From 07d54eba25c058ef15a85b271a5023d38561be79 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 20 Mar 2018 14:42:32 -0700 Subject: [PATCH 01/16] added surface info --- .../bitlocker/bitlocker-recovery-guide-plan.md | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 9e780394d7..ef20349b31 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -24,15 +24,6 @@ This article assumes that you understand how to set up AD DS to back up BitLock This article does not detail how to configure AD DS to store the BitLocker recovery information. -This article contains the following topics: - -- [What Is BitLocker Recovery?](#bkmk-whatisrecovery) -- [Testing Recovery](#bkmk-testingrecovery) -- [Planning Your Recovery Process](#bkmk-planningrecovery) -- [Using Additional Recovery Information](#bkmk-usingaddrecovery) -- [Resetting Recovery Passwords](#bkmk-appendixb) -- [Retrieving the BitLocker Key Package](#bkmk-appendixc) - ## What is BitLocker recovery? BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive: @@ -109,7 +100,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t 2. At the command prompt, type the following command and then press ENTER: `manage-bde. -ComputerName -forcerecovery ` -> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. +> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because the OS will not boot after the recovery key is entered. Instead, the BitLocker recovery screen reappears until BitLocker protection is suspended or teh OS drice is decrypted.   ## Planning your recovery process From 004a68d447add51564f1e2d48909c8af6ae7808d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 20 Mar 2018 14:47:27 -0700 Subject: [PATCH 02/16] added surface info --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index ef20349b31..94f1153940 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -100,7 +100,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t 2. At the command prompt, type the following command and then press ENTER: `manage-bde. -ComputerName -forcerecovery ` -> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because the OS will not boot after the recovery key is entered. Instead, the BitLocker recovery screen reappears until BitLocker protection is suspended or teh OS drice is decrypted. +> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because the OS will not boot after the recovery key is entered. Instead, the BitLocker recovery screen reappears until BitLocker protection is suspended or the OS drive is decrypted.   ## Planning your recovery process From 701e7b2ea738a15f798faf0c3a9ca147e153011c Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 20 Mar 2018 21:49:03 +0000 Subject: [PATCH 03/16] Merged PR 6507: Connectivity/AllowPhonePCLinking policy - added to Policy CSP --- .../policy-configuration-service-provider.md | 3 + .../mdm/policy-csp-connectivity.md | 77 ++++++++++++++++++- 2 files changed, 79 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index c5ec170ba9..7ab9c9e7f4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -573,6 +573,9 @@ The following diagram shows the Policy configuration service provider in tree fo
Connectivity/AllowNFC
+
+ Connectivity/AllowPhonePCLinking +
Connectivity/AllowUSBConnection
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index faf33814cc..e07d5f9e02 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 03/12/2018 +ms.date: 03/14/2018 --- # Policy CSP - Connectivity +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -34,6 +36,9 @@ ms.date: 03/12/2018
Connectivity/AllowNFC
+
+ Connectivity/AllowPhonePCLinking +
Connectivity/AllowUSBConnection
@@ -355,6 +360,76 @@ The following list shows the supported values:
+ +**Connectivity/AllowPhonePCLinking** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1803. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. + +If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device is not allowed to be linked to phones, will remove itself from the device list of any linked Phones, and cannot participate in 'Continue on PC experiences'. +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + + + +ADMX Info: +- GP name: *enableMMX* +- GP ADMX file name: *grouppolicy.admx* + + + +This setting supports a range of values between 0 and 1. + +- 0 - Do not link +- 1 (default) - Allow phone-PC linking + + + + + + + +Validation: + +If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be greyed out and clicking it will not launch the window for a user to enter their phone number. + +Device that has previously opt-in to MMX will also stop showing on the device list. + + + +
+ **Connectivity/AllowUSBConnection** From 6148bd81471a71dd7a9d285bb0bc292c677e53aa Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 20 Mar 2018 21:52:35 +0000 Subject: [PATCH 04/16] Merged PR 6508: Configuration service provider reference topic updated --- .../mdm/configuration-service-provider-reference.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 691891af81..2ca9f64f6a 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2631,6 +2631,8 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that - [CellularSettings CSP](cellularsettings-csp.md) - [CertificateStore CSP](certificatestore-csp.md) - [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) +- [CMPolicy CSP](cmpolicy-csp.md) +- [CM_ProxyEntries CSP](cm-proxyentries-csp.md) - [CM_CellularEntries CSP](cm-cellularentries-csp.md) - [Defender CSP](defender-csp.md) - [DevDetail CSP](devdetail-csp.md) @@ -2640,6 +2642,8 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that - [DiagnosticLog CSP](diagnosticlog-csp.md) - [DMAcc CSP](dmacc-csp.md) - [DMClient CSP](dmclient-csp.md) +- [eUICCs CSP](euiccs-csp.md) +- [Firewall CSP](firewall-csp.md) - [EMAIL2 CSP](email2-csp.md) - [EnterpriseAPN CSP](enterpriseapn-csp.md) - [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) @@ -2669,4 +2673,5 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that - [WiFi CSP](wifi-csp.md) - [Win32AppInventory CSP](win32appinventory-csp.md) - [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) +- [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) - [WindowsLicensing CSP](windowslicensing-csp.md) From 1f6347f36ce88c886814fc343e741f023165b839 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 20 Mar 2018 22:16:34 +0000 Subject: [PATCH 05/16] Merged PR 6509: AssignedAccess CSP - updated some links --- .../mdm/assignedaccess-csp.md | 29 +++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index b08768dc86..48635d81a9 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -7,20 +7,20 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 03/01/2018 +ms.date: 03/20/2018 --- # AssignedAccess CSP -The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration. +The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211) In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). > [!Note] -> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. +> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. The following diagram shows the AssignedAccess configuration service provider in tree format @@ -30,10 +30,14 @@ The following diagram shows the AssignedAccess configuration service provider in Root node for the CSP. **./Device/Vendor/MSFT/AssignedAccess/KioskModeApp** -A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220). +A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). + +For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211) > [!Note] -> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709. +> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709. +> +> You cannot set both KioskModeApp and ShellLauncher at the same time on the device. In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md). @@ -44,9 +48,9 @@ Here's an example: ``` > [!Tip] -> In this example the double \\\ is only required because it's in json and json escapes \ into \\\\. If MDM server uses json parser\composer, they should only ask customer to type one \\, which will be \\\ in the json. If user types \\\\, it'll be \\\\\\\ in json, which is wrong. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (require) escape \\. +> In this example the double \\\ is required because it's in JSON and JSON escapes \ into \\\\. If an MDM server uses JSON parser\composer, they should ask customers to type only one \\, which will be \\\ in the JSON. If user types \\\\, it'll become \\\\\\\ in JSON, which will cause erroneous results. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (need to) escape \\. > -> This comment applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in json string.  +> This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string.  When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name. @@ -59,11 +63,10 @@ For a local account, the domain name should be the device name. When Get is exec The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. **./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). > [!Note] > You cannot set both KioskModeApp and Configuration at the same time on the device in Windows 10, version 1709. -> You cannot set both ShellLauncher and Configuration at the same time on the device. Enterprises can use this to easily configure and manage the curated lockdown experience. @@ -97,12 +100,14 @@ Additionally, the status payload includes a profileId, which can be used by the Supported operation is Get. **./Device/Vendor/MSFT/AssignedAccess/ShellLauncher** -Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. +Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. For more information, see [Shell Launcher](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/shell-launcher). > [!Note] -> You cannot set both ShellLauncher and Configuration at the same time on the device. +> You cannot set both ShellLauncher and KioskModeApp at the same time on the device. > -> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. +> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. +> +>The ShellLauncher node is not supported in Windows 10 Pro. **./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration** Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema. From f2a00934e98de4d58e396d233d37aa85d447daf5 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 20 Mar 2018 23:27:59 +0000 Subject: [PATCH 06/16] Merged PR 6515: Policy CSP - removed outdated list for IoT, Holographic, and Surface Hub removed outdated list for IoT, Holographic, and Surface Hub --- .../policy-configuration-service-provider.md | 230 ------------------ 1 file changed, 230 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7ab9c9e7f4..42c5737c3e 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4459,235 +4459,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) - [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) - -## Policies supported by IoT Core - -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) -- [Browser/AllowAutofill](#browser-allowautofill) -- [Browser/AllowBrowser](#browser-allowbrowser) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowInPrivate](#browser-allowinprivate) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) -- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) -- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) -- [Camera/AllowCamera](#camera-allowcamera) -- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowNFC](#connectivity-allownfc) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) -- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) -- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge) -- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon) -- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword) -- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) -- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [System/AllowEmbeddedMode](#system-allowembeddedmode) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) -- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/PauseDeferrals](#update-pausedeferrals) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/ScheduledInstallDay](#update-scheduledinstallday) -- [Update/ScheduledInstallTime](#update-scheduledinstalltime) -- [Update/UpdateServiceUrl](#update-updateserviceurl) -- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) -- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -- [Wifi/AllowWiFi](#wifi-allowwifi) -- [Wifi/WLANScanMode](#wifi-wlanscanmode) - - - -## Policies supported by Windows Holographic for Business - -- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) -- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [Experience/AllowCortana](#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) -- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Settings/AllowDateTime](#settings-allowdatetime) -- [Settings/AllowVPN](#settings-allowvpn) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Policies supported by Microsoft Surface Hub - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) -- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) -- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) -- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) -- [Browser/HomePages](#browser-homepages) -- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) -- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) -- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) -- [Camera/AllowCamera](#camera-allowcamera) -- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) -- [ConfigOperations/ADMXInstall](#configoperations-admxinstall) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) -- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) -- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) -- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) -- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) -- [Defender/AllowCloudProtection](#defender-allowcloudprotection) -- [Defender/AllowEmailScanning](#defender-allowemailscanning) -- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) -- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) -- [Defender/AllowIOAVProtection](#defender-allowioavprotection) -- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) -- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) -- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) -- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) -- [Defender/AllowScriptScanning](#defender-allowscriptscanning) -- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) -- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) -- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) -- [Defender/ExcludedExtensions](#defender-excludedextensions) -- [Defender/ExcludedPaths](#defender-excludedpaths) -- [Defender/ExcludedProcesses](#defender-excludedprocesses) -- [Defender/PUAProtection](#defender-puaprotection) -- [Defender/RealTimeScanDirection](#defender-realtimescandirection) -- [Defender/ScanParameter](#defender-scanparameter) -- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) -- [Defender/ScheduleScanDay](#defender-schedulescanday) -- [Defender/ScheduleScanTime](#defender-schedulescantime) -- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) -- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) -- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) -- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) -- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) -- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) -- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) -- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) -- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) -- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) -- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) -- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) -- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) -- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) -- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) -- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) -- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/PublishUserActivities](#privacy-publishuseractivities) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) -- [Start/StartLayout](#start-startlayout) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) -- [TextInput/AllowIMELogging](#textinput-allowimelogging) -- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) -- [TextInput/AllowInputPanel](#textinput-allowinputpanel) -- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) -- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) -- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) -- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) -- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) -- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) -- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) -- [Update/BranchReadinessLevel](#update-branchreadinesslevel) -- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) -- [Update/DetectionFrequency](#update-detectionfrequency) -- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) -- [Update/PauseQualityUpdates](#update-pausequalityupdates) -- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) -- [Update/ScheduleRestartWarning](#update-schedulerestartwarning) -- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) -- [Update/UpdateServiceUrl](#update-updateserviceurl) -- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) -- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting) - - ## Policies that can be set using Exchange Active Sync (EAS) @@ -4715,7 +4486,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [Wifi/AllowWiFi](#wifi-allowwifi) - ## Examples Set the minimum password length to 4 characters. From ee9e7c35e3f0a253592d8b1e60fd963effd5dfba Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 21 Mar 2018 13:32:12 +0000 Subject: [PATCH 07/16] Merged PR 6514: RootCATrustedCertificates CSP - updated --- .../provisioning-csp-rootcacertificate.png | Bin 27086 -> 47074 bytes ...ew-in-windows-mdm-enrollment-management.md | 13 + .../mdm/rootcacertificates-csp.md | 8 +- .../mdm/rootcacertificates-ddf-file.md | 1245 ++++++++++++++++- 4 files changed, 1221 insertions(+), 45 deletions(-) diff --git a/windows/client-management/mdm/images/provisioning-csp-rootcacertificate.png b/windows/client-management/mdm/images/provisioning-csp-rootcacertificate.png index 7a3f67195542f4a8af567f15be2ab413dc43dd1c..68672472c3d6416a371b76d9c12b194b0f326fbe 100644 GIT binary patch literal 47074 zcmeFZ2UL^kx;7kSM#ix)qoa%<#Mz2CDx%U`u#F4~L_t7WQ0X9T)Tm&P-g^lcAoLJIAcR2vClS#7eS4p?XP$>ld z%etD|zZd-;0)cGT`u)5f1hOds0@>{F-6rtK^=C(%!T$t2^fb>xvKsb{gFn8pJ)?65 z0(l+2m2=};@b?zi-;F&WkR27g{{*U#DOM0jp|{rgGgo~OQ!D)*Vx9Ow?s8*SZBbus zQQXt?qS#dT<8$dw1_d>-OTJRX5aJPA%WQlO-mdhuWi;M;r&N4pgxjae?`? zI$->Qc}(D&U++DSx0`(TXnTvN-EZti_vFm>XmJ|GTZNP1g3w#%75}Wj5-0Qvn#Nq@ z&O{B2ZT@Yb^KjiJwie4+0P^?(3`g{!>Xso0Y8od`${VVhi*FCTx_D|ub~NIY3gQak z05e99AoE@rVrpuHBcdidUWUtrh8gTI5-wHXd3eFHcT* zynyLXFkV(@7#a}X#VR7Rva;?Hu0q}#zJ5rOk&&?|^773y><^g0M+>VhwasKJ|8fHz zBQ>y`#@<#Q@CoOTIoBL{X+l;E8zul*HMO9$cMmY(*?3Xa)yaociCz?O*ESOQ3ZXtg znH8v?PnlqpoY%b_ZPkQSkl{6k&G&jx6{yn`X7@dw*wq2gdhKh@?&W)m3?GVW9y*5^(jSJYqxf%Z$ z>TB~wXv!34xHWyK^Bc%psI(aOg9w2b@M$|0iB5`R%+SecBIqHb&5*ad>cs-64fu13 z%S)YZ+G-W;>WbWXYZg-gGJ7V1BqJ@2->31uut|17jXq!$-U%!9rXg4cn;>KUE)*jp zBS+gKjpf{D3?sD)C-Mq&VmyL#XCGuXsF&p-BE?+_l)@AH_LAzhE=xRpBD$4m2!X6f zx3hW+kiVz_Q89les6Em5`IvDK%) zVQR#BneAcLG3fNhChL0DO0Ak<&Ms;~?2NulT-vyZ(7QQL!-(_|=8$~}UB~-nQtpAc zy|2=dd(w8dYz;hD^Ns4tk3|OtO0q0xJe4AaZmo(aU~f7c3nr^1wm!LfP%Pd`i;>&@ z>_YRQ27A9^_>ARC@08B)<86gK$-i2>34y(Ok+X1U;asxUOGT|6&sKiC3oXIKH52f& zRoU1n+105Cd-$Y(r*EBjW2?VJ3O?(pj0EI#KnuTy8&#~!I7i-R7Jn58|a;%DqimHqL5%NrUoYdIZNK+}VSQ108P!tY`#n107 z!(PrfoT8GYMXLKowXP#Yi||P=O;Zb@p4VqPNm4cMyH4qstge!nky5^ugzMb3uXO2} ziJ{t)sKqSWlTJmh7i+|CMV4Xx4P@+GF+GARh0UYgpdx2c;jt0>)lxl;lY17%wg=Xg zQ2Xds4v&40sSk}hSUXBdFB;GKqDQ~W+$MCi@!-)sr&4Ap^9E(fR|(QYoiQ~x&+IrN z#%9VEpLUD8YSV``O-^w5<9=hkd#s#%*Nq6nB6)|oYkq(HEooKU zaJ!N}te$F>J+ce9le*26Zb*r%3eJYiADnc`qdTamj&84CmKu2D%dlCy|Hzz8sebC& zWjvZ`*;MbgOtP#KT+t5Vl9ag z5W>XA5C~?pyw*sA{o(d>1G#@&Yjr7lu=*0z;=8r)fJF(&;a;KAT<(rru{!)9W44Pp zct?Eivd-tv3TUhBF&{~e-X_R=%yJvKxu1JPG%4;JMc^5sKe`c~W_wW?SgS!+O!Mre zEs!SLnUZ;W5by@$oc{U~_&VTL)O@jjTf5!`?YGiCM8y+J_9jIPEl==nqNu32NP1`# zM=W9Nr3P0qtAD~=?WYkn2!%F`p4t0MKlSyC2TGS#LlnUeJz`iw873NW?R9qr_i(QE zbZE5XN1W7r$&FpQ;`s@FXWFOuc;0fU^^R)J$AMv1CiG_~?iAjY;bU`mKG#;}Wb23U z;a(KFio-##?R0;c|6i4!xqU_%Csok)weC+JkbyPC=#FCFENybs{b8Dd;k9I=bN&Zhjbr6!Z)CVfu|!H1TfXlbyn8=YAeEA8)W zV|l~h`<%4){-0rr{X4O=h2jmV7nr!m6YGmRUM+z zcTuL+I$2Sj!O3`%V!wfF4no$nJE&pbP~9ztm`mH){682sKVbX^8$Kf&bqbiFn^ zr6pVT6Xi;)gVeh@yIq)r3v;d*#`pV~Id5Sf$Bx_P+dYLL7u+rc=wj^HMSA|15c{6I zjz8*sr$mLYk~~m^nv7aH1;px?epY*XyTf$bE*hpCn6wJY!579?o+l-pb&QIQEe^Yp zmw|d@UL>};)g9?~D)@%_9n5WWwHL$Nmwk5GV*HI32+Z?P)Ld{|p3lG|N}Ii~p{qst z6Up(;?S71BD>hTXwQ9R3^fc@d=F=dOvj@Zg|q4 zYh~mD3$!mQOftqTW_ZQMeN)({b)TfFnL{TPVh7%@929!sTpB<4ks^HlyCPSk;0icV zfM@n$jkGN9ijEhD{X(>^?(?4Nmt%U-bO?m4-{tf2zQw8Z)|&(eDQac&&XU7yo1Gu7 z_jdgHG&VKQ$58{EfW*Pvk%9TF7R}w-KYSP_CrECMojxyvY+>zxJJf)pwQGt%UzOK_ zgSh=v4(5NSLr9F%-D5EEH%)X3`@th4v4zow@4Qi`CMM5g@;^J;NV(O4GXE;aU|w9t z5b+b*b-uYRy<5w*E7?cyjKMCa_>AlL+6lXt4v)k1FJG3eesAON=<6UMcZ$*PAiX2i zfI`U=a-7gGh5mtgP%RX1k4~pbufAznDQKi*CM)I({WARC9AEdk`5{04;`#PSIYg2B z^jx-PyvOQUi_W|^cT1~V37Xb$F7$?4T&3VG89lzQGf*v0(D#)cm+i;Ktg0RHXLG-+ zxMCqD<)|4Q74<&*XUJ*jC3!?@Ber<5at9UZb@wD=;k8A8g2w@li2!6?v5;O<)tO|m zJo_6}#``X?kHOK$3BtsSz&>VcQ6gojBwz)9q-Ogh)iFR2e5j$Fm7oY2d^n1;Fg8xr zjYIo23N~2GYx847BRJuz#qOa_A;?>yda>+dAf6M|Se;rHRte~rwH9OQ(T2O4LEsr= zu@?e?13&frl!dDPQnwHpwc27^BP%oIpQ7US=&j(b@E4?`>FMdVGTNNpA%bcEQ`Y)P zCk*X&(;@WIJY+Cc0jHQ{PIP~k!$|G7@DP3L)b9JKEPF;>d7hp>K6?}b8B7Qh%|`or zl%K-h1YxoleV6;s!WS^ufW@KH)>D;GD)BpwMF>O#)#GDrZ9T$H?$m7$yM7DM)dgY03ZCsKCrUM55RLIQ45DJhLTG}yk&_C|y%;CMb6RSUe`llzWT zb#=euCP`9Y8X3~#hRSr3PFrEPq`*W$SuN-5FdCKZ{gS;9U>0n9Q zQ!6=w#G;f{u>lZ_L*)=>DIocHPTwgi44DBZ0+wh)*}cCGr8JhaMNbgR?n2#!Ay_vtVsWwGN~>eCL)8-Q zwN3fTf?}McEkZ}VViZaK*l7ppgznoXgHBMT2w~fN63g-i!6D0;i^7ODIi2vTqiT9BW0V)*84H< zVn`Fqa8U7dwftpA;4>DsX?F$|-;q@;t2a(q4%xJ)uI{vZ zbeNrAb%S%o{f-*?u^rnFPR=`=!XcM#J6Zh^-Zo`rWp_NaBp=PVfT_P)rJI?R^)&k+ zmHwkyEM$(QQi)%X`8$vf5p9k`1b#(DTR5Y*V};bH4lK zerJPpq@2^DiWF&f&Q?f6zn8)aF>bnZdQv)uxP?r{gT*}u1CO;pHZVt(;!RayD;7Ph-1AZ*9E0K0C% zt%~7$OrR#Nk_WC`gT{v~{)*Wz?PU#h^?NQ{gTBQkj+dBVzkhnXExc=9urAAHj}3uf z=j(^)T5PIpyS5gwe2LO*b2=vypL`qiD)1+-=k0T2HhoXpdg~g-@OOmUZsvPV{Bdc- zD`iSOB}9zeJfH{tgSoA%HdE7S@wQxVr2pG-!QW-H2vw$zNnTk|LQv#{V7O7k6!F7t zE$AhOzmNVLlGEWd-?vL8y?a**iOMfM{^mf~I~meoZ7MD7l63LF@OkoX+WF4I%L862 zCaIcR4n?X=rp!NeUKo{l(sS_5_%Y;S@fmo!x%CdE*6WU1>7=dUVmkYf-rP^OQFHij zfFiQHF?dd`&*CwKFr7tQqv!GX`K|Y_XMBvYFHASY86_I+@QOWuJYTV2V=^Joel9^$ z(Gql()m@{dG*V!q!Ktvt|73%sWe~rL^EB^7n{QXmN|^Dcl-Yq4L4lF30M3O z^>(}VPnm|bfw8*wIXAW*iqKwp*r9ou7?8|;|V*JFEM_ysfTlu%s% zxg7qZ6#I)1Po|0}43>?hx<>a>^{Qs0dEB{2AlRJ~sy9@tLRo%tC2qvECM3D`C>Rj4hG=KYBqhlF~_b$++)V6sH(_yjL{p_T? zqlNSZSxaa@Iw{#ZD{4}Fv*yleW!Bq3XW3;W>UzhuM!44iY#~;roV6Zi8yXs><=$7_T*GJyQj@cz*NinxTo?Ad|YvbNw~S8fb0+OzsU=sD$7i6>VE5@)iX3W7n7y zQqe|+hVQd?LQaz%TUcFqRqu)0z>>N*5V0qg-Xf2$x^s1VoTWO6*mnHb<`WbK@p(>BzXlzH7YqZr&dP2Z6S^x zwVLjVbmX|JLB4DD(P{*x95NgS4Y21@bc>%b8$gVft{cZMRn=`e9RhxW6y;Ve$?U+* z1UM{q#+jWI6GQ0+lr9YQmv~oDMIbfzNSFMYd?KGGCRT(`7n8T_Zmmxd(Uz(TpIuP9 z^(c}4=sC|Bs`#;gqLquBY@A*hWm!q1p9?&DY*+eXjAQ}Mm%M}97qTm&a|%XBTA=B^ zEHlB=OHDpn3H-RMO?RQffPH(MZIbw7W8b`j?YD3$2$aOc)9=6)A&-S|(LeRD*7VT0 z=W#R6VxQ;~pd_)M9UFhyCk5M3=}* zZgY9CR3rROqY~utHe7V+mF2VYtIY{V8)+pEm*X-F<3Wn28=+tgY<9B4Xx6jtD`}|Z zinu}(iTrn#zQGoKPL{W>TxHQA%VZw)GBDF!qINP9wIwPom zh?^NDq_~_$2PXNMSFtEoMc|p0U1_CRdH}O)>SZH0Zuu(d2xd-(lF48VexnXcUL?{% z=xGP)QykAtr>l9}NUMU!6Ifu$_(RS$d8LN5017YC8%c)-t-S!)K@f}4ON5u72W1ke zx>c$>3J?-m9S*(`v9YQpVYDX%nc-F;$VxbGZ#dxW!*OA}y>SzT#wB$IYu458r`qU^ zxa6yq?tB)FTCUCw2t3}yJ0hQvz7N%esera$!AW!chKr7N9uIDm|9pV` ztX1VmvLB<;-$Gs93+?NxjLs5xhUQDiQ9^y6&vI8b9(J<7@pesv4029a?Uo*pED1S; zvbWn@`w&zmj#2eq$ETyr~FzE{f7zCfo!}{0@ z>X0U%D@ajfo2>?@G_#l=Jsx8%6DP_kP4INfWEXO|I4l`**+mY~QcF4t{uyPNONghZ z$ucEBs)3|WkrO`0I=WYA4Bz_i8H{;ItOiVbioHm^v2PzaU z2GzHH&h%R$C3i|Ck=VAI7vc;WNrS<*aU-#+6CrvteMP%q-jG}0;i8=kDa)gmLZ5zqVqxbX1+1^{QcIOcT7C_P5_z~m_6`_@Q)fboflm8hQ@=vgm~R1z zLNmQ)YD$}Rb<^oPytQS%AqC8hw}T454Af^1l+sm+_MqUz3on|Q12XYhbFvtLF8<>0 z+3`-N=zauJVnt+PV1;L$KqcLFbYduC>$Caw-^6%OxSV$py6I20hx?`GQHP-))gXbq zXGt%T0?^Lvd|?aEBOg4Kk1!^j;_oj&e&U7r1!%E=$&O4=eQ;x6y}S2GR<`tx?N(7# zrC#p<%>4YX*hm;;?RTI;KHt3v_5AdB5fr)HoWh% z1(oVK`~rl(EO#d!n(#X+JK|-Wt(9F?^OM+ts6I1zcGP(c6r(E>`Bzz?f`=v7 zes7^_jsX$BZiM?j%$|XiZ8lLtiATi{Z^Ikg0&_WM$_(6{$=X-x+ObU3AMDxRePn$q zuSa}H7>a2#1f?3CG6U-qZ%Ee-5ww@94b;V8#8W(eJHZX|@;pd~2BIt}npJ7=(nW)0 zttFjF*{S_mSJEQd-=CF|nn|nIA~Gutbahy#{??^tMxLrsyMsD;{d&!CsbRC&Q;lQ` z$zd4pjDd{2x7~O8S6)U{IMU5(z9RK|k#73r(D;IBS?9?Dcq%GHKU%=EsFm8+v2(?> z+9kr7S)pt?E_87r&R6o`B*%_i0gA(4ZnEMuEX#C4FHWZeTiQJGQ!lHny11lIWh)%t z)H`W=KYnGQ*eWE<@6p73L32LawRir0Xx-5eG*xODs_yM}iZd**wtvwYZMa733%YS# zyaYF5E_OZyr6wIa5f4wtCM&`VyNw_9IJ?foW96@#M|2A9AwKz7{^+AOcFi&p)YdlY zN*SArU~?M#;i%^eAa;m5G@|rQlHOL7KjW6ZNMyQ~taLw5?#ZYch(t+1)v~$`rw{hn za{jg-1L<}YTx#g8!ZJRHSll5ff4*V)eh&{1f!5o^9Xc%QY<-=-9WCx-BJOL^fa#%4Q+jLl+C&y)Ow1Ki}#x79$Dg#yNWUqkwRFMOXxik${ ziLekTR9LJT%eYMtTy!%FQH)t$_>5VCH^yCETxdsM?q2M87})S0`=r?f#i<)hCiD-^ zi=PI5rHQ5UIxjD;$rkIc&D}>1pH!^q#RTs1hHTk@#C{V zlHlx*|KwH|5d5s%f3>c%?Pp3Y$8GigY=n>x|5l-;qQqCPT&?B@dDW28C!LyD^f+bf zkd*N35B%FHD_~y~cP@Q9t4(gG6^egBpB4T5m~v2wA5#6iLbP%)slxm7idgPDaKSYG z%XB@(Wq$?)6V$}ItP*9FTCX{#qzZ?>@n$;NsiA>Kl#{q1Bc^e}T)1Zs{Dw|_BK=B8 zV9ee>qmgz6+hs1O?%n(J(u9jNZMw;a6~=q@P=q4Z&2E3L8h5;aE~r1Al|Im@gS?L{ z5MN>MH*iTGNfqk3PLW-Lq>Cv5P;yRI0g^gBGsz+r4u zamjIpkE71wx!AOENqYKre?rVkp~|bMjT0!KvCm^9(E*+EsI%mHwcO>2R$8cf4&x|z z+>ecv#8|pKBPkOl^IntM*HE+IFoXTW!v&Swe&{U4bovM^)UIATFjF#9R7TC^#6m80 zhB$INf1ju@nJ;$)B)NPkyS9M;G!Eu~- zSXC(FPd!Rz`yckJzntG#9J`P{Q)JH`aDDzpTo2G-ALDM`({gM zp}WaI^`YuS#s0`%mQ|x+ZiPmnQ>o}8B|rZ4pemQL9i+QUCkuXF-;m~7lI)7CoJ4sd zFRKb9MSHA2Y%@-Vx_<22L@gQ;=(FPgvbuasr+d=|#DhRwM-;`*L4^6c|Ii2kUeW(! z#^E2>8Sq3}e~F^W)`0FUrLLf2_{AFd%EyzXCp%|Ltp5|$e?}kKke@S@TIDaB<*k}u zW0H7k?AX-u#_pJA(?9b8Y;WAQl*e8#F7L2A*jih0?W@fsPb=}VsPAZ^PaNb%lL{pr z7h1n;HF-ME3EdcOrM@9U*f)!8P>Y?Ncx}x5&{SV~C6)H`Qqz{|B<-{emAB229{S{| zNBG{mB4YaacEX0a_2$j&j@X$4=RAhqvu8c;lY}Op^iQ12>7kYW)b;rDQd5YJ?bRL! zb7x<(FMf2Cz)qU#Uh>n>qM)oND-Lv&bxZo0$iu!v&%3|-KDW%w;sIP9<`i(k?IROL zscMf!vgOh1A_Q_L%=7Y{?#kf-<14$ur#Sao9}R?~BnTMI(sBP`plId$FZXU%#E*3N z21GbAJ8FYw-C~IiW6aO*+-6ZDCsAVwo>*Us<)nOhKvl8(tMQG~vO_l}!OMFawypb) zXY?{rOm{#l*BGs~e%)Wzv^fV3Kvyp~CeD5Y+@BzV+S_w{CpFye0~zB-v?u<{-t`|S z(1xQ9-6zJYlz+>zM4{w4bpjH6Uwt5(l>XMpG4kOAf^=WmL>%By?yPD-HNM{m&f16? zl(w%y=7crdi`Ad=7YxYXD_zM`6YI!BMXmq z06#gTCNU<=7m>%$>D|{&FJrszW zH)(R$*p&6c{3F++5nl3XIRu4davh9{;ykh~2169I3 zgW-{pk+ZU20?+JC02aTH=D$~F)DAT~*B<^JE;0BEKcbv-C{>ZUI^v4eQf@7*poOmm zlz%VaUwf5*ykDX23hVN&y$&fAHm!@sHnLc@W0{iN1M|a&)J$&l&fdH)pGlgG6zljX zvqNp~hNX&VCag4+a6i~<4JBHdK_y;`?9i4M)tC1VQJr+*M2!`zuL~)K z&JpF31N^bOM4>-nT>MOPUIf-oP3P)RZm;q(7zxrI9}R?JSFssE*WEQq0$~Gx56zA+ z@dcoiSuRYizkoiG{~P9wjlxNholi9kJ6^oA|T8lO{mwfS>L;f?Kv6O2)A`_^K zl=}-_X|eJHh5*`#8Lhp2I&p&^MJ^2u0wmi`GwE95W_@HypA9pt-9T%V~vS_+njyZsK zUsC@$fv)RJfaTR+^SH;%V?1pH-AV(*1$z^oDeQ7ZaGkC`;S5xGR@&p3qft}_nkM}?+$Vld%B8e;8 zlOz*7^6Xs9l^<}_Gkuvv2k56LTR+(r1G6@0qt8bij2CM zbaH^>)I+?5n@LV}V(&hStU{T#$<0+F)6>5zI+kMk5wsWP6#dR6X4y)#@A@*=lA&%| zdS}sgna;xU%OHCVhcCv;!I)GiX8^J0&1KXl^>7n@jva{Wu1p3U#C|ACB*7KJ9OrqFOE1)2m*{qU!yApRR+)qhz3@Ri2`z6q%7hoqh)MHek4%T#>jR(NI7zw?wt?;Qw! z8h4G0Y zN$0?eaeUXB_)d zjHCw4NCKooNe*mc^PEpUd-l(=%;LS-QGJov{nTGtXySQh^~XZJ4ALvNe!#~D;h{uh zyN-}(BzoNw+?B!!|4l?1)T1?#EwL(3r-EJr_AzQ+;*sK<&VdStiTYTpYuT0s`O)6! zgY>7>-#dE`bkhsbl`b1^$ZBSR=&sE-vnHV^wWKQpAK*xUtA^wkx0l+nJ^q1_Vg z&a`9RzojE1k?uSY4!6EWQ?N&OS;}UHRVv#s{&e>GU-sc)_5jwROth7Vk{e(zFo*NH z1`gT<O8%(xqcN~LO69R|o`@vIIqi1opvPjgH0l5fju6|9d zHIky#741dF#H_H4ISdM`g_E#S0;q)B>b!nV5Ci??5r%q zDqVH(2D&i-UIe%m&dz4D-eSiQojnWPYRjvE6x$0G$zqV2U_O95-CHPZIN*`frYL(N zQuoco3c%HuN83Vc(AFnRS_mG183;(CL$W&{lIJLrK?{xQQ?HW)162FdD7383MEaB{-m*bj@$rW z(D0l2WCd_89yndCnv9|lK$YGaw&-h3uG~daACya#xj^87%BN~8Uh9&3Gm4fNeFMla zc*lFV6d!Nrd}<1HK)W%xrF6J%1pDT&d$7nvy-vUXGKP(foh~85R1jM<@Sm~%F<%aH zN8BnlAinB;=LD0v#EPA+|Blv&Tqu1-O90f4+14%m*G#MYO!_lhBV8qHVNS9AXPy$9 z(q1lqqAb5@_$0Fe^M@$aG^@IXg_qme0&Mx$}ER-6FAj9Joe-4ULigk0Q|PN z*aS4&6gK~)$f;0zi{=EfWv$JU+n@au_Nq^J_8vo=P(Zh??i8 zN>2^YdqD-Havp}mgTltoP>OC^RC27i2W%T~!SIui$Gd@`KBL#Pv^=U&vt{_!^QfG+ zjb!5AuM;|2eSZ6P9QbumHqjj`i2-`z>Et;KxG@#UyCF3=AgLWbmN#zP;MAq0wWU`y zrkgQ);UAY8RJlwdt!wFH12;Su?V+iD#Q_^I_L7ocu}j|)9U%^>1kzfCQ@r{TvQ%wylt7*V^1w8qoi0>eKcrif1Cs7`!laf1` zObP?NGL)Aq;e2jQaEmOTUC9B410>jh`>N*$*}=c$4^bpGe+C-H`4qBPKJiWHI65A~ zJ!8NQ&(;Zs9|a7Ay|}{N%`8B#jR&n_$hLY%1mG@Xy!(e~roH)XiFXp;kRsZTv<>_feyxOTs_GFBZ1 zo5O7ey(GYpoHqUp`F3qEZ)$um+#MCg6^%Pr*E8ppdTCCvidP+1at;XN z@v6Rn#a%2$tG>*1Kwq_9mh1^@A?!-TxOYLlSb9F})$#1Zo=P-=4`sAI78oHORS3Kk zsBMh-yles%#dZi+bKS=GL~+j0w;YzXx>7B)%~Y~;q5k~t#yn#SsTASxJBopt+Y~?? z7_a5L`&f8Ko2kL(K*w!1BTU2u4UI+3#sJrFcO6VcF3+eg$(I}QD7ZYRxWl&Vj9KDU zsq~;AUEMx|*a+-oNP67US?lw!eBYFJNBVv@dGqbt$JM@>&lTkYbcq)~Vt6d)C3~i* z;Avm})~tB40FcdL1;X2RwTy&@g{hpWL7A8f!wbn1Wnr%|7c(!#6>oc1i-%DQqQ-(R zdBr-VLmRp;YFy5t0zli08iWzn(Z+#7DjzmZyC4T!cuyo>ZX|(9`wyJLbY%nSIW-t6 zXXbce!+U+H`2}|Ob6aBBapUKS@h?=$oINvPeF`goJHWX3H?r^2+lXjb`46BV^>`;w zwtDMTxr;A{8V8i8;~yih>xRZ3nOkA~YX~_)9J>mbEFj3?Bhdy2L@mBSVN)AU;r}8s z4!9+K#i*meWAGQn`Xgl_Ws|Z_jkmT-MTlM+98U?l;*v{kZFbN(BB8s`r`|=qT3>wd z+5LFG{bdGor@M`I`Zn-*Mjb~u?xN3zc~TLbHAnJgmt3{x?$-lQi8p4&a5xT|O!H1azQqL01BS026~1K`sKqlpR_) zC3gup_CBM7p{MV5|T>4PYSxpTgrP@@z%&jZoQ% z40H7>yf{Hj6QOLZ>NWFen5VyhTXc(e?{Mj3#{fwZb<@EKP|7U2F+Lp4l7{%Sj`zJQ z&kPOVZNp0;MMcUJJD&Z@TkeU~#oO?9qxXP1whs{Jp*&(hFr5QiS@r?tc_RPMe=Yg@ zYdAWuJP*2ML3!TVTJnD_&$BxxPx51D9wqH-%&c^nIH<=x9JqcQzP z0eQ=92ULll@+#x^;5w-}`uT%x#^Ec+QLaxX5z>WwdVcBbd|M9yw7gap%K3S?Rob3R zif*fUs?J13z7MkFe6Vv`1~<0+sQKhnRV+ryU+ccJKGdJFp6dK8%pJ01Mn33N<8&0p zMRie1p-@y?<*(W$E(n&&{%bDsr>>FBpB%Ax(^qQtr)qRhr60ceW<=ZaNJCyvB;!xr zqSi|-RC>qLnP3Hj)=Qs2w-Jm_R+ipiC~#b9C}yPVAgBHkfm_7SJaOj^=>8t}Uk1wQ zoKYf_{G9I6(7Jec*N1jv7joN*zEpSWkBV-Acq*E!}eYEpB58nD5O&-BJJyP>)H7~-! z7o6l(IUcp7bTl_qN>H(ahy>loiI%-1pYsK(@4A5ZW(#*Opo@%^W)JL0ROYOSuZ0H%_POPYQLt7==jWj&Nk*92*c{l$Z$|k=?Sed`E?lDPw z9M@_5*9Pz4$O@%h*Bq^E-0a>O6OkK*QME!N#nrbry_q`30fofnI_S~z&r zJR72*@=ugOLKsJL-FVW1IUyzc4nQszIOSsfb+RSdtAqW`nqF7{LxxL5UK1ajw`NQ| z8a%apRl4U~TKB?kpQFR;Bo-+g@-;z6d|fcsu#2)q%3s9XYZYMM&4O~wT3#EVe{K6V4N;1E)!gV6ZN`#8nr&?vwIpg`+e z*I9May*`*t__Dfq#7-CMmMq|^a>W%@H#Fv8etEo&%&AW+i_P#48&YqYLDvr6(7XSt zSNa-s6BW*0=W9h46&0y)00;D^^%83^fbImI+47Qs{}GDk7qo=0nl*sL&i9EP47kPJ zuYy-rP*Bi;L?Mf=#UCgiN?