7iv)^H+oUGOPsVCT90pEz@9dKOD-O~xz5ZPLAoZYS_99R+AQSsWM zMhd&a(3a+Qzr^g->ccL9yb=W8&>|)9?aXVpmH&+Dp;?P7KPI^67X;6div+Ap z@n0jh9K1*5Q+|%yDp-h!i#QP+kCD#{FYC>e%jLe$L_gi zp1$HP-l#9)m2Rz1!On5q;7cfJI3hwK@?dlFxDQdYfg1(w@rpIa{4%Q!aEpE~@l2b` zR$({sWo=;TC6mcnt;WYgdyw(q@8s)GM?S&_Z;I7IN_^tb>4na>VWKEw&As&1fos3; zDL2=^+Bv~8hu}MEPja8yuqqLN3uCHYd zS!S@x?lvxNdAIqET^_PS2b;fxa~lTE?H?@FwWp)asZEJk)7On%BGpexgA0nufgKO3 zoV60!dJ8;?nBzT)uW1s7?+o7QJFh$D7}+YL?f4dp@q=2l%JG&eu93-c521lXSe2D~ zTAqb6bMS|M7TUm{fw)$^sh1<3dNcV%e`qrs8R%jfI4^mx3IIw#I-MmXBmDaSDkRB= zt;6f!mN_>C9jf&I8Prj|H&ya!$&FX{n0?wMjY={2Q%d%d<9GCufQ~`_^I75@%~thB zOQM$FGaS7;nM7D7k-iFZV*~x1KO6$U56A=mBNcp z>7vHW=WgbSnNQz6Sp!r!gVi$~1v`b_9yF+7>|PJ;==UED`_nHy-KbS73bPw2$&%s~ zofo)*QGf@zU;w#VV>6zS|>*AKBsKy}2}qWX#rF%mJe z6XVLYiN(Y%A0C5-ApvTP!t~O)IKE`+xE z^wO-MXgs^UY&ggHFWsu3xb2GS-V%B6%@jUmfl^hecNmTjci$h=^tx)SImQx|=^beP z*|pqd2;KFlGGr$Kt{pCI{-FE^_rWm*O)#Yj1Pn2~r`4p!iD$Qr%hdW>IP#&0LD zP^W0J2B-Plak6hL%3@|OijyF8IJE@510!;v4Xd}6x?GwzYAbOi)Rz{)IR{fE>GN9Y zpNH9t+lZ_PXL24D2r)~h$pY3&V6$|O-hWxh<-EUSAcpH1yQ*XZ;N|ddMh)J$z;!{2 z%W{^JsvprgdM0HLqkB*%^p@=R3Uoa+;I>u!24acHhrNjpX3epsk(QoG8}+ABRKRu6 z>c6%e6Ifp8v?>Aou?IgNB_uI`jbT>k^v)t-HC)H=OQ7=xn z#IfG%jZN$)FpCWmr!xxE6<%fIX*V2tCm^;D`DSAsYqRZU#R#2XU4J<)R}uyKKmWJ1 zm6}9S^V#Zfmd*ix>Vx`k7Ruu7$u#~fO*C@Ibu>!Zi#sEZF1HZEC;JI(qv6U&;)l(( zq%9b|%7%d;euENp0gvL<*C%~&qcOZsUeKN{zW?}tk@ucaO|Ea-XMhc85K(Cg0=g}9 zu+Uo&6;z}XLNBtB8bEpyAPNLjHsBTk3lMq}kA zJM(!y;);PqF7Eq2&*M0LM?%FDSU~xD`UssDGr5Sm-N;ysT%s?3v2c!V)&neIPX&au zH1t8haP*G{81DXWz%2jei+^f&N5gN%BE+I zI+|%S=&oSfV1A}$$O-IH!>=&4WxJOARf`7o_PgT zEO`cWROhw-udL_bWBc#^D+TBzn9-5Z1_I6HR-;kMFuq}*z;Uon8u_Ft*us+64<3FZ zj_g)tpS!B})BQGLscUE;9UOju^lYB4(7h5?UYWjQa}mJWFkMo_dB8I#la*XIOG{Fw zOz*%wA+tWmn)(0Es2(ackXTh!<#13I5n1liUwCam!;6Wv&@f#o2P_|sJ!Qx=LwROM 
z_pysS?Na_%-^ISqvlzx|)Nnox77bOTd;-xzaxH|sx?CVB$3bQZV` z^xU^}^L_~quH~G4lb9OI&4|HSkxPHs>82Fl9n5g5QekaZNe7uXx^z?Z zwhjJev4a%bG~2A1d1t=N0?F!&$_@Ah2BQV!$ z4`6G$k*hkE?;F=l%U4S43DRB%>$BIPQ)RQd=Ns!}xGmmgeMEKACB*?(fSyvp_qt4a zqfDzG-nC+bMdi4GFuR&PAlSfA5xYG0}Yt8n74E+iz*9Q-4- zm1b&wD0h`iwJvr_ycRF&CvaG))5^*NCm(**$v^s=HQ!uer!SKB*U`lpV9@OPuOZXB zRy2`(BJ*0V;27fW9o-i<1G|oLO^Tjc(tODX+UA@)-rc;z%xDWsPwoV&-K2C$?{f zyboftx$0Eh@m#mG&KF2$b;B-aUsVZ@h)kvZJ^KZRzrK6$HL0x;+{VLQp+kgF(Z58q z*z!${pfi+S?}?&P2boyb(LEf}ylCijwb#+dhX4GglpctQHJ{T z60e(vtR4|n&Y*N_t$bpNGMZ?j)XsQQHYx`sEyd$ZGyE3egx6s)Yf=w;yth8-Xj>ep z5Ly_2iynL$45z*CB%{^5bLvXfo|MXeZ_+!lZK6|Am@mvS*)w0@tMIC%&F_nmwNYO$ zWgpRCcsuc1)C;!aP2@@Z3{q;}v_TR%y7gY0-s==8!LmkDqsb9g^guya_rAH{pXgz~ z8*B&ddWk_~k#WoMWw11LvU^x|{vW2urwPo;n(fTbEy2>UK~LAPzUM9(O@c=l?LzO` z$u;=ukNPNz%#c?h3xl7E1CC?dVw?WN&hWN>@+Z^ZEZwfSx+cTLRz{cr0$$#IH1QDi z(L*mLfLyYhDX@mzcvQla*t=mFg47xLa}s~1{rg+(Wb`62GlhlWKkMA=Cc-?}d^w)p z0Pwri1K>I0Dq|fl&?ODt1d{y27ZSP4BF}}Bc6N3&qO$jMRyd2Pw{{-Z z7VuVQX<7PlnlFhs-hmIA=Ywp_+vPhwnHql+6}9@<@l#)fza6OT#>h@qj8>ZKR2e#X zp2W=5$q#%eS4zmZX};0dmcl~k$iME9Y%cYD!(I5R8+M|3XiVEeHEZZ^2|`xbf6Z97 z!d@s^QJ6AL+O6nB@F#><-F$WvMs6oI++*;alz5WCl(C@Ll&Qws-aOkZ+Z6VA66JK% zv)JA{E6(6=yZaKE;d`!`8s2#L@8yOZq;M+q3qXYl4aE-rG(H!W?e;wrnte!AyUhoSc}TB-*wcSP*uBQx-*Dvj+H5jr~i>#z>>I{V}pDI zVaT!uu^NfLG3!lM!Pj3KN#STcu#|9c7N~{Fdx9aT>(Vl6n$Zj@X=C?E7dIB$&tUVv;^xXZ8kW$q>%DFM+XYNYuj3$_2OlvG)UeI zT6)OdeQmFc)2q%Kad!n5_B7!J5Lp$Dc#;o0cWC*uiS*p0hO=> zBN7MOTPWJ*L3qhCzm>89A*mhjyqby*e?pyUy_urv-oRGY^_LAe&$zDdw?=`SVm4q@ z2p+>jJRm|KpqDs7*JgGlzG}O)*g~$0MIl<`P-W>!UuTeshMpFi!^yL9Grz4kXav$IAIHpx*{tsZNs zmQwOt$uB^8tno*PvQODha*nF<&&mat>&;J<(zV}8IoxDM`Nrd=>kIP;8Ew)C}-owtt%|; z4j-?jchtT}03i_daet5?SOR$qkpy!};M}Q}OIQ9AtpOvGoVY+s#X<2-eYI zx0dPg3Vy;D(V?bdV9R9tAIcrhK_=|@?!bqhs{mFw=r77cygaZ8pPD3zI~i=Od}Q`9OGTZ`lITat!> za*e)y3j9XT@1OV-^%-C&Oa7b!!`=TT#or7(#jCATPo&@}`Sb+d=OgYjT8sz#1B}}- zItCi_?bH*~KPtOcxKde8B?M9+oA2XBB?hjvwf6Zo*r%|Znp3+ABtq~SWwt2>s-_E# zn&aZ$b8Eru(blP1#$(5)g-)ewv_V|zC}Wtc2@&Q>I2Kv@7w+F!?5`V 