~)B|3#?qaqb4>;ouONf5E!R_)XA;0r%qPKMm#MQS zhnl|!;i_qdy*whj@6`pY+aM^kt?wzhAFUD`&^T$=qjJw#f+R?G4BMd+r(I3o5gl$sVe(p zL$;Fi_`9*qrqPqFT00urDr%>+SYJbjy$Xo3f)wG-xEA=)Lr799hTrOxDH6=E!WZmHBTSR&ZjliQ^tU$r z3cRJG986`ak$ir`hrqX0ZqpNL@gzYE=pq6XTIm)ak0R{J)Hm^0DJZ*_B%z~sIw9|K zxlFl%DGd`HCz z3Ehh48=L=#7yU(P{#_E-e?qSj*|R6?YcjzSU~_$DPXku<9S{UI{?#B5&r1;Nw<&Ga z*H6!oKN8q*mb{^DPD7+g6B*D{B64p_xM3IYNjK|X(cgWKtFw}Lt+AmvP9qE-aS9J9 zbiJO|{3NaWQs4L+diA4)2?m0W^^u8y`I7zkI#b=b7;5w4CT=VPvr- zTO!uLVq1TmSR}i4IZXMN?)heB{_*%^OD78__*3z(xhz_gSXybo=Vd-$)k~sZUabO< zo6%VWW4dtloqhG8a2F4B(Lnj-Y_WY7d4&i1Gw2H_|FQ@#9Ne7Rxwv34YQF}_l5%NO zF9~k?iYETS{JXKfyU~-T7AYV(u1a3!GgzA5<@9J2g!{hg8>%$X_Nk z{xhfbe*=9uaTo_((}3CyR%0ST6f{G=e%wWTvv*rbrg&$&R&qf?XxD@8^^6? zkN%;^uKKN~x?jXVTeFqSv5~7f*@=q}N*^Lc_ZsRW2M$*FiRWgPl~N9bbZQ&gl`tB@ zh$9EQHYny5;UvImdD-A-umd1UA8e*MrpxFat&FnB<VpY$gg+peiP6+9){;yozlrEJ@EPs*qKYdH^qly4(z1JS!xK-Jz^+(qA(K%$ zAIksUS$22H9d&Gt=-e(p&|{jT^`ONEAJ#~Ts8;jC94{vg+yr-n1@H2<-H2OTOHdTX z8be1+tT1DI@kOSwCZ)F&N~n1?;M~G`Rb^u$9^z3q`eW}@X)Xo1^k@HuF1=X}FbYR| zPPR}3X54ix@Bxz_&q#rpW}Y(j=i9ec%_GHeh2L-pju_=;QxOuzAj}{H{$fEUXNn@tG0#kjj~V?3d-zU%VTJ z;rEQrzu_@YL4E&(Njh&HBj{1(m7{r)=Yhsc%TS}nc2H_hp-$K2*MeTwq1-Kym%I*H zCyuSGBIv*(g1#(G?^WsC+r9w*AWHaVo$~qwI`;20{t9_4#s{^*{2Bmsmt&?n)AV!; zL8CaB;)J4AC-9-Hmq^(v17?+l?Xuvc(G62-Dc%XLfawQQ% z|3Dqe-Nwf?ep6fpy{A~IW*Aw0)Tb@| zFw^A7TFZDfabL_8oQz9B89lD`puCrUV6(s_hn`be4)aevT6>?%GhZx>ZZ^n-_IXAn zFYKKrUQ zo|9eJ2wQat?wpvuwS_CnF>&O_xL0 za;+(Z-sO6FwaI!5{aJE2R6~}{8_%Sp*J@6g9#M&jA@x$-AA0EJ~f>fr$L6ghR5vS`l<0LVsCi+%DgR+W& zDi-uW0b?`d@jV~t2GcAObWbDEeq~<8Dk>^|PM%gTiVFiq{gLf$x%AdWxKgd6cUb3+ zbgBdB3!R!eh6Dq*c>DyiPcN8KAi}QZ?qgq57t2QbsF(IbfvFLJSwL>diOO{MkrrdC z$mP%DaTd_n?MOig8<@H#A2Bc*iVuSoHv2$kxBfdHF`vLAtBvjaktC7OHsSre zSyjCLdJ8Z+irzECo1?I#BdZc@qJa@0l3?5ekCg&Q4`Db!vHm%A29@)e0RT67QDAT$#ZHd9 z74W*{Q##nzn(kMF>UsXhGedM8-z}A{;*Anvf_Y|cIgcl|X?NeY;99Zq&J2=6rf^2> z(eK4~&}sxfukAG*7^LJywL!UGtD67ITmpm`_BA3qc!Nq%`q3lSCHM%Ua@n@y{ntSi2+A$F|oKTC;b$6Tnza zUtVAE2JvAtjCECAjHs;OKhDtbR!&Sz)P3NNH|(rvoi6mtwsa!sP3}xSE;#0%+*p(; z$sT&tf2emN*rT9D`0LizQMnPA>HvwyoV8hO5)(Xv|A2v4sPx{Tn#mCg|aX{_UHqAi)Y3Tmb1 z4G;CD3Tdmw;EfMqZi>TelZvUWY2@+xR%frM7hYmv zIff*&sYU2PnZg6wluEfJHeSa3SsNeyKcBC;`{Q42tjEP)Lm+mnPev%;pQa9?3@8|n z7$JEmdwt*&u(CY*o?N*S=owuF14DFU01K~c>?1HUARPHjh~c-`Ypeo&Q+B&qOt6sX z!_pHyHh4KA7x8uy;^L$CFy)^aZH7xPJwEr~|5gIn(*~pWIo_TlPYIaW{$|-^FyIL= zvUo;#3yvm$QV4M1{7kF&R)$Zn_J9$xO8z(gcq{lP|63dw1^{~g2^r$c{lS7CxOz*{ z@;tH+n2OMkLTjR?+UjE!E2MscY~mfCzrDTvcx$5zU^yCq86Ur+klZ>VfxW1>1E;iA z(Hrm|$86IK!8iqXEH++oP{4}!4DvBx)V8h++X^uoCp4C;qlczpt^m@Xt=@EN55Fws zgC%bVC=n3S;6j17LjPw7==S!h3P}Nx+t73#o8s?#?Rktl4)*^7_P{@aKPqGXXIKMd zUq%kEC6_{8!UN(ME2I`=rkYm{{CODf5YpT_9+ z+O*1GiC4aYi7iC+ZZOnoSMz-t>5-S}pvYQ>S<6`VjAWlWpFFw$m+ABBSq_xm;!oz_ z+YVd`uz6+cRfy~N^NRF-Tq^!69Kglh?+-L)u$j^_AovS1YiH_<`F-87jdF>~y`60k zsN83F{K}u1Ww8y|hu8+Si4P;@9=5)8vZ}|4P8)PJvX~r550h{9MR*F+m!@?}>jqAG zPRZH{Pdh6WGu6Js#%ws#u&>DfY;yfc5qUcP`NHLEpq;tJk>>YJp@o1cSDujW8jkX% z!gL18yo}Gi4FUy0*U{FYbKX0rt71U&;x-|zCj4bxP0cI{#q2ivw6$I7hG_;0t^vR- zQcLdKJ({8w<)5Z({KaZAFaZx6dK8zko?ew&H79*f6K}R^$VspZf7z0wO=z0t@3&6- z2ui=er4=)|b*XG%_RBl8KE_FfWFQ?1HC*2^4HSimRWksnVpgPaz5gJP(t4{)2LtQUXyz6Oa9w;KT>#iRc)b!9?GD!NE~H?sV1zaag2vnql28kf9?~8 zt@7(DCYI;H`#Se=UspQ2ap00dRj=j+MfnS^m zuHAu#iA@h_K5zThpy9?CjPFY6jmI{8#7e8b=eFuO;m%^ydT(vdNshj5|6XBmYnVaP zrJG@&)UgLDN^@n8ri}#9BOh2@rJPg2m*2T*F2zt}jVQJf&pGOU;Y=5_)@T#l$m*>= zZnM5UCp4j-*dyF#B2_&6nSmve#?6Mpn9XYafByWrqu`dH`bS84;Y_oHH@Z&Av!$&{H5S0IUk5>&hBgy8p z*U1I(H%z4E$}cW6b1d#9Tf~&`LVp6x+1-6(Qn%A$#n$@sRrHWh86{~$o;__X7LH96 zu!?!kaZwzYJ7T6m4TK>9SIE(oIY+Nm^ouwZDXvYnU(@(bn#BKdbl-O9zy9534|nLG^6k;uifKTF*-@(bhi} zSToJ{iL9B2HWME%D zE&!R6xN(9e;F`{u{3~>waC_V|#Zw|CH#KE(uXkDH(p@<3&i`sSKw|IMGusM;*4`O~kM}KL0}h?B0f#j{Wv3`Cit!rR`>^tWreeRs3Tjy%%RD{C=t=BS zn$0G6>0oW(=KEhFTJN=DRjNm~hAmTMbu@S&96Hat8@-H?G}IN*n5q(M^K^gq4}+H+ ziVQHx>^(S1XY!7=v@;1)wo93AOrnf|PzGZ|#%?eLjjc)XekRLWgu^rx{<7U}joD!O z&HwRm7(KY-l^H!IK>D@Lo)CZLmhsJu`yXr%PQcl+l#x!x zQe!`3tZH0mlBPc;M_H#-&BBbibNSN)_ph!Vd+GnKHhrn~EPWYEh5u$@xhrP-L^J2r z`NOi&)FxRh5PgUg`9^oYWsvCxT@FpZ!{}Mlq|g-UTGsc}MrCcR93@R$`R_7hfnhc^ zYny^ZoFW3TFV^5O%Qb--I?@wFQlXBo0>*oz!b)~0oVO3}dl6Afi@2OaYN9YlEE;u8 z0^*%pn@}@%nJv}5TiZTI@d@zwCMk7-dzpBcZl$@>;I$1aqeg(0flI~BB7tR3{+3I< z`0#}jm2tQo8T1orN*$rK1cU*C+SC{bm4W<&D@P>LknjDJ?3 z@~3cuA_ib~wjc0ti1~n`!uo85jY!G-q5CcH+r5MB%*0GSY&DdflDeIvkMr3oONfxa zf-b~WDP;!LyMF?jE{z_F!uQg1A*7lfVpH}? zzHa>9LsBM?z>ES(;YtyH6<`r@ZgjVsHx(kS0Ip%Bcu*`xDMFpgG1U)blN8Y@u>xqW zkyE;fkqb1{mz26O=$Yz=;9oc)vKqEpa*2-hTiE+9F0H_&)v6oyRH|bwUI%#aABr5%idPA@F+8NNl#I=)ATMHj))+R%x?bU z0F=-n@suc^QhdJPG7?DN#x7DA^>Amw9 z8=QEeb?4CI75A4|=49&{2e%xfr{gzb=WRw)dbma=F`p7CjCQYnjX>HZy8rG=L6Uvm z?_@fI_N{)vTYsq{7HQcS8=y_7hJ9?^H#~KtTHqdM9sGM_vYPD z7;A+wazmU5wBro6CLYx;!EIz69{X%|vht#tu%Q;#*F=dVyM#nO;@2)BKiE;aH({it z0~V`txa(o%&7msFnBv9+*f>e@4#ltR!*K$u?7!VG|BV=+rNBRV#y&sW0(8&tL2!Vs zyz}g{$A2y4<9|i(AKofz;D8)Pk>QDXIbdb{T8I`Li1G4$TNdFC$cT(zaH=RyiAs(6 z$h|dYS;VW;cmo%di2X=5~#8*#6dd&3b!IeROi%BT=6?q@h@5Q`-JSV8KUA+aIraFG@1vtQ1ee-BE z3cLQ@gLIWK48jt%sV!ozKH~alUtsyCC z!?XgzT1Q*wG&3qiSQ^?0U35y??f=4EUF1n{&^RfZsVA@czHrSM;{&OouVO$;j{|yv z(=PDGS(+#5s=>n_hk3po5W{K{Hq8L}&=K7B-;!5((_k$gWBcH6=-$1F*ol%5E|Q3E z4t`yy!oigm8BncV`Q3xpyad#6_q^)S-;_NE;QfB8PR*vTIN zv~rUY>S)ahb3FOL%V87(mhh~Iuok#&RltpoujKG}!K0Ee@4V{4ByAB-`*QK}Z=m#_ z#8CQvqZ9TN458-<+mrKg@7+=ZS4CBd!8-g_H+3p0IYRy6(xAKnl3tVB>s#8t!_{X2 zTzx~s$go$DS25nf&4kQ#bt6>`Stzx7+bZjt;0x-xuDt#;Q-0fHGRF>yf&P$!OCx#r z6yntuk~7$&izYI<&;S{3YeB1Tc%LEkOZRG0Z9ikc7s_`iZ4AeS9W8=;Ru(M>c^FS#%*e6bLgS54Wt#|#M9Le zqzLu7U#$IL0~G-8h_LNNw7`F{;dyIG0v2b+OK~<0Ws<*2q>6f2Jt)tR`E4D*;b7F3_J3)h*S0JV!>gqb#&+{P+qpDKf=B)?7Mw#)S{ z6}jXAwqq>)U(|(v%?1($`#oObb#1q>DC;w zwoL&@Gz4qzP0OETPKgeMO}D*@4K{+@ED>e9OLjyAvtQN)k|#odnHq>Y5(5k2B7w!i z`B%h*Df_)>B8YemXzu_x1(?W4{^ns717t|_Lq@7V4#D`dLKzp)7S!jUwxA0~FmmD@ z8z~n-LPSYr^hj&k3)wT`*Vswp0v-g&d=e!ET093|tSL_=0i?jrcK?eaWLK=J`g-Rf zSeh=5L{><gyHE)J*v+i zBk-sB>WIRbMm-LP1GkRwzste*dy%)O6(K7c?BeFWZSuq317wds@cj2${|47s1yVXh zHwpmxFC$?hY(ahiXe_TY#of@`5*E|>w)^8vg+aR3$k%PCW6%cT-&-$g2ofXu2?c$7`4Ec)!x?GgIOzKt|HE0vDcN z1jKWz$6XQs3<;l!nw-pqqvt#-77rZ3_%TOgC5SOM2EMN_#&HEIEy5=Lhfag^jPT?p z=!jF<7n5fV8!a3c)O1?l{Oyl&N;ejnzp9sKct2C!MD+*#_6(5$oEtv0r@R(+YteEv z20zHs1Fsb1&&(4tJtJ%_R&f)dC)E1}{Q9;T1?+=nf+qQBQ{VlK2EB)0ked!sdP{xC zn!9$1TJ6(%g6UR!eoOH%3Kej^E1oZtCB5 zn5nxv$dah|GNZh2?j2{d^UjAm3^SKPP;_$NRNwyAi)CodYX-!VZZROGAnxmZSZ}l4 z*z0;;E4-jZ;9YCw({PUU(EuZ_Lh()wT+Y-&F8kHwN`Kx}1mjF69)uZ7WfRWd*Q;3n z0HO#Y%6)bpKQfZyU%ca^&nUvcF8%QP((;5NSzg?W)6w%T*ILOx%|D{DiFf3uYLOtY z-tI>0Udi|p0R%w4m;{3Zn)4u@$gzNgNt693;+Z2Z0m)<@*b;%py~80q%s>Y@6*MAN zo^bcY<9D!g*46 zx95n|ku}^W>1kwX%PO!tsI@s+ru-TI(bzL0;@w4M)M zR{RTPA$?Mzjl2jv!6ABxD`2T0vIDaN`r` z7{AKR<$y#1hY4;8ND6bVBv`GeW*X?}>JMyd#@&H6e=6dMHimqL@ll!+s+ zIpes}CYi5u#je7H)?}2bJmB6di2w6napnaF@ITc#7~*l;#H58CQW7c8keoj}rFxY1 z4ga!u|CKAR-|K#^Y4GwhwOYQ#u`o=wwAvmW( zE(*H99fbB+f3f(@Bj{S)I;mAXL(`|P2G)6GZ?fb%^Um?~fHNgO_L#!A{U{MM=o z$N`F(TkU7{D8D8~%h^0+c1~PFykMW@h27epF}4Et`Lu zmj4Gi6Ng!Dk&3u&Ju?)2vDO5rtPo;$ad_)Q6#4$QUVjLF3~0jGIzCCZ zribk?%~N@p(UiIHN#|Uv7;iU4TqA~%57}ioO(1zSFxK270}RwTKsRul{DeIq_aAva z7s;m+3|JJpF3oYT>i(gNGxC;mM^Vmr{c4*Pw)#Z}+>1|Zt;NTZy%puXmy5R%N7zut zWp`$zU&!Hb2D|p6iabYF@(;CQAVz~)*S6LT`XeTVI`H_xYbaQTrY@~t%kBw_i9u=4 zyee<{$imB`VkE|c!$q+lA5{f5_x~_lu2ws=gZcJ;-2^-q|KXRhR#V6-Y5m(fi=?GI z?c4%h`#*{y`BRAFKOm@zHib`i$z!%@YKH$`>DCk%BSt4-z7ua*pUNgGc{^rUs_XBzlGn^pZ^KXyryK3kR>(LFz%)&;k;W$`4qDiUatkX} zw-#nR5-PQ<%ItBt+TAjHGTCqw3|qQ(M~&Wq$A9KN!N>QyqVqGGuqydJh-?e^@R`Vt z?ID#fIbF{=o-t6hZmHhqt_C}Fq%gCsbD}|^7obKj9TOwMfAmi``7S4>`(PN~?g~-SVvT)=*tGm2No-o) zo#7Z?1{$OQbq*AaSqBxN+bNoAt0<8mjU&Ad0NDo>_rOMp2_!7vG_}Y4{`$x4Jpzfy zV9VcbgJ!0(+wKpx^+zjet8AKrl_#-36-w`lf26Sd%SwS@9RaB1)!QAskid3{urUQ` zvYVvmE1;6xDvD85A)EpMa1j4#n0OXjrbbKLI{i}#Xn#?gIRgy<^GT%T)?I`_==!gp z{jxMc1`=KonZHevV)oY+sxUDUR}|$qEvc!=mrg7D*Z)aUqvZ`C@awf=O#7>6er?>y zsZ6xeYpxShz(u&A# z>rdqmF?5R^S||4LfoIyJ1^Ss=CwF6MMt#xNT%p<(np7SHL#7Iw3SPIqc$YHP6`k zP5-anl0bJJ1=0#@8#fvG{Vt13MFuWT-1xgZ{J(}o{JWP52I*gi>B>m;B{SNYpo$3{ zpj(z`Xa2G{VpFhGShhvn zA5~%AX(K__Q7%{-AFYwB3tS^5h?aKo!?=%NVcac#j7x^`jvx^kM&c$Kkb-rxJxAJ> zh1dsZIcXGZ4bTqkp_}z}SiSO>PG#O+nk??m?K+XG8V7#wZy!u#14L8G zu-$|G{#HR*rwxS-Cb+=mUeHdHW7?OF7@92iGUwO8&jJ;}<;nEfDguGF)1QaqpW|g% z*4dVf1vy$x9qFXn9VM*m1t0iO;bW40$Wh&eCloWu>|n&M7}Lz^_mnU8{l#<=<6`@O z^gDsU^L-H_UYi?O&Yh#J{fk#r(^0$i0$l-JcQ1-dtwxUGgu^JoTY2O~-YE0pvYJeBK({j? zkpIlsjY%XQ)eB$UpeUEQTkcMbZH6AGwnmK>_tEOBhZ`Q}_&ZPToV>jkbu7RZExbeI z%GL9PT#WF$=>OnLp!7iN&aS=XK)Xp9DRhdC=JcFbRDH1fVTQ@|ts%blA+R8%Zc4~R zh9Cij;P1=RRYBH1!ae^CndnaJjT5}NI=Ag7(WVTvZ-wo5G#7*q>)!&#Z-2z*mv0@P zDLUJ3&Ix)ls&5#)kw6XnT=wfyNv(DrE+e3FuzVq*i~w~cBKa)A087w^;%62g#+ZPd zA;7)|-)^yBGvbx8a>J%Fcb|*4Ht-P@-)dAfAt-*mav1#4KwySiS+bYoa0NaRhqRF= z`qo6#5X0sH`-BsHnc?|Y1t3cYglcm*9r?1=O{fP@ST-{&s@uPTz5ngz>;%q8@5RTb zPp9YPGHNEhvty|ZX*iQr4XB7$c>IomfsfuUkm~_^ot$;`)oL zjs4+~Mhhq8H3k-u8g(5WhQ3n+@tJdy65@QFPdyJFjn83hN3KJ*JaTRU;RtVKRZlWF z2u+mnr^#2m#qf6gD`%&hlvD?q^%Q!Jb0624`mi?Og{x&7hUQYa zMr=|6*{wR<`L}MU?9z3|)H$XR>lQ-iVsDdDeFIQI7Zf=drg}a9YUO^qo_T<`OA{+3Fx{kZD~^;}yHz$iv9zk7?9mE$ zo1YJ{wuH(wRH{`rkUb%l4M7n<2IN@NHZ&6DwpO?MjTUY4ZK~Iy9%}N26%gquTlJ{k(7kDxY#2EuGNS1CU>W ziWvajf;H!Kysn_=Ly*v+Ms>ZCOeHQIjM(1m3HgkyTi}{8SS*hztIwB-`{5{iK=p`thdY{6Uyjwu3 zG}yO*5R;H#<2HO=1$&JIP0CR)feRdw_D1U~Bf{L=Tp{vAm#^xpV7oBpd+BHd&7C-m*q>>?H&w5jRmzW zc?8oYXd-ln$FHt%8=7DY-DM5GQ({D%R3CSm(CA4?PJpxDE0ikjdFzfK9z#90EmNaS zUL0aW;`{|9w~tzuM4dd|myVts21s*NKwdcGHI4y`8*v;QpKsB9E{JA7mSwNF;tK5G#g8FYD%ew1>^>fmT=PT9dG~&;Y<`n zqsF5VLS^_B(pVx;F9g^@^z>|5>Y7YqnuT@{2DzMe2wCT4II@<(V^q-HAUtX!#zc`O zvuHoPHpLcG`GTa%dl)JIgKY0fq@Ule;yFOXnP>&l-)cix__6v-q|VGk3duv86w#*1 z?nb|AT67-QR>WA;!hQ%su@z8ntFugj1;pSW{c1Cw+kVH=c;qB(?gu5wZx;c|c)*rw z`7G1DlHd91Vu1>vL3W>nDiT3PHweHmG*l8?UXx3*tfDHq8{HPYx_wHS`*gH;!9Fg% zun`XU^pSZO+`}eh3GRx$5+vlT-Fp+nmNq3t48TNPe(_oq@=~-5>00(S2P05L4$}%5 zEa##@j=j~E(H9(W_X6MuR1FLWQWLG_>j=m()X*~ZaeQG5W(&VOtK2YX;Cl5oqrLRw z>%jX0pae{YgX+4N?EN5$MaZ4FanH)_wJ%FS@@!kiNGLEOu;Je!szi5a7~-;@hsS0_ zRPET*i$^GlB1ggP86|9-Uu0>veVD6Sg^rI|gmdQ@PhF&y1SC0pj{OCrTS8jL=SJo@ z>p~R6&=6xL0JrwRfy#jYuDxIw=Y;(>R#(P+lZo0T`ipaU4YCcLt8Oe6 z?PJ{B>igDl45!{t8Ohd*F66?mw)!Mjmng|)o{y4E+^XdC22))ZmNRL~u_@0B)jIxO z%cp^|5ZwNi#FC7T(aD6ql=N$zwXyKj8@AV^NeoWS`s3^eUTs7O6M1DZSC=* zL&27RMvC#s#Mck$z8C5)h(kX3m1o3nsH4h}XI*XyVlc((-V)2VXlQ`3Q42D4%z!ky zIdA)=-d$I=2TjB^**#I+PW8!7NA7k5$CB~{t;`L6%8D#G$@}e%4tI;Y?G0OsOIrm? z|C4bGZFYD~@h60dfkZ4Y zce7$l3jIPaUjM|1{+Z8Cw{#1~KIN4?0e?_zQklEj>+l>+hQOr1{w4si^>Sa)YYG2E`R7mQ11n*Ysv zj7oX+dVlM5bZVi0D9u@0yy9pAK=>A0kRvmK9K!Cm6%vW~-8)0q0{~1HgHiAQ%t_@& zwesWv(Rh>39RmOh`N^(!Ng~3~e#xVz;=u?Ookx<13_gIlOv!ZHt*zpYAtizzV0GIQ zBK`qBFWE-PLZtgK_=*1JB|GaSu$ClCoN+aGm$RV9hFiXMvH0(6 zoB)3L)G6*@-MbagxO2r1ZATLdxU~-kBW>4+N9Q9vu#SFxw>EDp=}xeqB}ZEYlw)l8XVir?f_jr73`K%a#VPZy-2EAuSFtyahN#7pGC@lH2736DfM$=vt$F326ZW%dX}6X(ojfhn3$-n5pknlR z7f0`}Zb~v4?GhJ`z;m>K=-8SFxvJ%Eabxtvh}hjXJSdfN&a(3=(hn`@E0VM7l#9kj z%Uxoez@Ey~vh%(VCpO2}6#1#tZVrMUo-m?;?0_1Qe9uO9>XHy#3_suCWz^KQDYBGa ztBpr9V)T5{LzbBsFaiN9z<+E-oPR1dU3ZyctEVmd>;W%VMQ;s{dRW_~uq>Q$kWfQ@ z%IQCsIRY>PamkX9f@VSrFWDm7YQ1m!0z>cuK0aetu^(PiIS#V->~>T_u1mabS4Tev zfwb{H^XwZ-lj}45JP?5l_~GoPk+`yaiM`?xUf_e6Fm|=hJEQDq6>>IrKi+7P;j>pU zJ^DXV_@~J575?PL1F8jt&CHMB7uTD=Xnw(_VuC*VA_lKE0YfXX{%W2iMp^Vt|7{Y% zw&ExMOpt+ipv6qpI>D@Su9_NuiPMdxfB0ZUDjOWNQ|?Bjin93Htdb!FKL8$BbyGZB z-8Fw#;l3eW=VTiJvF8fd5dF8#>wmCRfL97OE0GM%c$1I>_65Oi;f23D?c0JXO1!|j zqgh5${W@00(~`u@f+cB+z93q2G#TQ$*|!g}0+(u}>8y6Tw0e|3_0K+d644Kz6^I`I z(d20)6x7cnz4qs%=He*Z!48F|-gw&Q>S zR+1^QC&V7luI*l)T%8cPQ5o<_Kz*;c1vcF1GI?wwOBXuzx&5h#0{Pth2TGaMFU@U6 z4n$MQM@!P%<+yU0-QHzuXFS`C>O3Y&qZudSv=$3PJ z9QyKyQ_EYLY7<6`YfF}z{1hVWIhUoPiCp&{{(NQMS8axCS75m0sccVn)l-cSS%rm) z$gV|XJ+vP6j&M!>CU<*S_$}+^Seqbf1v7qO(UDU+at#>Wh6?P0UDO}oo4gcyG3-Oi z{RQ>Q8Y?Q5Yth|1^Z2b3ebAIF8!OZ++wV`wCO=iN?7OJB9c)LU0lnUosO@CBA>y|6 zO7-o5x9wUwM}KZv*1R(CLe}cOCHHmg(x5HNjE_ZbjLi#M9pW2sy&-B2FEATDVRg~x zP4f!Kbth`0hg?s1jZ(5ot$sE*zlk?79AK<_{xs(4?%*8gtHRWB!ZpL|j;GV!Us9W^ z(O_E=QYU<}_$JB>>eAww#o$b6L?=T{c_)Mvq1D)p{QK6NiK`7UfhzkD@2aLRXiC>w zSbJ;HwUxrRFKxX8qH~PY`aim8G$?KG%01=0(~t&Dk9T~M+v=aX{<5k;s9`fz0F5!P zkMChE{JEPMYpiv9`1`7RyY&nYNj6Gk1$2;7(mU&{!l%)j*|F&Zi+s<^sWZ2nRlei2 z`E+9W-a~+q8RQmyIhSE$`aHT!>D1P>Z)t=Jj!!Aj3VR-=XO)$`T3VRgJb5U@rNUIy zp%CrfIQ!`>gn9Qr%tI|YUu9`ed(gb>mngZS+oxnBof3PF-~5DRa$+{7j2JfNP%Zo; zj%BX=xIveHrpLY^@W{}kdmR3e;;}Bw^XSj8A56h+uP2&S5T<&v-Eg}RTGl{vmaK9V zO^w7s(C?e~&E79jQD}=Au|-9uQk+r7&4wU6QM`{d)e%(cwHn>ux_$8*z;zexBHQeY z#XCk2D*#HN-CwwyCfPloyuZCKd=09A>uj9lv%k2A_nF_W`7GPF^7ktQ?_Q%9Ars$^c>XOA4(fcp0s&DCv zF4t<9! za;EwhiRjYcn5-`%dTas>t$18b@M~gyEZ)~IG%dCQB+wy~Y2TEO- z+g)@i?aULHr>9M$(gp_H{lz1676b&hBKgK!)$|K<9-Q{qYHCuuYGLDNi-GpZ{ygwu zpgsyu(dOAheg>5;u{*aqjXwiemK#d8ksjP_ue6$e68l3DeiV?*YJ412#TeHEv z%5a?`E_(OP!>h~>kgx61O~3TLg@&1D_WdF_!XC26&yE2sNAON?T<+ki3hs_S)_e076|Wi!Vz`xxHnkv9T`V`^HedJ2 zFI3vTP!RXi>Rlgw#7|Ik2cWK!{XeCf%p1>w-vJ+_@qZHEl0H0jyk{P>A*=A+(GXhR zEKUiy<(DJPzt_mbxMjzCAUq*}3G%@RU43s+t23(4-X<{MN9?m>+s^-H?X{6#2AdnY z{*$i)+EUf-Vnx4pfNAzUySQ8vJlj+NcYPwwCc@ zeV3G28ILeO2EVRUQp6=cdf&sHuW$B{w@XJ?=}>I?`Sg3fKJW*1PG}C{fjh5Gx!l6u z2$a{=FgakiQA2C+DOU7PNLS173%peW%W>TW*GZ;oJDrRooznu78?VvAb^k{FL{ynN zl|6Gu=zeKf?zO@{3VJ^duG*rAw}8Ec7*Rm1`{-H_>pofriJjUqG-abH>NV7g{+^9( zHfl`I)lRk42(0pX6Y2&#l_cX+_wAf5a}?IH1-$NLa3Tc#SMji&(mws+&g2%sSo`E6M}*-oNVX`8W5dpq2zEsd9s5y}h2?m{})L z+pC#(BUE=^x;b;FeI`2TgZ*zn}+^j1dG@3xt`h25eZ?nY$?S18U$ z5hp7-TpI%&tbjCI&JN+Uff<#6_I(*pU=rW))y%l~Q^IwKlX~6|I0m=Hf=SyX3Nty? z=>NgnW%~wgR9bi8H39UpZE=$S{3k(E&+9f7gH<{Ccl1sX{#0k^{pJgqYoloE9yn6PX%Ejr&YNiM6 zA4Zu-N*iEUqe-T2ZQn?pxJ#yvNlibY^`iTr>i;HpNcX8zZm6Vl#}t7&v`Q^ zLQnt^wx!$xFw8OlOz1ZTpRkT-6J<+}j*6->bKD&|YDBO2gfvk=4lSB0?SOy0x^3z! z7XSFy&o6LnYc241nQy`b_IWjRc%SuBQF*6rtgJLhTzHyN zQ;N=E`qCQ8-+a(;_~QtvailP3ht71BCsbm50V`)S$O{4oyo&8BSE!_4yim>G-1_?3f zi#Flh)FRv(%6l=KFTBaX5{tfW`_H*0A1pA5(6m z@Gbjbh~ei-K$gg-7j{0k678Zg|XTb$=OGsP|{Q%lf6FE5kw&FP*qJ1wY?azwqS~RFC zWUC5$ApB&J6EOd3G1#@?0U+h&%Zs_Y1Vag0;N5k7cqb&{L)?6n7R}u;X}iml(_Nc* zNO)x_t#Co%1}jta6#$ii&hT zrcuw%mBUp{78%s1ubepa3R^ef&oCpeLmzUP`+N>swquL85d=awXw_GZ8B=Z7F{hIQ zpRWRsyCd|H8%VhLcx6@9J4+sc-Nmno?3TC*MHb|psVTt{bE-|4jSGleZk z_2YEs;_zY45jRDl$p+mk6Sc5C5hPnGj3M}FuF_dVh7ssX>Jr&k96}Uv$c+%B4FL?MhN<~$UgVAQT@pNVs3AF;`{b7RgFWucYU47 zB_#W(XMKfVWKKQ?7dxt`ddRoH&l952`V`Z<=7QyKesJaf6>&cXuZMU(eeQaZdvmcY z??71+MXvR5v0HW+r{nzqWbAg4nKe4!r>K>sxmqr3$#bCXDG1aSv?E^)IrK4hG%hZD zof3~CSCeDjC1E}~x$9p#0{-5!`s?SnPdFVn1|ULkg^lPj+*kga;V`$C3Zf6rk{;&P z%(?E7mdlPw?a(#Jv)t{KyxfxZIa0wF(fj7&2~^bmoDjM>xh^1H9o8=gzED~yKYE-( zHMaKM+IBV&6PF_@iOJ z0{D9q!9)CMxjhBJym3p{XPomDg%b&vJzu#OcksCn7Rx4^D{8{mnbYFW59k*@>6m`& zJ*1)x!*xq7EiB&YzEsy%IcCaa^zv^_|EA7?d9OoY$YL|!6~hWCaoIoY|1pFJ5rRgXb8YoHW8#4%Db%Fqn2t z&5qp>9Ji literal 27086 zcmdpeXIN8N+pdniGJ=XoQz6np0YSPIOh9^(CQ6YG5}FW-4G^TrCV)s&3B5@Tp^k+T zsx%QoQE5_=VCaN$)($iC`nKWxQy~@3wazFRl!J6tS2lgJ{yJgFk z1ITMvw6|>8ir=zjhvM#Ez!mo$fY-k5747X3%=Bib)nb?7a`@fhMnYz>Tr3(9kBOl=0la97-O zubF8Xa(b$$`V4JBewlq6<|%wZ(QGzc<=w**N4IjXm|XZGCVXl4$@b-^E{@-)@@uO7 zH`ZI?rR_`l2(#Aex-k*C&#fRxn4Pxqq^o4gV07bUcemcMlD&n+Bc?4USq#vQj@K3M zjr~YX8S}BVZKEprI~xD!HlzA4L{}-@vu#^U9$Y>a9k?=)=iIcxqiy_DtZCySw@9VX zhIMpHs#t5@ljl=YQ$EbQ*@~bJbmiTNCfZqxY7>ZQa5h;!{EA_Y83kkX!9ylKH8Y|TrXr%!f7;SeS!CJaSMlc%6PNrAqnkd|k5fv^OU5?h1M{;3 zLs42yI@apfY946pKItp4oScnU5~D`3ZP^}|xYC{8hSd;l+#<=%{18$=e?