znC(cDqhFNw`I1H%og5iJLg(1cIF{ZItHo6Ni@vz%kOYDR$eC#SrEku0F8lfmwadrh zhQ$|fz4lhZ??_Fd*61ga0KTVqy&R(IJ5j>>KL)$=PAqyqlx5Z|HSd;Q{Pe||_h>f8 zftPUe|BIb(DS79ZlXRL-;oHHRD};9?3U9(PBwPEo1zQcbF2Y;D%>`_Ze$RFw9Z~E| zkvNvzIQ~eWAMfjXj~pNgL+7HSqkB&WP80x*42)oruKQKd!Gy?i?Le=gE(d|Fk=Z`C z<9v$1X5h;amV^h6e5R-Kym!-mbBDiMmH!16$Y7k((C-@tjzEs@>Hmh4p9Tj9%iOqe zW;oM25NLWrkOgPPdpK2b3KWWm769Ykm+70;I)i0c+L2J250vi!%z^i;4%WJ#u?as9 zOSU+evoYTc+{I*i&!sU|-UmbKSAQ_1{$m)hWu3XIc=P62+&y?I=aH8|pQ6XF2b=GM zlIhd=-R`HG)))-V(wPgMh7zj+0@srY2va0BR5Ck1(#q7hx61EpFOXOyfYkX33py(^%eSuF0SrWD&hsD0#HuJ)d zFjN{1C=C3Jy3@zQ2vIFMmPwSpy{0D~CwJ&VE$9C33IJKB_yuXiHIfP33Fi!^3j9M( zyS4dJk?AU{GNOs#sfgHXx^aWt%Dut|1DaA1liNu!~`5xM56F#jv^3DxDZh!8Wg!=jvKI10`O` zNNO~K74qg^v*1==1!`j`fIqZ$rHlTZ8ZoFe?1wsA+2+zl^m8$#iIwvb=ivCo0`ApfhJTtHZO(-T z5sQ`Qx>zbTjuh5n&*A>!8zt!|H!35Jkx-Qg8+UC5Ce!buUAxMlabdf1K4uLk44Jd z&HVv;;#cQkbQ?9K(G1J6xb^DpVd?nh`y=x;or_*Usap*VJl~=KNR@JPt5;+cOI;wQ z;+d(<^VAkkIf1f((mbnDujTnN44^1~x5D6MI3Nx;!8v%Ozh!XeK}|!jPdZl^Ky9Vv z=kVK1sVF_miVIs$%jWd1CXg-3J+_W`E}?g#Uvkv=VCpKWM!0yS?jt!42i1;{DV=_fF@{_Vb}6g1_9z9bz>I z!=W0am6AJO8I(p7efsz6qXw2St{+%_J+p1o8BDYvxtheF8h*p#Pleaac)u*8EPWxD z8S7g2Pdsow`0Az(J;&k%XP`j$yp7UG#<@q(C{!AC%kg@&TB(rB!RME4>_qCODj(Za zitSWzXtZf?;d(S3?8QTc{xx=9AQyVw5hiDYUGs}9ym|5=2;rsVyl_Pw#>oIdH(gbQ z6SoE)!&9c1G<&=ts=s|Uo0)pSqrYdItR%ICnr2@y(IQ zHI&3FR_Noaw!3sp)yALqN{uV6liN3xx)=Tu)RGHSUC~N4%XH$zEx|RBht2g4?$f`z znK$@%M%>|D8q1aPrh&l0QEDm(k-7jbFC1<$tCq{AAw5%Q`atvZ&AdI=C&!8US=*EP z%W3HbOqcdm5c6F-{U#zU{_N`}rt^Dy{}k+0c0Su0*+dgIBBqngZ4~(%?}Bl-4hSb* z`?2DrV75TQWd=1m$Xphf(uJOj=wh5z#W^3q|B}AchI!5_eS`S%`TP6l3v%YVBz(v5 z+G7V6D=NF2xU#*2;Vky+Y||zZZ+>w*HFnj%?#@Vgw6~cq${7cj6EOEqK$>7uk>wcN z5@s360Fhz_Yq)DJtgCe1Jxp=}zh)RVcsN_@W}FY^E4%&AH%lKpAg)5poE3FTv#-^C zc*@hWG5l(!B{^tgjsN0{L6^aq#%hi7ME@4`lk1Q-$NN2v%6gR? 
z^}OV=3*+X=ZXk!Gr)waTd;R^vefJ9Gx{?lf5i%iAS_@fSi^}7ic6WNnr%9&Us}DTv zbFg-}5`>bA))bUqJv4+j<&>DqYUO14#Lj8nE=D1z!q0%wI39!`;lQgkx%>Dk|5qRe zv$LM-mO|P1vCdRzLw~lMm_hStC1<_}>}h_UGGFbM$-J>zYGQi547c4is6&`qDM@RY z?L2X0={0|lBHx%3*!n@UV^IvClwJnyf$e#UOT9Vr77$n60AAs@YPU)Vuk#bqA1$Rv zW3kxH_agKAmNsU|vVqxtGvh;&x*SGk&g0y>de-4qjJG4`)2g4!joqxU)=957q>zM-yoa&zOnZw)4J4W!OTM!8N z`+q;c&OzX8t%YU`Jg5z)zGUOtiv36TN?j?)(I@0tfAD$s(Y^fePiYly%ny6p4$`YB z`XucWUi$iORv7+Wm09YBZS*}s6||C)<14E%!H04>=xdJD$?=EL5{vJA=*RK1v(pAv z(>3!|^+tJBc12i;R=e{zp#OTnwQP*;_yHOrl;R}Nu~U}KZJ|7xvYPfa?~|IovE9~| zlt{ej-xvo2_f1`{)?dkQ^3LQ_)_h*3Sxyy@?G}3TC?SfnL#>K>hOXd>?>E%1uw=gNF2=}F)?QbKDJ&~Yn-t$^3+F;$mheO8SDrLy+~ zw1DsxZT*Nn)B{H(H4WKM-To%WSY;}jHR7D_y)X5=Wdd=IHIv7M8Fn+v2k)JGh_d{d zZ`5l$w(=P-hC@oDq_+>fq;w6qFFq>V2p15CH-Uf?#ok#Cr=e|nB};nx#|qm$!4o~J zl$D;*uvV<(_ch;g<<2A5!IBk`^Sal7i&&n5Zm5rhTcqD#a4W7YE?kal_xVVwce$460DC zoa8~6K6G9n<1`Z^MCup=SHp~#4&HC1LgOFyY-sbeGk2>Mr7c!t;oY4n(0#BE=zD?J zz0dsI$ktfNV`-zLwN*wsaQdyZW@+hnZ)_#NIH1z{^}GsmgwIBSKv?MoW2ueCK8BK* zpnasCHBc%^%l*bYhiu{K%H-(O_(LPXrhDZOEX-$X$QY2FEeZ~ z%I14(7`qbTEW3j*Xgs{v3^1 z%yi>EPNx0;%1_GUaM*l*aPOB1kQ=Xks_HH)D1X-C!HcnmbC8PW|GSrzoOdVzX;0W) z3N;6ryCMeVlHBqdh*ao+8iz-eRt2R~SEAv%L|-TjeQhAr=~TWs54CB`?O%iC|FeVi zE@rm!f`C8?FmJA@{CX)em3R7AGC11B)K|CR${N2FNANUF`sbgsW<^gUmIla8Ai~AP zcqda;PDbYGCmG~xwf$ee(#XMhxy7N&zE8$LCzKMv=Gx-nw_B55C~wp9h5*N@1eWUF&hU; zAo@IarNGgMqlJRw9XGw6i(s=2p60H?t(5zO549gZzIR!##{mZ$=GczBD1S~l!#Ybf zyTME^+i1001`VOS3a-s@!{e2Na-HOt?pn@cJ zzi(23&VOCH61VK!d-86o-O28$?fX&QjaA#{v~0f|Bu1HBSwu}E;B8g(kji62?gUZ@ ziUZ{0$SR{O_?VHmK|qV6jd7bEBZAI2j|(j^^q{)$05<>zgS+evy|(c9t{ z4ra7paNznsb|$ZxDF61u;=__x4@i*o_8jZw%Y_}m5&;K?S1+-!HSo_z2bBh;6Xr$` z0_)N5(kziHHr!h%V3S>;owkCRw>p{~UcF09o>3I&Cd?4>?sFveT<3toV!%%qP?kKF zgVfpIR9pF{TDv0s-er>p*(HN0kG7a&%ijw8e0+4|i`catsVb`WK^}W;nhAE(lfX{W zhR%jrsknjLM5LN`<>|u^qf3x1CUCX?*EI|EZe>1)W-I}?c|xWd>UK~mbN}kM%i(EX zXOwQBS2vt;t0*e7R*X*=+dX=G*a!+t3YKd|Z{5Fh#8y8!{T&-LefFZNIY&kJ=v|x=glF7;lF+Dy9Zw;x2XY^Osk}R_8ZR%fhW-kyl 
zj7!;cF3wLSD>*vdA0|5GA&^_f1DTA_Dd;jmw;}2uwl|!4cWdAWXV@yI98jZfEjkj8 zF^7*x3H*)lXOY1(GbRRKinuY8GSygBs=77tu4PJHsIsWG+hZ`!V{a=_~r~#)@`_3I%~X_ zG@jO*lzaHsR~_rO+CGQh)O$9REOZ|sMKl7jm*xcle{#POH|vyS#!pLU#nQZl-{{=8 z@!wspawx6Qm*#`CAFsOf43~@`iMf*^i8kSPui$Db^cJ>{rb+!ze-&6wR>i&o9kpk_QuG!vf)B84<9(`Vz=S`k?dHJoH ziiS#A^PWwR9*>M2-K>0=-+L0Gr4BAH^=8*9;>x*fyh{_G3vh!unEcakH;02j{qj!H zaqb=6%c{1R{mlTM*hjZVL;Pc7(Sd0!lSFnsLyG_`eTECOr5nk=lZ3mXPFkA_DM|^yP52} zfs}GKm4IZ|qd?jDke|V*SeC1MxR2{zpZ_FhXX&d1%sr~N<7{O{SlELnRfoZ4OPhm4 z%pibV0cV)TNizn2RSPm*EA!so*9vvq#_HZc6_k zL(H0iMh1><4rtEF>AUOg^mnO0f`gG6^rXPkVzseXe#QZ?|i08EDG{J=|V z{?=ce4^Jz>;63Z};uNhe5ki6;2!0?f&G!Dh$4e0te9xc?@b*R^iY96<1OD#1FW*w8Pq;Dr>?XL{Z)hPM9#>T#KO{Q*cM?38uh&$dclM1Tl zPS~$C`LYcKFlxQ>f6jwJzYm2i0ZDado{ z$kQ3yf8d;OMFm0GGH+L(z$Sw4SK3|e26NYqB~N=%;|z=V>q8RN4c3;SN!(n6+ zpd0~!(v$oH92b?};claZ{t^vY@UGzdGaDiAg6uEzUXUKwZi5RU+Pf*}JoMh!g9PK* z-XHys3)?@h>hK>n#*br?ksZ(04r;Tnl9%{fy(=bGk|WC_QL)H39t~g3z%?snO~-Dt z(k<8(^`Xw(Ydp#6)TZRC{iX)1^7G`+|3W46lgCn3L3sL8t(mbF+ck2i)UEg&=8?K| ztG5>8T5$w~o!P=R@`RP_EA1Pb?@JoK4SF9s;maiF9>w)^`W!$WGith>bh?JKWE%?f zNTv2XYd^x&502V%2R=!*&YjtNtP(hs-YLlPutAj;>UD06o4XT}yR-p<;}=4=NccLR z3svRS1o@x7qn@6dE3-uryg#x_JLrD<`g=IO8ve(C>W(y&Lu45^7-VVZyqlNi=&QBd zBTbS1W^;`wS(qi064hHyPY}6VoA}*WofrcY#ssfbv5uIgAiHcIu4G0U>?-kz4wI;8 zNw4_B=yy^h*Ey>sA5L-{&WJ9`Q=IpF_7|ilLbCs1+UFiz#<;bT7C}y~8QvGAWnQ4( z|JKF`;6|hwF}w9oIvGH9%)I?QRch6C?f$m|THW?MMyTJ?U?MHx~ctw*b61>d~{AwVYM#Wjk#Bs%`{k}bBZu*&nJpaL=@)4Y@Of5 zEDCDcm}yx?0M8w3cQ<3$+r`5P4b7f)vqwE!{XE(L0^WPVDdJfA>^P|=eYl0$+DYCR z4S#kx>>5R?9^76khcX$ynmgBFpd=)$ii>fUW32Muod!6WS7D* z^VY|IJk`@i0OHPBb5XgTA-3eATtHq!ErhFeliusoI7|_F*H^40A^lD6^F*mjhA#qs ztBETCBG4Z8(fz;aej{HKC&b0ZfnDpG0NusPd+=2Yoy3S~UWA=LHILH&RZG)lf8wzh zT?$aUfMp5;CRsi($wszyjyJZ%uzD$yiCL73kapm^+*HDINe0s4NjW(BVW-*csCPm8 zVcEfV=pZe}K%~_g`xa0bS50rPzf}>x0ouwqYp>IqSK>qz=mn-%EZ-DaqE~MlN4yi(Falv zc^H{kbpXus-&{$My~)7$FM%Y(`e?G~{@~HKIUyyfRHtQbPI~mKr?ws9S_6;8m(H*n z2F$x`ZWViXN4MJ^b%Y1|)Nh;CFy%SyYNy{j+&8WfwCSmUo-i)4i{#^yu!!w;mb*qmvm$PHtE)1-4!K<2 
zc2%TL{C9wg0MYG#094*Z{139B^1b8=2f{^Gs=_<7P48s)G>()KlPk)bwGZZ`x7Cx) zQz)XR&BhzgVn9KoGe@5D+}p|Yv1(6Od`fiWhtCeYJagk%*hRjaoaCXW)rs=1w3hIt z>IWM1A^_gV8~0xMDEEC0cF-4m)lFt5tT6|C%ldUjrJ9@?G)s zj&w#G62$WSoA3=a8&BM|(3I_H^pc8-8BVfVoOK}c!>U2(AL+K3;glhGi!dz7cJ_*k z%6BHnW{8?i()z9X@2CC{ernvdzF_q3$jr)nud}mC-#VYv{apH<4f$GZ69WtBan+mu z7bas6uKnN9W&UU1B&dx9u~b2xf-uYTg=o&)w%44odj)dF=sam7%0lxgL-P#dfmrp$ z=twQ*Ki~Ui16(BX75F=I%qNv@mx$WK0xrLhFo(VmFg@mD2tg z^m5 zDN8aWqvV2euf-PrgTFQFnH;9weL7on5-g z+p3Y<^1#JH8+!?$Mte$JlIcF2ZQQuCQd43%rqd#IX;waxN1mu1ekvvnj3bV;|OR=;rJEFO6)-{ zfBi(7@^*i!(Y50bT$PjK2dzGv?wEq#C|*2z>!-?*^{){#pi%5Q806`9K3^<+YX9x$ z?ooPPs;+{(qP*kn`n+vysk72TmxCQZ>He5)Y0_N8S9)lq>yGFG2g2g6>~aA}?L8JE zzKHAx8?=59m}BQ_>J>iy?(OzJPNufMD@iX<*Nz$a<(*|UmC(0fO85#QWzyXmbQTST z>EjjF0mbdxPc7n&xXe@i#^YNq?onhmCTSh7*(HtFDmOZ)IBDPhpdR1;TH5AHf33Hb z6a<29Y2wZ=G5W~**6=6q{RWR?D+ExW^6XysOLE=6(V!%7$QIS#9F0}t{(iUq6*p47 zB$Xy@H=3ttY;CdFktBa1Zio7UQ^jMl!j5Zbi_y%mta^7k zr>LoVO|$%P80$cZAxyLM0(d;|ty@ud7q;6h9RqI&n3ukDLb1>7<}aJMWM;q$GDOAB z|11*fo;5w8`rM?ZE-Z!67l=jyMiVaQcFcKqHE5z?j*3=fFA;lVMW(Sd zcH)2rSF7=Dvd{LLk?zgXF%}t%GSylJmq4 z53#X*8vMA8Fxs~f8c|lAbCV5!Xlr)pD^OT*9suTl+ah+hw)z47XVYy239#^Bm&1uG z1_&Z!