_~uwf|x| z-Rq#sWvVDVuv?LDJA!A|sZ`QD{n17!tAw%mZ>I*Hc&F5<1iZA|9a*mt*FnA%!X`GM z?1P?Dc*)B@5nR1SfL&0yaw7nV`gx2=-SEcqRbb4QF~dV`v--YL$^XnJIMDI(%PoGrMVDT7;}}ISUm1aM{w->L`SpEVF=|Lsh8fP^-FU?G9Bu*vu^TB z%_GQrIf4odzRnm+JAYc9c^0Rm-HMT+*Z&Y`)XOm{n7eTb4*<4 z=UzezWmd)tHr=2TQXKj2N>1;5>8}(YP+9n*^VwW*vM3_eZ_$v_5xvjHuVKG{fOJkw zMM3!RtVFut$ID3e6J|;->JwMXrDR&p77gstTi#t6+tJ%KBUR=FYmp{FZ6w1qUqiY>4(rZvTIEX(hIdcnOpoaDk)F@CTVf_EWa)NTO4z` z<+Z289)6zgN)`SK z?Gx+tSEaH+dg$MLDHTgn2jfm6$dpps(9z?_q55;BB5dDz=mTylbMI7+ZDTh$?qnw| zgDxVMTE4U<8=DPaYZl3r8)lf#YuWf@sqogleu!>EPF1#8-8;5j_@_E>t2L$3H>=QO zX6}>XET}<%hxbcI6HacCJ9Y5^7gT zDdKeAbt&4-vwE#!e{W2}b7%o^vHrVTRIjEs*M1=lg@g~O0T1@Mjjg(}4(=maSiah3 zc{_RhBQjcD;$ysic-;QDd&c5(HvHu8r~%`X+Q`u-sn?O2J7&MU4`NzA964d29r!gU zaloUl5-Vd;b04LXK?>NvEqhy()Wf6smJJv}nxy^37w@ImU*TjAf3ywClHgi7mMo6$ zb7j(N^662}LX{8Pr4B`O@DD@Vre|Lwn2yHqy_pp_rIUx-k7{&{Q;BP*_)NZj;b0Wh z(-U`A58FHO=y1FlTlX6b`_-v(3l zZ;kmrmZ7XKc+EiLHjUeYK%WH+v?&4ZT?yP&D<~?DcgWso@vce4Yz+MwjqzHO=995* zp`+r&vp($zcj~!Z%=yw?!wqDuCC0N!+F}v6#`LAT?waY1^r6MqP*TUk7Ma!pndHxz zL^l;9h{Zx)lr$$Kq6MnyJm;Qz*dOfl|jewEwxwvsFNZ$FkHk;U_hH*)^qk)R$CsxxOCosQU z`OM|i%5q}q+kunikhrAnbCvqu3Cg_5u2c;BkFp)PDjePsS2rH*6};0G#r}?K;~D7Y z_JzAqNn75&McXiTOA;t6-o0hr2E={c3%8Nz7YEOG3id`G|Nyi}&2y{nNrc&^@?1!6s4tu&pRArVQI{Ts5!lW>wUJ3Vo z&#$jAWk`+t-?L8&Y@{{TTYdkTdbglV?K0Gy1@TDo z>Ckz%ac!I#gZx!S&2$uHES00NtK*Yo1(kjMawT^5@kP~EGzZoPeKH7&hs!i3PtWF3iN^D2SZNrWsFH;Kk9?-4uXs+>1 z@e5U9&kJiN1cz*k?80U8}rPJi6rN z7mQ!%OgLO>OdUp>^0Kb|Dt;d#FLQV;y!Rn|xHeiGn%cJV#Hy#vY;I&Ep!Swmo~ra!8D9yom1P zvs1U6c?@E#JpwYhGM-ay5jCz0qg5tnuI)xKV|gFHNW4l?FcRC*M|^4a`#0f)OV^T7<(`FaYOqxf&0~v6i)~_0p$%7zl}F98Z=o>X zeIJG7_!t&!m(MEgo6KUK4VpDBnXz>?Z{N6>m}YNc2?f0=pdH9Pg2#aua!} zHXfG-VL<_=!)tfH;`uMkcV-;sx7C7rwYBTUtiA;6^LATT6_3;F^<(ZmJQjBZF=`^l zZHC?X3-|hiCPvUQQblvmwnBD?r0T9xXp%-=U8fj6t&t#V?bAGd(jZqRxlR3CmMaU- zZ<*fe*4NAmUGqK{cdbq67Clpa07cd`oEcqBBZp!49%xgsT252+aB=Z^;3plo2hlRD z+U8HY$AmC_G#xQ@O|viDCV9r>>aMH$ckyEWd0jjt`v=#bHgsPNU>vsL};_PP=uj~d#%(aLykYamWxW%J!N z5~l1V9AS#|;z*IV57jsnheo7|oDg|<2&+r4v3n}!Mi?|Kl{UxMT-q^RnLn#c;Wk%V zD9ki!FODxCcq^A^P$Kh*(tt6Y{}O(6!!C8f_&inH9nZG-^oj#&;C5AcjV_&a|H3z( z4Y4Py8;Cj9&~?tWdcM^~D4)Gyv5?_|Xk#t$H5;oXTd{7T-_bAK*Akdq=}|{ZyP9x>)pfsKQ^NZy0YRU(-=6G~mJ)amIo!Zi61%lDJd2s_6$Rh z7R%~iT6SSCZApBi+_@W-wNEadoE^#D9TOVI9_&E5o+FYO7BV*!6Z#@4#3aZC34)|> zsrp<~`fD|svItZBJ}0~lR>K*8WP(Km*EvvRI62h)5(+uI5`NXxF=b9!&ar?Zb=m(A zJ>MmsCX|Vf4dRIH!n*mn7$6<#z9w3Sg#=vtEl*>McUIl(7^=Qoai?12Ru?)og;lY$ zFR}Z8k2j~nw%EIi-zzIBZjTH+Pi9}2n@sS=jk&Z-q^6Uu{RODW zAfv<(ExvD6wsDFc!jnsPt9auK5g5P4z}HI@IQU=YlCE7W+Y_wQF*(TcL_@Jw;lb`b z1|4XM7{OxQQE@|8X)#vbd-~T{Bm@F<^g1Jd@r=WH4`ln?c61D5Vv4(pKx`1ajgv65 zebwCWw;rjK)vi0`1zLAUh>Wv^q-P%?JfW>!u8G|D4M#rHB-y+qaX8iDWSi#d{JQm` zh~Jyy$_BRs!03xlcG*adytr*E*X(eQ%d^)68h1&S^BZuI{-o6{I=$=zv)8t&^{*oszN3end_zN*Xb`86@mXrzG z#)9_MD3qEjde1#6ihVgU$1mW?E9XA;p|tI00Kr8e%6ei+i|hPFO|&<5_1kn~4d=as z19f!Eq*{yFex1aZBa-}HqbsT8prPN+CDE<{JAL_7)w`6j+g$Z^EbsTAURzq4(PQaJ zgKpQ+-9}A?{dT(JX?Mg`lDaRuLN6`#qp@B$-pjuT48-MH7Cp1yDABbE-Dy?rR5D4x zURZ8_SCO5aoj}}EdBZ>=oZ7Wr+B^|;h1Swte2XRU76 zl)3d(@7A++UXy*0_{)<_O`~e3`DHS5`fWlWmaK?_Tu7p{<6JL$>RX%R-t@Buw%d-E z$oryDM1v~E+Y3dOmuW;m1xQ&rBGV(kmkJf-^Ex6QLTp^Il^$!8pT0F^Qe3Rfh>S=h z9NLa3%Ea|gs5)6hQF__ql^jqHLxs@w-(J}`DYBr%q?tqS-hpXg`QLEs>XGY!}6kGAZnuD^a6 z0`5~e&0}^&MP=}6aY0YMqOUTgk0_(2DL#wpqoTjgefsvaOsZ~WnL-swJm1LKvZU+`6gNdHqY(#$qN@O;jlcYI*?C1366k#8{sVRd|A2 z;^jz};Dk}HjikPM@*8fVqiE{*+n!~Oh^F?XT9tI|`SVU*=C3*U32!?d?P5A_u?N-q z7|Lu}UB;j#OIwFVG{N42!vZi$5E6iYfp7r)3k4X9e|0%LhOTahGw9nD!fpfZY7K#C z50p%E8+yV}su*195wp~9*}gAF!WU_^`qeK$YcegU##r%D_Bh&u*j-pxjc+HDSOlbz zktCmnvm@%)z&ms@aFQoMs2Ed$`7-bXQLh<}+?SxHS`enS-T==z2nk3OjSfF;Bd>_&g;kAY zG!|G<*b!RdB-CJ~p%{ms{mwnJN^3sihW8Ow4+2 z@yYQ#6+{twZ9jz3AZWsdJ~ip*GssiZ57B;g+c0c0VX^1pm3@1Ubvg1=9m=YzURV+j zjh#Y)4&;E)<<>L4ZncglCbh@+q};!MaUgKEb+F)&afxpX$8DL`1UwjdoUV4Bf716I zkca9=aay~&d-+!<`*vH~F|vVS^`z{vk1bBwpF$AxoN^@LPbCI2O%?Wi`QkKnIRnxI zqKTqFecbF(FsdjNmz?1`fZuhu^Wv4!<1<~gt;V?)2|f1?56EvFVBNW&d||q>vd9mk zL&j?!#}QEMS2}0zb|rFRh=*c^o4uYw{Bb4+^{I{ROFP#&e;PM%TQOF@|~Pnut?vRFR5B}u)2_w8g?4< z6~|#L^Ug#s98B6*lXCP|;4SXVu!j)4NU5=+H>-cM4FrGrF*ZVb?Gt&h{j|$QaqVcp z{Jgum1Po0T3agOx<&jofi~MgLeEsIk2rV=Uo#IE1N}+BYJr=|>dhZkaIdu^j{=q&t zKqkhITpcUYM(-cJb_wj!k;7weAMK)vL^84Z$r1BK)Ln@#QS7M3vsfPD#AC24N(k=R zqC;{w0S~%w?OupOGNOJmLq@DV3`2o8EXwkZeqKOcs&I0?$=Z5Na@0neWBtgDA8v*K z;)TnR&U%e;CpJbkVHf)l7+Ni0|KRk19|>m=AfLGMUtNZ8fX#`e1lB?F_&F%Cq3X33 zGXjZ5H6{w|ca1b=vq~-H_EAl;1=ELQ*3))!t2=PENE_tgTY=TNh}_F~VF37}CUlAM z+E>69Vbu!NQmojPku{c|8+&qN5PCu}jP3|VXMf`0?0@kbHLO`^AEz_lznd;$;2>zs zf8=;l#7YF?rqUMyCOi8eLWpR}lirNh1D}lMZszG^RJA`tO_EgLm&D~jr597k)(Pe` zWghPBV2qIF;CbCxiQB^SLw=rPLH?`pudu}=ogzlZ0TEqa z)WJDsjE3MHhsE9+0WV~(O}X)`XSZqB!>Xlc`soYwokQxT%tgn+2#Fa`$O+TnzT}yM z;V3!vsjx=0weQBImhe`ZRN2=mqpOooVr_;4U3fwp(|oAkou_R5yGc-E#KRhA`cTBP zun%+J>9%iDcu|nUeA&5ul}XMS`s;aa_P3U-RuAdSv&~E$pcAQ`W7(iLs)Z^qI#n&>WcA7}ujhv( zZ6P^jtSt9U>%IKg$8B$nBNN>`o8AUbgC6;rjXsennxX8QC#$SK1cTr;Mrr#*umdP+ zgI@rjU<1J}8ekj74+E$Sp7PGeiLJn~Wj%j29J&xuJ|*-hBK1;A(Hs37W&Vkr&cU22)sQ4bHF&RP z&5EV6qfdusC-FNVBcW2A5_9CT?OkL7bTHEN?vcK(Q4hQ<+N2}(<6s)SdZ9_WiVxn* zD=igI@gr)V3)fyJ>`&=>T9Ln6{D#&QG=$VK7C$e3OjiHcD_pX!SMIFA5N(MI|BKVO z@B36`Fr-jbr`9sdid<`f>x3`RF+^_6%>}z^RsYw~x^e@Qh>ni~@Ll|I`{FIyjqeUZ ziX`aJz`{D#Vanv}{363j#2rOg)bsl$&V6(t&NyMxtJnsH7d(H<#hN^X`=+U#+`1s! zw8HFP-`_x*321c@`pqlR#c{2nm)-rH0%y-oU}d0QJ@KmOa4&X-i4(}hHj@~bP_s_` zCXQrWJj?*bKiVjXl#!JcZ!fRR;^LsjE1ZJdOW&sVf;*AwNFv~_sZrA-?I|k%F|;9< zwcmJEs)=J~W3%B#We^0{;^NoIb^eD!)$;C zjE9l_%NGG0jB#O`oxdFfLxzG+JNNsoCb}Aznqi}EW4&D#qgfSicul^iGB#RVR;7OB zN$YoIlfmy|+yrb{(meehsV20dYxnDEkX3{Z$LtMjeP>kA7Xck2!CTUB!o@i;ze(UM zN-uASMy+1tTgR5HW7J59pi8Fvd))lxOb&b1kmvX{FqGZ15i z(94>uF2&>8N-eM8IpKK$=@y%u^28J_C|otrlO#uOS#m*I$AdQZioRy-#!L-sOrn)< zaE*o2h~v_w@v7~mc4H}G^G&+BGF$G`%g5tRupbay3aRgk2VoqCLG zMb(fcivve<)1j6cktA)(HIX>6W>0tXcR7*Qih+2GMmsVkwue(VHiG_gyfh9`VfbN_r zbC>D&>&Ep0nI3Inm22YSpR0}TOq^wvO6M|Uhw zYsFyClNE{T zpL%*=rvU;ymAs$)ZMu3g+$Ev_@OFe6*zACxj3zcQ{PPf4GJFQ?x?NqSo+~$r(-=!q zl!qgm7CmGC^(|$uYwev6FE|m2M{+Lg7(4{;VM`+tBxMcUlIip88~U|A4jib19jlBf zh->7+JDR7+N^4qsJ>imu!8%syk|ApS?#5)z8l{59b?y~sUlUR@twIIc*olQJba_cbI6WL8oVZkC>bnY>zum?8`jE?_2r~l-sn0*=VR~97PxcRJ&D>~SF_P2fT zM%O|}OG&l*EeH6_WaQ{pX~CBBKVzT_3=Hgf3{{|nwhjR=UHewSEM?wdI>4Vhx0X=0TBBa@JNpv37M=Hosb{7>|2e(5GcmxYi z+Bo|>fzJ_P923ci?1Q00*++09(^7nlDLS2l>*Mx}cL2eYo*KPoV3cB4VovmZwc2Z1 zZ_4GvGi3aoXG>(Z0O{<34XA95YCUe@=gGjW;^}f#z`uFEDZCyUq~7F_UJ=kL>u4@Z z`J8`%%1X*EG0PUEx@weX1Ac9V{qsE~IqumChQD=-1vP|RFGO1LMxRr7KvkptC)-Q4 zRaY{%_$w@YFmCZP^F@x-(R-Jl55XRaH)G_}a(M!Citgx2RmZnTq~Js{-NT118>;pU z))lwZ@Nv{$c8y>?m8>O4jts>aJWFH}tFh8+xd3X=8-uPEaC zx@K>M{9H%Z6`y3>Es-;Fqe)tH(}4ZW3c$AHrwnh?ve9scNs>>Y#~;$#ZMv>`pf}ci z!R%kUW&(rvzbjvDQoo?41x(?eHLZWa2meFq>*0S{6Z`w;|F1O+8?WsMWFvNUWh$RN ztgdl_1(c_)Tr<_oT^(w%+uWBYQ+F|O-K}HBCZG|u^*|2Aac+D_X)YdA>S;hgwbZUM zbkBR-LRSqgjGRKc0y25Gq?6@xJ0%tsnd(ln;EY)dy= z9;p>xC?nr2wX!`T@epYYlEq=@{Z%Imo<*B$^V8Rt?ptj6c-XT%nKVB@JNpQb>z1dZ zD_zH1DLmBlMRO!c@jzqil`yu-6~3xOO3%XDl3U5UI54?Us78F~fmxgKntK+r;}u!* z#bFb3Z#(aO9Z}gw&CAP!``L_xm{f^Wqt$(!wi%?6w?>#x@+N9+5IDlN!t<*IMjDHz8VY1M>PM zPHnhhHn-GwL2#4P&dbep`2|c1GlC@JPcSm-R&}fM#`@dmbz{zz5}HoqOE=*rKj?g8C9{~0P6P9icIAv`DIv8X;RK@L&eekE|HfnZl>^z zBX|TPm<@4wb;-M%yuAxVA^cXq@xF0Z1bV`3`w+=dji4r9FO+;zrSYzZ!-Fx6; zby9Kt$(Jbn>&ic@&q&8WJOcGm6@DO>0(F9pNtqu3%TKE`UXzZghNpAr8DYT_V6yw~ zJ(nxicwKtbOy2XWq_r?0sY|1=e4@>O~aO-{)Oas41H97|J z`715_Gl6}*&pd8#l>N^0w!jM(W#MK|(3XiPEkQ})Y^}uEb=fC27q>ntKQNkj0FO6_ z5|()fm{DhND*$<}$1u|_e+48D`iMPm=r6zQbZ2js!_+G~bT1eJ^7g#zAQ=1|ZKRi4 zn0%Xkp@n};WQ0dn=K)XSr|PN_&NYoRy`H!Coji<7^o292pL_2Vnt+ZIEqZ+?UIYfEP^LethQHykZZ!sWVnkb(o?bsBv$)7@ z((h&N{y|pzrjJvPCtu&d!Kv;^Z$b0Egv=IMl6bDbaXI&tMM_nVtgFh~x7VGU05ffb ze%w^Qf3qRl+aDX)l(R7_-@ioeDMgg*v@pSFI_hRkF-f^w6lHi;RrPpa`V)I5)piM| ziGc7hj-0dBQ@7FQFXG(KRVA`)xcr&79>J65bV`qgpPI#|`k z;lwHKEAQPZOZJ?YPha)!ypHx7pE;}IZf-=?3Bq&Bnchn^oOGXwCf{?G{IQRZa1(w3 z2{}?BU1aRDxD))Krz8}uC{Qdzs4gH@QNLWq_v_+z*eknyU5EP3;4Eft_oCqV%~1eK zoaa+$d~l{8CP+GXs?6dg0-pF}b<^D>2y zu!m-La0i2A`%7H%?|BEzJcAbFun-fsVx>kQ3*i7Kh_I3B#QFJo8V%}y_Yb5CaXS|m zGOS>v&JEpzV8m|!6bx?$9&tC~;DjT}kN5@zm?ElK`ofGPOIHx6LuAX&osF)0W!WR1 zK1n#VV4e3_w-mSj zLxkfaWm4PuTA<@l+zrRtuMWpJ16bfn4Sq9%~+1A@uX&F*-sAd_x?S_Lpr7I1xuW|lhcI-dn z^jNDGOXXa1R3PVj8*49X%`7@@&<_Ny<%w*mA{HY!*ZW%*24XB1b|Q$O{A`M%nWiZz`_22BFo&HxIy9Ergx#8-)FeM`Q90rcHda@xdaLk2SDt-_V`OTP5TniBwH z#2D!C5XkQzLYoKzQ^Fu&z*2(sg&7`ZEF8BYk7G@Q#Tu+58n1v7`VMd#lmW4`v!}P| zjXYAZN_FbWhx;=En6UkDa`_*R{kAa!Z7pvUxqXF*0o_ ztiw@sBKN3ZOm{{r1Nc{nnh2I5n7R-T{`WLcIktGu)Pg_BZ%6EOf{;{h2%BuH%|=E= zwfNEvK}p$t_O*78p;lRPOJ4=<`^5Xh;AJ@3jkyU1gf$MA;;tb{nSe%Gl`P{`M+P;B zmhE+%L{}Jd%7{*A+cMd|t@qdDrrcTh5tF zNTp1g(RhCK=nn;_9sRBJKvkG)Iu_fX;6n5;Zqt5&ev3GZG7_np?)HgYzao_BQ9i(( z`ltrgjcSHsZPfdzGpM0q`# zdf!-pu${p&;uI6f?lJR-^>C1C-oXF`Bpp^lS z0YVsg^btG)U^f2>!WejjQLt%oVVXz#rDaO{m!@{M#x?pP2m}DXgVs1f+4C6Oh2j4z zIeS{{?_467NFmhNlzw)SstJ)1nmn*OiU$3(+>7o1JIZgr5W!0hX01-Y@L!n=OxQD= z#kbcO>@P5Iy+PB;`B+k`Q?H+vdZ5;1?SR3$OMRmbw;!J=s_*ec;?Ni7^dgh9m%DZ7 z?Rx`$uWbNQ=Yt2lQHP=UOq`=(?hS3f<0j1MxXZ>p6(%KVS$(ES+1tPDcIEq{#ma`QgGVXyP$Z_IS8Itv`#&OvL_syVv5#l_3||Y}m9m_? zyieCW3QJ2tK^icDkfkW2JO5pE>u216CO6F-qo`XH-T(RXdHN_TdfN^`AwB0V*!BVD zPvODQrhRB7Q9+jZu?MUmhCo5M=#k9;;tv*lll=o2gO~HArR6A$h^NN&uv!!BVt{0K zgd_DuK>z*S9tO{aq<3{ZcHMoK22mJG$NT1f77gZ=Ps`bx+mAh?%X11CdL#F_)Fcffw zA*L`_SRrDhfzUfp(pn*bomjtST4Z5`$-lHq4-9<|D!j_!m24vAJH;c<$Q8L)OFKo% zX(6pCPjO|!-)ug;@5Kv3ymS<7+wY)|8W+x9V^E0dwfqy?nx@kkT)Cz=56Z*%Ve5_C zNS=;STU;rl^a)fiy%aZT`@S>DX*h`!$5L>z27|T_4!*X;&?n1qcs|DB>&y(WS7d&# z;LWJ`7+)H$qfJg?_oBCL6PRde&M<{52@fG#t-k^_u#SxJT!iDWLV~VQ-({=U2cwx1 zWPRZ!1_e;dO@?@cTWZr#@w)yWlFsqDBXxCk6Rt-HE&HRR%e87?U;`IONhk%RCf#L| z_x>%h6L4I)yo<2_f(!sNItoJ7&H6559)dFe?{d!nBG6NFO*bA_Ba34u2|pDxxDoHA z;ngmT?Fo?{Q9EYP;^=?cl;d+bAE5(tpK71BiAu9?=x;tmCgzFP4(#e2vpkU@UVd&JvH{*A*aN47z3@+6OE<-~=`y z6dn2kYSpv|g(gkB(svwJ5}k0+=<*RvlS_aT*~jEhY>* zY0z+sjPlqY@zPHP$e$5)g`4qy&=hP-XL9oM^%6gM|Y21QG_R3GiM21GKD_9@M2hATYb3pF(&T$tU{lkPal5?lLakW)l+jYWKd5DMl$9#mvk}_v)|rs&kJ4`exYG{L0J<;Q1HT#V~0L@bi~WSHQOcRR8m_i+}e# zqhav@)L@N&jed3_5JO+FiVMjH)NexpI1SPY&Sk-RPIUrAld17uLo*Zz)_*%w`|{fq z&<)2}l+YXKs%b9eMqW!ZC&xuD5+`(FU1c3D(o<<;97rp3(>)cH4`}6+=|3KN&4AO8 z3FSbLdY#BVZx2q9E}f5A8L%b*rr5#3;qE5k7tj!Kbnq(v>?fdx9s4k01`k<-jUgN?#^>U$$KzE?%x&F3iYEm%6$mVYqqlM%h0V5r6U|2T9YDIC zJ#W!z_9%Pk_#OL;hzjEdJ^QMcYLSrkuFweTKt=uU`=NrHr%s;~kar#mEEBmhT|@oVYf5Q@I6U?P(Q5e+iqfNT zE0zoUAH$H%6lb%2H$EmqS-aa&eI3gc?^iw*=j9FfQbI9VO}@_Qj&IpgbkFTK=tymx zcopQ(NV?OYXm9+cXKtr;%EC}hn-lSVpieAAl8q}wrwE|b^OAh1?-iqUy4tp{sytV)N+eBSB3T(PeWb%NV$x-?KkQ=keu`@)bekRloIpC-ghuOD z1=6P5{iv)aM>lg46cHfCodSj1S7GPKv$rnq{o#rN8eFI4=WjQs9}v`merF3}p>>K~ z8Dy$yUN`UK+&;13(Pys^9oiSRwH|SKL1rxZLD?FU9+2bn;`N6&7p14ChqXy1P*Z#2 z^>Hub7|~OcmIZWXeC%=YddC3wJM)fprqwLv?1jFb<%9?s$}`_^XW<}_OmI}hvM^@t@UCClhNt*3RVoZf4FVc7|FKr^3% zTRY0C-ZWtUtK+nlnTFrHFJrdgaz4%{G$L0RuCxHdR4=|HEsH1ZuC ztt- z+TbABovTibLi&w*ezXS~Coj8FHzX4k8*_R6H&qQ5yV!a7P63dF7ekqiq*>`vo7H>uR}b#kWGMbC9r#c3@R2u>VyuG%SCypQZm$c~ z=5^3HBTYs=0x*NV5{(sO1xKG_)GQVw7e`;&!a~n(4PpT#w%+6t#nR+zk zwHN&v-%5Oy#!8hh$M&DR8vcp{sjdtEQCqt@z_;Anu6~s?QMpTd%!z|fMLV2tTo9;X z!D)-N57Hq@+se+yaA?2@94JSmV)z}oP2xXTw2PW7LlQ7KPC_+awmsV1X8k55G5eEI z%O$6G)KhI^BY|Y#a(eZ(SNg=ip1BQ;fjW|vdzN{)A^vM+6D*2}{mn9*jH=m@Op zzG5uQ9hY+$9B3~*-YrATfAr+&;WHT|&B5Ng7|b~$#3THtD7!J>BRYDBH>^P~C-ThR z-9RROo;uCRUZ6*^{+sL?i5UHb7JQS_7QbDDhnuXM&Q2*kniz9u&@Xy4JMYoff$35^ zkhKmK6t$R}Vxo&GE7H~kd8oy%C7jPM{9QBI?zF1N;DaiGcp67i`Dd?e_t4qn5wGL< zUee#)f5rJEG1l{wvvbzkQPd+z1KUS7$GO7Gi!8+cy-UiILY_-m+ZDBzs@aFssSkXw!ca?E`?c=g?IfXp`&JOc@fDP@ewTo& zESGYG6?E|h9lhB%yB6F^dd$ye!;}?H#;=4GULoal`psSU!6?}0 zM#@b9V*A)`m^ml-4fjzMMeNZdC)J%wd!l~0r zcjy7q?7V==jc^G*c2HM2&11GNQY=VqPWHLf4UydU+09pkW?R2ngin4b9!x*ztmIKX zgDUEp`XWU7F=+FRRh>2uIB=rF_-7)m&C@@EYNC-b^11QQm?Tg-G~Wd@jOTAl$ABrJ zA5|*DEQ+SH!NnUM*L@o+6Gcy?9(cuz@YS5J+XD;5mm5UxwXoE|pRlmE5SB?&3kYzaXVdZpg4PdLV=q4drXP-&H#y0_ z8m9kF;-jDs(O8W3^Cm0kRf3#99OlD9S?v9ApdVt2eq94=Q{Ac zO?Z;^!wWJf@(m}40c)q;<(B`96r4@vrqJLsiQ6XU@N01o>JSyoB}!j8IifuhKCwrS zwyvxPyx>e6b-eo?Qxej3NUXi?z_9YM=B2@J@=*)f!%9V#f6yFOuK$v!xepe79u} z?H2-TDUKM14xs|WMU(|5j41}-q-3}+(k(*HPRBw^d~R{R$^r+y!obvLnlTYsg5WtG zSlt`{kr3H1HfY%g9rUN%p*yLHV;(`4%Gmwfv0ZuXT075@M-!jA%Q|K!8IZ2j;MNRA z5erEq|1c8Pj5zbQ{$d>>I}2(R%M+Y%wEWT(43kMA(fbKm@+hRI{s-y$Tw&dodD$f8 z!FAUz4*Zc%Y}9#ZhRs8$FpAa_;5U*WV&70IY&{c(~2 zfQbQCFh)kw2ZQ%-Iw{BwK^}ME9%t(@Y+P;vM~+|}<$pjMNBjCd2$1xr%&OouA;QQ1 zZ{EBqC_;WEt`*d{3!MLkN!GuVjdp7OpGv|{1&or&5*J@`qKQ0OvPQl zf!`o42$flmn-tjUHGgzbrmGChN58Fy1#vfo^m(u#<8=Nsh`6f3od)M+-Cnu(F1J2* z>F!^!*2dw;x_@I+Em=(hq}&Mux#1kKZUV*liR%0{+I4C$Ok7^KQFR)yPRkKt<6zs* zDHN*Np^;VjX*t{3%O}EkD}J{6t2Qi?szXRyn-mUwD#E6j+yw_1^i{<$=Y~?1+EH1F zPKzqG-<{yQu+0H21>Z%^J0p`FiBFs`{-{#-yyq(zMrA_nDO6yAtycH`US@d@U)4Dn zN^zmfebGmWUWAu{|DT1uUn*P6O8rKr!(_iEh1)*@2qaDm#towCD-Xa{h=|okjX5$H z(6l0Lm$=O%2LEW9I@3nXy)G(ZbWcyVY!d@%C3J-%Q#Clh``DgjOOl#i);uvQj&?WXOIhM(wp>4Tdo{c=4Y=-2P`Ji_|jPZR-lNNN5( zr+>64!tvc)tMlF9PQ$$CuO>6sYy#f>jxdlrnacrWJ$50s=yv=yK{$5$*H0O(4B@!` zpFnEk!u#*Qa983Ps&7K(Fhnj*>O3cURU}xeL&@4Pe@ur7^zx-;Otfxh2fgq2BLr}X z6V|m@P9ICnkK&RQWgB#)7E2G;BN836h9QBnCk(FopKCdibF#zL^C{0g@X0X@?Il3X zU()C5Ad@7UqVB+5v6PaMassCjd3uQ;T=)+WU$_fI<&?LvDH2#9xq&y|2zDgtLO;uH zVD%O>A-XEsf71+tS^ty!0+tb;2S$mL_(~AY$W8iX|9}SyD*cIiUufnY;Q03}z2SPQ z8^c7f1c)I0zc{wq)k5WG3<`2WmOr15PT0!^#z{Qm<@qBfVb4#83zCm+(n;V67WQt! z1KFl+^JU=HJqi?u2-OwY{|#pTA`ywrjc*F;8z?=Ct{4>bxQ)uHqL$hyMC+dGlBKq4 zrqOxaTf(EsReL#gf%F9M7Yl^}lWyfH6(oXP3qs%uGOVwxH(s=2<$L;uZ+Ehtz1^78 zpqebO3vmJng{`$G978*%uE-rp!7&LJB{QVP7eT$c*Kv=mMF1k~T5Nh`-)0rBD0frf z``!nzs`qdG&Z^2jfym_SVQ4UkvBlNidOA<1z5YjDl?jKFmPqj+!?S@(yZZ0W$8FYw zfUkqC)_U{^vPj5=mYW}ol&6X