$u5i^@Yt6UOOS)WaDgm8Z+4eY!OOvQ6p&b5Ccj6>C@HxNs|p$(Z`7)KRhCAr zP$JfRQOB9w0OF1rjSYe#f2JYLFx2wx_41~rD4Gm17jBc*EW-2%>loIg0bF(XY6 zb9#enNi7xFKK{WQCM{hjruilknx4u^jsHS@$24k=o5gtO31MlpFE@E0`!z>c7fqU5 zLvzmLW!wfh0#u>CHl;mcicDOsh7kZy$+=rEI};N{H;e0j{CL1&bnkL5ML1;cx`GU7 z`g+w=f7eei-gs`NdDIryNpin1I^!xoo`n;c8qZ|f{{YIr!st-G8xu`Fp0ue=>!T%a zj6VLbon`-rOP@lBM7!tguTuRpSQxanrx?2_Zea};7)9dFL`lXiJ64vqx>1-iQOCdS zwwwBb%I=sTukS5g;~Pd=_2rg-Y{YlaX5Frvlg5rQ0()jGy$&C_^tk+wG!ZMG{GW~F zirr?H>`Mu;mViz|r+JhJCT39iS!sma`lUsX%Agcm=P#YiNv+hr)2tKEVc8W_ig@F_ zXeh2@CZV(GIdfo?Kata5_^`JMIZ{z-A6yz4Co-jg;=-*Dm*-R|pmg@I__DWtv=&VX z-u4I3F%YcI84k;H+W!2Cr9;b5Z|8%a6YJbDC-K>8Mll9hy41TK`}`S%YR$Do z-@N%Ab_lAALC3<-Dgo$&V*7`2Gs|YiP>MjT$Sfh=*(Vm~o8D%U-vHM_MD54uKX0qM z)PCbo1cGWK9PRq5^>8AD<9#*5HOysK%(zC@Cj>h})*DAk%}E;A_#sMeHJ@r_cgii0 
zc+|TDlUYlY4i{MkRsaoIoR>w17f``O60!Y2y!4r$gwB*nSB6!bJb(D%wy!14b%L6y z>FcI)_(C~BUpyP$nWTk7vMzTkO;M<8e%*!ok+D&|-j@XcL`)%1m;WdkF)H$WJ3P!I zA?ZwGm+%{!B+){c%DQ`F-|WpVSk+A{hSd%fVEs1rDsA6B#2nQ+5tw)dM zhf__|AjBRBV8}3`_?$=iPNmG-k7`XW15&U_absd}?tpYflxeVh0wG9yiN$2VnG~4U z1Y4#!J5&>pE!p16<5hkOuX>Yh`C7}8LECY+N6HlSn~=Xi_x5;$&S0wT`Sr<|DdTI% zXqcok@87-20X+(}lWALNOJ-jZ1hwPem#+Y7!iFiKcE{37X_Lp)KD`mu=`)84Y;Nk1 z+0A^Qz%>x(-utJO6}f?6gjOaKLz0!6AbNunnyJ(izK9f9EA(E<2V;&~n_Hk!X^j7H@WAnVP>mdih7?lw>=HfYQgT0_&`pV3?!b&&vT<_sRt@U8XiQw0T(g zQBU_vvPfw@FkhQG0ZxB*Vvf4<(|^OQBg$N4`8k7AG>~^nr`JE7#JVBSRoUKad7-Ha|Sn@@9*Jcm^ zw}%gfdg#&iK(~sIi{>L>&6MBTim^|z`qDBTtU`?UmniFb@{=~+;ZRn;`Z{UpOz52! zukp!l!Ao6(Zj8PSeD+)j_NX;%~hl_zu~<* z>P@(XP72{E`i4Fvmt&a(NFN(ywtY(VX`SbX27k=-xDVH6uWs%KV#PO#!#E9zRT)Tx zpOPBX>BuuV0N@R+y<9elt_qg>lqduJt$`gI&|dDjGq}IHH9VD+fL~UrgNniQ$1g zd$TJDLv5t%)6L|RRJf{2cWdT<9bE2>5hFzm^!}4+W{}&=0GgBLxbsy~T&AUrS(f)} zhaQV`a4I>U=fncyF0>Jh^M>|dHqz)zco;Whdx7#LafgrwRl4hrt`6d< z?Q>wTawQCMaRKw;7Z%w1zN@^|jiG|A>lQYzjmNevg z^e0k4SKIwQpOmH7_%qk?5HN#>Fc#CeYV}ka?4(&$VX-x?Z3};`GH#%Cm&U#?e>ynu zP;NJq;oNqQ;7PLv5ppFtJYR0likMiyj7Yqh#N%Yqzt!E3;$|S=rcY4*794Rs_IGc% zmbrmYjj8GM71j^O_tNyGz{0)yMx{&dXW~^-hIT$lf(Kr4iH|cC9kKqCR;{P$^R5_{ zD8?_al^`(DLGbhXUFhPCj3F^j8^yc&F^Y$BmOZr|!4widEhJgrL0ER>OUMgizo4oO zPB!;YaIHPt%%4^Zbtw&C!G?Ye=sX(;)z6kyIn_-#io?)I=A|z(#@ozed*6$Zv}| zbGEk2m~CQXP1waThrGV`nnbcFPRFUs zJA~m#6BC6HdUUKxZTB4^J0U}7r*AvHv>Cmus!c28%lz5W-6kx+vuA!VlR}in#F~7W zTe+66F+Oy+^k}PK#Kq=;=KgL!#xp=YEbWn3qR;~blyM~SicJrq_O)wlj*v)*-&Exg zT%SUeq-}7z-c2>TJW>Nec)|gTz&lDHTZdF)W!4@7C6@>`iYjLo((Pt!S<|Ui= zEGJkUIv7%Wdla3ezc@L18Q?6Ign8Vv`8`@RELoK`Wb(6>$7VoT%vmx?j9SfKv_o61 z5i+@11!A6zlkp)T=|cYchpgrUb<;$t?<6_^{U1(ubx2w|MXp zotZBUiP+faHg_wMi!!WXz!!%k!%+8?kM;vSOqX{~v^zSToQi<{dUzP5R+bITr_1X3 z!wa{ON+h`^ZW Z>w$7Vxjjkaj&Dgm@VpPLC9G2B{w@0uC-z}ms6sdiO496b+TM_ z^_F9U7554pkYFR@0t2MiCMB!7xmZyxgZJA*N-U$3>NqW$)O|q|eW zsTH-`fpDFcd%xh$th2dN5Gf_Do}-I`e9Q@7cfb6R5Fdso&0YO!6{Q>Ls;4P5TDZ+L zh#74JM&7|z{Z;VgcLzmLZL{-P#hoJ$PfWkpNJe*H*Yak4rs`)F8-KBQatr7e9IdwT 
zhfj;qtZA^sor>Ly(|M<6#x%X`@aQHJ2~J+{2+#)^uC_;@hvpw5}e$BBP)w;pGDww21}BEA{+ zC6Oij*N3)$mTy}drm|}r)gp6!FFlnjDK1g;JHs|}T~b!s?h5W8mfWUzssM$i874=D znX`6p&66TCBRx%FC6QRaWV}-vA9F-$`^gu@cLZlG`Pdr7emS-a>aySlotPe-&NqF^ zj9rNq&wiV!M=Pz}TQrQUU_N*hp+ zk)6+?VAW?=A_8@GA$n}nHj3u4HJz#>jw36%8}CF<3HYxXu&!Jq;I_~PQ{BBG_)*T{7iOYAm5=Gb(|bDiUX}|H+-|^u>%LCs(6#0lQ=ahep!gGGD&7OKI@o2L9dbCWQ+3r4SGR}h=&Mb;!fB2_(e)Sutj4l(#6!mI=!xxvdefnH5-@>eB5yFyc6_=xY3g?t!u6*W%uE zntczC!LnS)ZK*jc8coj4Gw#Z$C3**a&@^|n$;cmgvofl{LF?fBZD%WhW_v3HDG5i9 z{Z1Pfdk_qV@nv$hA^8RT`f@vVyvYNlWeI8(*n7)yLTtD@<}V~1KPoYvgzpueptY9}YL_cJ zk3Pl(CDcX{!b~IlgebfOBsj};GGPo12jxh*IQ`P!M%>%X3K#V(MZgWmMC|||-fkq?HTDumXtld?%jr3E!i^zEe1(GWKH`N% zWmO&;v`;epPXZF4Ij&^s3xpEKGygUJkUFMO0>$p?hUvl_o`Z-~0dgo`~2F28>#(wyd zn~9-< zF3BXS0kLRDE)(a#_9jN<+FCRtHmYvRag=Z&BnQt*y@+PfE`3gXbAf3{dxAP0*eq4O z2a4NgBH@QK#v}$H+V`Y*{E}Bs5i7HP~@5rY4{W@OGaZb~sD?BWZ1*mrO zVQEhyLq+}nDqiuQ{#CT$y4D+u?#9e578K4^W?aT6UvV5pyAIeozKwOeZx+6N_j0EB zHS>d1UG9|?)S^) zhfkg3fc>nOrh|3LOY-5fFd@Z{ui#y^7^@w+w)-roCS2(;jI1TUcxjyyv<}#VQ!~&h zbVc+xOzTErzUi-<&C(v2dDgEHC)$(Mm(9wtKI>^`VGYd|k)~Ab(ZOwQH?rhVhTa=V z?q=z(pT%utBJTdNBOmxOpJ-S)21XrIK22RY#5OL81j+NX&WJNVuXwWT(LE1ZQ->3= z_P9zE>ebXMwH3ew*Wl)U)Y(dhPp0l*Q|1sm-GU6LK8n>R(gZW6P~veEfDkwz3aH!+d8f^92M02#>&nMAP&L_ldkSPowJRJz#?Id8sk2rKUL8o#rkVD zKy+{*pWTzh(J0$*%X_^@<;CmcHx&N6!G3Y>oAC92*kmQET)>QrSX#(w?Zcwh^MB#E zB+fsusA=ZZTI+syc1LC5H5*fl-jrXfi=35hS6u$RfSCw$w>nN1GZ($&{f-0f5tw}{ zFTvFsm>M8umi`1?JnEH`{QTNKjCN{M*y?S=d0V#18;-ajX#;)+RJ??HcVzfQxZNF_ zvPDe4HE5z#r5M-^+24aoiZMb^YGC2-rQ8zT3JRrv@dd-mhc?r{Z@Gf{pt*6DY)BSE zO-0jC>ESSHbOpUG21J7-oZ*>QIwmFP{`(BiA34~~-E!8fIhdgwF3qo;sX=M8QLjkh% z!f$B+;sKh;fvEKBzc@DkONj}DVt@|83QqI;qp`aU%=!Xmx{F0mYIu+y^9;`KfT1SW zZBDI8bd&-LrFzW~OpjKkgmZciWRR)68F`P6OFW;8RDi?uTTrm9au3*7!_~8AM{(vQ zAFsW(0bWYWs_aPw=|84W;X{f4qp-IOi!125L9c1Oma`-QC^Y zouCQs?(R--x5nL_IpqEBz4Oi7XXambKXjksoT^>5*Is+A@+J3It^wwL z*?b<48&`#xXVL=ln#<=BHgNe!EB1d|jsR~a8L}A~#21f)+n>Z``}oHr4WIt=omO`P zKWKMm%&{T^?TI9?-`mRwH_2c=0_7dXT>naDv6muIU*3V|D87lF;;)w38~LOnSth=d 
zn1K!2T$Y;aO|V@1zvp6Dl|rzcz0xq1%y%#T<+9!&Dp#Q3LyQsu6)<^WbT1mo1~kNIS^$S=rFIbWl zqNauYCTl7hE@pwKA=KVPf;%wP5v}*O?~nW-8k@RvX+g`6$b7foWtu~zYA!{|G+0AG z>8aoXn7HGIFQ}9{fJ&KtbvqMed99Rb*)=braLs+QnrrRgCxvdDmd3}k5GRqM!lY65 zw?$2@u4I1-@M(tOF?bmIt*XW^R>kxJ+YAB5BWH_O@iYHs?O661?nv*bYEgkq34Z*G z3gwdT%WNL&#P!7s1oUPr?8grnfGl9nWu@3Gt*89W&IjND>{y|8{g(?)h;xm~XPP?t zO8`kHX*T~Xa@0)yHg(<%(2NG$Jo1g+b8-N#WjY3C-wyiwwugRsCFhTo|ALo%;y5k!0H$B%ywg zT&TDntW~b1_;-c!7b<=pD(}<$?}A^so-F|1FM9!K*Zr31=m#i#=mP?|^3|lxN8=hz zDyW;svT7ulbg?fAUi*OEFR-YXr-3>o2_Rs$pj6;Zb|cO-Gf*y*(E?h^y8Krxh=;u^ z_&q*z`YI9iqOx|-J_~oiBtNt_KetI`K>-4P&V0E%1i2^ku&Zo#)pFXkZ+-=%Y;ZXd za@7dT9J2$D1yAlD952)}6`Q}>L{4|#3j@6E2`5v`E?VMhHqh9WSjZC{GTB*J%Ab$o zxDFJ^s`Q0E!)UhrOo*Rry<3o)Pj7v)y60PYLThvqcV}MpUjF0MssPyHxqMwyg?oQ4 z;dc1qD+uTk*Q&P{F{%Xu4ez%ZFOjWC>VsF)?5$q}pk=i@UO|Utl9{AX71oS9;0M%( z!@n;H0m5g*Vgd45^h6gS)L7* zGw@s(cWejoh~^BbUAbrO49xeZ3 z`-2$>;Hs{ult3e&5#sBNIb7oa^JlTWZlB3qweJ{X74$p1_B)%mhRdg&zg4o4g7)lQ zG|&K5^a&fDO(4hv3+GELGilYOl)KY+j?!z?B$eqU!lf7MzO0l#qQrdX?o$G40;;b7 zF3h)VJDE=sFBac0dC~gwom<9F7`UKHxvS+kYo>4Az~gXqG=CSSw(pN08yfe#mMobSJl>Fd7)9VPpY1@>clSvI0SL&t z7ZZ&$q6882WCQ!Td+f>kld>@^4{~KKGJnV_0aC)i9qzvxw}{76Pj4~aBt;fcvQ7o= zK(B_&igMPE*)%(8Wu-`S=Xq1pp@T7SB@T^#YeIYb9AL)sdvwJAHH>opNngLy3LuSx zZfjHU$^344vq{gkJ^Cd3x_mp=^d84xi|Hr8w|W&kfOEk-F#=20JX*aNFzE#axZ`0ma@WzB z<+4l`+ugAPfJ5yqZd8dimLv8Vsos;Umm56rz{& zco%UsZa)^#bw8=!IsJON6yN#LBjr=o^lSU#BXBH*Suz5a9aC{KzB5x2cgSfnFY;Snk$N?ZsEum`?2LXLwfq zw#_Pcxjve3>h^pE-7$bp=Kma@>DGoy-^Bb*cY9=%e7gIYo%Z{g#ozE4wqf1}I8O1o zK*J3iy5xVP*Lzc~HMu9RTLA_<^YhD(-rpDEFl!9dxIZWEBbCIF&5$GEcJag(%KZj9 z&;_phq9%49rsuZJSRNNi_}tAREhyza_I|z3O6j-_y!v1u`#5tIR8#s_k{nP1z+KA0 zscn@%{lTmHg%jXCmuB8}xLXGW#LX3=j%d7dr=p>F>D zhkWGXiD)U{8F)E2!m=pDUm6{r-V=A=^yjx5bo^U__pQ8(X{YWq4bTo2gY$cSjQ`=) z<5;oUQ%Po}>!IJ}dCMqwqWBtw2by)#;Bq~6kJm7{9F1RB6*{jp37fH9P5yw7>bIj& zjh^ENt|lPnb#+u<2#J@I`zVDwP-~ISlf*0YWqh|PxUk~}(EQFS<+8dL{F2`%^I--h z9a3LgwzGXwC;8Qj-!*bC-Tlfpv+?0}pRAV8gYtAQ`8R)!WfyDGoRM&0!Lc>q!lzPh 