~2qxIm-XQGdk~nP)V0P`@wcw^wzB6~ffESCSsm;Cyqd)d9zY_Z_} zpCsd54zxC3x$00oD}0ruJF;iDNGE0 zdiBmJN1|fGQ*G@b>>~3n9?z0$5~Ss9YA?CAzEeukWb^PQajfOC`|mO#D%>M>1Y+P1b#-5Me>5!l!;KrkOZ z%i!U1p^kf%-fOhigf}HiFo8gwNQ}^0>(TJ^rO&Um1wS`SFnwhUN@IJYu}ljE(Wx*^ z&+R*Rpn*Nrk3gNM9o=y}8W6B3Vh|Je@%o5LKtmprj#(kr4?)USRa(Q_!N)hi#}T~e zY$iUmgHL8~0MT{_??z=M6&xK;c+Vg(LsQnK(%ZiE@hS_lMu?nI1~Lu6kO_Nu^)H~%v8jp1QbQU7KJq*}d8Rw$&a3u`nLc0FHi4mIuh$IlcqiSin?Ba@c0D(} zZf92cj*DdZ3bGYs&WsjndJOt`y&2D|yxJv&>2j^8HdefI7nX46K>mw#u^o*CJsYdT zasK_wVkrU>!>2DHjb;5kZw$S#c-HrKG`zz`M)LI?pQx0iPFJRC&>B4pO=t#mGFscV zf5QlyVB+ZIPk(|EOzeMNimSSlBFjoRr<9^DRC4$Rmo$b2f%eo{Uv}{vpC9<-pV_Le z?8pK;@{`h(b#7ZN_1CES)>ZF~qG0}s((P6H#utzqlI2yI&zvy25%hw$Qs>@4w@K4f z%=yt#1T3PDYX)Cjg~?!~K&B}ERj8w?;?e3#GsJtT?sRCSiKh?RhV7TW;`HVNQ5lHE z+2$bHO;nc9QvI)wLVATTDVVMY6_m4)9iSNpCOf|?isbD;p z9ohQQZBKnFt|M29CS_;p)V0TH5#b~)Wy#zt-FmFFrL4*Al+-9WiTitq%twyJEuH-| z>aUBtPVvW0sC!o3UCQlUe^=scf=)mT*+b6KE-wxNT5P1X0w$)+c48Ag)QvZ#f|x{I z;vv)<-anv9`El;O^iU!e@;|>M7Mp)_WIGRlaOObeILP$h z-;r9(KRV^MMS3Ny5q!y2#FLC|-`^?(V);+=G0q%KmIw6@`X>Lc(ylwKsdJ6@y6G)d z5o-|~XrdqpE=Uo%(6CHWricRsy)r}@mnDXPvZHB4O}M%!+07uaV)u9>1K zct%w<73U@lSL@x>-+OEqFL1kY9oPh_t+0dmfU60jISGKu>>-Wz4|N?j=9O#Ak4x^M z$<3!K;&eQ(U2Kwx$S+98B@*!$7Zx3Je+UTs&9a43VsJGn9k$~(s?-h(M}Cx+n|^do z+xDtHMtT**t2ix{T2UaEMJ!RpY*Lmzn?1mWe&cf!I{H-%+FJ;3oK~Vej4A3Q#Ay0( zk1}wLwmvQ?g-JQ}jLNeX*-}K5WlX|$;^~3cFTeQqW_(@N!jxJm5H20(_zecCrsrTT zV*sru7*=zR)8o=?4(+y0-`erQf5E*_q&Bb8RrK`AU-MdQ&SzmzAjrK&-?C~~fyp(M zmHRCLt!D?g%iUcu|5dsQX;T(!+g;P;LE4Q4`qj5gb?drLmgN~=x|qmybRNxqy5E3M zmbVuaL;>CI?A;9x?drXk-72bX>Gs%r%w1#oO4?4+=#BG=#Ppk~)Il?|V@Gwbd{n*) zt~4lc%wl-6e5zbwThZXr)Z7Z@gp_qQ0M@znm(e=rPV)^6oFEork%LQ~+1V=|Sw+HKvMX3fL%YfZ#qDgjaJS8V>` z_6Z2W(^`%L`lbMLwW#tgJ1SZiKnL)2(b>7hO;@Sx_`)Eb&(QZ0Z}XQ);8i(@zq_%c z2$IUQb#yI$X+4l2@lla(HDC|%u7)tFDVW;Bz~&_Oj%A_L4!4TChe#q~JNhAgTl==L zr!ylC$v~+YI%GL`w==y%^*ogr7wFtOA3g?@$-h7RQH~1y)%z9i$|{XO#48-4JYIL@ z%qkdjgxyE((MruzhfNIEWqGZDZ^Um)Immvrmh^f~xTOX3LYfq;2p%JGtyUa0$QYXN}Hn)EfvqN_DV|(xUaUb_) zmu1eT^(p6>_l(H$m{)KvS`3_%5>;dwY)^hURJ=J@HEZ7exXc$ay}xD_iHce>)dT8B zG;6y%)xAzAw&d(&MIVdM_WY7?Ez`YfB>H9Xe}{KL9N~n@^YLQIi+PRPzlq_c%+ZCr zm$#hj@?FD#Y+Y4roVa*ANG&I4lq-U`!F!q!K=JSR?s3Nk^3ASp{lEuvRzpmROrj^= zu=0y^#^Cx9wXWWIl|0;)%4M9a0u_a^@v)YT5Gz;?Yjue7xgh?`p)bc=yoenptCDDR zH_FzD(xjfU_55yG<-ZZ762{uikIkt{XZX1q2l+Nt5$o*pMQ)(PGQHz%cYxXFped7b zfV)b!OB{bA~ zvpC;QVuxLDvbTL><|R&QNu|T4atTJ_Sk zKLdg)t~7Q|1KZ+^ky)#7Zpbx0k^rYi$OoKZN|J--X#`_ZS`3$E%eak5TCOVjaW*I3 znHtyT33c~&MhaYMno}kg(F?@YCLKJe#qTzc4XEraJ)U254CfE}VgK<8kBU&r(VE3c zwl_Xo=2{d|yU$S}NF79=;hcYK5lODhVV9nL)`NowPGe!LtzJsmkr>F6CC`mcGm4nm zizz6g;t|8|RCj33&lwurvbwV(Oe1_)yLp7;$m`PcX5d(@AeX23f%f!KH7!5NT2svH zAL&gQdl+3oes@F)@k12ra5psEqm8|Oq*BJ*DJFix@g0SEzBg)H|B0T>qPJ5oI+t@R zW_n(1lk-CwrlBtPe0Hv8U%>6CtFn%rO57RA4GInQG0EjtYnue#9t+^cm60>J_cwZ- zfQ^h3Sq%@mb-1rnxHzneJX)G*hfSN26ZCCdfwbL+Os=o57t_0qULG(c{jF*;jai;p zS&cIU{~@dk?h-D*TvX#W&Hjg&ASfVo;BWa|7ghh1pPh^7<^1I-&s z3MQ^>pCx{=VY9hBU544C=iaE4hj@_chZ`LRg&Q?}YSRzJ%5lStFt}xlU zep`A!*-E`ECH{yjrox$=_K}2TV3%AO+PwJj={u*i7UO&3)?a)?H6{@=)L%=&-#nJr z=Bil)KWDP^pG}LING6+ypMllifS9lc==uNDPEPWJaE*4h?@a&rxlh1Er#x74*OQr_ zQa03qh?ABY!re_zK8(d zgW>hZ2sW&of>ohV&hO@@l%;1iELL-XHCe#8U5xdZ2e30_2i(Y8XNFD%RCKN+7jyHY zDSPmchq5|hg4EmG3f4C))Zd1_UnQHa? zje0TTUrDha$IF2Ee00?SfAuD!1dDBBFk}S#N53lJA51*5eY9lm_5mpd;f3!sRnviGzj~kn$9L5n}fiigvB9n-gKIa+T z#k0cKUDWGb&{bt@hb;hGF{qF4oIi?B2U|hyD_a4wuqc9sMGycM7O0!ROTqw>Wk4#y zW7#Fv13dyny3uO9xofHSX{crV_VJuHBSNuG=|EvkPp%2WWlu@{M}M{2lLbOl6*M=H zGW^50&T!YIQ4rgw@urg-j@Sblo@zX@a~h-(M$%?1#EQV~3Iy4!=7q3g1UE`IAJW-z zPs)rbK~LJ0+6I(4C)WThptWjlUX>sPE6sflu@%1;g`@K+6zu)_!8K1`bT0nK!OvkA zSTPY|3_=W+<+?8tr3wn0yF63b=1J$Gb%&4qG=5|Fa8E;a^>`Cqe7MEp1OUEM3UBDp zS19E0ll52Sc0362AXHv+XxDnWCH0X*n$5Qr%W04DTq^Q;I3Ljz&J7>rLJtuO`yYvuX`IgcRp9eT+TZi8j_eZFL>cod zUW^Fn*48VM6p8#65w_H+MkO_erTzJrytNP61`o+s6nicBw;&2dhHry0MZ;zv1T)J) zoknwlkn(%l5~AEBKzLst_;eTQeRXA=c9cmv@M2P$R5|SWY=Daqvis@>*EJ#8HCV^~ VtRiCt{12v2NXF(ymx=pB{|_@>rH%jq diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index b9bf7dd558..5965974382 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1345,6 +1345,12 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • OS/Mode
    • + +[RootCATrustedCertificates CSP](rootcacertificates-csp.md) +

    Added the following node in Windows 10, version 1803:

    +
      +
    • UntrustedCertificates
      • +
    @@ -1651,6 +1657,13 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware +[RootCATrustedCertificates CSP](rootcacertificates-csp.md) +

    Added the following node in Windows 10, version 1803:

    +
      +
    • UntrustedCertificates
      • +
    + + [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1803:

      diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index 8f5c11db9d..b7fa5a8362 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/26/2017 +ms.date: 03/06/2018 --- # RootCATrustedCertificates CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates. > [!Note] @@ -44,6 +47,9 @@ Node for trusted publisher certificates. **RootCATrustedCertificates/TrustedPeople** Node for trusted people certificates. +**RootCATrustedCertificates/UntrustedCertificates** +Addeded in Windows 10, version 1803. Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. + **_CertHash_** Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index 6e6492a240..03c352d150 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -7,17 +7,19 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 03/07/2018 --- # RootCATrustedCertificates DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **RootCACertificates** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1803. ``` syntax @@ -28,7 +30,7 @@ The XML below is the current version for this CSP. 1.2 RootCATrustedCertificates - ./Vendor/MSFT + ./User/Vendor/MSFT @@ -43,7 +45,7 @@ The XML below is the current version for this CSP. - + com.microsoft/1.1/MDM/RootCATrustedCertificates @@ -74,8 +76,6 @@ The XML below is the current version for this CSP. - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value @@ -100,12 +100,12 @@ The XML below is the current version for this CSP. - + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - + @@ -117,7 +117,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -271,8 +271,6 @@ The XML below is the current version for this CSP. - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value @@ -297,12 +295,12 @@ The XML below is the current version for this CSP. - + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - + @@ -311,7 +309,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -363,7 +361,7 @@ The XML below is the current version for this CSP. - Returns the starting date of the certificate's validity. This is equivalent to the NotBefore member in the CERT_INFO structure. + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. @@ -384,7 +382,7 @@ The XML below is the current version for this CSP. - Returns the expiration date of the certificate. This is equivalent to the NotAfter member in the CERT_INFO structure + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure @@ -405,7 +403,7 @@ The XML below is the current version for this CSP. - Returns the certificate template name. + Returns the certificate template name. Supported operation is Get. @@ -450,8 +448,6 @@ The XML below is the current version for this CSP. - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value @@ -476,12 +472,12 @@ The XML below is the current version for this CSP. - + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - + @@ -493,7 +489,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -551,7 +547,7 @@ The XML below is the current version for this CSP. - Returns the starting date of the certificate's validity. This is equivalent to the NotBefore member in the CERT_INFO structure. + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. @@ -575,7 +571,7 @@ The XML below is the current version for this CSP. - Returns the expiration date of the certificate. This is equivalent to the NotAfter member in the CERT_INFO structure + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure @@ -599,7 +595,7 @@ The XML below is the current version for this CSP. - Returns the certificate template name. + Returns the certificate template name. Supported operation is Get. @@ -647,8 +643,6 @@ The XML below is the current version for this CSP. - - Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value @@ -673,12 +667,12 @@ The XML below is the current version for this CSP. - + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - + @@ -690,7 +684,7 @@ The XML below is the current version for this CSP. - text/plain + @@ -748,7 +742,7 @@ The XML below is the current version for this CSP. - Returns the starting date of the certificate's validity. This is equivalent to the NotBefore member in the CERT_INFO structure. + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. @@ -772,7 +766,7 @@ The XML below is the current version for this CSP. - Returns the expiration date of the certificate. This is equivalent to the NotAfter member in the CERT_INFO structure + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure @@ -796,7 +790,1180 @@ The XML below is the current version for this CSP. - Returns the certificate template name. + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + text/plain + + + + + + + UntrustedCertificates + + + + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + + + + CertHash + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + text/plain + + + + + + + + RootCATrustedCertificates + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/RootCATrustedCertificates + + + + Root + + + + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + + + + CertHash + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + text/plain + + + + + + + CA + + + + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + + + + CertHash + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + text/plain + + + + + + + TrustedPublisher + + + + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + + + + CertHash + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + text/plain + + + + + + + TrustedPeople + + + + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + + + + CertHash + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + text/plain + + + + + + + UntrustedCertificates + + + + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + + + + CertHash + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. @@ -818,14 +1985,4 @@ The XML below is the current version for this CSP. -``` - -  - -  - - - - - - +``` \ No newline at end of file From 8d372a5586f6b6ff8440e849750bf0b57cf9749e Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 21 Mar 2018 14:42:03 +0000 Subject: [PATCH 08/16] Merged PR 6523: New topic for MPSA This topic is intentionally not added to the TOC at this time --- ...a-software-microsoft-store-for-business.md | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 store-for-business/manage-mpsa-software-microsoft-store-for-business.md diff --git a/store-for-business/manage-mpsa-software-microsoft-store-for-business.md b/store-for-business/manage-mpsa-software-microsoft-store-for-business.md new file mode 100644 index 0000000000..970b3c783f --- /dev/null +++ b/store-for-business/manage-mpsa-software-microsoft-store-for-business.md @@ -0,0 +1,59 @@ +--- +title: Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business +description: Software purchased under Microsoft Products and Services Agreement (MPSA) can be managed in Microsoft Store for Business +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +ms.localizationpriority: high +ms.date: 3/20/2018 +--- + +# Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Software purchased with the Microsoft Products and Services Agreement (MPSA) can now be managed in Microsoft Store for Business. This allows customers to manage online software purchases in one location. + +There are a couple of things you might need to set up to manage MPSA software purchases in Store for Business. + +**To manage MPSA software in Microsoft Store for Business** +1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then click **My Organization**. +3. Click **Connected tenants** to see purchasing accounts and the tenants that they are connected to. + +## Add tenant +The tenant or tenants that are added to your purchasing account control how you can distribute software to people in your organization. If there isn't a tenant listed for your purchasing account, you'll need to add one before you can use or manage the software you've purchased. When we give you a list to choose from, tenants are grouped by domain. + +**To add a tenant to a purchasing account** +1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then click **My Organization**. +3. Click **Connected tenants**, and then click the ellipses for a purchasing account without a tenant listed. +4. Click **Choose a tenant**, and then click **Submit**. + +If you don't see your tenant in the list, you can add the name of your tenant + +**To add the name of your tenant** +1. On **Add a tenant**, click **Don't see your tenant?**. +2. Enter a domain name, and then click **Next**, and then click **Done**. + +You'll need to get permissions for the admin that manages the domain you want to add. We'll take you to Business Center Portal where you can manage permissions and roles. The admin will need to be the **Account Manager**. + +## Add global admin +In some cases, we might not have info on who the global admin is for the tenant that you select. It might be that the tenant is unmanaged, and you'll need to identify a global admin. Or, you might only need to share account info for the global admin. + +If you need to nominate someone to be the global admin, they need sufficient permissions: +- someone who can distribute sofware +- in Business Center Portal (BCP), it should be someone with **Agreement Admin** role + +**To add a global admin to a tenant** + +We'll ask for a global admin if we need that info when you add a tenant to a purchasing account. You'd see the request for a global admin before returning to **Store for Business**. + +- On **Add a Global Admin**, click **Make me the Global Admin**, and then click **Submit**. +-or- +- On **Add a Global Admin**, type a name in **Invite someone else**, and then click **Submit**. \ No newline at end of file From 9f2de57b533f017e390b0304582483f348f8b8a8 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 21 Mar 2018 12:40:50 -0700 Subject: [PATCH 09/16] changing build notification --- .openpublishing.publish.config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 9e9233eb13..efe7a5e648 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -476,7 +476,7 @@ } ], "notification_subscribers": [ - "brianlic@microsoft.com" + "elizapo@microsoft.com" ], "branches_to_filter": [ "" From 0d60902a79725bf3c4db3f6a7cf9a0c015738fde Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 21 Mar 2018 20:55:45 +0000 Subject: [PATCH 10/16] Merged PR 6535: AssignedAccess CSP - updated descriptions and links fixed typo --- windows/client-management/mdm/assignedaccess-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 48635d81a9..f083dad4a1 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -39,7 +39,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u > > You cannot set both KioskModeApp and ShellLauncher at the same time on the device. -In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md). +Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md). Here's an example: From 7378e96c6918217fe7ebbf1a01cdca81e266e835 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 21 Mar 2018 20:56:05 +0000 Subject: [PATCH 11/16] Merged PR 6539: Removed some LocalPoliciesSecurityOptions policies --- ...ew-in-windows-mdm-enrollment-management.md | 18 - .../policy-configuration-service-provider.md | 5 +- ...policy-csp-localpoliciessecurityoptions.md | 586 +----------------- 3 files changed, 2 insertions(+), 607 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 5965974382..66cacb8036 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1175,14 +1175,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
    • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
    • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
    • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
      • -
    • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
      • -
    • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
      • -
    • LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
      • -
    • LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
      • -
    • LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
      • -
    • LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
    • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
      • -
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
    • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
      • @@ -1193,10 +1186,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
    • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
    • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
    • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
      • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
    • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
    • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
      • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
    • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
      • @@ -1788,14 +1779,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
    • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
    • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
      • -
    • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
      • -
    • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
      • -
    • LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
      • -
    • LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
      • -
    • LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
      • -
    • LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
    • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
      • -
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
    • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
      • @@ -1806,10 +1790,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
    • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
    • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
      • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
    • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
    • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
      • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
    • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
      • diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 42c5737c3e..debb631fa9 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 03/05/2018 +ms.date: 03/16/2018 --- # Policy CSP @@ -4133,9 +4133,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia) - [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters) - [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly) -- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways) -- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible) -- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges) - [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked) - [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) - [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 27c960d639..327397bc54 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 03/12/2018 +ms.date: 03/16/2018 --- # Policy CSP - LocalPoliciesSecurityOptions @@ -51,24 +51,6 @@ ms.date: 03/12/2018
      LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
      -
      - LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways -
      -
      - LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible -
      -
      - LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible -
      -
      - LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges -
      -
      - LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge -
      -
      - LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey -
      LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
      @@ -93,9 +75,6 @@ ms.date: 03/12/2018
      LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
      -
      - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways -
      LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
      @@ -126,9 +105,6 @@ ms.date: 03/12/2018
      LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
      -
      - LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM -
      LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
      @@ -138,9 +114,6 @@ ms.date: 03/12/2018
      LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
      -
      - LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients -
      LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
      @@ -784,375 +757,6 @@ GP Info:
      - -**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Domain member: Digitally encrypt or sign secure channel data (always) - -This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: - -Domain member: Digitally encrypt secure channel data (when possible) -Domain member: Digitally sign secure channel data (when possible) - -Default: Enabled. - -Notes: - -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. - - - -GP Info: -- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
      - - -**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Domain member: Digitally encrypt secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. - -Default: Enabled. - -Important - -There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. - -Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. - - - -GP Info: -- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
      - - -**LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Domain member: Digitally sign secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. - -Default: Enabled. - - - -GP Info: -- GP English name: *Domain member: Digitally sign secure channel data (when possible)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
      - - -**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Domain member: Disable machine account password changes - -Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. - -Default: Disabled. - -Notes - -This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. -This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. - - - -GP Info: -- GP English name: *Domain member: Disable machine account password changes* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
      - - -**LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Domain member: Maximum machine account password age - -This security setting determines how often a domain member will attempt to change its computer account password. - -Default: 30 days. - -Important - -This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers. - - - -GP Info: -- GP English name: *Domain member: Maximum machine account password age* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
      - - -**LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Domain member: Require strong (Windows 2000 or later) session key - -This security setting determines whether 128-bit key strength is required for encrypted secure channel data. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on. - -Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters: - -Domain member: Digitally encrypt or sign secure channel data (always) -Domain member: Digitally encrypt secure channel data (when possible) -Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted. - -If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller. - -Default: Enabled. - -Important - -In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later. -In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later. - - - -GP Info: -- GP English name: *Domain member: Require strong (Windows 2000 or later) session key* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
      - **LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** @@ -1650,77 +1254,6 @@ GP Info:
      - -**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled. - -Important - -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - -GP Info: -- GP English name: *Microsoft network client: Digitally sign communications (always)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
      - **LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees** @@ -2334,63 +1867,6 @@ GP Info:
      - -**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Network security: Allow Local System to use computer identity for NTLM - -This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. - -If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. - -If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. - -By default, this policy is enabled on Windows 7 and above. - -By default, this policy is disabled on Windows Vista. - -This policy is supported on at least Windows Vista or Windows Server 2008. - -Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. - - - - -
      - **LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** @@ -2586,66 +2062,6 @@ GP Info:
      - -**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - -This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. -Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - -GP Info: -- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
      - **LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers** From e47e8e86e180b6709b3b240a0bfedbeed726b2e8 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 21 Mar 2018 14:08:29 -0700 Subject: [PATCH 12/16] moved the one unique item out of UR troubleshoot into new general TR topic --- .../images/upgrade-analytics-unsubscribe.png | Bin 0 -> 33468 bytes .../windows-analytics-FAQ-troubleshooting.md | 19 ++++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 windows/deployment/update/images/upgrade-analytics-unsubscribe.png diff --git a/windows/deployment/update/images/upgrade-analytics-unsubscribe.png b/windows/deployment/update/images/upgrade-analytics-unsubscribe.png new file mode 100644 index 0000000000000000000000000000000000000000..402db94d6fb3fca99d76f90cdf8709a409694cd6 GIT binary patch literal 33468 zcmeFZRa6{Z*DV}KaCdiicXxMpXsmJ9;O>Or5}9@Vw0x@+xSyVja(uDLr}RapiJ9v}YGr%y<7vXbhbK0!Kv`UHUr3kh!Nb=c$p zZy?;%WyC+#Oc5S~cfMGQDT#ghRG*0OY6b<~hjW(IbNlp(DDs~-MB@In<)=>}YI2fd zn%>6e-B8{JGONAk#a>$*Zx3%Qp6zu85#c3t65qwMxN{;hGc);IW?XVIz#qUbs^pBm zmYzI!%>||PD)VxPm-gCr_sL8S>nXyk^;=n)h82wu?_hK)`4r;EyH@Mmulsqmz0b99 zzt-z*!;X)wO>(Xd1iZTo{lbn%dqqCh6>8rO<6EUSAngC<@oWZM4C&0y6IDuouUoif z`MBM}klqT0$(&gOpL%nOv4ywMC!95U<`wvQS{v{*>{dr#G z54y#LE?58E>DI^73XbvnJw{;9KNtIWyGT@deJbx2dHh`_5QJ3!gb^5kuC!5aO9^N2 zw#}jF{{b914ufS)Phi+;u|%&aVRv_TiLEVVT)`nqTO{~9gXUxYu&G0UYahWR+2y&pfnC>d@!+JA zz5}l2=4uBA>6W>Tjp}KCm?OTED9Hk0B0*vtsb>#~KhC^m5o1Rv>EmYbcDA-_aTjD@ z1K1Am%2h#lNvauXN$n0x?_30}OeWp4E0c4$rJi0MeGb{Jm(g(v`?vAF)9pPy#2alg zD*19%&22tkCnKsAv}-yo9Y%Jq?@oK5Jz^B(v$C?-jDSu~EVPXM)W4jT8#tKB;5gv? zg+joc#7#(oPn|xbDlH1QJ5J~JOrWAFR%3JFIArSZ9Ds*l;Ew!iY6y!SY-DXsbN6`( zK3tqReQjm5zfu%NT!M1`iz71w{?rJO9o=piQGsvMFe?Q*{VPNs zlWxcA)T|T->(Ap;4ca{@D5*R@HUT!e{nz5kvQTOC@9L;f04;#)Sb`8t%cbzQ!?0FVG-llndUAH(sea2*I-9J%VE@R3m1VxvRGoZ54h9-tM!@LU zJ)ts*1-JPH`Iokui`>RT7R!QGpV+kYv@{l@W?_DAVzoaz`*s5q1?=pN*i0rG+Q!0O z+czmqcP%Xs>F@W8;R;Kd@O6Fe10Y`ELy1NF-~X1o-6O?+BkwXc(BbiafMg;0Xldc*LAlhsO+PrmGF|hD)hV*F z09akEhIv(=6LK^*h~#oJ@Ke{c7w?brAqaK(&5$NIjwc93DJ5M$Ac?}EPoXq=fu}S; zkd++NkF>zWl{fub(bR;fMj=nil!3*@0ALSuJe;T{J;?60po$&h?zOFV-|vVj%LvN< zHmYH5vA;+Dr_sZC5eN-Z_vU1&C8edbU#szVZMWa=m^{wZo59um0wRb0!RN#VkVIgx zlVxTWMoYQ~9-u)btugF`!*5()+*&7yjh2+rhZDL!Fy@d%$f=ce0&=!fC<=jNdDylsFlu z+j+zSR&2IRLLM?Aver>pOxgU(g85X4CGwQx5|a~n+N9}d4i8eDt$#h*TR}L+%N$Y8 z6>h@b;^3``m_0NMad5EDfaR*|c^%^c8Ju6+nvOALq9&waUX6br9e zKH4TYz4l}A$BP9!onIm?wi_f4&-90{He3j4RQ;eVi99-dIA}ZR((kUkHqg}H-``hy zaXoyz*0`4rEq1#?Y0Wbb?BD3hZRm@C^N<3!8y2dWs%LcdrAuUKbvs=;J4;c*#`ay| z;bVm}x$PF7nOI2@$Bmi*4t@Z2HJ8yYDTcAJG0;hqdo|A5ngD7eIc*peS=UF`JsBng zCTzwOB2*GvSXNqE1maA3072Bu&;|!Ndq;i!?83m;hu31%%T=W{v@eA^QbR*m40$8j zz23!vrmX#{gd2D5v9_ltzF&P&TXtyG=QvOkDAXgl9*G1!*M^D3Zb#;<_V;l(Il09< zW<(w!4GIU+YYl2v+K|Y=vG||R!)sb34i&ZhXCBLrr&_-i58lPyGgN+Cig$E!;OpA~ z(G^k(wB2TxWvAcdut&DndR;?=4r*gWxQv))6mk71*cm#m@rnvYeIOGFq~?5&P{kr+ zTpgsQnKnE+J4%rqq?s~ovvtv^)&}+ePCZ@IUqg*M>16)`?Ck0ytQ{CGK@=ojS`q;s zk9ojG>C|q8WZ<5IU5CSZ3&O@`m%oaYc7h@GJp!zFJ|PxHq;MXuf51k`ITBJlY{@M= zJlWLeNR|B0GH*rm_5L!tbq{~5+NVY%f3S1_{fA@!$z|;u%QUCF?>0~ zZx{dEbeEt0uvoy}#s2-4*4BX^sq1&SVR>_x;-8;8Fz%S+;?21p@WxFP$^o%S(~N^%^C@ z|AcSiHW3h{?ic=c2~&O0h8Dm(=qMqzW5`LH4KGMgf04z{t642n`r_zmgDOI5gWg}d z^}qlRwymN9zmK+m4#~ii*`%?&yd16(enZ;IX^pB`r-p~U`>7}_0N>>4iA$D;}}%xp#Qi1zZ!?1jJ%97(}y1TVm#SY z+jp{jLf#8jZ9?5f_HX=v^`Gl1&*4dZRvs~5`7OH{)l^Em(u>c`>G&7}S_7EaHjhqD zejmc_Tn{o*3+pkb$HoOMj5Lmxb!Te(GjtErS0Bi$TQXJZ&|{zKVC;Uzjtz%U>t$v4 z{o7wB-D8P2T^$h!%JAY%{K}ghi~eQ{5G2EdH!v``t}vmF8bNJrnjnmKAyg_0eAYkN zswon*OL{1<98M<=x7Hxoe+zwH82tOGu`xH7_^tmJEr#uc-@aANZ@KcZyvSdZ>y}mt zzpJU}!M~cLW?)b`jW)O&t!FFUA}l~p?@RU3lgc(rJr2tE*AqRq(>`|a%k=Rz2VlsU zn8PL|C1GP@v$3%~@7Jo)Vz#uj$QP^kzB;ff!azfx;J{*#VaI}BU@N(^)L@&%S+6=- zSDZcwQg#1hgJ^J3wWlc#5gUPxCf z+o?p;dPRX}IZHHJs|T%2cTDZM3$Ok0O&QO|{^zyruKQ!Zixr%~1WfF;psDGKFQIvOgzkwto zv$C`6k1j70{fv!sTRZ??oZHt+^8%hjQG`tkgedUBRT0`gTV0@YSYMZx-)u$7O?DMo z)$D9g4ak(Wsgx*XM<6<)yRWUS5p3jg*=d7w4amj!_W%|amR~5XGCDdq70pdeIlL}A zf3J6!;rR!Z`q!OwW3$6t>f+;(lp!5U|Niy9Be9E|dN`Q+ak{rRxCf!n>v^`^Y`64n zdTOerxj9@R!$6-riIrpXwxY{0JpeZ-VJzZhbx z2K)>O$@<%j(C_Vj2|Tu7@JnWd=$uTW!py{E*|_rjhDPxT`{~r=1D*+->;HUXhX=LD z!H6hmbfJfilvn%>dw6FmFV7mA8?rmLyhWHU#-t{jWa6ryV4 zf3LN!yi{uxT>z$dI8HcqNw(#+E78PaX;W{W# z!2N;_d^jW?qVWVhVm=|V^+*B{ZYj6@@=yB)-+Nm`2i&f2>Ervjy{rJojSi2G_czM< z7pTTGleZHc-oxkpS=U~1EfiZs^HN{YCk%WG?`bCLSOh=LFL!x7kE0XvDNnC3{s>~V2BIvr1_lJLFx}hKeN4eGhi{Kt)8pgW0$$8+z5Wj? z*4{!cJA>IyJu9oLF~>xWWEWKHkr>p9tYP0H1hAPzM}eq)w8+WRhXYj;FFBKwlO%pu z5IOOJMInEiYim)$ub#nPx}I;x6v#zO3)^?G+z2(b%o1=Nt5vCeoE{GbHUAk$IY-mO zdb%@&y!zS+)HWxa9A5+H1ETj)FV2le-#ruzA6WEV9026&%JS+eV6ZPJ0R$i0>2)bh zWNmFdSP~_J77Cc1okhF9y}dYE1@RL8LgYb@9a?R$L>Q|z?v5cq45lk_)NN{QwZ7nSa&lsfh>Ya8 z4Ee(xVwfb>)d_y?yU1UM$m_sq@p}Dob9gw^MDQ~z)5Szt8EpwZwP#rnqGm_Ho9~yx zQso~z&b+W8Xn%Iz2Pfma@v~X)M-Zcwz)rv<%eEj$8tf5wr^+^Okh)a`hN{e3^mfHL z7VD#tI41C|v$+&`l9vJw2htFu5F>;&#&)k!UD$mF+}LOdpW_g@`^Y0WtkC*`x3h^A zxn7~z@v87Q26A>W;@%IZekdp_FR~C!zQH%E^M3oiwna-^g@wc!0~6!(c|qLY)Hm^x zbxY_^L0G#`hR(p-CsVEgm;%$IH&337ob8+=oSuUO0c=kTN0Bo-;JC!``MISwUPtiS z@4sI2Bw_$_b8r~_`Q>^z6hTIuir7nsO|4N zuBht~uo+tX-i5{#!JqFi{PV+KMDed zJumU9pz(tLs#7ECZt@FOMS;nH4wAfwlTaBn=dUswMxv2_eVsh2ms_tmRTSu-eK0M^ zibSc|kNZ!g0nf$^Xmolr#DA_JDo&;N8GIDnzy?hULN5splg9-&;C}w53O5Hn8V7EO zgODu?vjHC+1~&|U0{;*v_^3I!!8`~J9?Ofb_&V((@hbw>XDYVM8IzZ!;AcwB9T#g! zafdSui*%hstp#;_8oJ7=ideTm5s|Mbpqr;xFp@${ALIpr@fbMiyuw(g_|KK3Dd*K^ zMHTbtgC%UbipqqwD((N01b#4IkZHz!|2)XM8?Yezj}a8;w&C8S!E1T_g`CFff~~zq z0f7<({t^G5^>j$d;NE_Y_#g9ABILj(K}h_M{qh5p==9e?WZ({bLZ>e_Lx)TC{`v1f z{br30lNU7occg4GB*Ax*^?!z{m{XA)gpPvy&seeQm%Ronrc%okj-D(P!9%P6>NF=$ zQjLZ|{AciRX*7k67lJNgT5&qNtbAr^ZZLo#I4Y!~b(;oN?Ll zYj8+_lC0})QaLwI!Vqze-?(37V48F?Xr9!*yO6zjgh7ZEq^+YP@^aSr@zVQY=jd3& zLOx9OpD7{_vVw;(_f64WFf6r|^Zwdb-J#N5X^7$nGG!d|9&O(_M>zWY&cRZAG`yMDv%a0F?uc0EyON~4F8>8kQMa&1oOI8`*G7h zj`4ASxg;eH>Pf*3{C9d~k>SFcjdD|QU&`4vIvyqd86i<%yR|YBWE+3!ho5FReRE(b zE{cY^d>|y(U&@K;<~d7P{VLhwIu{=hh|4aEW7A+UU_h2C@@+!vytyvg7N-cVS$Q(e z?(F;RgYI(fBeK$drJ5P=?K=7Qm$z9W@z$=fzm6+))|bI>TzqVs1Fu88t#nSkPt(fU ztv&9%(9qBgjg6`DR5#>Fw1R?!R1+0Rq1XJBl!H@KHC0uLCX#V!+C;eRHL3exGBQZZsB5a+SE zbt~{9??d@O);Z$x=;Jent)sHE+)sixq*IZPGYJ+a5&vW7GR=x<;g>3K!196RA}8Mo z2#@LWoz4|9Xt8JG;d#8enn_15q+(<|qY-(EZfu^kTF*TVvpt^|7f41we{nrdey9RN`C|Nm_~~>jPiX%{ zYd%p4kbWuR$-!Ukt%|WY-?_avbbf&Cpv${_Hj ze=L+n2;TP3Jcjb7i@gh@g8SGIOO1l-rhr9nakrbcoOrtP+_6F>$`5#lBWa#RVu9A% zn@LU(z6W<+cf-YBAETzX$GP98`FD1r-W0jCkdZZ(~e zTOwuGS9ebXB)Q-k%Cm5P*#xw~9tFBdGZoM@mXcj-U@a7;HR+g?