z3sx8#;`eEn`mUe`E?s~8_A|9AHF)u_qJ;_W=B@ETy?KF5}TFE>0@5RDIS*9y7W*)cRacM!g&<1eTX z$9%t+iIe|6cHbAC--6BsI;yR;*y3hT6Eg6SO&}F(tte-3#Y=uM>znx|n9Q`oV&$`u zSy_gxGk5YuTPd%iHsbI>#;p9q|o0LnaOLdbS@N*Yx%D zY0LJnCLw&^o<8QF-UD43oa1oLfw1+=tT~}MMX`ngAMVMLJ=|yN@bvB9SZBSL`Mxin z%~a8SOjb4+BKp<9WadF{9CNYt2I`rKlzMY1T4bzbRUlOOwq&5*TeKb@fu{s;qpLUP zG%=V}{j&B0s`}EDBR8DZ(ZKhIzR`R+rKBLwInYi+*`q;OuS%8UV?ZfQ@yZw1VH}zg z_a-+$%gm{m9qPPZjlooyGD?*-b3RidQr9XOr-|+_F&|)gA94GdxBO5+k!gl)lSUj! z@RVv>7hSe`1s9fgYN(sZ?l1DkN^9lf&Wd<0?>NsM?c&@et0LS@t61VB0gn=(S3jNX z+oovK6iCgaBKcdHD5)BsF=jfW93+I&pN-z{%%XHb$E>RF$~3V?^y%?xVs}YE@Hko0 z&`Sn+O!R`Zia`!Rp-4)<<_ zT&nnD2M>xEBc4P94x$J|zsa5V#3zh#;x^zKuM3E`XQS!Q_01b+0Qk*W)hb?kl%VU= z9>7dTpq8`5TVG#T-Jd?w>aL4^Pkz^O8x)|BUabb0gaxXzn=w1A%#?ZW$4y(3HK7)_ zhpq9-&OcST^*21CPCFl(;protJ?3o@$`49Wxw=&PpB3@ZDAyv=_aa3W>>UfJ49cQz zDF^It89TX>&j1bNaS8PtI4&a+OmH2Zs9)EP#_gu$1_gc3uV|TPjUtMd3^*+>2ht;! zs~PURAQorF4m=8{7u#E9D{QaRp^ygeFi0$YGoZ511}J_ktxxsdEKVuQXMXiMd|p|e z>*}#nb9%!4EJ@{}E&V}TQF4M2pek#dP!#YKTEXD0F)n4m=QxlAD(l)W<*)@+QgHG| zKuyJ%xRfFx&QmD-D5pj9h~jO(kjk7VDM*YoE!$g89hmENf{ zmA>WFW!XYO9N4Yn?=ou4zVmER{$RGi7vk57br_)xGD0v{zPB?iq`Rgn8lm;sh%QlT zY?~+!38)OTUbRU#RI9@;nOaotFCLV_-LpqHiOuGQ$1#Q=1}8HTXj=)BRC76QD&S2h z8CQ_duKj(a7-&}<%sugMKthnlV^z+xs4uV66Je?>JAq=|khC=@N-Q9hVC>DWHJB@s zGZ)VW(-&s_^keEuld75cq$*9Mhv%o_8|=0pV%F}MN8~4hX9Wo0kQKGsa4FV?R$Ue5 z$pgZ7V>Pr1nN4*u^i_lGDU3ae$1!y-s2ea|C3f1biywGxwj^$nYb@u~w{u)lK{D^P zV3S<7H*aIQnO2Kfcn|7Ty2n1^OZ+Ljsfi%uD%+l5mxoUD<7D!)#FhB3;r5?ocMz|a ztGzsaZh z4f`zbJPNA}OpXL)^I99B#rCeQ+Q+gRSV77l&>KStcYEH8!ApZhMcxt#>MK_*m^TLQ^yiA5Jpi^pH<;Wzj!R%+97Rq82Ui zJ@m+db6~VTdicZg+&ruFX`UXK>^gO2dm?urN@Jjb7eN)gs5257^aH2!k~|2nuu#yl zt08~%{zz2%D?51Q7`_cgRSsK>Myig7^v&h5TD46SV0|6a-^VGT7|F#1ISC{4FmSj% zq=RcN>EP~2Ya?Zu287|r+)SE#2s?gv(=^fy>|I_ZebVHfJSLv$xsublTtMb7fi6j^ zi-55Q?;ND4-1(dy#EjoC;#Z@IGD=ORp%7RA55wO@NG{d)`N~7tMPYTEkC2mUy zFWfV_$jYoYbXKm(E1%2U1R9H3DktcqiTwQiE|Ojwa$e8Ue!&x5^r!3Ug3-Znz>-*= zz|UzgdFxs-190n9@O_mndDC(U-I#Sw>spk8(NW7a~1e 
zAN)7h?k(bf$41v-mk9V>>|UbEK4l1KNhb3%wigQsf9@D=pGU&d^oxCm1xcbEG)q?+ z0f%bRv2-l8qcUm;?D!j-DkK(acA8B8@SHv~SxIPg{C?5Yvf*!SEPRDklg2M73?bZy zCdsdSItWrIN#C;slq6w7rF%1iX+>hzUX@nsE)z_5Ep@g|$ zjV1(Lo4)K}U^wOSk^YGMOZFmP1Jwu^vR;&Mg8}JwC|Bp&CKWnkTxIlT#5b>|xQ1P1 zZ$QR7)(VohdcAU<2TJ@pZr0;uncm4XXlGDv&X{&mP2&ri;GrGr7a-RKXO)k=j_8vM z6s4L#ahs6yt@|+ANIn7%kEzhH$JRKNixvC1|3Q_z!XLH@wqj;?qcSw0;rIg9L7K5> zvLTYNRB?!C+rpg2%+kk;>!-S@gw6g)^pt}KVctXD{F&2HK1azxv>kUSGZ0 zjmjMOk<6qirHy8^-tN?B*_kTKEKMKKe88P=*{*^HgKCt5-s;>WcA5!24v**N3Fq6N z`OHFvxz)-H}nq)fHVd?%zu%Fv|$3x0-seY!Bh zVflP-b}o=we3muMT66%l2R+`Fgimoe`%e2fW_b9)BoWt6PWl>8apN*Mhe?bYxY+ZL z#F#5j4pIF9<>Hp#!rp|~Rv21`L>ff1vm3nTh~gbH{)`tvK^O#NrqV%SvR#>GMnMr{ zNQ`XV@x2}9g4}l!#-?QV{lbEe!(MkOjWgc`iDAQbqTyS5DWqLmg|vD>dY^r_XuFtc zd?TejJ5p^i6;ih)>i#mAa(oG_-~dDalwYIhBv84UIosDs3+Y`{U9K+9W@ULRdIcQE z+-c%Kg-~?&Yoe&mtcr#ylBq`4{%BPeUZsQ}&g;^!OY0m2UsJV*3I7Jo=g}CwKK$JF z7lWiz`jkmwp!djRE|Rg&8(z@-4FPeCygvxifbPdhhlpnYicc;=PKoKZTyY?w${{#5 zAorGy6@Z}(B^8PbHb#E0SP+%b^G7!VC!vH|l_}R8QB3o1gWynpq|eP?!dYi?YGVkD zS5b)mxJYb(qU4^Ssy7(}DtNv6QF?ddFiTDXWASQ(XYYJCdG6bLb?5Kn3JzJm?mLOy zOEer9&>|=olT&QZXl+cLbVyIdd2?yCsX_V;Wbj(-{bqbV_Z9y)AdJ}!f*@k0YwJ=n zulL{%L@e4}*mJT_CrJYi2YrIyD>7~{{y~K|SN>{m$MuSSAe+?{@`F+$U0HJjzKO>n zb?h%&=4+u-VFz&OPpQ7L3B(pme7p@Cg$WO$&9AfK<;7AP81I3oX^eT0L z$H=Q(8Cz&KrtuOGWV$(vuB@`At{0t`IkW)%oNMy_R2>DD=3RmVS6R&W1`{3UI?s17=qM#AT< zQhY!$_DNu7M@84k3)1*hrPgSdNxDMIJdH;+TL1YBl?~715P5^~aHc;1^+xiY?;g?t zp^yDNT4DWN!tueu#Us4FEZyVka3`^pL^bVTg7T87`#I9kJq>@(_87N zCEbFRf{3jMYDs=Uf`2Q-Nf9F?tof!~4BHpi3q3y%O+cJM?7b~Cp_o}%3?if@i5RS0 z-0-}~87}kV59sUEs&BtA@6*MfP3XxX&+RAZahW`Q&$At4-nRPu&)f2Xi#Hb^Xwu-Y zIM%z^uM8v@r26u*-1jY2CWIS!u~d=4a6@Z+8>iNvukNGaJI+V`;0he7Cv)`{Fs6^N zBocIfVZ$B_oeD;ovtP+o==czvOFzn^K6HbJ?8muF{I*s#1~m75BMAqB?M283Na|^F zF!+H92-bA2Ph@D%nEBh-O|oK8=+a>1*&&lOmAg`z*>=F=YB5569bAOxjZ!kf_! 
zY!huL#Ozq=5dI7`BZFv3B7@yRi6mtxVL$w(0aLa;bJvq7c4NiZbsj85PAL995e`|S zm~bJ09aq*sMm$xH(W@s(ZOuc00a{+U6c_8~Q*C3t-E?gH7vztq1agtICMyEDo$ zFULF}UYorFtAcq=FMi76L&VHM)jjXXy~&SfW{-04MD)PEx_%*iDBzrkH&>u&Ul1f2 zh=};0Va;18rrt(zgr3bd4%inY0~)~@7BjA3(g}!%)|Xz(nd(8r99DIzwI~A^zS&)W zOuDoB?AS~R{D8Cgjtv*}s7EusZ)B8L2wwoPVw+ngEf4_RGv(tan(dMn*1cgNBFL!c zYdW3obvGR@nbh22Qwk1r1Hd>+k-Ki!Mu$v zHmW_CHb)}J;3b%zC_jP~hl+Ur*6nWpNJ^?S>oU2w#|nP7=y!>jMCa`Q+4y)N`i@L) z;lTCSL_*^`GFVOjcv_9~itkBkU(#Rc;2oaP^Ydsy6>oJ(&ZOLD6>Kr(4Ce2FY4ehZ zBSm&Y@I(_f7VrzQ5cM`z_+a_8qarB!#eb`J`;_)?ALo2jrKXkHqzpTcAtMlDER>ItZ zD&>15Sk!Z^E#Ls&J;Odk)4~iqSk^^VQ&VQVe3j&Oi88ZbKDqpmBU()k6{98yzlB&6 zA>u|@4ON^~z8KqBe8r@ngDPJFwY&Fw%FCA6-@N)XIXu@X_T&8{{2g&_zz~ta&9A0) z73~VcMtP?X8Sziv^fSwBEGoJxq1T{=U4!~V8Dn25521j4LmB%n%N|F}>hF5UI>#y; zJwDFXI@~Y2C-rXxKzG&zS#Ni=UQXvX^{xjt5HW$a_8*w9M`r@x& zw$pUnI2Ig-H=divXX(R+XC4vFgq{nd7hAt>Ofi3&(iy~pE>p@}IG5H;N-QOdqS72rKKoq_>i952me@_BM_YfZh04^J+mg&{&^i0Zg%<`Q}=0?MLHvff;0Jq1b*3jl7Jm@Lan4T1^rF`#CwWor0i8oO}2Ew zfHc2c@d@F~|Muz6Pf|UQy7MA&>(Xqg`&D6d3oQY3`t7BunA<^F>4c-2@nj>I6bK30 zN{Yzt^vvwtb$Tw1Edo`78Knrb*|5GkWr6p82vmT4 zu4^cIvX(0Otf~=-yVEhc991dBT?eGcMm`lz>ALy;gc^~5rXH*%I9)wzPTd6_lFXaT z#oQ;))Z>maLhL_)l_EFu7zxwuj3goYId*3<@eLWg47(xLRz;2SFcQf&Luf!$rU$JX z_}n{GT4_W?%rI?$R_R;71EmO3E^KUj$5QDSTTg?R)@s^t+mc$YuH1$-r3|Fty0ls! zKCe67s`cAX$WW_PZx@Vf(p|=FxWTJs1~PyAqq$ttVBC$&xCi;AX1#|##gJ8hVYl0H zQQg}l(T<`4OS5*~VC!fcHFBjm-EWoepqvY{>%R5h;bW=2L!Y)2dRvKOe{+7AjemkO zV_;uy^j3bGJ}R!Js6eHrm>!Y`_lO}R$swL6_Au{-Pdg<3LE`&VH=E~_t9=dg2os3W z#-_bkr8uE?e<-xCOK3(_1@NS38W12)Lx1=7{QSJVDT~pU%F6}X6GpUlugt`AX85`8 z+KOczZwSGI0I$Kp&aa+7RHu?Zu=GirT@}XpacKd`bp*UDMZ$-TYN{>RFM2! 
zF}*(9eBME03p_`-C?EB_Bs+vNT*>%OUZURo)?5>`u)_uIE`kOoYAPv)kZ zr&k^}1ju%mbOC3p(`4W# zO7Px&69gr)m_lf}i_^G;epkA^%6^?DHsP6D=xOYK7O$6RZ{tuxzIE;&Si3&W4IKj6+(POJ+l>jOi?fT;%~PC|8D1)2vXnT>)y+)} z81>jMUDO9|oD3~$C!p2G@4xLoDgQ+D3M;=I4{fr!1PZ_3X5$}_26 za9r-wAXXQ`KRA&J&-jfE*nB=Qu+ByrzKU>P6)hn{aKddQ)w`It6@~!bwL-Kz$oBMO`}qApNEmGNu+B1-^V>vN-% z4>>Mi#GrD0d@yNjVp2VSWbRC2FfzHHm|kj^oRPbRkBnJ*)+lhl5k7}F;&U{&nknJe|rGpJuIhz9b~XV-j|(Po0$JTXVz8a=MZA zD1LUX61~|%HI)wK))ZOqoitz^h(2urvcXNbcn-y_MPEqSCVIOzuZ9AgBJp8X3&*!V zL{V^t55`0@Z}FuREwz;F7BcLzo2m(OUlks%YoGULhs~5s8&vII?EYPI+R&~y(I`d$ zv}^R2Ly1YqJK}=WIz9;w_|*yT97w|Rwdg&XfYocp zEwq(8nVsc|tF+ST{dzlgRosTBr3%mlwdP^5*hfjW*~o*aAHe!mzxUthEv6XmW0l)> zIY`0ci++M@rQg*8Sv3V8q3^ctuf5FfIjG=ZVG%r+LAI@Z=)Ie?P4Xp06+zl)dG@skxvjA@f=_dm|buEkiaoN?SzD zS^QWQYhdOPtM_FNaA1N8Pjsg_K6D%qB{x%dQ={q|gxK zifj2$7?&&#p0@x1%iZjHdZ|lC-o3oh!mhXG;_P_^=(F8E)_r~q^};`I$)R{O`Vio_ z7&pCAeU1ekz_!pU(KXx-x1H8jkJ9Hl<++nFH${^<-fy5%88Rb5o7m&Cm@|%@i}TT8 zGioXACSJh`;RM^w<88H5p8Sw?L0uC2le=%%=GT7y!J|=3MC;c@;0m4-$WdI;>J5$j zE1_7t8mp|&A@3Ei61Ki-Ef7*)9dM3|tndn<2x@4V3mYomo84!Xl)DVWhS(P)t7;uJ z^zrB1Yu`uOO3i%;$6m2_jamG8AjI&E3+YW=N*gt`EuWHOW%p-<)$;)sUR3sLuDTLM ztCq`=V$0_v8jq6Ur-!Ba`F)Q(s9#4DOTL%~s!i0NvF~3Ll-9csOm&`iwj^ zXo77q-H3j zT8gQt3_vdN6$dXJ%(rq|S5`2+e$|}VJZY?~u<$*XKDV^4R2OXf0k;v0VGlSi8B$QT zB4{ABTYVC6m7? 
zhY!Zy-i`@_GYSzpg!J$38lA2I9D{rCLm6_}Qg={bH-=@Cngn6MA=-TLcC{OFSA{Ja zI$9Dg>6kVF%Y0-sb6POiyb~ALsCtM)_{$wXnh6w;=v0jY0>?bgReAz>2-|<($0~yM z{k>GDxZx@CuW!mc%K}mHEnyk=nr=E8*IXE3gbBNoo}C$0se;cG$AVY`)zqC1p59Zf zFaE^zOA^GQKiwnp&`lI#&71wx`4As0D(vytDMU0uW7F4 zsL(?BF&9=l6$Ve~ab0F=eDT%JQ@bv6nPV*#mN%`WNyHk+(N_K(TX2Hcq+LW|NhANs&a z?hj~d_a+t(0?2QEOv=P6z{GfGydZu>vB-1wN2+QPl(Ix@f!=Lr4D1%u*M)UHJE5q( zGt`5eLSm_x*ee2gU4Cec>x({pzlg9a2X)IW3-Rg+R$IpViI+RE!}>AieNIB9!SCa; z7DCTgc|~`G-0rfrdkoT$herPRF_V&lCO~;(h%+nAcr6s!xxtqJ3PN-r?nmKz)#@hA z{8V}kLHkm)Sym*tNGVSOp~Ys+0Mhjwsf_nD-LJrCSZ>g-OY|iW*N^MFAjWNa$YSEQ z8fY8TD?ayuE2#8_{%elWfk~aCZuOJOtGWG)Q>7lt{@_KU>1ky+qBfcET)aN>V1+Kc zfX_UrTt+@buNRZfv~`kI9PsyhScl37)ntVt$c%X3FS}p=J;6)j^6H_)97KS9IKaUi z*vt-4*-PYh&-;yW@Kag}8GH!fSiuM#uq_3%mk;WM+W(agXl7Q3X8T8vj?BSQ3giuT)`$-HJf#ga z{B;q*L};EV15gFt*Nm%}e(7smC3$$w4Ks^KCiR%|IXDop#*+kJTMWfDa#-@7^5LOL zjcg%)-)EE7+tlrLWhyPsOMyp^&xQJpJCN^z9o+Jc!`vuY4{>U?o5E%Qz6cCQRBv;UX`quSVc zy)u5Y(r8zzbX1n^37}t8K%VE|#j!Fs-nVTx=!`8$F#;}9wan-fW=Jqc71N#z+Fb@3?z!S@d8Eu~(&Q}fRZNKgT?*VKyF)3FZ)1%T zWdoJhak<#!GK=)=2O*_NbW4r-d!0!|_uJ0L?o<$zzRu2zR*3VVuf1oa_x@hiw@@#Q znb9{g3z$WZ5ey?dU3z@lo#O(r-6(Viwd)f!p=!