-U|xY-{c9UaxRcXG1U zzkPU+{t*!Y9k=xU{;sU7%=^2ntW2X+IW;}q&H!&jS63HYquZuGN{|2P4Wj?D-nyF= zh(GsuyPWHi8i2piDqL-*N;Q`UyR*$E54so!qMUszxrJ`9)K?q2FS~i>dZJfim-zwu zy=-97wtR?$RlzLik=^ZxpcpYrcufL*Ew%Q@yjj0RPrh?L-E+lMp4n-(Cc|;47a`UC zzMV4YIQwEUrC;aqi09SoC6br>d*DaA@2=F=jK|2dSg<2s@ulM1jkI@@k?X;GHZlga zKf12I3m32N@ClM~bTr9S#%YocyTfQjXzPzeKJWLp)FtvYZ&c|Lch|C+ULLoaBF9}|nOEA&avq5C@I)HmbRcksY74fPdIJGt>r%($K3RXV zCA?Y1H=1lTL`6Tbe+~_0-7)!iUIJr2w#o~uGSzE-r%gdvkDbA29;eNwh6ZsBEG(=> z>*-;ASadU5%r@_9fVK6Z|H}g&^(7e@nN#;Yc2%^WrR6>tOm5Fg#bWR8?J*j*q3%qK zjXmGZsnlbuoh?-AyuH3A5DVdxko1D{x#h?9!(0Uw6%=ITTy6(^`;FOIke!ENX!Ov> z>-5JT&XaVR*lTeuIG+!BK;}^NN0GBZmT8?@q1eyX z+n9w_b8DtTjciW+X}%&H|7M#~9T%bgmGaoM>=zlK`+fxil^>A+9LKfBou4jE+J&>G z)eh>+VUg7(wT2&kcPnetIiW;4Bz&Pm^6?KsYjkcn&`b4X^A-sY66^Nu(l{;3jj$?N zg4PiFqA+Rad`*`TM4p%nV@OUH*_@}9S0$T?hfLz8=V>}zJ{RKd1f#;$S5DKyz4xzA zdUiZ4>n)Gc7UY`l!;=CMf>(e23CGV>Fl?P;Q2Rda0t2xZrbbizFf2qqfw;N76yLq6 z*=?J%==6Hc);?bEtRaKBv$_bR%U~sv4zImcYsEpj^#CXfxW@h;;3{{ePVMmO^71k` zNhEVSUv0L|^^xwpMn(1QPq3cK3APh?J}PuOoSMuNAu(g_0#jkJ@W3y=%N-sJ5BK}& zCXUN>+u(GJ73l5#cQ~FPvV{~C)?F#Vj@3o%oA2vim$w@rTePZ)$_ZyIP9_y>&j@C% zg4ba$Lwr#}5}k5WMA$QswPRWp2F1d|kp7rX4M@#5-)(JhuKA;ps^VFaxmC7M?(BPZ z?cGD7!!O($JlhCw)`sT8VmPObDA@@O8wdOiGVhP^73P(FEqtU`_bCR81yC|Jnj9;k zpmn-FtJ56vVO0ZRxYbw=R9X_<$CGJ;wOVzcrGcN<*04spHZgC4DNia(Ct4=thZ(71 z*X_^mMlk05ov#epIqdS(;20;dPNKPS-QP>|GYQo;D}SrCiwYzYEY$P9y$61N>k5xN zi5XwEC)#-mHMY&SZmhN%N&B;3HncQ;Br6@^a*3rDe*?dhU<-^1m2mC#6cRSz`Uk8X*e8|cVEg|L@8$` zitiI>Pe08j2J~Yfe$=pp@tY4LmSOq`=Oz9@7dPthYnP=27i18y8AZSF`9Hf?HP_dh zO|;rA)jVzmihyac&Ti??_h4sE3a*O_`P^90(9m%9TQ#ahN!P&v46EX!qkV2CdC;oK z6YCcG`hv?tAHclFbW`Y*D48=8_6P?rQ}5HHlXIH%bTUQp>&c4cHk`6d<)G>X|iJ>5+W zd;SGZ571rAF5cM5p*(G(DoC>qtWN#OJLXZ4?&9~w_TmFIjDp#i!@DrHVX z0zT-i2J)I;=wy2puvWxJI_!2@KG{z887ME?ZkC)IOL;^U%_2#T*6>k9Iv5^SZQTvs za0Or~W&R#H=9t&)6HU`>c772a#MTKZkaxcvK&ig!M$k$rru(XuW9e!C(R5+#AWOfG zEn~v1&~^Peeh{aSLBoy~*LGV$vLH$+`TKWd65%RMdasLhI_y}`0GNIx`@PZQ|8g*y z&DLYm8z98Vc?S-(ikx)GHY50m&o7UcCJh#FXQ#Wn6zSt?B=u)~p)lZbW+IV*wuZ*Q z+3AMYmZh*96Ft3t6L9uoqtn5`fq;OZo)6w^F_l55zhok^Y8QL3r1$OIY0Kx3NRj1E zO4_tbm2G9!X#U<2G{G3cQ>e+`Em?qrqQ1TqT~EY*9U@YUKywg%kCnk6*YvHAe3!li z$_itTqSuixC-U{!YG_0Xy^(g4Cwt^(_F#)$@|l~$XHK4SBzy1I`U*8V`)V501o^sP zyJ}VSK$TPk8|@r}!^oFQtfi`UWDe!NPe-&y^zMqzlc_uNZDC1;Gm%cga^xY z!?-vkL$8f~7YSR^_lndgd>>R3v+^E_aIu$T*NGqN^RTCE`bIY^?0l-Ti9U{Q8QpyC z=ND@EaznMz+nx;+vAkAq7>9;hAKaXH; z2SY#I$RCTi4Sq~viR4i|*NNU(L>!s$0UCju<-5y{-PEen4kX47p;|P}aV}aj+5t~110Aaf0tw@b0kAVU-4iDYKuTfr5)DC|iyn^|CV}{3xm9@5G+;SN;fEW7XFC#K%fsd)cnAI`@a# zGNBd9j|NG|#-3b?jt$UXn~*;;*N{3bH?pDYKdRUDDcr2+W|8Rylc^okuIhAp+F`DG1}m zJsTD69mKhI+BxF-xw4+x`_^w}Uee3VH>xOfe+5A@jKJNSIc!@88Jd zjx@|zF85;tqi%G4#~;pH z3`DZ4@Qj00wwM{^Uxp)0!j7iMO!%}!{?nzN(ND=*dzyzP+?ODEe3wchwJ#XD8 z>HKs#7Y1AjFAkG0#gThYWe{Gg`m2!z3(1YJ4_I10*?`>0{%wMQH9XYfbQrxgiu1v! z7iB)%W3DLfZ^5cvCfkm#R4=YUI#+c4f=0brpZ0qu|oF)ynYYW#UjCj9=whms#z^l#}= zp+{k(zZK|)3>{N_SBarys4V*Ug-Hf@ck6(4mCErg(Sz7{H~IcYyVKPs++8jlF(lH2 zQ~Tq@|1VqM=>m!{n@ki=(BW0OLVnr!N$X>R@u|7#W^()PmNvwuU?m_ zUA(s;2al@42LOGGKP{Uy=@toG^%g zq6i3Pd`aw2_gcQ|L~P80~png#8~%($oUX>3%?W?<@QtSXxtb5Os-#_Y(|ExYW4ENBe^#uc5KJ zZArlPSJ7g1EzN}!9AZYu;JS_$r=4sM#>sL?|#%w5KXMIQQ;$H(T4nhRqZue^&~W6;GGO(4#HnPgVuvbVRl z)-yx>HU5GfbO*u>wcpF@`diC!h|&WMF(-=;3C74v<1DyT`?!{;1Z?CI^}1*0yQWKi zJ)huW{Rx@pbyW>lH~ad@HA*{6RmfAhIk~(VI_jc=wMa4PFyY(e=~EXLxfbWS5fKp= z=ebNBG~Ddu^q^LQzvWXAn*=$iwb!*F3P?c(31MTVde$xT0xdH9Jv<)sE0^mUIueeh z%{367WBgq7pt#j4G{dP@rCDu$_RI)Jjz~2AIIC%SP}coIER{YZt7(XiKWKA(1xHU; z*%dI}Q{23a)C!{cE4IC(wpAx&%k z@|Dx;tZ>CKvV6(8t_>8t8jOHcNogwzk%UN+4t=Ur@%~cP*;u7*m^d0T#32M%Jv_k< zdOjK<1^(d?a!XxN4xb1RqZAS^h(klW+@ZZN`G<*a$ZfRX^V!+<={X5{b_PBghKXAB zj}cLCs3FTXLI^T6>{g-~AwdM@&pS$}j zIwGhkEmSc|k@39pL{aj7whe0D+O=M6Yl3SD_}~Hoo2ehCaT#%snBwLf3ojGL$n50W z*dpHS=!yb1uJrczvo7(tXxuy08Z$pc*yus(tH{tw98V)HjYuSr9O9gqncDX3b&E1_ zCf`%v_AC%Xso479g5NnLiL=0rb7B7X2?-%__BYqH&4sCz&rB5Xk`sG-2fO|_-{_=4wRYh;4=tfJT;u@}s_SlxxxO}YRh*m0S|3*FUH?KhFPv(*{zf8_%O4sR z!vQVlM`Y1fHNfQ#6}Ez*(3_xtXoDMqvperV#@nAyL>qo*IfAN?dM(FRxEWMAo%Ydi zG9C_}m5DmGF;HWE;vdcokA6my9;Dpyc5&HW?Rb{9a8GA>ZV2ak2*GY}MVNskM3K1= z@x&g9#jdbDnKd(%{OkG%N?yiRvPqoXpy3yOI#Dtp=P{h66HIBvyTxJjMU*_36xxe z8?`yBA#S2e9c4Cd4B1xy-AKwI3yY>@Y{s@Dt65X+baRaoY(imGa=XyFG1967hPHR`ioM1zM=tKp93wX*14Nl!3~rxY?l8 zD5l7;(H=PuGINaFse(DXW{ox|xBhn97QbU@hnIdM-fcbMZZQK#e zysf!Q`DdcYYOlz8U#v32FCQ6FV*+J{utb<@Kb806h-0i+oh|{>8aKvLe48PS8+~J~ zeVK?8&ZHnO1998E*y_MkJGe3OHc0T~(;1r1*vbHk8ubA-FS#LP-cQwo{49gD89d3u zwmaQHuqa$UK2A=u(a{)!_X}o$*oJWy+irA%!Xo!G(SNIZecqsc^|Zx=t92y<>p^SF z)CJr@G?Rx1mnozA!TdztlKeJI{GXz6q|k6K1~9SRE{9?RhYq+tkHkWuym8T^hJvrG z>T7&o0V$EAtor1NX0`xYnXpJwTnUjD+e-_wx=>ZLI`R{7*2p9xyUYwM=HS%ruY>$R z)JV8#5c>`vBcMzAg_*eLh+{B%nC%YCeW#c*AYM#XpU(&usMv={J2S$zIAh9{XRe96X2~4sjHs*P0Z~wDAwenv14k$AmY3w{(P~P? z+7u;&SbXM=!CJ}}J#ci#QI=>8wQDVjSt#lK>mK(dgg*W+xjgEH|)=HT~inO z`JY#3pRFe%|NlOKV8Ays|2rlag$euC>CKXIH-!&Ai=W}&)Oor~5PR63 z;A6p46{t%}spdP{otI|lO73RBlP+2aXGtM=OHt4cGMJExzAR&d$U4FV$@%P|+5ujQ zuk*iGjWzWX1o_F)6~0BXCrS0|=cpq`MqZdb1d(Q}e98B>T7tctaSbqovkx9qWxvhk zmhf;8N~o#q#Bsw+m469f`KdhtCutW&QBMZ%;;RM&VnPnSW=4&r0*5SAV(z|jiRny? zC?7=QZOsV+XMN{|nUsguJ?sY;?>hD@K)>M~p}#pbM20RVW@-W59>jrAMnXQjEua?& zaftfX*WMqTqO-tyOPM1vLF~NgoG~G1uI#E{Aix=yJZ#8LNZk>M0UJ*69DNGQW49FJ zOuM>B8qnt@QYQ7^T6r?8hb~wI7&MjS70QOLhDM=3GkVd#(@nBV$ma)QHN6l?Qn~-eIPv%r7poUs`gwySp#1t>uBWCpXxgM;~c40edrfprknIGO#uaEh%Y#AIsZ*FcHb$SN!`48XWae(Cry2ffrS!oep<$AMlRWek|AVD)%2Ydc~ zIIu7mD-cy$^r=zg7VK|0vKI)^n$Jci-?|CDEKYoF@yb`Fg&{utSfHK@*pfk*B2zBe zmR0TdyRk)2p~t#4Ouf$6iQvinU?@bhH8WH5P>Ki3`mS#t-bWgzFE+ak7#H)9?dKUzV%n@K?)v~Z7JAHghnl=S1HY-j}3JL(!c_}HJ z$Dxn@>qfV3ZZFSGd3PaT&7AMoz*Fr{jMxmcw7ae< zzpHap*q!d8YcM(TdBcP?bo!z?_SNd~K~1=o3I~JM9*Fmy+kh(rGEg0Ll0Qrkv36Zgr%mTi`A^|R8q3aPcmM7PGdqCyg$xzL1 zZCxQd?DN692nu7~f?`&l#FAQi8ak?)_^9Z?H(mYcAK#)UIoI30l3BQcru zelBflsp;FGA!X2cG15|1*A7-<{Vcl6o5wp%UjM~^ICF#!aPq0i=KN@}_66QX-%45D z7n?sKIdm>WLU!~Qa$*7tV+3>aEdH1|y1L+7$gBY;WTn|9?MU--)2*uAR~daP=9@Nk zAk5de1O-43MeKN(LXcI}Sx)zBC_$D!D!j}vB{;&fVmUvElLJ&qehfBCjEjR{5Ao6| zXgMpo8cHM|o7{}W>h-JrKd+BY!dP?h3ui`Z6lF7sWo=Uv(^iKob%ewb#SEz|F;yz?rF_;^O@gl0d)h{%~;Fkx92s)Ky2&(b~Fn z8f{C2_XAvPd>>*7m|cIJ#PAvCYlOy=>fe z>eT~=7;3w2jJ$4Tf3|>?XPb3q1J}DF8|&-OFE8ik=l7>kFJu%H0}~VWb0td8mb>7@ zjXw1mjH|!Ols1PFDE>Ktq8K!;ZxVxMs|>B=fd6##Z<{0Tz|OCCK_ch!vLuhQ%@lG( zE%WQz-(iruyFLd0VjF~sknDpA5Hp*JD9lD-4A&a9(VOAxI0V~F^>e`)YphM)F&&C!I_a+%6iZI)XJ~R)T88!>f~FY8X4pt-w`a6Vt<0@pLBdo4!M;{b%n zBVcK6f4?{_CN(9c;L~2RPOULk>`+t=vq?|f6N^UX-`pU5VQ@thtkcHF5jU~;LV-j7 z(CIUtrq_5#N=d|Rw$O1;a6xP^J8e0hHu*z~n_6pPc{)%9(p{tFCD zA({o`=g%$@?1`%`?S@TO4h}@9sGso6pS@om&Ix!Ne-WQ`Iw!(LM@Ku;D`$Z<*>O1Z zL7ylAaMCKlqPSS;7M6#uqdT4fYBov^p|O!H*&Ffs7!s_uJF8}jk>6My`_pj^$TSaN z5XhwF=_<=w+#Uw6vdUuz#^`O)zyC(n6E7=^4#qVaYSCe=E(Bn>-NvFC7U-+l@F7Nu zVSOFhS;%gI1$`3>`>Ztp5f#ezY|_}!35JYpsPnNi*h=-wMyntZ(v&A+dO+u&E8xc; zXIUvyOtaFCJb&1WzHeCmLK8Kfx{ z!=?>Za>!XHqrVGAqyJfv-7*D4m6qXCCLIjn#Z3i6y#tc)q5Y_}Os{?rTMqe;%jPXq zsjZAHV^Iol46cVO=f#Qws=*NTc%NfW2_jZ&mS>E|_LaNr*b#Y?;T_hdZb)+`oID01uDL`l74-wg({0-%UX#?%^>P5PXSjXlUr?=a(H&y|c5E8~E;% z!f4WygSI(et^ozvmu?c^b2Rgh)Desq0Qg`zZ{*7)t8U>BuT7tkJ~08Wg!p*>#|OBx|p(um9YSz><#&ZRz++E}6Q1#U7UkdZL|GB_sT!wpzIw{H~*z*a5Tfh)Egln8_u!b5cUWSY92H(`1oZv#T>uL(5 z3_*|k6=j90Lxvk3MoRD{9UO|6>+0LFl%*zj8sv2``bbtIahMzk*`~+xrlf3CpKn4D`wMqwNW6;+ zlaUxCWLYDh?hRn0%t((oSQ+832?-;7K8NUg(}GiZdMTPlH-!4?ZFBt`q=S(RR1o>q z&_NmWCHWpa+)`j34M*wE4VwJ+W+FF)3GqLOKx#TJj6)?b6(%{t)7<3qd>kkTj~)Eo zj9QUy#vq4$8Fv4OU}{)P!Qc)iG7gBsElwnh27@r@Kk#iT!wa0sQxqW=#=E|dz=S{;b`~damev;mDP4XDWT*4&<~u#mdvt~JLPQp%S@j< zltB4=I$t-qxSw8}4=@E|cnqvwcRJ3i!QX=ymw=<})cB;s@j=`CRSk9nq(I834-|>Y z^RMx>&X$YpKwneSGF3KHGs^z0Y4CCx9*5N?(>_Q{@akFAT0h~f^>sqKEx+5z2GH(-jkw}iPzb{yhuRGsTP}tGo`*5~mJ)J8hppeci zH43hXONfhq+rIV&FD{UFj};({Z6jkb>Ifr1=MX&d+#gF_J?Fx=hdSQ3=gk%tnzIT$F|Z$xeW| zM%&rySLn9BI*JXA%B|N^bl!-SZ+KfsN4ZmPi!xZ`^?TWG@|F=Ffg!Hc15Kesc*+P5 zmcKYeGzBp6Dgxdx*-9|KF%&Rc&CZnQZ-_LtdgWhSk~~Z*HdRg^2V4@@MnL1uP~XB) zA%~TJ%HT*Wf?xZjQDZXW z^2h}sJ`>lNz;koG9acn0|HNc24*haMe}d-=ckveV2>#=R)z#jE-is7qx)^R01iqwOL=v*DqHG08{{lT zxW1quqBy3#tAcG`d7LsZOTdNN@b6H1n6x)x1H%($0(>vhErW1b?`XLisl*?y%)(1* zEr%ggzlc0FjEs`B7rU&GD-4_FOn%5=G%mRm+u_W#2D9m!c~bXmW-3X+nRHgT46KAP5dTDmvK zHDN--q)p#(2nISn@cDE5YegNobVZ^AN6*zxX(a}^5FR!*HZE=$@*Mb#zAB`L=Hg!B z*hgg;8X6)Qnsom*z90E$deahc>zPKh;Opyass&ENvH7w|oi#uA7MpN6+4BD68n3(nvjFdM&zKI7KQ^sD~Lwzgg&I%lrR0AAzXNSrsg zE{z9`ym(b(YZ@!n40lu2%3eobe{eCO$jlonYmRUrollSq!*LQoSseIPC|_O3GJdPx z&Z9|)xPx-{%aQ=^Y0} zIEoI7mXcE9Dz0v)#y_TVh6unca43b#`z!x%GYiO?1#0~)($t1sGJZx@nVPRp2(_=%8 z-#<{n*(Y`rk}X!F{{_YZAPWBqEdTGf1-QZZ`1zwEB6_>K!N(yjE4y;&G>L8YVGOx0 z$oN&U#x`NJ%Rh7iXe%ixT{tP_?|{24W=^{Q_~xhj`fdxfvwg2OQnURIni`gUxxtT^7@LR)i-?E_C1q}5p^Q-y zk#anw=vs5Hs_fHHNkxWdAgq2j{s1T+j}iY7NM(vBvK`f}9{1~l+Kw)*9*#FNorHv& zg6j5+K+w-fkoVe%_~Z46(_$mE(u>fZ?{;UZ6p(hP=;%{~#KTCBFdsjDRL&Ce`1AAq zFmHFqv=EtiT1)gtf8-fPh zU!$wvVVHOKuwq#^9n6(&M{9BHz`PaY=IlH=bIV5rN3WP+Zf1sygR{1~>(~D1=%$nV zx1~kozSGMM0K9XxR)~m*w^vu;5fR&O`uJ6T5*qm*XRh4!YABIssm#GxNWsr=SM~`v zG#6-R=>K9WGoRwQToSFyyH^&w?j9K#>FFtWf*E`X(@N*&=C%oC5OPNPiW{9*Vd_2H z+&;<|+~9YGVB{tSn)rvwm87T7fu-_nuvg*?qB9S z_O0YRcD;CTzP)e=XmzUf+@BYg$@}r+$8aY9;c{zpWo6RfhGC2Mad!-EG|t-kdV}MV zt&>xdP-0>t$639@0!O?l_NtSY7r%LY>z}`1Pr5thum}hcMY%j&X$R-jii!%r`g}99 zu>rQaYB^cizGOyqbFOsHRG}*N`0QD7t&YB}u8aKzQW6rCU*R+0v@%QX8&T9VFkrjh zn*d(REA@uDI_crFGxx%*KJpZKUT~ZMcMibZJ8|*G?vV2BPtqF5Tp2ybDT|Hc2Yay< zeD%5c`T`uze}Cxd>)+-)-bFPPqC~8nZBJ~8pUhOe1<^%9eiwUS9apsi3!GESF@hr% z+2mNhtP72agP)%;M1PU0D8A7j@TF-}+j>)>h0dVw=x%Odv1%v;0PG(>o@I2F!#D^C z3ifZDc&&h2*|4IdsMxdQdh}ajF&$8~ECe9xsnE-wPk*KRijtZdMyV$!=D%oP4eXN2 z5ma`u^Al$F4y$Mt0OY14ofo7U27)sH^i@DB)$c=daQu=CgM!ra;UTcs$7LpCV}?NCu6b1Fb5kO&X_<7?BDdCJ&8iGQ#irb?s}dZ6quwP=p+-C zTc^&=Z5Z4*hQgcxQL_b_4`e*^IwL z+8ktWKRY{m+x7sSUC==~NFiH`p^r>ZIrf4H=uEw_c&lTq!Y=a-aLMsuKg~|T(U&Sr zrz$tsc<>YJ(2VO-U*qP;0Dz?goV}~~ndVkj0HoDf{nP&uNdk+<+uJ*rYnqFQ2ib~} zt`~R_FxT1TKWAle3hdb0Oqc0~L7#`QpAZ#Sdl3hwu{7mwo(D!dTiLS>;yoCqx`u|n@I7!O0(B)QUZYWG%Jrk( zB)ze>vg%tDe|)%XPa+cx-Hj6@s1SC<#G?Sj6B82(v4M5h83zBlqE1Q6iiJBp87G&QGyy%yUo7aJ|LD2!^PuTPfl;}e~W#KSr7 z>E)I0r+|val!5|jb=^R@fR~gkN=QhUrO`6^2yo>*@mXQ6EqoY4wp72}Y1X}>{Crq$ zgm1v4j~qmkD}ky5f6vXD^xRo1=yqX++I)tcv;)wW$DSKt4b>po7aN!$9;xI$>jD1KlWLuLE;7p)VjhATAN?vD_29iyVzv z?>eM;$avkOGn>lF(3)Sp%=qvjbYgsJDx#RwGs>?YX&IToi@C|mmB(kC%py@$ z%0`E5_V)IlSoI^VN5;o-f&`;!s8qXiL5u@v(JJU5OK`nNg@mA^qZd^HCUEer~7Fzi+r+gye_?ka)p!p*?^8yeNJbHDIj`k`~ttBSBB6 zS;ctD!hA6D`7_xTE)^GA>>SaA*tdjYqSNi$MrwBU!>0&+z_HtAuuq&+d6i#+HVk>n-Y2sR^4m9M~Ow=8-w) z4+vP+B#mBa-tB4ib+<5m=UA5yvo7s9P?&wp>yk-GwFc8iV2KLY{>kxBZNBzC^a+qv zpwtL`mXF0GLG<+g{eL`g{{LZzX>dyP%C&IT<8SX(Tm6vnyT0g2+qBT$PrV@ihi0XQ z*65Uh{6AmQ#o)nV5DAzXWDZ<&OKKMK76CHSiZT|g1;_8knQYzcNG312>1m!W7sQHj zpkHFyel_KYIUnDYL`pD(eP-f$9)>?^OTlCU$z%;fYR2EBun zJK8G@^uO=lcpDH9BPb|paPZ^DD>qrh+WM59olR$<=H~aZK5wk(qehhb2kq>gWW@ye zQ`vD$G~d2?Bk#z@bh*8pZDZ@ySNfWI`{73Xz8??8es*>`GJu%maMc+orOjUv8JoYn z{Q504Z|dKnoQDq9wRjbK6&MuyH}Vm~nB zWh!Nvo}Xz<&NL$+atntB2ju7N-QVNZ)(-FQ+ht~|65$d4CBebLA|*|IZ?dtiYpCrt z(M3~QgtU*T@?e~gkT zLIrkh?Omn4efPn;mXvsbg!%XAntySz zthE)lrp7-%zcwze+Cj^O6EDuSFE|*rz8*;jyPZjMKI+q|SyC0pWfe!!3_TZ42OA1@ z=0Ur^V0rGdkP}U-zn*;h3IN5LqS-*$Bs8LWU?X=y^EDevPp6 zvR5YcF_)GPv$Iz^Ij~k#MAF%1WaPH;@sS?eIocGbe6>=tv4MEje{UCOVlA($oe*R| zY8$F73XZQvVNIQx>iP1OCN|+^^ahqnVC^HOw-rY`}t+3rgQvmFL4tAge)0w*+L8Dc*Zmr!!e3Ga^Knc zH}e$hzwdn1Qj|}6^Pj)vZ7vJUDVT9t_;Ekof#?8vH*MhDfH5V0Dig0PLqECqTv1AT z<^3hgX9u@h1fKrI2lsRYCeibV@~=)lg?etX0rE-G|M{<`gi3FNF#bI5D~!S1c3!eu zwfS(aH%ZDdXQ2uPw0>?AyQwQb?!QL{z&P8K`GuW-o?XR@grgJoR!>S6sCq`h^h-Cq zPhZXK+32OUPsh8%A{EuHVc}s(TIgJE-S9HV3J}tHI*haBKeEo`!g29w@V&&dl;?Tf zRnaO7xhHEXe4WoYU0|@$p!bTuO1*0>pg`k+AMyN(?sEc5Is(18=27|OPCCc}=%ojB zl!egkA>p9?!~%6!CTSZZ9Akm-KFv)#xJ43)>CDxHSR;Y6-pcg})9wE$wOk-n@6#A>g;j&@m$_ zo`8cLBku%gvK*OaqWcdas#`4s%L;eOMAo(~Tu)Y>F=`P`eZC>93ZIe=b;k#*MOatO z%dec@JVjYt_Q$w0M+^+T_V#=ZM_G#7?s-;?rBJPQBX-jWew0NjKKON_y(;Q>`8#m` z0jbb^ELh!gd;f|>L2EqRD?2=jS|eTrR5APAk{}*aGN+lIX-U~UUQ>n;>Un=--GSCO zplLXVYB0fn``6)U`0Z+nXcv`5wi}6d30QmL%F0-{xog2%dS5ffkTL+;Xle=~D3p_+ zj{O6&e&UKh3%Noq8F)ithGmz(@2sjOGtA8LqP!)E*p?qY-6OgW9p%RjPB{-OT1hG{NeM>}tM#<*L^Xe z;j&|37aJ`m6=S`{4xE;kLdLx&mlLHvlvP4dAqE{CA8U*{hjk)yZ1!DoSl0JV4SNv} z>?{fIC>*%yt!Ffr_B~{KX75K&ccIl+Zidy5M4OUc3M>?{D$UK!rKP1VxSrUUSf7t- zYPecVUt=%gY5)f~J}NxU#_zV=3kx~^|bzmH{lX2uNr=-U7D zR;%A7g@`xS#87WKS<;R%VQ?3g-Q%ppJi_=)$tErHGOdE9KcDioLlY^X4AKnLwF((yBTw+%op7^ z#}7&yL{H+VG_IUZ=a}O>DHh$9NH7LJSijSC`TbizM`^*Q2Zbb({IBC;+e7!YPQ73ZEdRN9> z=mp65wKI+nyW-iRhvd%OLJkw@gQUtv5V+55Bno?)Pay=6w7ruZ&Oeh}JFh$N1vl1E zzaF%22j7j>VM-S@-eWy8(fN^}D8k{~3HlmGCGBXJaQWd1EPDj#B7S*$YGey^t$#xb zJPcXY9Vd5gk6SrOpmh95e+6b7k*u%ATaR8tS{>A&9vbueTWGhl3eB@Zv6JOZy0qvj{dA=A=-aDwW?U&($#1`9VpNDJa`R|V%JwD*l0VS zbzP4>O~h-GLf*))q~C0WWMc4l;)-YRjL9w6XWp|00Ez7$pex!JQr z7|&yTZYj=l@6mp>CVZN2Z&I{U@<~4_SPTs+T<%&g5@E)zQB2MDLY#Z^v(pi zuDl$*R#Krk1`$C?077G_wk*yu+o8>O*01l=bz29jQ;0>}%}TRg`N50(Itq9j^fjA? zoio%GQUF{^R%!@>&^%My_0{+b@@;ahjR1amzlMT(r`NVw*vs#F2zGY^6587zPe;Tt zPg{Y=_UY3nkd+sy!pp^lL&f+pN(+c5U4NcBEE&5qm9k>=^oVg+VRInLiGZ7ni_d8} z9_>rq3^-`xGi!k^KM5gGT=&oGqb^MB4OBQ7pxO{OsX+ThW9(~tj&aLMI=}zH+9~|9 z$@B1|WAfAWa|?<6HC;nROXiPW^i^^AEAe9h)hzOS_*PK*X-~*mkb^|^cc+6N)uc#- z~?aMkU&*{uc85q;Yx@-mqD=P;>Ho zjPaC!`gKoa;&zX+=;PY=b$aMEudLF3o9}K>tFUJXN=RK6cKK()-3CK+x!~HF7s6t8 z`}{61X4thLn-pTjXkkJfj)MGse8K!Tp-GZ!R_rWI{rIZDz2eDvN#1r zIFlb$R1lalcvx6ih7RU>Q$1sj$qwdPeAp9f+yqjgVxwd7T(JpUvWT`VyR_l-k(Ps5 zcsBzD#3~v*j0H)$8Yx~Du6?xfAHlW)He1}asFv6qan_5Jld){uafEL^c~1seY6tM> z-L9A)24mZ%7CkO8PX(CnOZym0X`-|>-Xo!=&}a@{GKyj8*U~p_yFO2b z+8Vo_8Y0cRNIX3~jrG(o&DZ}1JC-*Gws$yQ7n?B*Q=`4mIT}tJXVpNE=|$cB)NlD2 zfucz9dYel>>n__NL853oG^8o8V8lS)y=3FpsZE=H(QBd_Xwl03_6RoX=XW<1kB5)< zC`t~a)_gh5zC#_SMOl3paRe%Oq3yK?A%mCXOFq|@)e4c%u*Ze$*S~xJeK0M+3E3Os z&7{`z&GtWlPhOzgcz75IlHSXtO8#>61ti6!SG$U?sqQ6WGr=qZG}ylm!BTW}i+pKr z*Jut$V=y!&K%Ug_(K*)0M^eSX3W8~M+QjU~YLES`^|D7Hr=~D?=YsuHWymCUSR}9K zjpnyrk7GxvFA5pFm1^Z+%b#_TW#40HX(BwwR-ixcA9wfjXTh=8`!XhAMR0!+`el*idkb6G-mMd!gYnsLV-pwG|$;Wne-l!m-EZBGHJogVI^hdq{PHX3d(YD zm{QnP#m!gO(IKjj@KE{KV+ztKjhTC?L6Zk0`^}1QbK`1t*{P}F*g{_G#A(}yiley0 z?ql+D4vcYPM8P&2J6KrI%BS%Wr<)M|r0EKlw#UcD1|V`sM&yNw1jureBAMmoipP7d z1r^^Sl2I*$oh3wZQ2|2iQ2h|IZv=_}3K`=?=tEy`Zyp)iKI|`Kq4dw6<8K)HOy%U{ zKxdz;D8?26x>+Bi?ahB=z7zJoTzoF4cHnDup{%~6u?`ev<6boH@LsM!_H9w)X>(7k zW%ikxVPEznK|{&1KJ6ZBjAG^*>EFmHa}V1`*tX{e^#yNIcL;eh%Jm!8NW!C{Msmc1 zfDGQ)4r1Cl8)*=vi|}x8LI;j$Pp`(oTdM^E>Ri@)fo|>L<&`7oh7bYtktf3f0@Wc% z3&nb%hAh=P=$p~VXsoq|i3fv*F?Bry1H&jGanv#7Et$q~jdY2fsMCQLQeAEkmdRFg z&d6w>6jNA(W!5Q5@y-ho+ryBwbG27^c$!P%jq4vaHiEZi>z|TGWJU#TF775O9-2(2 z?pT{G%MCF-;5B%=hI3dAJcZe~BWZo_^OMYk!jbqv@Phk%%~XRax9cChYEDR2yN~v3 zN$ob*QQn5V3HUdbl}p}R^==AZv37)#g49>`wwd6gbkPQIlpoP!sx6Byl3HBU|pj8vx-3mwR)t!@rf+f&b%*Tf$D|r{7_#m4!tF`YO>ZYNCsmSKn2w z#UR1Z;U(zjf$knKI%x#w7?ZH2HoN^*iq`{Xm);5}wLQ|5$yX3XWv{DCJTFE6)V3C> zhkOfWgIdJ9I#*FqOZ|>+1p%J$ZzI&lxNP&pPF;vdbgPV?pUh&NuZr-%gyreF`+;mt zAoL46|9*zh3y!h5^gx*ElwvY%QK6ea=jZ3= z=}b0@?xlW(u+(*c1{t=)b;5LX++scpX|I&g&6pC&Kd>#_IN z>~kqxB!vA$X}hb)JX9qt39*YP3)?QQND=i@*H5&nCm*!WB-hKDe<*Lja?w0%s_ZD} zWM&gT2rPt44QGU7;Q#ZyqE(EatnuTK@1amP`EO;6eAq}FP#=jrgHjj7xtsB~i>It4 zDSTJ?h<3W2{lNlfhoe##$6;8fKK#1V`nxk$dXcBZCk5X{Rg_q?rK^& zGW-&%I|w`-XSq#|>Ib_Q8wm$kmhxvK8+jti1u=)8dc6j}MHp#Y8ln?V##qGQ`r*%u zq9E1@?|iWJDz|(2_DitJ(rHPWp(q=pI+rsmkI7}-f?R<7=W(bN+V(1nCaH2*(Y~Y?%8H88$aKdFwP~Z0 z6wV_cv}g=N9Vu6)1*G<_Cn5ccYN44%r^ljjfuLgFuFmmSw}Limnq?FWwDh6vsPypv6`y* zFmYcTQ}@K0Y$=PitTUIpaEfs3B4%)!<%J6zn*wHA3g0}eo|6dFRcX31*U^8~eWdzr zMl-oa5u>bV^oqQ%p?)O4BvsD-*elQ{lIUZ+K@qL|a0T3_xx2<7eXYnEiwPJe?LOXD zMQ;9Ya$3@UYYb*>P8;*FI}SFykT?CH1u<%8k3}%DGPywQm6!*A+D!d`YM<|zJH9@FUKzGK^=Eg=2i1g9U#zw>yFti|7leZxCcVtChgocJ< z$<8k<c}0g&*>opIKgS}^ql2unx8LF5TMlQy|AjVK z6Wm6KLHVuGYGj4&rpqLdnJCi?>+OjP;W?N)kr{{;SGRKczm2qbL_y5cqKTp0eBtE4 zOBt^qDG3`d;I^s218+yo1ojKkoDo^~#C!}?RAG?Jc7f5nF7oWNGEd?}gqXRdWuAo2 z=WFK#AO71!q`GS5wqKRlgj`=jo5jm42FeEt49|5?4+v~gWve^ud{Xq?JU}Y1q?9xLgJ4NjFNKsh!f;Z;nR5gaL0r22@zH7* z){_onf-31BBY?R|q7W90lVUZL*3q&a+sY0yY>bVcEkKMp*d}4jpctP+P_X`hP5PbO z>({~GCvADZghG;Ec~q&&$sw=lA)Nq0Kbjq?e+I`CVGYExYUEJuv=i`=K8d`4!ixwO zvPFDw$n{&iIm2UR$jHckiz8uH(?I0Tpx?gXUq2*F04cuh5{=Tp!ydsHLXg7`6!6gS zfzduPLAx}WB5KI+RL9ddjG;-%ozd_X{wHen9`o_r+pq=oUFjk>>b#HayRvm3v9tVO z>mu-3h+!5zv&VVAV)jZa7D^y_glVHP;ni=qw*#?+f?kGA1CB>GuLCEA&WQQLgF!W& z{+EPh*X|6MbOfkvg;cZW7N&6gYBC#%9iOysBSf=UgMxwr*sp@0Nl~lH%cFF%gc}q+ zBi7N?)zr{9ySV6-DXOxYVS|gt!h|Sv7jMDxg{xu(ck&;h+!2zJ#-U>iP;*E}`WO&Y z@;ffRN{jvg9BgUG=$*qH4E3FcRl;emApa3eZWx07Rut1ll~f192$6!)l}@}xX7M`m z8XEY|V$k%0yVBNS1jyi0RY>X~SJ8^bijz{pRpje@g>;^=$Z$9DH&-9SPpFj02;q__ z)*Af-0;&mh$Tp$_T;jL*;9{!qvpVF0rCdnf_p!YT@l}1kF^h5&p2@j@gp4eKti)*f zOn@v*rS!W6ZbfQ^4H(!w4|C8TThH$JK9dzdPX}NK1b%mV>gT9aTNP5 zwKz#B54I>qXbZN)WJV_f$9<#E6#qv(Lx*8n{;O=p=S4|4lbmFPC7eEmIRXS^ z&H|PP!ab)h<`w^vy_YdrHszSyXk`5IOSlsWN4RsQB~ki zH|WPN%E`+LjkrHvV#PvuNciuq8%E8IzRDG0168gMgnH0Q`szS>yc2X#!i0~1{6KaB zno#Kj*CH-KTo2OuIckdZ{uZxn= zwn4WA%V*xUZUw5xx4TppT8kkq-<*)}-$xXAX2OK`8#{Zj|46c{~ zBydDwJS8gAVC_6BaQX1T8y0AnWL(rx3`%+WUR>Kc62iAZ*Rs8$;qy?U_#MsOOQyBD z%H-a_*nQ1H=Vb89EnxT+5ITV`YVn|3;CX6h-}*NDxFP_9;-=DPO0Yt@;B zg~ip)4ag}#_m1z-fV{>35xC>Nq@GH0_*yxGUo661`}zo(mz_t$gBiFxyMJ;h6F z-76&r-va`?rbxZQDVb6x5*w0oZsT}w=r*meewSBhRDAroC}4eN+b6--TQ(GzUdbMe z3jlVvpK(2Fpd*Wkh6a}Rr!BJdC5{|$#(+8)Y?8n`1)NyySJ&4b9v2QzeY%664y451&)}8 zzT32*^&ND-YXpcj>3(3wHyHqS&kf)fZ1w;Kzoix*+|rtw8ep~vMGKt-9=P9{3ved3 z98jN!>%So5lcrdsgq;K=ws#UK&`!cHXC+?W*=;Z8?3Z&XZ+w1pP&>GOh;%3uXeHI4 zoPN|NYa6F~QWx^p;%)4cABSnRNp&`ATVGeH`UfuGW{4j==cu*Zo~D?bM8l@4mA@w9T+a_}fCOPO#AXy0w*@ z@)3vBsY{UQeru)y+2FVJr?Xk4w|*f7aSeLAeinL>qU)ZSdz@8<&9lqAt5P}zB8+a} zmtG{P74zI3Q|k3xC89ype&Ct14jh9)ZRt3j;b4;H(2xRdw*J#aUcKRuQE7MH_TE>^ zzX-{Ht7*BwWLRw-xapcdw;5}cUBVB_ZJmi=eBg>Jg9x~Ds$r8a)CL> zv*kiui`DYB4iolqQ$f@)$g8B{pEm}VhC-e?n(9B#5wq{2&1~#0(PI}csy>N);l0mD z;W=*K1*ZLi$_ex>sr>R(N{dtJ+X(GH=_hg*^Fs4DQ5Tnv4Ws&P-S?3HN<2^pb44kr z|9eMBB=(gmS@X0R3sa;e9~Z0ETM3JLTGIbBWWX$PeKjjcSnX!)JOeTP!L{*^E1CZP z{1pm#C==d*>RoWW0$pF^O+=+?>D0QXYgJeKzJ|Hg0)p3N}6#fZ0|TfSkn1*PKRPxA_^UWhe(<5dMs!<>BIM$kq8L*ox21=Wb`- z7y7!4oy2Mn&06?H*EqWf14g7L87e*4J>ma-S!{hQ>henoxrpXMyYdE@O1kpas7-M| z=9MO|M+j848kw;*;B!&qm$mWOlYxxfs;z@;v9?!4L?kvYgKghhVwa}SW%+m;xX`Jm zTTJ%7cRK4rLP9{)l|2y|0c$FAhTi-rNeQ4|zWZJ`)O+M|CHwCUSqRf70e;>iMguEHTM{9wSs`sTKB}L|Kf=d1M{z+T_-ix$+7n z2ut`LS;)Ofu&wKJo0PS`b09(HGci3kw=^>>{EW%t6y>$tNPUf)#Bl!CVNIreNwzu< zbT*2>=Tz?j-)udx+`~;rMJphZ(R1K=deUxjh?DbqbCopwL+|EvZWROjBi0sfY=W}9 zq=h#>eLIqvjLb|&b&^Dp;IL_%h93qusWi%YYlVI4D|{o?QFebs#ei7PY_59wTneH> zMqouL1P`v)mF^LUv~1zn|(c zq|%QT=LY#*QDeKP%{E+n5*8Ap4QTRkjisVbGg2I+H66?qVDc2CzFW)FeH3oG+C@?Op07OQP)cC6`YXiofI zxWJ5GUE_vpnVRprU(&S$x;4Sn2L+84@iNC7R~3>_@&+}(nv8D3^;zpbrYyox8SC`L z1kHNl`4`FopTn6x_J>2D(M0^eT~`j*6aTpf3>rUHPtsm+)-~=wgXemDc%BYIv`D8D zxtc!fmZ}xM#A*F=1w#dqqZ`>cP8TU54&=u7nUqCLS6ajGv>Y&zU&(z+o_i~uphK;? z%_mDPW)xiLe$P1!6}=$}_odFOO(+#TD;;K$!{D(g_IvM+T|_kd@~g$UxW0GIY&6(Fl$J4 zB_%u=G=NB-5$yuY*6`}cNNl_j_Mepjza#|2PZTTMR^;m~<$V6M@q%o5mS;#jmFL5< zn39wN42?}E<>aW^LpsAJr{|Y4u3nb;NbfBgUVBh}X|31CD2F7ZuFdH*ch(h$(&``1 z!3a|z?-%X9mu#5DQf1ls(;!bdnZeeiEk@s_=S-IoK}3jg!M`$GO9`cuPw{u2SLd}SlxkdH@|`ncWztRCK9b6(s^IH(u-l{#Xu?`# zjTfOjmo0PLV5*9d;>_K7AyxQ+)oz`!I(mRC=6lxH_)6@~nprZ%h?Ha1P!X`qsQ+h~ zDNrNMVJ~vBuP7>MlAWAgSsB^cnPy*vj~XPs!K{gX&#h5}iS|D}?UJdT;CIn2oonDr zGYsq)!sO!6>)BOl2a7vccg@{Nucas{ya^Ni%FdoliV zVw%6{{h8K{K_Dz9`1U2vf{+hfq|B11vxDtepd62Y$UHwsSxF&AHKRe?SY`89LfWeA$k;H53Dr3=7<4k9Up8+}1cp!-U?%_U}HRgFia5xGH2-ueeq95ozuuH5k-qdyle zDn9WkIW9k!SRFHbpaRiyNDdK@_eLr@FQUFWr4n)KDz2S!mLYy->#jm|e^Dl8@UI*1 zpOue#VCd&Br`;_yv>0=Fmhvob|3GW0vf3yo5G2^CMJjt)%I^?Cjm;99HZ|8(`K3&a zP5X1JdzUaJ+*B0-DWrOc&qON7^2&pfgJo`nsBf$>y7QNa55G5M-}N znO;DljGvTre&8w__{EI(<|Wv-K%5>^oltw#mkMZcMO$^zH!|qHXdqS&Wh5Bv_3sFv zLL8=GLMn~>PHRRMMyEsX(WDZbB;o(s=Q*G%$ZIA59{N8=1VQuj^P6vl+v$|CE)kf@ zi;F=an#7w=SRw^w+sA?<@cbNCl5UsT^?q^1sTkJ`E&Qtin|AvvtV?8#`RQpH&%$${J`RIfC)$m83Jn7We^p;LnS4#( zzXL>wlAS%tW_V%(HxA@G0M&Dd$@C><#<$v9W>(fIc3d!bv=@xJcsMsctMrU~t5_sX zWN^HW9ug#k<-wIVZ=XKGULSRViB@*W!gM(Kz#RfLX!G|0wHkm6UId(}zJ49ub|%Jo zhxhky zDuBajgL11A$nU_fWjY0-F2Gm_V?{SNwS#4S9?e0YWO#p} zp;`yfyE0e)Vgx{U87ZTd`4vyho$b9A^XpgCBWW7A6G_7PcsnmHWkvl&*xE|^zUJOv zHg^Vn6Ku?)KOeAbPhXrJNU3lpmMH=UaR9INfOr@{4tH(1Vp9N60ZGP2gW)A9yzGypQwkw zQ2_j-{w$54T2@d{5Cx8}9(W9RvD!uf`0BVZe^wtWc)(yux|JT!kgBr=+5S043sda~R;=Lz~YO%ilHwN*3d}qqQ|K z2eR^%8Og?@&7LLjFM9(HhO>Q)5F0$Be2Zkr{Q}gw7Cw9aTQ?~rLW`VBpDtTD!<+MZ zKd!$rTWRZ05RG``(a}*=6~_}Tyu6&43kFeSfpe)2UJU3n??Zs`!TX4ki)iD$g!j(Y zRy6d5Ns-$1u=ZQ*PBy)7NUD24BCjGMCML$h`T<@P7^N$qqy|0Su1p{nfoq^M;eo)T zw|=Nno1VJ5soZnT5y3i-BR83{S51BOi{K|zEju~z&#EfoY0BQ7Jw?*P5{(2_IOC}G aLs0+F?ukrV4AwL7BPXpSRRJ*${l5Ug4qMm& literal 0 HcmV?d00001 diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index 6f9ab33923..5712daf23f 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -31,6 +31,8 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win [Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices) +[Disable Upgrade Readiness](#disable-upgrade-readiness) + ### Devices not showing up @@ -153,6 +155,23 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that [comment]: # (Device names are not showing up properly? Starting with Windows 10 1803, the device name is no longer collected by default and requires a separate opt-in by setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowDeviceNameInTelemetry:DWORD == 1. This is done by default if you run the latest version of the deployment script, or can be set via policy. If the policy is not set, then the device name will show up as "Unknown (aka.ms/analyticsDeviceName)") +### Disable Upgrade Readiness + +If you want to stop using Upgrade Readiness and stop sending diagnostic data data to Microsoft, follow these steps: + +1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. + + ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png) + +2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**: + + **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* + **Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic. + +3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. +4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". + + ## Other common questions ### What are the requirements and costs for Windows Analytics solutions? From fe72d455b1d042a7629e81b331786c73b0fe7cc0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 21 Mar 2018 14:10:37 -0700 Subject: [PATCH 13/16] update mb daily usage --- ...equirements-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 3027bbe7f9..368f43a52c 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 11/17/2017 +ms.date: 03/21/2018 --- # Minimum requirements for Windows Defender ATP @@ -68,7 +68,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t #### Internet connectivity Internet connectivity on endpoints is required either directly or through proxy. -The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data. +The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . From 4e510d198258c4a74ca843c5469d9df424ee841a Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 21 Mar 2018 21:11:50 +0000 Subject: [PATCH 14/16] Merged PR 6531: ApplicationManagement policies in Policy CSP - added 2 new policies --- ...ew-in-windows-mdm-enrollment-management.md | 4 + .../policy-configuration-service-provider.md | 6 + .../mdm/policy-csp-applicationmanagement.md | 146 ++++++++++++++++++ 3 files changed, 156 insertions(+) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 66cacb8036..5904341127 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1147,6 +1147,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
    • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold
    • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter
    • ApplicationDefaults/EnableAppUriHandlers
      • +
    • ApplicationManagement/MSIAllowUserControlOverInstall
      • +
    • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
    • Browser/AllowConfigurationUpdateForBooksLibrary
    • Browser/AlwaysEnableBooksLibrary
    • Browser/EnableExtendedBooksTelemetry
      • @@ -1659,6 +1661,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

      Added the following new policies for Windows 10, version 1803:

      • ApplicationDefaults/EnableAppUriHandlers
        • +
      • ApplicationManagement/MSIAllowUserControlOverInstall
        • +
      • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
      • Connectivity/AllowPhonePCLinking
      • RestrictedGroups/ConfigureGroupMembership
      diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index debb631fa9..914f916fa6 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -225,6 +225,12 @@ The following diagram shows the Policy configuration service provider in tree fo
      ApplicationManagement/DisableStoreOriginatedApps
      +
      + ApplicationManagement/MSIAllowUserControlOverInstall +
      +
      + ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges +
      ApplicationManagement/RequirePrivateStoreOnly
      diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 47b9d1e09d..4abd17e1d1 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -11,6 +11,8 @@ ms.date: 03/12/2018 # Policy CSP - ApplicationManagement +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
      @@ -43,6 +45,12 @@ ms.date: 03/12/2018
      ApplicationManagement/DisableStoreOriginatedApps
      +
      + ApplicationManagement/MSIAllowUserControlOverInstall +
      +
      + ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges +
      ApplicationManagement/RequirePrivateStoreOnly
      @@ -538,6 +546,144 @@ The following list shows the supported values:
      + +**ApplicationManagement/MSIAllowUserControlOverInstall** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1803. This policy setting permits users to change installation options that typically are available only to system administrators. + +If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. + +If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. + +If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. + +This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed. + + + +ADMX Info: +- GP English name: *Allow user control over installs* +- GP name: *EnableUserControl* +- GP ADMX file name: *MSI.admx* + + + +This setting supports a range of values between 0 and 1. + + + + + + + + + + + +
      + + +**ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4cross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
      + + + +Added in Windows 10, version 1803. This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. + +If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. + +If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. + +Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. + +Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. + + +ADMX Info: +- GP English name: *Always install with elevated privileges* +- GP name: *AlwaysInstallElevated* +- GP ADMX file name: *MSI.admx* + + + +This setting supports a range of values between 0 and 1. + + + + + + + + + + + +
      + **ApplicationManagement/RequirePrivateStoreOnly** From 77200ef8b93f78e0a7cf5c4f22057513e8e4cd63 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 21 Mar 2018 14:30:21 -0700 Subject: [PATCH 15/16] set redirect in TroubleshootUR topic; removed from TOC --- windows/deployment/TOC.md | 1 - .../upgrade/troubleshoot-upgrade-readiness.md | 40 +------------------ 2 files changed, 2 insertions(+), 39 deletions(-) diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 60b97c2e42..db15a838fa 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -241,7 +241,6 @@ ##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md) ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) -#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md) ### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) #### [Get started with Update Compliance](update/update-compliance-get-started.md) #### [Use Update Compliance](update/update-compliance-using.md) diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md b/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md index a837d861dc..e020be4aad 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md @@ -1,39 +1,3 @@ --- -title: Troubleshoot Upgrade Readiness (Windows 10) -description: Provides troubleshooting information for Upgrade Readiness. -ms.prod: w10 -author: greg-lindsay -ms.date: 04/19/2017 ---- - -# Troubleshoot Upgrade Readiness - -If you’re having issues seeing data in Upgrade Readiness after running the Upgrade Readiness Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error. - -If you still don’t see data in Upgrade Readiness, follow these steps: - -1. Download and extract the [Upgrade Readiness Deployment Script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). Ensure the “Pilot/Diagnostics” folder is included . - -2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md). - -3. Check that isVerboseLogging is set to $true. - -4. Run the script again. Log files will be saved to the directory specified in the script. - -5. Open a support case with Microsoft Support through your regular channel and provide this information. - -## Disable Upgrade Readiness - -If you want to stop using Upgrade Readiness and stop sending diagnostic data data to Microsoft, follow these steps: - -1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. - - ![Upgrade Readiness unsubscribe](../images/upgrade-analytics-unsubscribe.png) - -2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**: - - **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* - **Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic. - -3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. -4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**. +redirect_url: /windows/deployment/update/windows-analytics-FAQ-troubleshooting +--- \ No newline at end of file From 6540c97dec55d36472279e0a23dae958bc401f73 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 21 Mar 2018 16:13:22 -0700 Subject: [PATCH 16/16] revised surface statement --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 94f1153940..6505ce3f4a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -100,7 +100,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t 2. At the command prompt, type the following command and then press ENTER: `manage-bde. -ComputerName -forcerecovery ` -> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because the OS will not boot after the recovery key is entered. Instead, the BitLocker recovery screen reappears until BitLocker protection is suspended or the OS drive is decrypted. +> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).   ## Planning your recovery process