}5eq%q&k=Rj9#b4?XwN*rO!D)Af^NfgH0)4Wex zxbFp!8E|(LP5TehNFjt88>&`Ln?Lo!dX8PZObhR1G`)#aUiYwbhJ5!3mk0rX<4r;3 zbSZ7h?spI4Y#A+i2Z`qRKVyZh-%NUakD;HtTdy$9`mP||g1^yJe=JW3A|@7Vo30tU`1Hr?JTT@)Y@e9= z9n154|K4rk`bO3exB3SCn=}GG) zHu1f?mOt?O=N++E%8SSbQ^RWxlgXBn1hT>9+C3pf;-D1gV zm+HCnovx53vCV`BKQV=}Ut?l%NO@(WaFjQz36C(-!ywU!bpM1qQL`>Ct#RmQ_>H`7 z=2~*>L2L3Zi{+L^mL5DIeWm*mjlP>TXI0;Ng5@OwDB6m%qec-+(@p!+hjS@D0Q8c< z#ofwz_T=}W71fQ-LuRBT6!(s7nvD$p`}Z$v0e|euY~$YwOm9~JkUQ-CfCPdjXx!#O zT`Vsz`3^+QysA?(u~ERnK*YSm%n1`Etj{~K072jU9l&8N$V!R^R=u#`MS)+uh#;t!U>i4ZU2J3-rpvyuK_%Tb%1HLI zRbVVj)mfo6xVu;bBD{a8&5Em7&C^r4n>5C|2r?9nH46-OpiE5nw&dcS-5ni08kmYb zP}v6P*+1b~R3PtL2)hw%K+CQGu{Mmw`GFw*ky@Bwab$2OP&=WEZC-HbwA3ZCaBDiw z1wN!gQi^^(rK{3|!8B;2(MsVP>E#pAE0zYUsst+6-0Pis?3M=RwzF_PeRVmV)6>2j z*!T5o)dz73FDMtoKfIk~azLh`mf1!{Rgu3B1|SKEq*2j$Oyf zr7&DoK(!Q>S4%hQylMQII@yCBkQ|7`AY)HZ3Vb6 
zAJ?%UV%Kl@ti_PQJ^(anboQ`Yp!&rLvbl^v*I)C3kNZZJ2$0!WM}AvTM1N8nwv~wI zX#5A9Z^Bf);L!jiKY{cQnf~8i#XRX)Na;E$<;Y-h+Dqif7Fgs;g{an%SCj*P3VgE@ zk-#JRNn1-`^9NwaKNN`FKLHgmt}NTgac@4XQwhBX_XuH;k&Mw!&UcX6A2LpN14r60~;I&*ThFW z6C^K~IZ)F3VSca_1%UQ?SNSXhLovPcC2;j*Tj@_STVH@735z4s!P2N|AJ)@Q;eh7o zSv5bWrxk~s(-z1@<>%iqC~A~8Hrsm1^dCzh!tR>BA5TnA$K1lx15=?aQnH&bBCpIC z??#Chwm0+PJ)p}HdBEA&*i=+iQRQ%vA3m;sBO{(|y%?foy`B{0mBW=0CH_s;wA`>U zA^xNx)#u4iW;5YJ-X#~?`JEb68LfNkGv-IAQ26O#BwJO(8M!E_P(VX6l>^JxLf{Td z@!3FMzvDZ?GCAO?JLP5W(O8#7{FqC7OzKj5B!X(}`RG!6{6`LJ+Uhng!g>lgF-qE=}} z+&fo5tb2g~T8F71FYjv`ap+*t>yFf}w&Z6r2o^7-lyuDwKXfqv1}#SdDmTt!+LF#8 zFCbvM3Y0s!syBkuIb3`RW*lO_|6)WXnOS?EF1FtPr?f~4mL3V zpgKVMP9O^S6DlPdrL7%$!tD@A#ZE2GfD_{nd`Zi0S#XEitNV4=$u)W(Yc|$^X`Jn8tx+enUS1exFx$FBvdfS|h$|-R#c3!i8tzJ|@{t=Jax_pZAHvs0)2CTzPV(gi`ntKK@T`nVaBIS(wMTz_ z9FQTJ382;5VHhe#{%+E0rZM^1zI5*F%=*6oo+3TREZzSV;W1$vjbV`?#N7gx^IjFh z5IB#jXLOMOnJMs$Inbt`d`Qg-iV9&ki+;$$)38EuRmF1s-=LR0W9%tj4XtJK`@bbh z6I~Px@`;Vprs*!7S=tNR94_gMoKmUL)1rz8ZsK=vs5THp0{?GR%?RT}pS-&N8B9>*%u|c^~~Y3p0w- zR5pnN_LQV0>zIv_hS!7&FP)dX0VOL!a}WorBPVFhHj>g))YC&C{@N=4kumviu2gL( z(Xxh+ga_si`O?}$QDQ>OusZGRMVPQDOjCGLw5x^t=$BPQ$Q*S+s>?k2`WI-5zM?W? zT~*kr@zN1iK!!f9X#g@bVse&4IMFe#WW{5q(?VmpH<|AyfN&~nZo_E4SclcJ?wCG# zUBhBn`)lSZ^Jf+tDmvQk$2VivN9EGC^!|0|KLdka^$@S2eQ@F`O|sG{(+R!0RV~dH zjqu+NO>SFred~{nL(Kjedg4TNFH`4j{i5K=M+ zsFHs@-+TXF?6pqv$5U+a9#dXB2PTE7BafF!%qtVU>f=GRrgzTjD^`M>rX}62DVnSS zL*<~JyG?{FLY(BB^2$Tu__3zde1xJ)j^}EV8KA^aU9q9gaJ_R}L`1HB3#ews?;kJ6 z165PPp10THRFfFM9yH*$stO#Vh~Irwz8_KORDkpu@&gA+I7PbJ8ljQ2!VqJspY4br z@D$ylTf=wmcn+X6=_4{V>}?R(YWkZiQfBnlujuVXAF)^lA@+XlHF*YWmNvIa?_9C4 z>oTE24qk!>x3+4U5*FdwH{0!Q;hQ3N7s8`vONzmXu2&zo-Op6!Uhsg&y+W5v+GAOY z41k1@P-yY+!L^k{0)FIi)1l%L(}T`8avUJMU0{MLK;sG}t8bis26DBOf*qSmDBvMe z!BfBl58TK(NKETeaK)pZm~?(kfQc8X6dvZhf>!a5+35Y5n}@aSYuG=SVy3&hdn}pM zFRiK_9q~xQ$!kirGF;gqzNqEiCp6ev?=}uoZ++J7oDL&elA@|FUrw~8CZqn4x$T;WsQxla30fi-r? 
zK|w)34DWyajc0(&>QftsuIXUZVqLO}rmNOsYtryFHa7ZktBoUMm2jag!y#X5+3UQD z>pe;ctK~JCb2#<8-kgmRw05HGV<@u%X0Q_ z+Kox42wc)lMR<&iasC@Zfhgbd7$=r)eUkj!F86KjH}RuCVUea<>B-0`yCEq&z+TEp0)1RuI(t;<}6f za3v*d>!dZm6(DW*;N#(Sp>n&XPa<8K)Wl$i*e!@*-*U(^tr)sQa|ERL*P#4gv59Wx zQh;=*$@y%(=>VFgalhFg+jF}NF0PxC$jur-huscn}Qw`uTM0W=+(vo)+kq_A%<(=cpNvYn0MT%D=7RE$XQ)ur5 z65$-Oyn_5f@U{=HX1rZS!_y-Y$>i;M?~3HzpA_=fx%crE$2%JUVQ0y{Rp1oJI=d?U zWl{E1H1Mo;tQHR>VXo2ZNXbpLQd1BX(Lnq2y?zLKiw)}){2e6lmmP5w%omx*^_NXn zAq>)(_*{3Ba31!+=6*zU;)elmcAzc%9odidkyH%lg*-Z=!pN;BttI8iKPB3M-hNKl_!m^0<|6yEC|4)p|PA#E{ z_x{N@!h#FcDg=9{Ve45a24}xiC`&bep3a27ADM7ZbItQS)`jG`w}pQ&tZh}K%y@!& z#kuWtQr-PnYR0(>)p=zwjgWBy<^w9{toM_GUK}hVlJa-$`^8+$X`9cNzORuVbf~+> zq&gmE%NweR@p%}Av=F9mwgoAMPZZyVas( zD)Ix;w*#a`tghr{uBkUYPoYLols9sd79{512#BOoR$H_?)vdjJqdUy!xue_((| zfHL}$-vU`Q9PJAS?7v=#i;m^I1>Q7>P9J3ZMm~9Wq~dn_KUxA2^o9%`>}!ifD1@*6 zkYQ)=y~Yp3`rh)ChAwbIDm zKz{`o4i11I{Ja0U$Ta$V@&cd)fM;G1wxSE^gOSFD1aHlGq(n{37ESsJL;@VdMpNGs nzgnN%#KGKMDX~7!Q?hvKJbWwnvkjnQ9!6YPQm6!?>HR+dV^ABg literal 0 HcmV?d00001 diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 554ad174c3..c70b04312d 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -38,4 +38,4 @@ items: - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗 href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security - name: Frequently Asked Questions (FAQ) - href: hello-faq.yml + href: faq.yml